Artikel ini adalah bagian kedua dari seri yang membahas tcpdump yang hebat kegunaan. Anda dapat menggunakan utilitas ini untuk menangkap lalu lintas jaringan untuk pemecahan masalah dan analisis (dan menguping). Di sini, di bagian dua, saya mendemonstrasikan menangkap dan melihat data.
7. Opsi -r
Jika Anda sampai sejauh ini dan menulis pcap file, Anda tahu Anda tidak dapat menggunakan editor teks sederhana untuk membaca konten file. Oleh karena itu, Anda harus menggunakan -r file.pcap . Ia membaca file tangkapan yang ada dan mencetaknya sebagai output.
# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
dropped privs to tcpdump
20:33:45.240421 wlp0s20f3 Out IP kkulkarni.attlocal.net.37376 > dsldevice.attlocal.net.domain: 8860+ PTR? 89.1.168.192.in-addr.arpa. (43)
20:33:45.250107 wlp0s20f3 In IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.37376: 8860* 1/0/0 PTR kkulkarni.attlocal.net. (79)
20:33:45.253418 wlp0s20f3 Out IP kkulkarni.attlocal.net.54366 > dsldevice.attlocal.net.domain: 23092+ PTR? 1.112.168.192.in-addr.arpa. (44)
20:33:45.260212 wlp0s20f3 In IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.54366: 23092 NXDomain* 0/0/0 (44) [ Anda mungkin juga menikmati: Menghitung jaringan baru dengan Nmap ]
8. Opsi tuan rumah
Jika Anda ingin memfilter lalu lintas untuk host tertentu, Anda dapat menggunakan host ip atau host name untuk menangkap paket untuk host tertentu.
# tcpdump host redhat.com -i any -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:40:03.331999 tun0 Out IP kkulkarni > 10.4.204.55: ICMP echo request, id 3, seq 1, length 64
20:40:03.407110 tun0 In IP 10.4.204.55 > kkulkarni: ICMP echo reply, id 3, seq 1, length 64
20:40:03.474267 tun0 Out IP kkulkarni.43846 > 10.4.204.55.hostmon: Flags [S], seq 708429466, win 64680, options [mss 1320,sackOK,TS val 2091589339 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
20:40:03.474377 tun0 Out IP kkulkarni.43848 > 10.4.204.55.hostmon: Flags [S], seq 1993455236, win 64680, options [mss 1320,sackOK,TS val 2091589340 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
4 packets captured
54 packets received by filter
0 packets dropped by kernel
Anda dapat menggunakan src atau dst kata kunci untuk memberitahu tcpdump jika paket yang diambil harus berisi host di alamat sumber atau tujuan, mis., Anda dapat mencoba menjalankan tcpdump -i any src host localhost atau tcpdump -i any dst host redhat.com
9. Operator logika
tcpdump mendukung dan /atau /tidak operator sebagai kata kunci, mis., tcpdump -i eth0 “host redhat.com and (port 80 or port 443)” . Sebaiknya gunakan tanda kutip di sekitar ekspresi majemuk sehingga bash tidak mencoba menafsirkan tanda kurung.
# tcpdump -i any "host redhat.com and (port 22 or port 443)"
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:47:07.210126 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [S], seq 2898988806, win 64680, options [mss 1320,sackOK,TS val 2092013075 ecr 0,nop,wscale 7], length 0
20:47:07.309977 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [S.], seq 3757049161, ack 2898988807, win 3960, options [mss 1320,nop,wscale 2,nop,nop,TS val 2416723958 ecr 2092013075,sackOK,eol], length 0
20:47:07.310082 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1, win 506, options [nop,nop,TS val 2092013175 ecr 2416723958], length 0
20:47:07.336927 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 1:518, ack 1, win 506, options [nop,nop,TS val 2092013202 ecr 2416723958], length 517
20:47:07.430495 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 518, win 1119, options [nop,nop,TS val 2416724085 ecr 2092013202], length 0
20:47:07.439951 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1:1309, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.439995 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1309, win 502, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440032 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1309:2617, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.440051 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 2617, win 494, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440070 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 2617:3455, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 838
20:47:07.440084 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3455, win 488, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.442272 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 518:644, ack 3455, win 502, options [nop,nop,TS val 2092013307 ecr 2416724087], length 126
20:47:07.540457 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 644, win 1150, options [nop,nop,TS val 2416724191 ecr 2092013307], length 0
20:47:07.540516 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3455:3506, ack 644, win 1150, options [nop,nop,TS val 2416724192 ecr 2092013307], length 51
20:47:07.540549 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 0
20:47:07.541003 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 644:747, ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 103
20:47:07.642712 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 747, win 1176, options [nop,nop,TS val 2416724288 ecr 2092013406], length 0
20:47:07.642759 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3506:3664, ack 747, win 1176, options [nop,nop,TS val 2416724289 ecr 2092013406], length 158
20:47:07.642815 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 0
20:47:07.643276 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 747:778, ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 31
20:47:07.645016 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [F.], seq 778, ack 3664, win 502, options [nop,nop,TS val 2092013510 ecr 2416724289], length 0
20:47:07.740205 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740283 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [F.], seq 3664, ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740328 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3665, win 502, options [nop,nop,TS val 2092013606 ecr 2416724391], length 0
20:47:07.740358 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 779, win 1184, options [nop,nop,TS val 2416724392 ecr 2092013510], length 0
20:47:22.662001 tun0 Out IP kkulkarni.46274 > 10.4.204.55.ssh: Flags [S], seq 401723346, win 64680, options [mss 1320,sackOK,TS val 2092028527 ecr 0,nop,wscale 7], length 0
20:47:22.745682 tun0 In IP 10.4.204.55.ssh > kkulkarni.46274: Flags [R.], seq 0, ack 401723347, win 0, length 0 10. Jaring kata kunci
jaring kata kunci dapat digunakan untuk menentukan jaringan apa yang akan ditangkap dengan menggunakan notasi CIDR. Anda dapat menggunakan src dan dst CIDR jaringan dengan operator logis dan paket filter dengan lebih tepat.
# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:49:05.299091 wlp0s20f3 B IP 192.168.1.76.49154 > 255.255.255.255.ircu-3: UDP, length 188
20:49:05.300437 wlp0s20f3 Out IP 192.168.1.89.36676 > 18.211.133.65.https: Flags [.], ack 493003385, win 2033, options [nop,nop,TS val 2037223284 ecr 885784861], length 0
20:49:06.238513 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
20:49:06.238603 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
4 packets captured
5 packets received by filter
0 packets dropped by kernel 11. Kata kunci eter
Filter dapat diterapkan menggunakan host ether kata kunci untuk membatasi penangkapan lalu lintas ke alamat MAC. Gunakan -e untuk mencetak header tingkat tautan pada setiap baris dump. Ini dapat digunakan, misalnya, untuk mencetak alamat lapisan MAC untuk protokol seperti Ethernet dan IEEE 802.11. Contoh di bawah ini menangkap lalu lintas siaran Layer 2:
# tcpdump ether host ff:ff:ff:ff:ff:ff -i wlp0s20f3 -e -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:56:35.965137 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:36.886722 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:37.808286 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:39.958693 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
4 packets captured
4 packets received by filter
0 packets dropped by kernel 12. Kata kunci ip6
Lalu Lintas IPv6 dapat ditangkap menggunakan ip6 kata kunci. Ini contohnya:
# tcpdump -i any ip6 host google.com -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:00:22.825749 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 1, length 64
21:00:22.863347 wlp0s20f3 In IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 1, length 64
21:00:23.827332 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 2, length 64
21:00:23.864202 wlp0s20f3 In IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 2, length 64
4 packets captured
7 packets received by filter
0 packets dropped by kernel [ Panduan gratis dari Red Hat:5 langkah untuk mengotomatisasi bisnis Anda. ]
Menutup
Di bagian kedua, Anda mempelajari enam opsi baru untuk mengelola pengambilan paket di jaringan menggunakan tcpdump . Artikel ini didasarkan pada informasi yang tercakup di bagian satu. Di angsuran terakhir, Anda akan melihat enam tanda lagi yang membantu memfilter tcpdump hasil.
Cara menggunakan Ansible untuk mengonfigurasi proxy terbalik
Cara menggunakan Ansible untuk mengirim email menggunakan Gmail