    tcpdump: Commands and Output Explained (repost)

    Output Explained
    http://www.enterprisenetworkingplanet.com/netos/article.php/3442341

    I confess, I'm an outlaw at heart. I like using packet sniffers like tcpdump because it satisfies my base snooping impulses. Packet-sniffing is wiretapping after all, only it's applied to TCP/IP packets, not voice transmissions. Sure, they're my packets on my systems, but still the idea is appealing. Even more appealing is knowing I have the ability to monitor incoming and outgoing traffic, and knowing exactly what's going on.

    For example, being an untrusting soul as all wise network administrators are, I can use tcpdump to verify that encryption is working. Here is what a plain unencrypted POP mail session looks like. This is an abbreviated example showing only the initial three-way TCP handshake. You can do this yourself by firing up tcpdump, then checking mail. Ctrl+C stops it:

    # tcpdump port 110
    15:04:49.050227 windbag.34348 > venus.domain.com.pop3: S 2974284112:2974284112(0) win 5840 (DF)
    15:04:49.190076 venus.domain.com.pop3 > windbag.34348: S 2862911212:2862911212(0) ack 2974284113 win 5840 (DF)
    15:04:49.190168 windbag.34348 > venus.domain.com.pop3: . ack 1 win 5840 (DF)

    Handshake Dissection

    There is a whole lot going on here, which I shall now deign to explain.

    15:04:49.050227 is the timestamp, in hh:mm:ss:fraction format.

    windbag.34348 > is the originating host and port.

    venus.domain.com.pop3: is the destination host and port (see /etc/services).

    S is the first part of the three-way TCP handshake (SYN, SYN, ACK).

    2974284112:2974284112 is the byte sequence/range. The initial sequence number (ISN) is generated randomly. Then sequence numbers for the rest of the bytes in the connection are incremented by 1 from the ISN. Since no data are exchanged at this stage, both numbers are the same.

    win 5840 is the window size, or the number of bytes of buffer space the host has available for receiving data.

    mss 1460 is the maximum segment size, or maximum IP datagram size that can be handled without using fragmentation. Both sides of the connection must agree on a value; if they are different, the lower value is used.

    sackOK means "selective acknowledgments," or allow the receiver to acknowledge packets out of sequence. Originally, packets could only be acknowledged in sequence. So if the third packet out of a thousand packets received went missing, the host could only acknowledge the receipt of the first two packets, and the sender would have to resend all packets from number three through one thousand. sackOK allows only the missing third packet to be re-sent.

    timestamp 995173 0 measures the round-trip time. There are two fields: the Timestamp Value and the Timestamp Echo Reply. On the first exchange, the Echo Reply is set to 0. When the second host receives that packet, it transfers the timestamp from the old packet's Timestamp Value field to the new packet's Timestamp Echo Reply field. Then it generates a new value for the Timestamp Value field. So the Timestamp Value field contains the latest timestamp, while the Timestamp Echo Reply field contains the previous timestamp.

    nop, or "no operation," is just padding. TCP options must be multiples of 4 bytes, so nop is used to pad undersized fields.

    wscale 0> is a nifty hack to get around the original window size limitation of 65,535 bytes, because the window size field is only 16 bits long. wscale provides for a full gigabyte of buffer. Both sides of the connection must support this and agree; otherwise the window size does not change.

    (DF) means "don't fragment."

    Here is a sample of the rest of the dump, showing data transfer:

    15:04:49.548954 windbag.34348 > venus.domain.com.pop3: P 46:52(6) ack 181 win 5840 (DF)
    15:04:49.653945 venus.domain.com.pop3 > windbag.34348: P 181:238(57) ack 52 win 5840 (DF)

    The P flag means "push", or data are being sent. And now you see an example of the byte sequence/range when data are sent: 181:238(57); or 57 packets in this particular exchange.
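    As an added example (not code from the article), here is a small parser for the summary-line format dissected above, plus a check that a captured SYN / SYN-ACK / ACK triple really is a consistent handshake (the SYN-ACK acknowledges the client ISN + 1, and the final ACK, which tcpdump prints with relative numbers, acknowledges 1). It also computes the payload width of a range such as 181:238.

```python
import re

# Added example (not from the article): parser for the classic tcpdump TCP
# summary line dissected above: "ts src.port > dst.port: flags lo:hi(len) ack N win N".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)\s*"
    r"(?:(?P<lo>\d+):(?P<hi>\d+)\((?P<len>\d+)\))?\s*"
    r"(?:ack\s+(?P<ack>\d+))?\s*(?:win\s+(?P<win>\d+))?"
)
NUMERIC = ("lo", "hi", "len", "ack", "win")

def parse_line(line):
    """Parse one summary line into a dict; numeric fields become int or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    seg = m.groupdict()
    for k in NUMERIC:
        seg[k] = int(seg[k]) if seg[k] is not None else None
    return seg

def payload_bytes(seg):
    """Bytes carried by a segment: the width of its seq range, e.g. 181:238 -> 57."""
    return 0 if seg["lo"] is None else seg["hi"] - seg["lo"]

def check_handshake(lines):
    """Return a list of problems in a SYN / SYN-ACK / ACK triple ([] means a clean handshake)."""
    syn, synack, ack = (parse_line(l) for l in lines)
    problems = []
    if "S" not in syn["flags"] or syn["ack"] is not None or syn["len"] != 0:
        problems.append("first segment is not a bare SYN")
    if (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("SYN-ACK does not come from the SYN's peer")
    if "S" not in synack["flags"] or synack["ack"] != syn["lo"] + 1:
        problems.append("SYN-ACK does not acknowledge client ISN + 1")
    # After the SYNs tcpdump prints relative numbers, so "ack 1" means server ISN + 1.
    if ack["flags"] != "." or ack["ack"] != 1:
        problems.append("third segment is not a plain ACK of server ISN + 1")
    return problems

# The three handshake lines from the article's port-110 capture, plus one data segment.
HANDSHAKE = [
    "15:04:49.050227 windbag.34348 > venus.domain.com.pop3: S 2974284112:2974284112(0) win 5840 (DF)",
    "15:04:49.190076 venus.domain.com.pop3 > windbag.34348: S 2862911212:2862911212(0) ack 2974284113 win 5840 (DF)",
    "15:04:49.190168 windbag.34348 > venus.domain.com.pop3: . ack 1 win 5840 (DF)",
]
DATA = "15:04:49.653945 venus.domain.com.pop3 > windbag.34348: P 181:238(57) ack 52 win 5840 (DF)"

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE) or "clean three-way handshake")
    print(payload_bytes(parse_line(DATA)), "bytes of POP3 payload")
```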

    Verifying Encryption

    Now let's get back to our original task of examining packets to verify that logging in to our mail server is properly encrypted. Here is the quick way:

    # tcpdump port 995
    tcpdump: listening on eth0
    16:10:05.054198 windbag.34465 > venus.euao.com.pop3s: S 2698160498:2698160498(0) win 5840 (DF)
    16:10:05.171235 venus.domain.com.pop3s > windbag.34465: S 2694170013:2694170013(0) ack 2698160499 win 5840 (DF)
    16:10:05.171319 windbag.34465 > venus.domain.com.pop3s: . ack 1 win 5840 (DF)


    This shows the protocol is pop3s, rather than pop3, which is what we want. We can dig even deeper and view the login itself:

    # tcpdump -X port 995

    The X option displays the packet in nice readable ASCII, as this snippet shows:

    E...R(@.5..fE8..
    ................
    P...`.......J...
    F..A....yY.I.D..
    =2....'i..E.....J.

    Readable enough to verify that anyone snooping on our connection cannot capture logins and passwords. This snippet plainly shows the login and password in a clear text login:

    # tcpdump -X port 110
    E8.....n.....V%.
    P...T...USER.car
    la@domain.com..

    32:46(14) ack 70 win 5840 (DF)
    E..6..@.@..x....
    E8.....n...".V&.
    P...n...PASS.mgY6Rf9W..

    Hubs Are Blabbermouths

    If your LAN is connected with hubs, which is so twentieth century, you can sniff traffic for any host on the network from the comfort of your own chair. Anyone on the LAN can simply name the host they wish to surveil:

    # tcpdump dst host workstation5

    Or specify the host's IP address. tcpdump automatically puts your NIC into promiscuous mode, but you won't see this with ifconfig. You'll see it in dmesg or /var/log/messages. Just for kicks, open two terminal windows. In one, run tail -f /var/log/messages. In the other, run tcpdump, then stop it. The first one will show something like

    Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
    Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
    Nov 22 20:44:07 windbag kernel: eth0: Promiscuous mode enabled.
    Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode
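    From the defender's side, those kernel messages are exactly what you watch for to find a sniffer running on a host. As an added example (not from the article), here is a small monitor that pairs the "entered" and "left" events per host and interface over constructed syslog lines modelled on the output above, and reports interfaces that never left promiscuous mode.

```python
import re

# Added example (not from the article): detect sniffer activity from the kernel
# "device ethN entered/left promiscuous mode" lines shown above.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"device\s+(?P<iface>\S+)\s+(?P<event>entered|left)\s+promiscuous\s+mode"
)

def promisc_intervals(lines):
    """Pair 'entered'/'left' events per (host, iface).

    Returns (host, iface, entered_ts, left_ts) tuples; left_ts is None when the
    interface is still promiscuous at the end of the log.
    """
    open_at, intervals = {}, []
    for line in lines:
        m = PROMISC_RE.match(line)
        if not m:
            continue  # "eth0: Promiscuous mode enabled." and unrelated lines are ignored
        key = (m["host"], m["iface"])
        if m["event"] == "entered":
            open_at[key] = m["ts"]
        elif key in open_at:
            intervals.append((key[0], key[1], open_at.pop(key), m["ts"]))
    intervals.extend((h, i, ts, None) for (h, i), ts in open_at.items())
    return intervals

def still_promiscuous(lines):
    """(host, iface) pairs that entered promiscuous mode and never left: worth an alert."""
    return [(h, i) for h, i, _, left in promisc_intervals(lines) if left is None]

# Constructed sample log, modelled on the article's /var/log/messages output.
SAMPLE = """\
Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
Nov 22 20:43:45 windbag cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode
Nov 22 20:50:01 venus kernel: device eth1 entered promiscuous mode
""".splitlines()

if __name__ == "__main__":
    for host, iface, entered, left in promisc_intervals(SAMPLE):
        print(f"{host} {iface}: promiscuous from {entered} until {left or 'still on'}")
    print("open:", still_promiscuous(SAMPLE))
```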

    Foiled By Switches

    If your LAN is blessed with switches instead of hubs, you cannot do this. You must first put the switch in SPAN (Switch Port Analyzer) mode. This is also called "port mirroring." Whatever you call it, it puts the switch in broadcast mode just like a hub, with one major difference: all the LAN traffic is directed to a sniffer port, so only you, the godlike admin, can see the packets. Low-cost SOHO switches, such as those made by Linksys, D-Link, and Netgear, cannot do this; this is a feature of higher-priced products from Cisco and Extreme.

    Come back next week to learn some nifty network diagnostic tricks with tcpdump, such as finding signs of evil activity, diagnosing network problems, and sending tcpdump's output to binary files suitable for parsing by utilities like Ethereal and Snort.

    Resources

    Unlike my columns, RFCs are less-than-riveting reading. But they contain complete information.

    • rfc 793 describes the transmission control protocol (tcp) in exhaustive detail.
    • rfc 1180 is an excellent tutorial.
    • tcpdump home page


    Command Reference

    The first kind of keyword concerns the type, mainly host, net and port. For example, host 210.27.48.2 says that 210.27.48.2 is a host, net 202.0.0.0 says that 202.0.0.0 is a network address, and port 23 says the port number is 23. If no type is given, the default type is host.

    The second kind determines the direction of transmission: src, dst, dst or src, dst and src. For example, src 210.27.48.2 says the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 says the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.

    The third kind is protocol keywords: fddi, ip, arp, rarp, tcp, udp and so on. fddi selects the protocol specific to FDDI (Fiber Distributed Data Interface) networks; in practice it is an alias for "ether", since fddi and ether have similar source and destination addressing, so fddi packets can be processed and analysed as ether packets. The other keywords select the protocol of the packets to capture. If no protocol is given, tcpdump captures packets of all protocols.

    Besides these three kinds of keyword, the other important keywords are gateway, broadcast, less and greater, plus three logical operators: negation 'not' or '!', conjunction 'and' or '&&', and disjunction 'or' or '||'. These keywords can be combined into powerful filter expressions; several examples follow.

    Started with no arguments, tcpdump monitors all packets passing the first network interface:

    # tcpdump
    tcpdump: listening on fxp0
    11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
    11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
    0000 0000 0080 0000 1007 cf08 0900 0000
    0e80 0000 902b 4695 0980 8701 0014 0002
    000f 0000 902b 4695 0008 00
    11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
    ffff 0060 0004 ffff ffff ffff ffff ffff
    0452 ffff ffff 0000 e85b 6d85 4008 0002
    0640 4d41 5354 4552 5f57 4542 0000 0000
    0000 00

    Use -i to specify the interface tcpdump listens on, which is useful when the machine has several interfaces; use -c to specify how many packets to capture; use -w to write the captured packets to a file.

    A. To capture all packets received or sent by host 210.27.48.1:

    # tcpdump host 210.27.48.1

    B. To capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (when using parentheses on the command line, be sure to

    # tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)

    C. To capture IP packets between host 210.27.48.1 and every host except 210.27.48.2:

    # tcpdump ip host 210.27.48.1 and ! 210.27.48.2

    D. To capture telnet packets received or sent by host 210.27.48.1:

    # tcpdump tcp port 23 host 210.27.48.1

    E. To monitor UDP port 123 on this machine (123 is the NTP service port):

    # tcpdump udp port 123

    F. The system then monitors only the traffic of the host named hostname, which can be the local host or any other machine on the network. The following command reads all data sent by host hostname:

    # tcpdump -i eth0 src host hostname

    G. To monitor all packets sent to host hostname:

    # tcpdump -i eth0 dst host hostname

    H. To monitor packets passing through a specified gateway:

    # tcpdump -i eth0 gateway Gatewayname

    I. To monitor TCP or UDP packets addressed to a specified port:

    # tcpdump -i eth0 host hostname and port 80


    The direction keywords src, dst, dst or src and dst and src also apply to ports. To list only packets sent to port 80, use dst port; to see only packets coming back from port 80, use src port:

    # tcpdump -i eth0 host hostname and dst port 80      (destination port is 80)

    or

    # tcpdump -i eth0 host hostname and src port 80      (source port is 80, typically a host providing HTTP service)

    When there are many conditions, each condition is preceded by and, or, or not:

    # tcpdump -i eth0 host ! 211.161.223.70 and ! 211.161.223.71 and dst port 80

    When an Ethernet interface is put into promiscuous mode, the system log records:

    May  7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
    May  7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
    May  7 20:03:57 localhost kernel: device eth0 left promiscuous mode

    tcpdump does not fully decode captured data; most of the packet contents are printed directly in hexadecimal. This is clearly inconvenient for analysing network problems, so the usual approach is to capture with -w and save the data to a file, then decode and analyse it with another program. Filter rules should also be defined so that the captured packets do not fill the entire disk.

    Original source: https://www.cnblogs.com/eavn/p/1813815.html