Use tcpdump to capture packets

Original link: https://luyuhuang.tech/2022/12/05/tcpdump.html

tcpdump is a very practical tool for capturing packets. I had always just copied common commands from the Internet without understanding its logic. Recently I read its manual carefully and summarized how tcpdump is used.

Command format

If you run tcpdump --help to see its usage, you get a long list of parameter options and are still at a loss as to how to use it. The actual shape of a tcpdump invocation is:

     $ tcpdump [options] [expression]

tcpdump reads data from the network, decodes the protocols, and then matches each packet against the expression. If a packet matches, its content is output in the specified way. The options specify how data is read from the network (for example, which network interface) and how the captured data is output.

Before going deep into the options and expression syntax, let’s look at a simple example. The option -A means to print the content of each packet as ASCII text, and -i specifies the network interface; the expression tcp && port 80 means to capture packets whose protocol is TCP and whose port is 80.

     $ tcpdump -i eth0 -A 'tcp && port 80'
     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

With this running, if we execute curl http://luyuhuang.tech on the same machine, we can see that tcpdump prints:

     16:43:22.947734 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [S], seq 3607076262, win 64240, options [mss 1460,sackOK,TS val 2356831936 ecr 0,nop,wscale 7], length 0
     16:43:22.961963 IP luyuhuang.tech.http > 172.29.57.43.41858: Flags [S.], seq 1991848100, ack 3607076263, win 65160, options [mss 1424,sackOK,TS val 1839405528 ecr 2356831936,nop,wscale 7], length 0
     16:43:22.962003 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 2356831951 ecr 1839405528], length 0

The above is the TCP three-way handshake. For each packet, tcpdump first prints a line of basic information, called the “dump line”: the current time, the IP addresses and ports of the two communicating parties, the TCP flags, sequence numbers, and options. After it comes the content of the packet body, printed as text; any byte that is not printable ASCII is printed as a dot (.). Next is the HTTP request:

     16:43:22.962049 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [P.], seq 1:79, ack 1, win 502, options [nop,nop,TS val 2356831951 ecr 1839405528], length 78: HTTP: GET / HTTP/1.1
     GET / HTTP/1.1
     Host: luyuhuang.tech
     User-Agent: curl/7.68.0
     Accept: */*

     16:43:22.975713 IP luyuhuang.tech.http > 172.29.57.43.41858: Flags [.], ack 79, win 509, options [nop,nop,TS val 1839405541 ecr 2356831951], length 0
     16:43:22.975715 IP luyuhuang.tech.http > 172.29.57.43.41858: Flags [P.], seq 1:368, ack 79, win 509, options [nop,nop,TS val 1839405542 ecr 2356831951], length 367: HTTP: HTTP/1.1 301 Moved Permanently
     HTTP/1.1 301 Moved Permanently
     Server: nginx/1.20.2
     Date: Sat, 26 Nov 2022 08:43:22 GMT
     Content-Type: text/html
     Content-Length: 169
     Connection: keep-alive
     Location: https://luyuhuang.tech/

     <html>
     <head><title>301 Moved Permanently</title></head>
     <body>
     <center><h1>301 Moved Permanently</h1></center>
     <hr><center>nginx/1.20.2</center>
     </body>
     </html>
     16:43:22.975748 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [.], ack 368, win 501, options [nop,nop,TS val 2356831964 ecr 1839405542], length 0

We can see the HTTP request GET / HTTP/1.1 in text form, followed by the ACK sent by the server, then the response HTTP/1.1 301 Moved Permanently sent by the server, and finally the ACK sent by the client.
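The dump lines above have a fixed shape, so they can be parsed and followed as a state machine. The following is an added example (not part of the original post): it parses default-format TCP/IPv4 dump lines with a regular expression and tracks SYN, SYN/ACK and ACK per connection, reporting handshakes that completed and those left half-open. The input is the three handshake lines captured above plus one constructed SYN that never receives a reply; the regex and the Packet fields are this example's own assumptions about the default output format, not an official grammar.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regex for a default-format tcpdump dump line of TCP over IPv4, the shape shown above:
#   HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: Flags [F], seq S, ack A, win W, options [...], length N
# seq/ack/win/options are optional because pure ACKs and SYNs omit some of them.
DUMP_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)"
)


@dataclass
class Packet:
    time: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str          # tcpdump letters: S=SYN, .=ACK, P=PSH, F=FIN, R=RST
    seq: Optional[str]  # "N" or "N:M" exactly as printed
    ack: Optional[int]
    win: Optional[int]
    length: int


def parse_dump_line(line: str) -> Optional[Packet]:
    """Return a Packet for a TCP/IPv4 dump line, or None for lines of another shape."""
    m = DUMP_LINE.match(line)
    if m is None:
        return None
    return Packet(
        time=m["time"], src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
        flags=m["flags"], seq=m["seq"],
        ack=int(m["ack"]) if m["ack"] else None,
        win=int(m["win"]) if m["win"] else None,
        length=int(m["length"]),
    )


FourTuple = Tuple[str, str, str, str]  # (client, client port, server, server port)


def track_handshakes(lines: List[str]) -> Tuple[List[FourTuple], Dict[FourTuple, int]]:
    """Follow SYN -> SYN/ACK -> ACK per connection four-tuple.

    Returns the completed handshakes and the pending ones (stage 1 = SYN seen,
    no reply yet; stage 2 = SYN/ACK seen, final ACK missing).
    """
    pending: Dict[FourTuple, int] = {}
    completed: List[FourTuple] = []
    for line in lines:
        p = parse_dump_line(line)
        if p is None:
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            pending[fwd] = 1
        elif p.flags == "S." and pending.get(rev) == 1:
            pending[rev] = 2
        elif "." in p.flags and "S" not in p.flags and pending.get(fwd) == 2:
            completed.append(fwd)
            del pending[fwd]
    return completed, pending


# Sample input: the three handshake lines from the capture above, plus one
# constructed SYN (last line) that never gets an answer.
SAMPLE_LINES = [
    "16:43:22.947734 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [S], seq 3607076262, win 64240, options [mss 1460,sackOK,TS val 2356831936 ecr 0,nop,wscale 7], length 0",
    "16:43:22.961963 IP luyuhuang.tech.http > 172.29.57.43.41858: Flags [S.], seq 1991848100, ack 3607076263, win 65160, options [mss 1424,sackOK,TS val 1839405528 ecr 2356831936,nop,wscale 7], length 0",
    "16:43:22.962003 IP 172.29.57.43.41858 > luyuhuang.tech.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 2356831951 ecr 1839405528], length 0",
    "16:43:30.000000 IP 172.29.57.43.41900 > luyuhuang.tech.http: Flags [S], seq 1, win 64240, options [mss 1460], length 0",
]

if __name__ == "__main__":
    done, still_open = track_handshakes(SAMPLE_LINES)
    print("completed:", done)
    print("pending:", still_open)
```

Feeding real output into this (for example `tcpdump -l -n ... | python3 script.py` with a loop over stdin) gives a quick count of connections that never finished their handshake, which is the first thing to look at when a host appears unresponsive or is being probed.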

Common options

tcpdump has many options; here we only introduce the commonly used ones. The rest can be looked up in the manual when you actually need them.

  • -i INTERFACE specifies the network interface. Use -i any to grab the data of all network interfaces.
  • -A Print the content of the packet in ASCII text, excluding the link layer header. Suitable for grabbing text protocols.
  • -X Print the contents of the packet in both hexadecimal and text form, excluding the link-layer header. The format looks like this:
     0x0000:  4500 0082 6aa1 4000 4006 27dd ac1d 392b  E...j.@.@.'...9+
     0x0010:  2b84 972b cf7e 0050 1b87 34d8 b04b de5b  +..+.~.P..4..K.[
     0x0020:  8018 01f6 a86c 0000 0101 080a 8cca db1f  .....l..........
     0x0030:  6df3 8eff 4745 5420 2f20 4854 5450 2f31  m...GET./.HTTP/1
     0x0040:  2e31 0d0a 486f 7374 3a20 6c75 7975 6875  .1..Host:.luyuhu
     0x0050:  616e 672e 7465 6368 0d0a 5573 6572 2d41  ang.tech..User-A

    Good for capturing binary protocols.

  • -XX Prints the contents of the packet, including the link-layer header, in both hexadecimal and text form.
  • -t do not print time on dump line.
  • -tt print time in UNIX timestamp format.
  • -ttt print the time interval since the last packet.
  • -v Display detailed information on the dump line. For example, it will display the ttl, id, and total length of the IP packet; the checksum of the TCP segment and other information.
  • -vv displays more detailed information.
  • -vvv displays even more detailed information.
  • -n does not convert the address into a name. For example, the above example shows that the server address is luyuhuang.tech.http , if you specify -n , it will show the IP address and port number 80.
  • -c COUNT captures the specified number of packets and exits automatically when that number is reached.
  • -s SNAPLEN Capture the first SNAPLEN bytes of the packet, the default is 262144. Adjusting this value appropriately according to needs can improve performance.
  • -# Print out the number of the packet.
  • -w FILE Write raw packet data to the specified file instead of printing them on the terminal. The file extension is usually .pcap , and the saved data can be analyzed later with tcpdump.
  • -r FILE Read and analyze the specified pcap file instead of capturing from a network interface. Here is an example of using -w and -r :
     $ tcpdump -i eth0 -w luyu.pcap 'tcp && port 80'
     11 packets captured
     11 packets received by filter
     0 packets dropped by kernel
     $ tcpdump -r luyu.pcap -# -ttt 'dst port 80'   # select packets sent to port 80
     reading from file luyu.pcap, link-type EN10MB (Ethernet)
         1  00:00:00.000000 IP 172.19.180.38.34716 > luyuhuang.tech.http: Flags [S], seq 3218407543, win 64240, options [mss 1460,sackOK,TS val 4127289318 ecr 0,nop,wscale 7], length 0
         2  00:00:00.026788 IP 172.19.180.38.34716 > luyuhuang.tech.http: Flags [.], ack 1418465742, win 502, options [nop,nop,TS val 4127289345 ecr 1941966167], length 0
         3  00:00:00.000199 IP 172.19.180.38.34716 > luyuhuang.tech.http: Flags [P.], seq 0:78, ack 1, win 502, options [nop,nop,TS val 4127289345 ecr 1941966167], length 78: HTTP: GET / HTTP/1.1
         4  00:00:00.028462 IP 172.19.180.38.34716 > luyuhuang.tech.http: Flags [.], ack 368, win 501, options [nop,nop,TS val 4127289374 ecr 1941966194], length 0

    It is worth mentioning that the pcap file can also be read by Wireshark. If you prefer Wireshark's graphical interface for viewing captured data, exporting a pcap file with -w is a good choice.

Expression syntax

The expression tells tcpdump which packets to capture. It consists of one or more basic expressions, combined with Boolean operators such as && and || . The format of a basic expression is one or more modifiers followed by an ID. Modifiers are predefined keywords such as tcp , host , port , etc.; IDs are the corresponding values, usually numbers, addresses or names. There are three kinds of modifiers:

  1. Type qualifier , indicating the type of ID. It can be host , net , port , portrange , etc. For example, host localhost , net 128.3 , port 20 , portrange 6000-6008 . If no type is specified, it defaults to host .
  2. Direction modifier , specifies the direction of transmission. It can be src or dst . Type fields usually come in pairs, one per direction: an IP packet has a source address and a destination address, and a TCP segment has a source port and a destination port. A direction modifier restricts matching to the type field in that direction. If no direction modifier is specified, the type fields in both directions are matched.
  3. Protocol modifier , specifies the protocol. It can be tcp , udp , ip , ip6 , arp , ether , etc. Several protocols share the same kind of type field, for example both TCP and UDP have ports, so a protocol modifier limits matching to one protocol. If no protocol modifier is specified, every protocol that has this kind of field is matched.

Some examples of basic expressions:

  • tcp : Capture all TCP protocol data.
  • port 20 : Capture TCP and UDP data whose source port or destination port is 20. Because no protocol is specified and both TCP and UDP have port fields, every protocol with a port field is matched; and because no direction is specified, both directions are matched.
  • tcp dst port 80 : Grab the TCP data whose target port is 80. Here, there are protocol modifiers to limit only capture TCP, and the direction modifier dst to limit the matching target port.

Basic expressions can be combined with logical operators. tcpdump's logical operators are and, or and not, which can be written either as && , || and ! or as and , or and not . Parentheses can be used to change the order of evaluation, for example host luyuhuang.tech && (port 80 || port 443) .

In compound expressions, modifiers can sometimes be omitted. If a basic expression provides only an ID and no modifiers, it takes the modifiers of the previous basic expression. For example, in the expression port 22 or 80 or 443 , the IDs 80 and 443 have no modifiers, so their modifier is taken to be port , and the expression is equivalent to port 22 or port 80 or port 443 .
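The inheritance rule and the "default type is host" rule above are easy to misread in a long filter, so here is an added example (not part of the original post) that expands a tcpdump expression so every ID carries explicit modifiers. It handles only basic expressions made of the three modifier kinds plus operators and parentheses; packet data accessors such as ip[0] are out of scope, and the qualifier keyword sets are this example's own assumption taken from the text.

```python
import re
from typing import List

# Qualifier classes, the three kinds of modifiers described in the text.
PROTO_QUALIFIERS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp", "sctp"}
DIR_QUALIFIERS = {"src", "dst"}
TYPE_QUALIFIERS = {"host", "net", "port", "portrange", "proto"}
QUALIFIERS = PROTO_QUALIFIERS | DIR_QUALIFIERS | TYPE_QUALIFIERS
OPERATORS = {"and", "or", "not", "&&", "||", "!"}

# Tokens: parentheses, the symbolic operators, and anything else separated by whitespace.
TOKEN = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")


def normalize(expr: str) -> str:
    """Expand tcpdump's qualifier shorthand so every ID carries explicit qualifiers.

    Rules applied:
      * an ID with no qualifiers inherits the qualifiers of the previous basic expression;
      * an ID whose qualifiers name no type gets the default type 'host';
      * a lone protocol keyword such as the 'tcp' in 'tcp && port 80' stays as it is.
    """
    out: List[str] = []
    current: List[str] = []   # qualifiers of the basic expression being read
    last: List[str] = []      # qualifiers of the last complete basic expression

    def flush_bare() -> None:
        # A protocol keyword with no ID is a complete basic expression on its own.
        if current:
            out.append(" ".join(current))
            current.clear()

    for tok in TOKEN.findall(expr):
        if tok in ("(", ")") or tok in OPERATORS:
            flush_bare()
            out.append(tok)
        elif tok in QUALIFIERS:
            current.append(tok)
        else:  # an ID: number, address, name or range
            quals = list(current) if current else list(last)
            if not any(q in TYPE_QUALIFIERS for q in quals):
                quals.append("host")
            out.append(" ".join(quals + [tok]))
            last = quals
            current.clear()
    flush_bare()
    return " ".join(out).replace("( ", "(").replace(" )", ")")


if __name__ == "__main__":
    for e in ("port 22 or 80 or 443",
              "tcp && host luyuhuang.tech && (port 80 || 443)",
              "src 10.0.0.1 and dst port 53"):
        print(f"{e!r:55} -> {normalize(e)!r}")
```

Printing the expanded form before starting a long capture is a cheap way to confirm that a filter written with shorthand really selects the traffic you intended.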

The usage of some modifiers is listed below:

  • dst host HOST : Match IPv4 and IPv6 packets whose destination address is HOST . HOST can be an IP address or a name.
  • src host HOST : Match IPv4 and IPv6 packets whose source address is HOST .
  • ip src host HOST : Match the packets whose IPv4 protocol source address is HOST .
  • host HOST : Match IPv4 and IPv6 protocols whose source address or destination address is HOST .
  • ether host EHOST : Match frames whose Ethernet protocol source or destination address is EHOST . Here EHOST is the MAC address.
  • net NET/LEN : Match IPv4 and IPv6 protocol source address or destination address of the network number of NET/LEN packets. For example, net 192.168.1.1/16 matches the address prefix 192.168 .
  • tcp port PORT : Match the packets whose TCP protocol source port or destination port is PORT .
  • tcp src port PORT : Match packets whose TCP source port is PORT .
  • port PORT : Match TCP and UDP packets whose source port or destination port is PORT .
  • portrange PORT1-PORT2 : Match TCP and UDP protocol port range packets between PORT1 and PORT2 .
  • ip proto PROTOCOL : Match IPv4 packets whose protocol number is PROTOCOL . PROTOCOL can be a number giving the protocol number, such as 6 for TCP or 17 for UDP, or a protocol name; the accepted names are icmp , icmp6 , igmp , igrp , pim , ah , esp , vrrp , udp and tcp . Note that icmp , tcp and udp are also keywords and must be escaped with a backslash \ when used as a name, for example \tcp .
  • ip6 proto PROTOCOL : Match IPv6 packets whose protocol number (actually the next header field in IPv6) is PROTOCOL .
  • proto PROTOCOL : Match IPv4 and IPv6 packets whose protocol number is PROTOCOL .
  • tcp , udp and icmp : actually the abbreviations of proto \tcp , proto \udp and proto \icmp . Because these three protocols are too commonly used, tcpdump provides these three abbreviations.

A basic expression can be thought of as stating the value of a certain field of a certain layer's protocol. Once you see it this way, tcpdump's syntax is easy to understand:

     ip src host 192.168.1.1     protocol: IP    field: source address      value: 192.168.1.1
     tcp dst port 8080           protocol: TCP   field: destination port    value: 8080
     ip proto igmp               protocol: IP    field: protocol number     value: IGMP (2)

Advanced usage

tcpdump also supports comparing certain bytes in the protocol to capture packets that meet the conditions. tcpdump provides a syntax called packet data accessor for obtaining specified bytes:

     PROTO [ POS : SIZE ]

PROTO is the protocol, which can be ether , ppp , ip , arp , rarp , tcp , udp , icmp , ip6 , etc.; POS is the byte offset from the beginning of that protocol's header; SIZE is how many bytes to take at that position, and can be 1, 2 or 4. If SIZE is omitted, one byte is taken. The value of a packet data accessor is a 32-bit unsigned integer.

Packet data accessors can perform some arithmetic operations ( + , - , * , / , % , & , | , ^ , << , >> ), and then perform comparison operations ( > , < , >= , <= , = , != ). For example:

  • ip[0] & 0xf != 5 captures all IPv4 packets that carry options. Bits 4 to 7 of the IPv4 header, that is, the low 4 bits of the first byte, hold the header length in 32-bit words; if the header length is not 5, the header is longer than the minimum 20 bytes, which means it contains option data.
  • ip[6:2] & 0x1fff = 0 captures IP packets whose fragment offset field is 0.
  • tcp[((tcp[12] & 0xf0) >> 4) * 4] == 42 captures segments whose first byte of TCP payload equals 42. The high 4 bits of byte 12 of the TCP header are the Data Offset field, which gives the length of the TCP header in words. Here (tcp[12] & 0xf0) >> 4 extracts the Data Offset field, which is then multiplied by 4 because a word is 4 bytes. So tcp[((tcp[12] & 0xf0) >> 4) * 4] is the first byte of the TCP payload.

Examples

Here are some common examples.

  • tcp port 80 captures TCP packets whose source port or destination port is 80.
  • tcp && host luyuhuang.tech && (port 80 || 443) grabs the TCP packets whose source or destination address is luyuhuang.tech , and whose source or destination port is 80 or 443.
  • icmp && src host 172.27.211.226 && dst host 172.27.208.1 grabs ICMP packets sent by 172.27.211.226 to 172.27.208.1.
  • tcp && host 172.27.211.226 && ! port 22 grabs the TCP communication with 172.27.211.226, and the package whose port is not 22.
  • tcp[((tcp[12] & 0xf0) >> 4) * 4 : 4] == 0x47455420 && tcp dst port 80 captures HTTP GET requests. tcp[((tcp[12] & 0xf0) >> 4) * 4 : 4] takes the first 4 bytes of the TCP payload, and 0x47455420 is simply the four characters "GET " :

     0x47455420 == 'G' << 24 | 'E' << 16 | 'T' << 8 | ' '
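To make the accessor arithmetic from the advanced usage section and the GET filter above concrete, here is an added example (not part of the original post) that implements PROTO[POS:SIZE] over a raw Ethernet/IPv4/TCP frame and evaluates the three predicates from the text against it. The frame is constructed in the script with zeroed MAC addresses and checksums, the addresses and ports in it are made up, and the function names are this example's own; it models pcap's behaviour of treating a packet too short for the accessor as non-matching.

```python
import struct

ETH_LEN = 14  # Ethernet header length; tcpdump's ether[...] accessor starts at offset 0


def build_frame(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"",
                frag_offset: int = 0) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (test data, not a real capture).
    MACs and checksums are zero; the accessor logic never reads them."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ihl = 5 + len(ip_options) // 4            # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4          # TCP data offset in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          41858, 80,          # source / destination port
                          1, 1,               # seq / ack
                          doff << 4, 0x18,    # data offset in the high nibble; flags PSH+ACK
                          502, 0, 0) + tcp_options
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234,
                         frag_offset & 0x1FFF,        # flags zero, 13-bit fragment offset
                         64, 6, 0,                    # TTL, protocol 6 = TCP, checksum
                         bytes([172, 29, 57, 43]), bytes([203, 0, 113, 10])) + ip_options
    ether = b"\x00" * 12 + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
    return ether + ip_hdr + tcp_hdr + payload


def layer_offset(frame: bytes, proto: str) -> int:
    """Byte offset where PROTO's header starts, i.e. what PROTO[0] refers to."""
    if proto == "ether":
        return 0
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 frames are handled in this example")
    if proto == "ip":
        return ETH_LEN
    ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4   # (ip[0] & 0xf) in bytes
    ip_proto = frame[ETH_LEN + 9]             # ip[9]
    if (proto, ip_proto) in (("tcp", 6), ("udp", 17), ("icmp", 1)):
        return ETH_LEN + ihl_bytes
    raise ValueError(f"frame does not carry {proto}")


def accessor(frame: bytes, proto: str, pos: int, size: int = 1) -> int:
    """PROTO[POS:SIZE] as a big-endian unsigned integer, as pcap-filter defines it."""
    if size not in (1, 2, 4):
        raise ValueError("SIZE must be 1, 2 or 4")
    start = layer_offset(frame, proto) + pos
    chunk = frame[start:start + size]
    if len(chunk) != size:
        raise IndexError("packet too short for accessor")
    return int.from_bytes(chunk, "big")


# The predicates from the text, written against the accessor.
def has_ip_options(frame: bytes) -> bool:        # ip[0] & 0xf != 5
    return accessor(frame, "ip", 0) & 0xF != 5


def is_first_fragment(frame: bytes) -> bool:     # ip[6:2] & 0x1fff = 0
    return accessor(frame, "ip", 6, 2) & 0x1FFF == 0


def tcp_payload_offset(frame: bytes) -> int:     # ((tcp[12] & 0xf0) >> 4) * 4
    return ((accessor(frame, "tcp", 12) & 0xF0) >> 4) * 4


def is_http_get(frame: bytes) -> bool:           # tcp[<payload offset>:4] == 0x47455420
    try:
        return accessor(frame, "tcp", tcp_payload_offset(frame), 4) == 0x47455420
    except IndexError:
        return False  # a packet too short for the accessor never matches


if __name__ == "__main__":
    f = build_frame(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    print("options:", has_ip_options(f), "first fragment:", is_first_fragment(f), "GET:", is_http_get(f))
```

Note what the GET filter does and does not see: the payload offset is recomputed per segment, so a SYN carrying TCP options still resolves correctly, but a request split across two segments, or one with a non-zero fragment offset, is not matched, which is why such byte-level filters are a triage aid rather than a substitute for reassembly.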

Further reading

The above is basically enough to work out the rest of tcpdump's usage by analogy. For more options, refer to man tcpdump ; to learn the expression syntax in depth, refer to man pcap-filter .
