This article is the final part of my three-part series covering 18 different tcpdump tips and tricks, in which I continue to show features that help you filter and organize the information tcpdump returns. I recommend reading parts one and two before continuing with the content below.
[ You might also like: An introduction to Wireshark ]
13. Filters based on TCP flags
You can filter TCP traffic on the individual TCP flags. The expression tcp[tcpflags] reads the flags byte of the TCP header (byte 13, so tcp[13] means the same thing), and the named constants tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr can be combined with & and |. Quote the expression: it contains brackets, & and !, all of which the shell would otherwise interpret. Two variants worth keeping in mind are tcp[tcpflags] == tcp-syn, which matches segments with only SYN set (new connection attempts, including port scans), and tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 for connection starts and ends. Here is an example that matches every segment with the ACK bit set, whatever the other bits are:
# tcpdump -i any "tcp[tcpflags] & tcp-ack !=0" -c3
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:01:26.064889 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 1819770188:1819770212, ack 92255846, win 530, options [nop,nop,TS val 2380606750 ecr 2653646722], length 24
21:01:26.065072 wlp0s20f3 Out IP kkulkarni.attlocal.net.37834 > ec2-54-227-95-54.compute-1.amazonaws.com.https: Flags [P.], seq 1:29, ack 24, win 501, options [nop,nop,TS val 2653656956 ecr 2380606750], length 28
21:01:26.066067 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 0:24, ack 1, win 530, options [nop,nop,TS val 2380607026 ecr 2653646722], length 24
3 packets captured
5 packets received by filter
0 packets dropped by kernel
14. Formatting
tcpdump can also change the output format: -x prints each packet in hex, -X prints hex alongside an ASCII column (the form shown below), and -A prints the packet as ASCII only. All three start at the IP header; -xx and -XX also include the link-layer header. Keep in mind that these options expose payload bytes: anything sent in cleartext (HTTP basic auth, FTP logins, unencrypted API tokens) is readable in the dump, so treat captures and capture files as sensitive.
# tcpdump -i any -c4 -X
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:17.917658 wlp0s20f3 In IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493377705:493378516, ack 1627250260, win 14, options [nop,nop,TS val 885998040 ecr 2038075821], length 811
0x0000: 456c 035f c3f4 4000 2f06 2a23 12d3 8541 El._..@./.*#...A
0x0010: c0a8 0159 01bb 8f44 1d68 58a9 60fd de54 ...Y...D.hX.`..T
0x0020: 8018 000e d2f8 0000 0101 080a 34cf 41d8 ............4.A.
0x0030: 797a 91ad 1703 0303 2609 56db 0bfc cdbf yz......&.V.....
0x0040: 2ab1 86eb 197c 2a34 f20f 58fa 9318 156e *....|*4..X....n
0x0050: 2719 ba42 b498 b32c c9c3 69e1 7de3 6070 '..B...,..i.}.`p
0x0060: a785 80f5 adee a501 6374 e5f9 61c3 2b6e ........ct..a.+n
0x0070: edde e3ff 2abe 0198 226a 6729 f325 8f4a ....*..."jg).%.J
0x0080: af0b d865 e44a e941 b03e fda7 501c 3de7 ...e.J.A.>..P.=.
0x0090: 28d9 58f9 be3f 9cd8 64aa 8701 f45b a280 (.X..?..d....[..
0x00a0: 9f19 ed22 9646 2f19 9f49 226a d55e 33bf ...".F/..I"j.^3.
0x00b0: ed13 e2cb ef26 bc37 f4d8 0a6e 7534 e278 .....&.7...nu4.x
0x00c0: e6b6 60b1 1abe 6457 efc6 eaf3 03ad 3b50 ..`...dW......;P
0x00d0: e98f 2751 2680 f3c6 c562 3b81 437b be3d ..'Q&....b;.C{.=
0x00e0: 9e36 0a8f 3cf2 3b5e 4569 7e4c 7c94 844c .6..<.;^Ei~L|..L
0x00f0: 5925 614e b8b1 a79e 0abb 9818 ff29 1b08 Y%aN.........)..
0x0100: 5e43 83fc 0049 5a08 a085 aec5 09fb 3277 ^C...IZ.......2w
0x0110: c971 db88 4fc4 0d27 b418 1dfe 946e 3c83 .q..O..'.....n<.
0x0120: d6f6 4ff1 9e7e 5c86 b4e6 e0e5 dd82 8827 ..O..~\........'
0x0130: 6ba6 46d1 2374 a1af 412a 1687 24cc 0c04 k.F.#t..A*..$...
0x0140: 2179 5293 67f4 14f0 b502 935a 86e5 f8bc !yR.g......Z....
0x0150: 83be e285 941e 0bec d022 5cdb 2cc2 db13 ........."\.,...
0x0160: a186 8ce0 300e 6893 a0f1 4906 7b67 7848 ....0.h...I.{gxH
0x0170: cc28 286d 5ceb c468 17f1 4ed4 7a4e e88a .((m\..h..N.zN..
0x0180: e71a 95b2 15c2 7a76 94da 1568 239e 5078 ......zv...h#.Px
0x0190: d264 8b40 d2d3 ba9a 6818 9871 8875 3ad0 .d.@....h..q.u:.
0x01a0: abac f776 0a22 b788 4acf 81ac 72d2 146c ...v."..J...r..l
0x01b0: 2c12 bc52 de57 fa96 66d5 c6cd f9b6 c428 ,..R.W..f......(
0x01c0: f7c8 f3ad 5b06 7da5 b7cf 15a7 7ac4 9760 ....[.}.....z..`
0x01d0: 0e70 cf36 e4ed d3b3 0e18 3046 5e9f 1dee .p.6......0F^...
0x01e0: 6277 c53b e38d ecf0 db89 7d19 32f2 1bed bw.;......}.2...
0x01f0: 6bb3 0ab5 0cb6 6b77 a40e 7bf5 5de3 7d4b k.....kw..{.].}K
0x0200: 0b96 474d 66f4 9589 39a4 d2ff 6c08 36aa ..GMf...9...l.6.
0x0210: 3fe9 89f5 6603 9f61 16ce 8cb9 e9c6 8d67 ?...f..a.......g
0x0220: 0b22 5ebc 39f3 50c2 cd70 08c3 01c6 2feb ."^.9.P..p..../.
0x0230: dbdc ba44 e091 8a8d e5b2 82c7 23ad c496 ...D........#...
0x0240: 7199 f3d1 34bf cff3 e51a 1d12 83ad 46ff q...4.........F.
0x0250: e93c 0975 729e ed82 3461 73dc c2ca abc1 .<.ur...4as.....
0x0260: 3e88 260d 1129 1777 2d0c 1a76 5234 123b >.&..).w-..vR4.;
0x0270: cef3 ef26 b12d 1eeb 82c2 554f 2112 18e9 ...&.-....UO!...
0x0280: ff14 a65d f7ae 2e53 8c9b 909c 9d32 4fab ...]...S.....2O.
0x0290: 2fc1 9154 ea1e 2318 06da 0f8e 07f0 555e /..T..#.......U^
0x02a0: 686b 9396 bfed 6771 d813 d32f f1ad 690e hk....gq.../..i.
0x02b0: 22b6 ea49 df3f 68ee a78b bdc5 bcca c6ac "..I.?h.........
0x02c0: 9c01 90fd 9c74 1a46 8981 dfe3 1492 9a2e .....t.F........
0x02d0: 67bc b4c2 f65f 0422 4f9c 1fad 86d3 1a4d g...._."O......M
0x02e0: c282 e510 88f9 dda8 9c0c c2c9 c114 59ab ..............Y.
0x02f0: 92a9 9f22 6cd8 0176 fd2b 7ce6 57ed 6849 ..."l..v.+|.W.hI
0x0300: 7214 c31a 49c1 46fe c980 01db 0fcb 5ddf r...I.F.......].
0x0310: a8d6 0b4f ea6a 6fa3 d359 04fb bcfa 7fde ...O.jo..Y......
0x0320: 6c6e 920a f40a fc41 7890 97af 2b5a 516c ln.....Ax...+ZQl
0x0330: 7b9f 3dbd 17ed a472 0d87 9897 9570 0a49 {.=....r.....p.I
0x0340: 84d6 b180 1c23 39f0 610b d6a8 a0ef 5e5c .....#9.a.....^\
0x0350: fa24 d1ef 6343 4d8a 1242 3a9a b25e b3 .$..cCM..B:..^.
21:03:17.917688 wlp0s20f3 Out IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 811, win 2033, options [nop,nop,TS val 2038075901 ecr 885998040], length 0
0x0000: 4500 0034 eba9 4000 4006 f504 c0a8 0159 E..4..@.@......Y
0x0010: 12d3 8541 8f44 01bb 60fd de54 1d68 5bd4 ...A.D..`..T.h[.
0x0020: 8010 07f1 5a3c 0000 0101 080a 797a 91fd ....Z<......yz..
0x0030: 34cf 41d8 4.A.
21:03:17.948052 wlp0s20f3 In IP ovpn-rdu2.redhat.com.https > kkulkarni.attlocal.net.49254: UDP, length 76
0x0000: 4500 0068 68eb 4000 3211 f29c 42bb e840 E..hh.@.2...B..@
0x0010: c0a8 0159 01bb c066 0054 36c8 4800 06ee ...Y...f.T6.H...
0x0020: 0032 9be8 f4aa ee8b 7e67 daa5 f3d2 a602 .2......~g......
0x0030: 67d0 8ca8 8c61 f4b2 12b2 47cd 6e96 661d g....a....G.n.f.
0x0040: 57f1 59be bdfc a1a6 a589 cde5 f027 d6b0 W.Y..........'..
0x0050: 1b57 72f9 348c 7735 03ca 8eb3 1dcd 8ef1 .Wr.4.w5........
0x0060: c8bd aec5 8442 f2cb .....B..
21:03:17.948133 tun0 In IP 10.0.115.119.https > kkulkarni.33082: Flags [.], ack 4094910727, win 400, options [nop,nop,TS val 3391720680 ecr 1350874080], length 0
0x0000: 4500 0034 6b11 4000 3606 db5f 0a00 7377 E..4k.@.6.._..sw
0x0010: 0a0a 76d2 01bb 813a c602 1989 f413 6107 ..v....:......a.
0x0020: 8010 0190 63c6 0000 0101 080a ca29 8ce8 ....c........)..
0x0030: 5084 b3e0 P...
4 packets captured
328 packets received by filter
0 packets dropped by kernel
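As an added example, not code from the original article, the Python below does by hand what sections 13 and 14 rely on: it turns the -X hex dump of the first two packets above back into bytes, decodes the IPv4 and TCP headers, and evaluates the same byte-13 tests that a tcp[tcpflags] filter expresses. The sample dumps are the two printed above, re-spaced with the two-space gap tcpdump itself puts before the ASCII column; the first packet is cut after four lines, as it is on the page, which still leaves its headers intact. All function and constant names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Bits of the TCP flags byte (byte 13 of the TCP header): the values behind
# tcpdump's tcp-fin, tcp-syn, ... names in "tcp[tcpflags] & ..." filters.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

# Order and letters of tcpdump's "Flags [..]" field; ACK is printed as ".".
FLAG_LETTERS = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"),
                (TCP_ACK, "."), (TCP_URG, "U"), (TCP_ECE, "E"), (TCP_CWR, "W")]

# Constructed sample: the two -X dumps above, re-spaced as tcpdump prints them.
# The first packet is cut after four lines, as on the page; headers are complete.
PKT_IN_HEX = """\
0x0000:  456c 035f c3f4 4000 2f06 2a23 12d3 8541  El._..@./.*#...A
0x0010:  c0a8 0159 01bb 8f44 1d68 58a9 60fd de54  ...Y...D.hX.`..T
0x0020:  8018 000e d2f8 0000 0101 080a 34cf 41d8  ............4.A.
0x0030:  797a 91ad 1703 0303 2609 56db 0bfc cdbf  yz......&.V.....
"""
PKT_OUT_HEX = """\
0x0000:  4500 0034 eba9 4000 4006 f504 c0a8 0159  E..4..@.@......Y
0x0010:  12d3 8541 8f44 01bb 60fd de54 1d68 5bd4  ...A.D..`..T.h[.
0x0020:  8010 07f1 5a3c 0000 0101 080a 797a 91fd  ....Z<......yz..
0x0030:  34cf 41d8                                4.A.
"""


def flags_to_str(flags: int) -> str:
    """Render a flags byte the way tcpdump's Flags field does ("P.", "S.", "F")."""
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit) or "none"


def matches_flag_filter(flags: int, mask: int, exact: bool = False) -> bool:
    """exact=False models 'tcp[tcpflags] & mask != 0' (any bit of mask set);
    exact=True models 'tcp[tcpflags] == mask' (exactly those bits, nothing else)."""
    return flags == mask if exact else (flags & mask) != 0


def parse_hexdump(text: str) -> bytes:
    """Turn 'tcpdump -X' lines back into bytes; only hex before the two-space gap counts."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s+(.*)$", line)
        if m:
            hex_part = re.split(r"\s{2,}", m.group(1).strip())[0]
            out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int
    win: int
    payload_len: int
    payload: bytes
    ts_val: Optional[int] = None
    ts_ecr: Optional[int] = None


def parse_ipv4_tcp(pkt: bytes) -> TcpSummary:
    """Decode IPv4 and TCP headers; -X output starts at the IP header (no link layer)."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    total_len = int.from_bytes(pkt[2:4], "big")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big")
    seq, ack = int.from_bytes(tcp[4:8], "big"), int.from_bytes(tcp[8:12], "big")
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]                      # the byte that tcp[tcpflags] tests
    win = int.from_bytes(tcp[14:16], "big")
    ts_val = ts_ecr = None
    opts, i = tcp[20:data_off], 0        # walk the (kind, length) option list
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 8 and length == 10:   # timestamps: TS val / ecr
            ts_val = int.from_bytes(opts[i + 2:i + 6], "big")
            ts_ecr = int.from_bytes(opts[i + 6:i + 10], "big")
        i += max(length, 2)
    # Payload length comes from the IP total length, so it is right even for a
    # truncated dump: 863 - 20 - 32 = 811, exactly what tcpdump printed above.
    payload_len = total_len - ihl - data_off
    return TcpSummary(src, dst, sport, dport, flags, seq, ack, win,
                      payload_len, tcp[data_off:], ts_val, ts_ecr)
```

Running parse_ipv4_tcp(parse_hexdump(PKT_IN_HEX)) reproduces the summary line tcpdump printed for that packet: flags 0x18 render as [P.], window 14, timestamps 885998040/2038075821 and length 811. The seq and ack values come out absolute, which is what tcpdump shows with -S; by default it switches to relative numbers after the first packet of a stream, which is why the second line in section 13 reads seq 1:29. The first payload bytes of the inbound packet are 17 03 03 03 26, a TLS application-data record header whose 806-byte length plus the 5-byte header gives the same 811, a quick way to confirm that a connection on port 443 really is carrying TLS and not something else.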
With the -A option, the packet contents are shown as ASCII, with non-printable bytes replaced by dots. The packets below carry no payload (a neighbor solicitation and a TCP handshake on the loopback interface), so only header bytes appear and nothing is readable; a cleartext protocol would show its request lines, headers and credentials here.
# tcpdump -i any -c4 -A
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:21.363917 wlp0s20f3 Out IP6 kkulkarni > ff02::1:ff0e:bfb6: ICMP6, neighbor solicitation, who has kkulkarni, length 32
`.... :.........Q{AZq..w.................................r.pm.....`.b...
21:03:21.363953 lo In IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [S], seq 3428690149, win 65476, options [mss 65476,sackOK,TS val 1750938785 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
`....,...........r.pm............r.pm....X...].....................
h]4........."...
21:03:21.363972 lo In IP6 kkulkarni.hostmon > kkulkarni.45656: Flags [S.], seq 3072789718, ack 3428690150, win 65464, options [mss 65476,sackOK,TS val 1750938785 ecr 1750938785,nop,wscale 7], length 0
`....(...........r.pm............r.pm......X.'...].................
h]4.h]4.....
21:03:21.363988 lo In IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [.], ack 1, win 512, options [nop,nop,TS val 1750938785 ecr 1750938785], length 0
`.... ...........r.pm............r.pm....X...]...'.......w.....
h]4.h]4.
4 packets captured
173 packets received by filter
0 packets dropped by kernel
15. Options for more verbosity
As with many Linux programs, more detailed output is sometimes useful. tcpdump uses -v, -vv, or -vvv to provide increasing levels of verbosity: -v adds fields such as the IP TTL, identification and total length and verifies header checksums; -vv and -vvv decode progressively more of the application-layer protocols tcpdump understands (DNS, NFS, SMB and others). Below are examples from the default verbosity through the three levels.
Default verbosity:
# tcpdump -i any -c1
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:00.903186 lo In IP kkulkarni.39876 > kkulkarni.hostmon: Flags [S], seq 1718143023, win 65495, options [mss 65495,sackOK,TS val 1879208671 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
1 packet captured
100 packets received by filter
0 packets dropped by kernel
Using the -v option. Note the cksum 0x0d5b (incorrect -> 0x6c92) annotation in the output: -v verifies checksums, but packets captured on the sending host are seen before the NIC fills in the checksum (and on lo the kernel never computes one), so an "incorrect" checksum on local or outgoing traffic is expected and not a sign of corruption. Incorrect checksums on traffic received from the network are the ones worth a second look.
# tcpdump -i any -c1 -v
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:04.209638 lo In IP6 (flowlabel 0xd17f0, hlim 1, next-header TCP (6) payload length: 44) kkulkarni.33022 > kkulkarni.hostmon: Flags [S], cksum 0x0d5b (incorrect -> 0x6c92), seq 2003870985, win 65476, options [mss 65476,sackOK,TS val 3266653263 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
1 packet captured
20 packets received by filter
0 packets dropped by kernel
Here is the -vv option:
# tcpdump -i any -c1 -vv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:05.916423 tun0 Out IP (tos 0x0, ttl 64, id 22069, offset 0, flags [DF], proto TCP (6), length 1360)
kkulkarni.37152 > 10.0.115.119.https: Flags [.], cksum 0xe218 (correct), seq 168413028:168414336, ack 944490821, win 502, options [nop,nop,TS val 1351042119 ecr 3391883323], length 1308
1 packet captured
235 packets received by filter
0 packets dropped by kernel
Finally, -vvv shows the maximum level of detail:
# tcpdump -i any -c1 -vvv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:08.076276 wlp0s20f3 B ifindex 3 cc:ab:2c:60:a4:a8 (oui Unknown) ethertype Unknown (0x7373), length 127:
0x0000: 1211 0000 0043 d3ea bdb4 5baf 9b3e 309c .....C....[..>0.
0x0010: f09c 490e b239 17dc be94 cffa 6e3e 5756 ..I..9......n>WV
0x0020: 9c35 702f fe49 0000 0201 8003 06cc ab2c .5p/.I.........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 087f 8d75 d5a4 8508 b3 .....u.....
1 packet captured
5 packets received by filter
0 packets dropped by kernel
16. Filter by protocol
You can use protocol names as filter primitives: tcp, udp, icmp, icmp6, ip, ip6 and arp, among others. They match on the IP protocol number (or EtherType), not on the application, so udp matches the DNS query and the VPN traffic to ovpn-rdu2.redhat.com below alike; combine them with port to narrow down, for example udp port 53. The examples here put the filter expression before the options, which works on Linux because GNU getopt reorders the arguments; the portable form puts the expression last. In this example, the command filters for UDP:
# tcpdump udp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:01.108588 IP kkulkarni.attlocal.net.49254 > ovpn-rdu2.redhat.com.https: UDP, length 108
21:10:01.178840 IP kkulkarni.attlocal.net.55267 > dsldevice.attlocal.net.domain: 55685+ PTR? 89.1.168.192.in-addr.arpa. (43)
2 packets captured
9 packets received by filter
0 packets dropped by kernel
Here, the same form of filter selects TCP:
# tcpdump tcp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:05.614912 IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493594593:493594680, ack 1627254976, win 16, options [nop,nop,TS val 886099951 ecr 2038478733], length 87
21:10:05.615050 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 87, win 2033, options [nop,nop,TS val 2038483598 ecr 886099951], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
17. Low-verbosity output
If you want the opposite of verbosity, use -q for quieter output: the protocol name and payload length are still printed (tcp 39 below), but the flags, sequence numbers and options are dropped, which makes it easier to see at a glance who is talking to whom.
# tcpdump tcp -i wlp0s20f3 -c2 -q
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:54.022506 IP kkulkarni.attlocal.net.37762 > whatsapp-cdn-shv-02-atl3.fbcdn.net.https: tcp 39
21:10:54.070360 IP whatsapp-cdn-shv-02-atl3.fbcdn.net.https > kkulkarni.attlocal.net.37762: tcp 39
2 packets captured
3 packets received by filter
0 packets dropped by kernel
18. Timestamp options
Some common options for printing timestamps are:
Remove timestamps
The -t option removes the timestamps.
# tcpdump tcp -i wlp0s20f3 -c2 -t
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 1609781320:1609781672, ack 1533085267, win 2318, options [nop,nop,TS val 1144363923 ecr 1220239837], length 352
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 352:530, ack 1, win 2318, options [nop,nop,TS val 1144363924 ecr 1220239837], length 178
2 packets captured
4 packets received by filter
0 packets dropped by kernel
Delta between consecutive packets
The -ttt option prints, instead of the wall-clock time, the time elapsed since the previous packet. This is the quickest way to spot spikes or slowdowns between packets. Related forms: -tt prints seconds since the Unix epoch (handy for correlating a capture with log files), -tttt prints the date as well as the time, and -ttttt prints the delta since the first packet.
# tcpdump tcp -i wlp0s20f3 -c2 -ttt
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:00:00.000000 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 1627256885:1627256944, ack 493640277, win 2033, options [nop,nop,TS val 2038675951 ecr 886146249], length 59
00:00:00.002185 IP kkulkarni.attlocal.net.36686 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 158675267:158675326, ack 3869427473, win 501, options [nop,nop,TS val 2038675953 ecr 242652703], length 59
2 packets captured
8 packets received by filter
0 packets dropped by kernel
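As an added example, not code from the original article, this Python reproduces what -ttt prints from lines that were captured with the default or the -tt timestamp, and lists the gaps above a threshold, which is the "spikes/slowdowns" check above turned into something you can run over the saved text output of a capture. The default HH:MM:SS stamp rolls over at midnight, which a naive subtraction reports as a huge negative gap; the code handles that, and it is one reason to prefer -tt for long captures. The sample lines are the three from section 13 with their options field trimmed, plus a constructed pair straddling midnight; function names are my own.

```python
import re

# Leading timestamp of a tcpdump summary line: the default "HH:MM:SS.uuuuuu"
# form or the -tt form "seconds-since-epoch.uuuuuu" (microsecond resolution).
_TS_RE = re.compile(r"^\s*(?:(\d{2}):(\d{2}):(\d{2})\.(\d{6})|(\d{9,10})\.(\d{6}))\s")

DAY_US = 24 * 60 * 60 * 1_000_000


def timestamp_us(line):
    """Return (microseconds, wraps_at_midnight) for a line, or None if it has no timestamp."""
    m = _TS_RE.match(line)
    if not m:
        return None
    if m.group(5):                                   # epoch form (-tt): never wraps
        return int(m.group(5)) * 1_000_000 + int(m.group(6)), False
    h, mi, s, us = (int(g) for g in m.groups()[:4])  # time-of-day form (default)
    return ((h * 60 + mi) * 60 + s) * 1_000_000 + us, True


def deltas(lines):
    """What -ttt prints: microseconds since the previous packet line (0 for the first)."""
    out, prev = [], None
    for line in lines:
        ts = timestamp_us(line)
        if ts is None:
            continue                  # "3 packets captured" and similar footer lines
        now, wraps = ts
        if prev is None:
            d = 0
        else:
            d = now - prev
            if d < 0 and wraps:       # time-of-day stamps roll over at midnight
                d += DAY_US
        out.append((d, line.rstrip()))
        prev = now
    return out


def slow_spots(lines, threshold_us):
    """Lines that arrived more than threshold_us after their predecessor."""
    return [(d, line) for d, line in deltas(lines) if d > threshold_us]


# Constructed sample: the three lines from section 13 above (options trimmed)
# plus the footer line tcpdump prints, and a pair of lines that straddle midnight.
SAMPLE = """\
21:01:26.064889 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], length 24
21:01:26.065072 wlp0s20f3 Out IP kkulkarni.attlocal.net.37834 > ec2-54-227-95-54.compute-1.amazonaws.com.https: Flags [P.], length 28
21:01:26.066067 wlp0s20f3 In IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], length 24
3 packets captured
""".splitlines()

MIDNIGHT = [
    "23:59:59.999900 IP 10.0.0.1.443 > 10.0.0.2.50000: Flags [.], length 0",
    "00:00:00.000100 IP 10.0.0.2.50000 > 10.0.0.1.443: Flags [.], length 0",
]

if __name__ == "__main__":
    for d, line in deltas(SAMPLE):
        print(f"{d:>10} us  {line[:70]}")
```

For the three lines from section 13 the output is 0, 183 and 995 microseconds, the same numbers -ttt would have printed; slow_spots(SAMPLE, 500) returns only the third line. Feed it the text of a longer capture (tcpdump -r file.pcap, or -tt for epoch stamps) and raise the threshold to find the retransmission timeouts and stalls that matter.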
[ Network out of control? Check out Network automation for everyone, a free book from Red Hat. ]
Wrap up
In part three, you looked at flag filters and other tcpdump features. One of the most useful topics covered is verbosity, which lets you control how much output the tcpdump command produces. This is the last article in the series, so make sure you have read parts one and two.
Series conclusion
There are many ways to use tcpdump. In this three-part series you have seen 18 different tips and tricks that will make your network packet captures more useful. You can use each of the options and keywords independently or together to build complex filter logic. The tcpdump command has a lot to offer for troubleshooting and exploring network traffic, and this, believe it or not, is only part of it. I encourage you to explore it further. Use those man pages. And don't worry: tcpdump only listens, so it cannot break anything on the wire. Do treat what it captures with care, though. A capture can contain credentials, session cookies and other secrets, and the decoders parse whatever untrusted data arrives, which is why the builds shown here give up root right after opening the interface (the "dropped privs to tcpdump" line in every example above).