
6 advanced tcpdump formatting options

This article is the final part of my three-part series covering 18 different tcpdump tips and tricks, in which I continue to show features that help you filter and organize the information tcpdump returns. I recommend reading parts one and two before continuing with the content below.


13. Filters based on TCP flags

You can filter TCP traffic based on the various TCP flags. Here is an example that filters on the tcp-ack flag.

# tcpdump -i any  "tcp[tcpflags] & tcp-ack !=0" -c3
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:01:26.064889 wlp0s20f3 In  IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 1819770188:1819770212, ack 92255846, win 530, options [nop,nop,TS val 2380606750 ecr 2653646722], length 24
21:01:26.065072 wlp0s20f3 Out IP kkulkarni.attlocal.net.37834 > ec2-54-227-95-54.compute-1.amazonaws.com.https: Flags [P.], seq 1:29, ack 24, win 501, options [nop,nop,TS val 2653656956 ecr 2380606750], length 28
21:01:26.066067 wlp0s20f3 In  IP ec2-54-227-95-54.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.37834: Flags [P.], seq 0:24, ack 1, win 530, options [nop,nop,TS val 2380607026 ecr 2653646722], length 24
3 packets captured
5 packets received by filter
0 packets dropped by kernel

14. Formatting

tcpdump can also adjust its output format, using -X for a hex dump or -A for ASCII.

# tcpdump -i any -c4 -X
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:17.917658 wlp0s20f3 In  IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493377705:493378516, ack 1627250260, win 14, options [nop,nop,TS val 885998040 ecr 2038075821], length 811
    0x0000:  456c 035f c3f4 4000 2f06 2a23 12d3 8541  El._..@./.*#...A
    0x0010:  c0a8 0159 01bb 8f44 1d68 58a9 60fd de54  ...Y...D.hX.`..T
    0x0020:  8018 000e d2f8 0000 0101 080a 34cf 41d8  ............4.A.
    0x0030:  797a 91ad 1703 0303 2609 56db 0bfc cdbf  yz......&.V.....
    0x0040:  2ab1 86eb 197c 2a34 f20f 58fa 9318 156e  *....|*4..X....n
    0x0050:  2719 ba42 b498 b32c c9c3 69e1 7de3 6070  '..B...,..i.}.`p
    0x0060:  a785 80f5 adee a501 6374 e5f9 61c3 2b6e  ........ct..a.+n
    0x0070:  edde e3ff 2abe 0198 226a 6729 f325 8f4a  ....*..."jg).%.J
    0x0080:  af0b d865 e44a e941 b03e fda7 501c 3de7  ...e.J.A.>..P.=.
    0x0090:  28d9 58f9 be3f 9cd8 64aa 8701 f45b a280  (.X..?..d....[..
    0x00a0:  9f19 ed22 9646 2f19 9f49 226a d55e 33bf  ...".F/..I"j.^3.
    0x00b0:  ed13 e2cb ef26 bc37 f4d8 0a6e 7534 e278  .....&.7...nu4.x
    0x00c0:  e6b6 60b1 1abe 6457 efc6 eaf3 03ad 3b50  ..`...dW......;P
    0x00d0:  e98f 2751 2680 f3c6 c562 3b81 437b be3d  ..'Q&....b;.C{.=
    0x00e0:  9e36 0a8f 3cf2 3b5e 4569 7e4c 7c94 844c  .6..<.;^Ei~L|..L
    0x00f0:  5925 614e b8b1 a79e 0abb 9818 ff29 1b08  Y%aN.........)..
    0x0100:  5e43 83fc 0049 5a08 a085 aec5 09fb 3277  ^C...IZ.......2w
    0x0110:  c971 db88 4fc4 0d27 b418 1dfe 946e 3c83  .q..O..'.....n<.
    0x0120:  d6f6 4ff1 9e7e 5c86 b4e6 e0e5 dd82 8827  ..O..~\........'
    0x0130:  6ba6 46d1 2374 a1af 412a 1687 24cc 0c04  k.F.#t..A*..$...
    0x0140:  2179 5293 67f4 14f0 b502 935a 86e5 f8bc  !yR.g......Z....
    0x0150:  83be e285 941e 0bec d022 5cdb 2cc2 db13  ........."\.,...
    0x0160:  a186 8ce0 300e 6893 a0f1 4906 7b67 7848  ....0.h...I.{gxH
    0x0170:  cc28 286d 5ceb c468 17f1 4ed4 7a4e e88a  .((m\..h..N.zN..
    0x0180:  e71a 95b2 15c2 7a76 94da 1568 239e 5078  ......zv...h#.Px
    0x0190:  d264 8b40 d2d3 ba9a 6818 9871 8875 3ad0  .d.@....h..q.u:.
    0x01a0:  abac f776 0a22 b788 4acf 81ac 72d2 146c  ...v."..J...r..l
    0x01b0:  2c12 bc52 de57 fa96 66d5 c6cd f9b6 c428  ,..R.W..f......(
    0x01c0:  f7c8 f3ad 5b06 7da5 b7cf 15a7 7ac4 9760  ....[.}.....z..`
    0x01d0:  0e70 cf36 e4ed d3b3 0e18 3046 5e9f 1dee  .p.6......0F^...
    0x01e0:  6277 c53b e38d ecf0 db89 7d19 32f2 1bed  bw.;......}.2...
    0x01f0:  6bb3 0ab5 0cb6 6b77 a40e 7bf5 5de3 7d4b  k.....kw..{.].}K
    0x0200:  0b96 474d 66f4 9589 39a4 d2ff 6c08 36aa  ..GMf...9...l.6.
    0x0210:  3fe9 89f5 6603 9f61 16ce 8cb9 e9c6 8d67  ?...f..a.......g
    0x0220:  0b22 5ebc 39f3 50c2 cd70 08c3 01c6 2feb  ."^.9.P..p..../.
    0x0230:  dbdc ba44 e091 8a8d e5b2 82c7 23ad c496  ...D........#...
    0x0240:  7199 f3d1 34bf cff3 e51a 1d12 83ad 46ff  q...4.........F.
    0x0250:  e93c 0975 729e ed82 3461 73dc c2ca abc1  .<.ur...4as.....
    0x0260:  3e88 260d 1129 1777 2d0c 1a76 5234 123b  >.&..).w-..vR4.;
    0x0270:  cef3 ef26 b12d 1eeb 82c2 554f 2112 18e9  ...&.-....UO!...
    0x0280:  ff14 a65d f7ae 2e53 8c9b 909c 9d32 4fab  ...]...S.....2O.
    0x0290:  2fc1 9154 ea1e 2318 06da 0f8e 07f0 555e  /..T..#.......U^
    0x02a0:  686b 9396 bfed 6771 d813 d32f f1ad 690e  hk....gq.../..i.
    0x02b0:  22b6 ea49 df3f 68ee a78b bdc5 bcca c6ac  "..I.?h.........
    0x02c0:  9c01 90fd 9c74 1a46 8981 dfe3 1492 9a2e  .....t.F........
    0x02d0:  67bc b4c2 f65f 0422 4f9c 1fad 86d3 1a4d  g...._."O......M
    0x02e0:  c282 e510 88f9 dda8 9c0c c2c9 c114 59ab  ..............Y.
    0x02f0:  92a9 9f22 6cd8 0176 fd2b 7ce6 57ed 6849  ..."l..v.+|.W.hI
    0x0300:  7214 c31a 49c1 46fe c980 01db 0fcb 5ddf  r...I.F.......].
    0x0310:  a8d6 0b4f ea6a 6fa3 d359 04fb bcfa 7fde  ...O.jo..Y......
    0x0320:  6c6e 920a f40a fc41 7890 97af 2b5a 516c  ln.....Ax...+ZQl
    0x0330:  7b9f 3dbd 17ed a472 0d87 9897 9570 0a49  {.=....r.....p.I
    0x0340:  84d6 b180 1c23 39f0 610b d6a8 a0ef 5e5c  .....#9.a.....^\
    0x0350:  fa24 d1ef 6343 4d8a 1242 3a9a b25e b3    .$..cCM..B:..^.
21:03:17.917688 wlp0s20f3 Out IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 811, win 2033, options [nop,nop,TS val 2038075901 ecr 885998040], length 0
    0x0000:  4500 0034 eba9 4000 4006 f504 c0a8 0159  E..4..@.@......Y
    0x0010:  12d3 8541 8f44 01bb 60fd de54 1d68 5bd4  ...A.D..`..T.h[.
    0x0020:  8010 07f1 5a3c 0000 0101 080a 797a 91fd  ....Z<......yz..
    0x0030:  34cf 41d8                                4.A.
21:03:17.948052 wlp0s20f3 In  IP ovpn-rdu2.redhat.com.https > kkulkarni.attlocal.net.49254: UDP, length 76
    0x0000:  4500 0068 68eb 4000 3211 f29c 42bb e840  E..hh.@.2...B..@
    0x0010:  c0a8 0159 01bb c066 0054 36c8 4800 06ee  ...Y...f.T6.H...
    0x0020:  0032 9be8 f4aa ee8b 7e67 daa5 f3d2 a602  .2......~g......
    0x0030:  67d0 8ca8 8c61 f4b2 12b2 47cd 6e96 661d  g....a....G.n.f.
    0x0040:  57f1 59be bdfc a1a6 a589 cde5 f027 d6b0  W.Y..........'..
    0x0050:  1b57 72f9 348c 7735 03ca 8eb3 1dcd 8ef1  .Wr.4.w5........
    0x0060:  c8bd aec5 8442 f2cb                      .....B..
21:03:17.948133 tun0  In  IP 10.0.115.119.https > kkulkarni.33082: Flags [.], ack 4094910727, win 400, options [nop,nop,TS val 3391720680 ecr 1350874080], length 0
    0x0000:  4500 0034 6b11 4000 3606 db5f 0a00 7377  E..4k.@.6.._..sw
    0x0010:  0a0a 76d2 01bb 813a c602 1989 f413 6107  ..v....:......a.
    0x0020:  8010 0190 63c6 0000 0101 080a ca29 8ce8  ....c........)..
    0x0030:  5084 b3e0                                P...
4 packets captured
328 packets received by filter
0 packets dropped by kernel

With the -A option, the packet contents are displayed as ASCII.

# tcpdump -i any -c4 -A
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:03:21.363917 wlp0s20f3 Out IP6 kkulkarni > ff02::1:ff0e:bfb6: ICMP6, neighbor solicitation, who has kkulkarni, length 32
`.... :.........Q{AZq..w.................................r.pm.....`.b...
21:03:21.363953 lo    In  IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [S], seq 3428690149, win 65476, options [mss 65476,sackOK,TS val 1750938785 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
`....,...........r.pm............r.pm....X...].....................
h]4........."...
21:03:21.363972 lo    In  IP6 kkulkarni.hostmon > kkulkarni.45656: Flags [S.], seq 3072789718, ack 3428690150, win 65464, options [mss 65476,sackOK,TS val 1750938785 ecr 1750938785,nop,wscale 7], length 0
`....(...........r.pm............r.pm......X.'...].................
h]4.h]4.....
21:03:21.363988 lo    In  IP6 kkulkarni.45656 > kkulkarni.hostmon: Flags [.], ack 1, win 512, options [nop,nop,TS val 1750938785 ecr 1750938785], length 0
`.... ...........r.pm............r.pm....X...]...'.......w.....
h]4.h]4.
4 packets captured
173 packets received by filter
0 packets dropped by kernel
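To make concrete what the tcp-ack filter in section 13 tests and what the -X dump in section 14 contains, here is an added Python example (not from the original article) that parses the second packet of the -X dump back into bytes, reads the TCP flags byte that `tcp[tcpflags]` refers to, and evaluates flag filters the way `tcp[tcpflags] & tcp-ack != 0` does. The hex dump is copied from this page; any other packets you feed it are your own.

```python
# Constructed copy of the second packet of the -X dump above (a pure ACK, 52 bytes).
HEX_DUMP = """\
    0x0000:  4500 0034 eba9 4000 4006 f504 c0a8 0159  E..4..@.@......Y
    0x0010:  12d3 8541 8f44 01bb 60fd de54 1d68 5bd4  ...A.D..`..T.h[.
    0x0020:  8010 07f1 5a3c 0000 0101 080a 797a 91fd  ....Z<......yz..
    0x0030:  34cf 41d8                                4.A.
"""

# Flag names accepted by tcpdump's filter language, with their bit values.
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}

def parse_hex_dump(text):
    """Turn tcpdump -X lines back into raw bytes, ignoring the ASCII column."""
    raw = bytearray()
    for line in text.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        hex_part = rest.strip().split("  ")[0]   # hex groups stop at the wide gap
        raw += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(raw)

def tcp_flags_of(pkt):
    """The TCP flags byte (what tcp[tcpflags] reads), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # version 4, protocol 6
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
    if len(pkt) < ihl + 20:
        return None
    return pkt[ihl + 13]                       # flags sit at TCP header offset 13

def matches(pkt, *names, exact=False):
    """tcpdump's 'tcp[tcpflags] & (a|b) != 0' test; exact=True is the
    '& (a|b) == (a|b)' form, which needs every named flag to be set."""
    flags = tcp_flags_of(pkt)
    if flags is None:
        return False
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name]
    return (flags & mask) == mask if exact else (flags & mask) != 0

def flag_string(flags):
    """Render the flags byte the way tcpdump prints it, e.g. 0x18 -> '[P.]'."""
    letters = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
               (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
    text = "".join(ch for bit, ch in letters if flags & bit)
    return "[" + (text or "none") + "]"
```

`flag_string(tcp_flags_of(parse_hex_dump(HEX_DUMP)))` gives `[.]`, the same `Flags [.]` tcpdump printed for that packet.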

15. Options for more verbosity

As with some other Linux programs, it is sometimes useful to get more detailed output. tcpdump uses -v, -vv, or -vvv to provide different levels of verbosity. See below for examples ranging from no verbosity to three levels of verbosity.

Default verbosity:

# tcpdump -i any -c1
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:00.903186 lo    In  IP kkulkarni.39876 > kkulkarni.hostmon: Flags [S], seq 1718143023, win 65495, options [mss 65495,sackOK,TS val 1879208671 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
1 packet captured
100 packets received by filter
0 packets dropped by kernel

Using the -v option:

# tcpdump -i any -c1 -v
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:04.209638 lo    In  IP6 (flowlabel 0xd17f0, hlim 1, next-header TCP (6) payload length: 44) kkulkarni.33022 > kkulkarni.hostmon: Flags [S], cksum 0x0d5b (incorrect -> 0x6c92), seq 2003870985, win 65476, options [mss 65476,sackOK,TS val 3266653263 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
1 packet captured
20 packets received by filter
0 packets dropped by kernel

Here is the -vv option:

# tcpdump -i any -c1 -vv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:05.916423 tun0  Out IP (tos 0x0, ttl 64, id 22069, offset 0, flags [DF], proto TCP (6), length 1360)
    kkulkarni.37152 > 10.0.115.119.https: Flags [.], cksum 0xe218 (correct), seq 168413028:168414336, ack 944490821, win 502, options [nop,nop,TS val 1351042119 ecr 3391883323], length 1308
1 packet captured
235 packets received by filter
0 packets dropped by kernel

Finally, show the maximum level of detail with the -vvv option:

# tcpdump -i any -c1 -vvv
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:06:08.076276 wlp0s20f3 B   ifindex 3 cc:ab:2c:60:a4:a8 (oui Unknown) ethertype Unknown (0x7373), length 127:
    0x0000:  1211 0000 0043 d3ea bdb4 5baf 9b3e 309c  .....C....[..>0.
    0x0010:  f09c 490e b239 17dc be94 cffa 6e3e 5756  ..I..9......n>WV
    0x0020:  9c35 702f fe49 0000 0201 8003 06cc ab2c  .5p/.I.........,
    0x0030:  60a4 a104 0104 0701 071b 0100 0806 ccab  `...............
    0x0040:  2c60 a4a8 0901 030e 1800 0000 0000 0000  ,`..............
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0019 087f 8d75 d5a4 8508 b3              .....u.....
1 packet captured
5 packets received by filter
0 packets dropped by kernel

16. Filter by protocol

You can use protocol names to filter packets for a particular protocol.

In this example, the command filters for UDP:

# tcpdump udp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:01.108588 IP kkulkarni.attlocal.net.49254 > ovpn-rdu2.redhat.com.https: UDP, length 108
21:10:01.178840 IP kkulkarni.attlocal.net.55267 > dsldevice.attlocal.net.domain: 55685+ PTR? 89.1.168.192.in-addr.arpa. (43)
2 packets captured
9 packets received by filter
0 packets dropped by kernel

In this case, the filter displays TCP data:

# tcpdump tcp -i wlp0s20f3 -c2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:05.614912 IP ec2-18-211-133-65.compute-1.amazonaws.com.https > kkulkarni.attlocal.net.36676: Flags [P.], seq 493594593:493594680, ack 1627254976, win 16, options [nop,nop,TS val 886099951 ecr 2038478733], length 87
21:10:05.615050 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [.], ack 87, win 2033, options [nop,nop,TS val 2038483598 ecr 886099951], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel

17. Low-verbosity output

If you want the opposite of verbosity, use -q for quieter (low-verbosity) output.

# tcpdump tcp -i wlp0s20f3 -c2 -q
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:10:54.022506 IP kkulkarni.attlocal.net.37762 > whatsapp-cdn-shv-02-atl3.fbcdn.net.https: tcp 39
21:10:54.070360 IP whatsapp-cdn-shv-02-atl3.fbcdn.net.https > kkulkarni.attlocal.net.37762: tcp 39
2 packets captured
3 packets received by filter
0 packets dropped by kernel

18. Timestamp options

Some of the common options for printing timestamps are:

Remove timestamps

The -t option removes the timestamps.

# tcpdump tcp -i wlp0s20f3 -c2 -t
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 1609781320:1609781672, ack 1533085267, win 2318, options [nop,nop,TS val 1144363923 ecr 1220239837], length 352
IP kkulkarni.attlocal.net.36748 > lga15s49-in-f14.1e100.net.https: Flags [P.], seq 352:530, ack 1, win 2318, options [nop,nop,TS val 1144363924 ecr 1220239837], length 178
2 packets captured
4 packets received by filter
0 packets dropped by kernel

Difference between consecutive packets

The -ttt option prints, for each packet, the time elapsed since the previous packet. This information is useful for spotting bursts or slowdowns in the traffic.

# tcpdump tcp -i wlp0s20f3 -c2 -ttt
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 00:00:00.000000 IP kkulkarni.attlocal.net.36676 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 1627256885:1627256944, ack 493640277, win 2033, options [nop,nop,TS val 2038675951 ecr 886146249], length 59
 00:00:00.002185 IP kkulkarni.attlocal.net.36686 > ec2-18-211-133-65.compute-1.amazonaws.com.https: Flags [P.], seq 158675267:158675326, ack 3869427473, win 501, options [nop,nop,TS val 2038675953 ecr 242652703], length 59
2 packets captured
8 packets received by filter
0 packets dropped by kernel
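To show exactly what the -ttt column is, here is an added Python example (not from the original article) that reproduces the per-packet delta from default-format tcpdump lines and picks out packets that arrived after an unusually long gap. The first two sample lines are copied from the -q output in section 17; the third line and the one-second threshold are constructed for the example.

```python
import re

# Constructed sample in tcpdump's default (absolute timestamp) format: the first
# two lines come from the -q output on this page, the third is made up to show a gap.
LINES = """\
21:10:54.022506 IP kkulkarni.attlocal.net.37762 > whatsapp-cdn-shv-02-atl3.fbcdn.net.https: tcp 39
21:10:54.070360 IP whatsapp-cdn-shv-02-atl3.fbcdn.net.https > kkulkarni.attlocal.net.37762: tcp 39
21:10:56.570360 IP kkulkarni.attlocal.net.37762 > whatsapp-cdn-shv-02-atl3.fbcdn.net.https: tcp 39
""".splitlines()

TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) ")
US_PER_DAY = 24 * 3600 * 10**6

def to_us(line):
    """Absolute timestamp of a tcpdump line as microseconds since midnight."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no timestamp: " + line)
    h, mi, s, us = (int(x) for x in m.groups())
    return ((h * 60 + mi) * 60 + s) * 10**6 + us

def fmt_delta(us):
    """Render a delta the way -ttt does: HH:MM:SS.uuuuuu."""
    s, us = divmod(us, 10**6)
    h, s = divmod(s, 3600)
    mi, s = divmod(s, 60)
    return f"{h:02d}:{mi:02d}:{s:02d}.{us:06d}"

def deltas(lines):
    """Microseconds since the previous packet for each line (first is zero),
    like -ttt; a capture crossing midnight wraps the clock, so wrap negatives."""
    out, prev = [], None
    for line in lines:
        now = to_us(line)
        d = 0 if prev is None else (now - prev) % US_PER_DAY
        out.append(d)
        prev = now
    return out

def slow_packets(lines, threshold_s):
    """Lines preceded by a gap longer than threshold_s seconds, a quick way to
    spot stalls when reading -ttt style output."""
    return [line for line, d in zip(lines, deltas(lines)) if d > threshold_s * 10**6]

if __name__ == "__main__":
    for line, d in zip(LINES, deltas(LINES)):
        print(fmt_delta(d), line)
```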


Wrap up

In part three, you looked at flag filters and other tcpdump features. One of the most useful topics covered is verbosity, which lets you control the level of output from the tcpdump command. This is the last article in the series, so be sure you have read parts one and two.

Series conclusion

There are many ways to use tcpdump. In this three-part series of articles, you have seen 18 different tips and tricks that will make your network packet captures more useful. You can use each of the options and keywords on its own or combine them to build complex filter logic. The tcpdump command has a lot to offer for troubleshooting and exploring network traffic, and this, believe it or not, is only part of it. I encourage you to explore it further. Use those man pages. And don't worry, you can't damage anything by using tcpdump.
