Super-detailed Tcpdump Usage
1. Capture packets on the loopback interface: tcpdump -i lo
2. Prevent packet truncation: tcpdump -s0
3. Show hosts and ports numerically: tcpdump -n
The first kind is type keywords, mainly host, net and port. For example, host 210.27.48.2 specifies that 210.27.48.2 is a host, net 202.0.0.0 specifies that 202.0.0.0 is a network address, and port 23 specifies port number 23. If no type is given, the default type is host.
The second kind is keywords that determine the direction of transfer, mainly src, dst, dst or src, and dst and src; these keywords specify the direction of transmission. For example, src 210.27.48.2 specifies that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 specifies that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
The third kind is protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi specifies a particular network protocol on FDDI (Fiber Distributed Data Interface) networks; it is actually an alias for "ether", and fddi and ether have similar source and destination addresses, so fddi packets can be processed and analysed as ether packets. The other keywords simply specify the protocol of the packets to capture. If no protocol is specified, tcpdump captures packets of all protocols.
Besides these three kinds of keywords, other important keywords are: gateway, broadcast, less, greater, and three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'. These keywords can be combined into powerful compound conditions to meet one's needs; several examples follow.
Normally, starting tcpdump with no arguments monitors all packets flowing through the first network interface.
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014 0002
000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
ffff 0060 0004 ffff ffff ffff ffff ffff
0452 ffff ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
0000 00
Use the -i parameter to specify the network interface tcpdump listens on; this is very useful when the machine has several network interfaces.
Use the -c parameter to specify how many packets to capture.
Use the -w parameter to write the captured packets to a file.
A. To capture all packets received and sent by host 210.27.48.1:
B. To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, use the command: (when using parentheses on the command line, be sure to
C. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use the command:
D. To capture the telnet packets received or sent by host 210.27.48.1, use the following command:
E. Monitor UDP port 123 on this machine (123 is the NTP service port).
F. The system will monitor only the packets of the host named hostname. The host name can be the local host or any computer on the network. The following command reads all data sent by host hostname:
G. The following command monitors all packets sent to host hostname:
H. We can also monitor the packets passing through a specified gateway:
I. If you also want to monitor TCP or UDP packets addressed to a specified port, run the following command:
L. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2, use the command:
#tcpdump ip host 210.27.48.1 and ! 210.27.48.2
M. To capture the telnet packets received or sent by host 210.27.48.1, use the following command (the two primitives must be joined with and; tcpdump rejects them side by side):
#tcpdump tcp port 23 and host 210.27.48.1
If we only want to list the packets sent to port 80, use dst port; if we only want to see the packets coming back from port 80, use src port.
Or
If there are many conditions, each condition must be preceded by and, or, or not.
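The keyword rules above (type, direction and protocol qualifiers with their defaults, not/and/or with parentheses, and a bare address inheriting the preceding qualifiers as in example L) as an added example that is not part of the original page or of tcpdump: a small evaluator that applies such filter expressions to constructed packet records, so the effect of each keyword can be checked without a live capture. It goes one step beyond the text by also applying tcpdump's documented rule that a dotted pair, triple or quad after net means a /16, /24 or /32 mask; PACKETS, compile_filter and select are this example's own names.

```python
"""Evaluate the tcpdump filter subset described above against constructed sample
packets. Added example, not tcpdump's own code: real tcpdump compiles filters to
BPF; this only mirrors the text's keyword semantics (protocol, direction and type
qualifiers, not/and/or with parentheses, and qualifier inheritance by bare values)."""
import ipaddress
import re

TOKENS = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")
PROTOS, DIRS, KINDS = ("ip", "tcp", "udp"), ("src", "dst"), ("host", "net", "port")
PACKETS = [  # constructed sample packets, not a real capture
    dict(id=1, proto="tcp", src="210.27.48.1", sport=23, dst="210.27.48.2", dport=40001),
    dict(id=2, proto="tcp", src="210.27.48.3", sport=40002, dst="210.27.48.1", dport=23),
    dict(id=3, proto="udp", src="192.168.0.5", sport=123, dst="210.27.48.1", dport=123),
]

def network(text):  # tcpdump rule: a dotted pair/triple/quad means a /16, /24, /32 mask
    if "/" not in text:
        parts = text.split(".")
        text = ".".join(parts + ["0"] * (4 - len(parts))) + f"/{8 * len(parts)}"
    return ipaddress.ip_network(text, strict=False)

def compile_filter(expr):
    """Recursive-descent parse of a filter expression into a packet predicate."""
    toks, last = TOKENS.findall(expr), [DIRS, None, "host"]
    peek = lambda *w: bool(toks) and (not w or toks[0] in w)
    take = lambda: toks.pop(0)
    accept = lambda *w: peek(*w) and take()  # consume the next token only if it is one of w
    def chain(sub, words, op):  # sub (words sub)*, left-associative
        f = sub()
        while accept(*words):
            f = (lambda a, b: lambda p: op(a(p), b(p)))(f, sub())
        return f
    def unary():  # ('not' | '!') unary | '(' expr ')' | primitive
        if accept("not", "!"):
            inner = unary()
            return lambda p: not inner(p)
        if accept("("):
            inner = expr_()
            if take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        return primitive()
    def primitive():  # [ip|tcp|udp] [src|dst] [host|net|port] value
        dirs, proto, kind = DIRS, None, "host"  # defaults: src or dst, any proto, host
        if not peek(*PROTOS + DIRS + KINDS):
            dirs, proto, kind = last  # bare value: 'host X and ! Y' means '... ! host Y'
        if peek(*PROTOS):
            proto = take()
        if peek(*DIRS):
            dirs = (take(),)
        if peek(*KINDS):
            kind = take()
        value, last[:] = take(), (dirs, proto, kind)
        def hit(p, d):  # one direction: port number, or address inside host (/32) or net
            if kind == "port":
                return p["sport" if d == "src" else "dport"] == int(value)
            return ipaddress.ip_address(p[d]) in (network(value) if kind == "net" else ipaddress.ip_network(value))
        return lambda p: proto in (None, "ip", p["proto"]) and any(hit(p, d) for d in dirs)
    and_ = lambda: chain(unary, ("and", "&&"), lambda x, y: x and y)
    expr_ = lambda: chain(and_, ("or", "||"), lambda x, y: x or y)
    match = expr_()
    if toks:
        raise SyntaxError(f"unexpected token {toks[0]!r}")
    return match

def select(expr, packets=PACKETS):
    """Return the ids of the packets that a tcpdump-style filter would keep."""
    match = compile_filter(expr)
    return [p["id"] for p in packets if match(p)]
```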
If promiscuous mode is used on an Ethernet interface, the system log will record:
May 7 20:03:46 localhost kernel: eth0: Promiscuous mode enabled.
May 7 20:03:46 localhost kernel: device eth0 entered promiscuous mode
May 7 20:03:57 localhost kernel: device eth0 left promiscuous mode
tcpdump does not fully decode the captured data; most of the packet contents are printed directly in hexadecimal. This is obviously not convenient for analysing network problems, so the usual approach is to first capture the data with tcpdump -w and save it to a file, then decode and analyse it with another program. Filter rules should of course also be defined so that the captured packets do not fill the whole disk.
00:02:03.096713 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010208:2010352(144) ack 33377 win 8576
00:02:03.096951 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010352:2010496(144) ack 33377 win 8576
00:02:03.100928 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010496:2010640(144) ack 33377 win 8576
00:02:03.101165 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010640:2010784(144) ack 33377 win 8576
00:02:03.102554 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 2010784:2010928(144) ack 33425 win 8576
This shows that at 00:02:03, 211.167.237.199 was connected from its ssh source port to port 1467 of 221.216.165.189.
00:09:27.603075 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180400:180544(144) ack 2833 win 8576
00:09:27.605631 IP 211.167.237.199.ssh > 221.216.165.189.1467: P 180544:180688(144) ack 2881 win 8576
Capture all packets that come in via eth0 whose source (src) host is 192.168.0.5 and (and) whose destination (dst) port is 80:
Viewing the status of packets sent and received by the network card
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 14639 0 0 0 5705 119 0 0 BMRU
Iface: network interface
RX-OK RX-ERR RX-DRP RX-OVR: the number of packets correctly received by the interface, and the totals of errors, losses and collisions that occurred
TX-OK TX-ERR TX-DRP TX-OVR: the number of packets correctly sent by the interface, and the totals of errors, losses and collisions that occurred
[root@linux ~]# tcpdump [-nn] [-i interface] [-w file_to_save] [-c count] [-Ae]
[-qX] [-r file] [capture expression]
Parameters:
-nn: show IP addresses and port numbers directly, rather than host names and service names
-i : followed by the network interface to 'listen' on, e.g. eth0, lo, ppp0 and so on;
-w : if you want to save the captured packet data, this is the parameter to use! It is followed by the file name
-c : the number of packets to capture; without this parameter tcpdump keeps listening
until the user presses [ctrl]-c.
-A : show the packet contents in ASCII, usually used to capture WWW web-page packets.
-e : show the data-link layer (OSI layer 2) MAC packet data;
-q : list only brief packet information, so each line is more concise
-X : list the packet contents in hexadecimal (hex) and ASCII, very useful for inspecting packet contents
-r : read the packet data from the file that follows. That 'file' must already exist,
and it must have been produced with -w.
Capture expression: we can capture packets only for particular protocols or IP sources,
which simplifies the output and yields the most useful information. Common forms are:
'host foo', 'host 127.0.0.1' : capture the packets of a single host
'net 192.168' : capture the packets of a network;
'src host 127.0.0.1' 'dst net 192.168': additionally restrict the source (src) or destination (dst)
'tcp port 21': you can also match on a protocol, such as tcp, udp, arp, ether
and you can combine them with and and or to display an integrated view of the packet data!
Example 1: capture the packets on the eth0 network card, showing IP and port number, for 3 seconds
[root@linux ~]# tcpdump -i eth0 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 116:232(116) ack 1 win 9648
01:33:40.41 IP 192.168.1.100.22 > 192.168.1.11.1190: P 232:364(132) ack 1 win 9648
<== ended after pressing [ctrl]-c
6680 packets captured <== number of packets captured
14250 packets received by filter <== total number of packets received by the filter
7512 packets dropped by kernel <== packets dropped by the kernel
If you are reading the tcpdump man page for the first time, you will surely be overwhelmed, because tcpdump almost entirely analyses packet header data, and without a basic grounding in network packets it is really hard to understand! So you should at least go back to the networking basics and understand the TCP packet header first. ^_^! As for the output produced in Example 1, we can roughly divide it into several fields; we explain it using the highlighted line in Example 1:
01:33:40.41: the time at which this packet was captured, in hours:minutes:seconds;
IP: the protocol carried is IP;
192.168.1.100.22 > : the sender is the IP 192.168.1.100 with sending port number 22; you must understand that the greater-than sign (>) indicates the direction of packet transmission!
192.168.1.11.1190: the receiver's IP is 192.168.1.11, and that host has opened port 1190 to receive;
P 116:232(116): this packet carries the PUSH data-transfer flag, and the transmitted data are bytes 116~232 of the whole stream, so this packet carries 116 bytes of data;
ack 1 win 9648: data related to ACK and the window size.
Put simply, this packet is sent from 192.168.1.100 to 192.168.1.11, from port 22 to port 1190, carries 116 bytes of data, and uses the PUSH flag rather than an active-connection flag such as SYN. Heh, not easy to read, is it? That is why we said above that you really must go and look at the TCP header section!
Next, on a host with a very busy network, when you only want the packets of one particular host connecting to you, you could use tcpdump together with pipes and regular expressions, but that is awkward! Using tcpdump's expression syntax we can easily extract just the data we need on its own. In Example 1 above we listened only on eth0, so everything on the eth0 interface was shown on the screen, which is hard to analyse! Can we simplify that? For example, to pick out only the port 21 connection packets, do this:
[root@linux ~]# tcpdump -i eth0 -nn port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:54:37.96 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 1 win 65535
01:54:37.96 IP 192.168.1.100.21 > 192.168.1.11.1240: P 1:21(20) ack 1 win 5840
01:54:38.12 IP 192.168.1.11.1240 > 192.168.1.100.21: . ack 21 win 65515
01:54:42.79 IP 192.168.1.11.1240 > 192.168.1.100.21: P 1:17(16) ack 21 win 65515
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: . ack 17 win 5840
01:54:42.79 IP 192.168.1.100.21 > 192.168.1.11.1240: P 21:55(34) ack 17 win 5840
Look! Now only the port 21 information is shown, and if you look carefully you will notice that the packets travel in both directions: the client sends a 'request' and the server gives a 'response', so of course there is traffic both ways! We can use the direction of these packets to understand how a packet exchange proceeds. For example:
first, in one terminal window, start listening with 'tcpdump -i lo -nn';
then open another terminal window and log in to this machine (127.0.0.1) with 'ssh localhost'.
What will the output look like?
[root@linux ~]# tcpdump -i lo -nn
1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2 listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
3 11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0)
win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
4 11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0)
ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,
wscale 2>
5 11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,
nop,timestamp 236681316 236681316>
6 11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192
<nop,nop,timestamp 236681334 236681316>
7 11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,
nop,timestamp 236681334 236681334>
The first two lines of the output above are tcpdump's basic banner; then:
line 3 shows 'a packet from the client side carrying the SYN active-connection flag';
line 4 shows 'a packet from the server side which, besides acknowledging the client (ACK), also carries the SYN active-connection flag';
line 5 shows the client acknowledging the server to confirm that the connection is established (ACK);
from line 6 on, data transfer begins.
Does the flow in lines 3-5 look familiar? Right! That is the basic flow of the three-way handshake! Interesting, isn't it? But tcpdump is counted among the 'hacker tools' for more than the functions introduced above. The functions shown above can be used to analyse the flow of packet connections and transfers on our host, which helps us understand how packets work and also whether the host's firewall rules need revising.
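The field breakdown and the three-way-handshake reading above, as an added example that is not from the original page or from tcpdump itself: a small parser for these summary lines that names each segment and checks that SYN, SYN/ACK and ACK appear in order, accepting both the relative acknowledgement number tcpdump prints by default and the absolute one printed with -S. It assumes the old-style flag letters shown on the page; SAMPLE is constructed after the 'tcpdump -i lo -nn' capture above, and parse_line, describe, find_handshakes and summarize are this example's own names.

```python
"""Parse tcpdump's TCP summary lines (the field layout explained above) and spot the
three-way handshake in them. Added example, not tcpdump's own code. SAMPLE is
constructed after the 'tcpdump -i lo -nn' output on the page, using the old-style
flag letters (S = SYN, P = PSH, '.' = no flag other than ACK)."""
import re
from collections import namedtuple

LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d(?:\.\d+)?) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUWE.]+)(?: (?P<seq>\d+):\d+\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?"
)
Segment = namedtuple("Segment", "time src sport dst dport flags seq length ack win")

SAMPLE = """\
11:02:54.253777 IP 127.0.0.1.32936 > 127.0.0.1.22: S 933696132:933696132(0) win 32767 <mss 16396,sackOK,timestamp 236681316 0,nop,wscale 2>
11:02:54.253831 IP 127.0.0.1.22 > 127.0.0.1.32936: S 920046702:920046702(0) ack 933696133 win 32767 <mss 16396,sackOK,timestamp 236681316 236681316,nop,wscale 2>
11:02:54.253871 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 1 win 8192 <nop,nop,timestamp 236681316 236681316>
11:02:54.272124 IP 127.0.0.1.22 > 127.0.0.1.32936: P 1:23(22) ack 1 win 8192 <nop,nop,timestamp 236681334 236681316>
11:02:54.272375 IP 127.0.0.1.32936 > 127.0.0.1.22: . ack 23 win 8192 <nop,nop,timestamp 236681334 236681334>
"""


def parse_line(line):
    """Return a Segment for a TCP summary line, or None for banner/other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    num = lambda key: int(g[key]) if g[key] is not None else None
    return Segment(g["time"], g["src"], num("sport"), g["dst"], num("dport"),
                   g["flags"], num("seq"), num("length") or 0, num("ack"), num("win"))


def describe(seg):
    """Name the segment the way the text does: SYN, SYN/ACK, plain ACK, or data."""
    if "S" in seg.flags:
        return "SYN/ACK" if seg.ack is not None else "SYN"
    if seg.length:
        return ("PSH+ACK " if "P" in seg.flags else "ACK ") + f"{seg.length} bytes"
    return "ACK"


def find_handshakes(segments):
    """Return (client, server) pairs whose SYN, SYN/ACK and ACK all appear, in order."""
    pending, done = {}, []
    for s in segments:
        flow = (f"{s.src}:{s.sport}", f"{s.dst}:{s.dport}")
        reverse = flow[::-1]
        if "S" in s.flags and s.ack is None:                  # step 1: client SYN, keep its ISN
            pending[flow] = {"isn": s.seq, "server_isn": None}
        elif "S" in s.flags and reverse in pending and s.ack == pending[reverse]["isn"] + 1:
            pending[reverse]["server_isn"] = s.seq            # step 2: server SYN/ACK
        elif (flow in pending and pending[flow]["server_isn"] is not None and s.flags == "."
              and s.ack in (1, pending[flow]["server_isn"] + 1)):  # step 3: final ACK; tcpdump
            done.append(flow)                                 # prints it relative (1), -S absolute
            del pending[flow]
    return done


def summarize(text):
    """One labelled line per TCP segment, e.g. '11:02:54.253777 127.0.0.1:32936 -> 127.0.0.1:22 SYN'."""
    segs = [s for s in map(parse_line, text.splitlines()) if s]
    return [f"{s.time} {s.src}:{s.sport} -> {s.dst}:{s.dport} {describe(s)}" for s in segs]
```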
Now for the more amazing use! If we use tcpdump on a router to listen to data transmitted in 'cleartext', for example the FTP protocol, what do you think happens? First run 'tcpdump -i lo port 21 -nn -X' on the host, then log in to the local machine with ftp and enter an account and password; you will then see something like the following:
[root@linux ~]# tcpdump -i lo -nn -X 'port 21'
0x0000: 4500 0048 2a28 4000 4006 1286 7f00 0001 E..H*(@.@.......
0x0010: 7f00 0001 0015 80ab 8355 2149 835c d825 .........U!I.\.%
0x0020: 8018 2000 fe3c 0000 0101 080a 0e2e 0b67 .....<.........g
0x0030: 0e2e 0b61 3232 3020 2876 7346 5450 6420 ...a220.(vsFTPd.
0x0040: 322e 302e 3129 0d0a 2.0.1)..
The output above has been simplified; you have to search your own output for the relevant strings. From the highlighted text in the output above we can find that 'the FTP software in use is vsftpd, the user entered the account name dmtsai, and the password is mypasswordisyou'. Heh! Isn't that frightening, if your network data are transmitted in cleartext? That is why we keep saying the network is very insecure!
You should also know that, so that the network interface can be listened on by tcpdump, the interface is put into 'promiscuous mode' while tcpdump runs, so you will see many warning messages in /var/log/messages telling you that your network card has been set to promiscuous mode! Don't worry, that is normal. For more uses, see man tcpdump!
Exercise: how do you use tcpdump to listen for packets that (1) come in on the eth0 interface card, (2) use port 22, and (3) have 192.168.1.100 as their source?
Answer:
tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.100'
ethereal
Besides tcpdump, you can also use ethereal, a handy network traffic analysis program! ethereal comes in a text interface and a graphical interface; the text interface is used very much like tcpdump, except that its command name is tethereal. Because the usage is about the same, you are advised to read man tethereal directly! ethereal is already included in CentOS, so just take out the CD and install it! You need to install both ethereal and ethereal-gnome!
Starting it is simple: under X Window, first open a terminal and then type ethereal, and the following screen appears:
Figure 5: ethereal usage example
The simple way is to click the button shown in the figure above; a window for choosing the interface to listen on appears, as shown below:
Figure 6: ethereal usage example
You should choose the interface to listen on. Because this is for testing, VBird uses the internal interface lo here; you should of course choose your own network interface. Then press start, and the capture screen appears:
Figure 7: ethereal usage example
On this screen you can see many kinds of packet protocols; when you have finished, press 'stop' to end the capture, and you enter the packet analysis screen shown below.
Figure 8: ethereal usage example
The packet analysis screen is divided into three main areas, as shown in the figure above. The first area mainly shows the packet header data, somewhat like tcpdump's output; the second area is the detailed header data, including the frame contents, the protocol contents, the socket pair and so on; the third area shows the hexadecimal and ASCII representation. With ethereal you can get all the packet contents you need in one go! And it is graphical, very convenient! By selecting different packets in the first area you can inspect the data of each packet!
nc, netcat
This nc can be used to test certain services, because it can connect to a port to communicate; in addition it can open a port itself to listen for connections from other users! Very useful! If the 'GAPING_SECURITY_HOLE' parameter is given at compile time, heh, this program can even be used to obtain a bash shell on the client side! Scary, isn't it! Our CentOS is more humane and does not build with that parameter, so we cannot use it as hacking software ~ but it is still a great replacement for telnet! (Some systems rename the executable to netcat!)
[root@linux ~]# nc [IP|host] [port]
[root@linux ~]# nc -l -p [port]
Parameters:
-l : listen mode, i.e. open a port to listen for user connections;
-p : the port number to open
Example 1: connect to local port 25 and look at the related messages
[root@linux ~]# nc localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 pc.dm.tsai ESMTP Postfix
ehlo localhost
250-pc.dm.tsai
250-PIPELINING
250-SIZE 40000000
250-ETRN
quit
221 Bye
This simplest function is almost the same as telnet: you can use it to check a service! But the more amazing part follows: we can set up two connections to exchange messages! For example, we first open a port on the client side to listen:
Example 2: open a port to listen for user connection requests
[root@linux ~]# nc -l -p 20000
Then on the host side, also use nc to connect to the client and type a few commands:
[root@linux ~]# nc localhost 20000
<== you can start typing strings here!
Now, on the host side, we can type some characters, and you will see the words you typed appear on the client side at the same time! If you also pass some extra parameters, for example making use of standard input and output (stdout, stdin), you can do many things over this connection! Of course nc can do much more than this; you will find many more uses! Take a look at the scripts in the /usr/share/doc/nc-1.10/scripts directory on your host, they are helpful! However, if you need to compile in the GAPING_SECURITY_HOLE function separately, so that both ends