
tcpdump and tshark howto na ja


golfreeze:
Today I tried out tshark.

It works much like tcpdump, but its output of the packet data and headers is considerably more detailed than tcpdump's.

To get started, install it first. I installed it on Debian:

#apt-get update
#apt-get install tshark

And that's it.

Next, start capturing packets coming from IP 192.168.33.1 on port 25 and write the capture to a file so the result can be analysed later:

#tshark -i eth0 tcp port 25 and host 192.168.33.1 -w /tshark/tshark_19_20100217_03.cap

If you use tcpdump instead, the equivalent command filters on source IP 192.168.33.1 and writes the file to test.cap for later analysis:
#tcpdump src host 192.168.33.1 and port 8080 -w test.cap

Or, if you want to save it as a file that can be read as text directly:

#tcpdump src host 192.168.33.1 and port 8080 > test.txt

In that case you need to exit screen first, otherwise it will print the data straight out.

golfreeze:
### There is another tool I would like to recommend, called

mtr

It combines traceroute and ping. If you like using traceroute to check the hops along a link, you will probably like this one too, as it can also ping each node that traceroute reaches.

Give it a try.

### BSD
#mtr google.co.th

My traceroute [v0.72]
ns1.packetlove.com (0.0.0.0) Thu Feb 25 10:40:09 2010
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 203.146.215.124 0.0% 3 2.0 25.5 2.0 57.0 28.3
2. 210.1.0.164 0.0% 3 2.1 2.2 0.4 3.9 1.7
3. 210.1.3.225 0.0% 3 1.5 2.3 1.5 3.9 1.4
4. 210.1.46.228 0.0% 3 1.6 5.6 1.6 10.0 4.2
5. 202.183.136.134 0.0% 2 10.0 9.9 9.8 10.0 0.2
6. 202.183.136.77 0.0% 2 321.2 195.6 69.9 321.2 177.8
7. 202.183.136.82 0.0% 2 38.5 46.7 38.5 54.9 11.6
8. 202.183.136.98 0.0% 2 36.1 40.5 36.1 44.9 6.2
9. 209.85.243.156 0.0% 2 37.0 39.7 37.0 42.4 3.8
10. 209.85.254.179 0.0% 2 47.6 42.2 36.8 47.6 7.6
11. sin01s01-in-f104.1e100.net 0.0% 2 37.3 41.2 37.3 45.2 5.6


### tshark for FreeBSD
command:

#tshark -i bce0 -f "host xxx.xxx.xxx.xxx or host yyy.yyy.yyy.yyy " -w file.cap

golfreeze:
port 80
#tcpdump -i eth0 -w tcpdump.out -s 1520 port 80

golfreeze:
Using tcpdump:
#tcpdump -s 1500 -w /tmp/DUMP.pcap -c 5000 -i eth0 port 80 and host www.packetlove.com

Using tcptrace to read the output of tcpdump:
#tcptrace /tmp/DUMP.pcap

1 arg remaining, starting with 'tcpdump.out'
Ostermann's tcptrace -- version 6.6.7 -- Thu Nov  4, 2004

52 packets seen, 52 TCP packets traced
elapsed wallclock time: 0:00:00.076702, 677 pkts/sec analyzed
trace file elapsed time: 0:00:00.615609
TCP connection info:
  1: 10.0.x.14:64629 - abc.com:80 (a2b)    5>    6<  (complete)
  2: 10.0.x.14:64630 - abc.com:80 (c2d)    5>    6<  (complete)
  3: 10.0.x.14:64631 - abc.com:80 (e2f)    5>    5<  (complete)
  4: 10.0.x.14:64632 - abc.com:80 (g2h)    5>    5<  (complete)
  5: 10.0.x.14:64633 - abc.com:80 (i2j)    5>    5<  (complete)


golfreeze:
First The Basics
Breaking down the Tcpdump Command Line
The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80
-i : Select the interface that the capture is to take place on. This will often be an Ethernet card or wireless adapter, but could also be a VLAN or something more unusual. Not always required if there is only one network adapter.
-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy for not only viewing the IP / port numbers but also when capturing a large amount of data, as the name resolution will slow down the capture.
-s0 : Snap length is the size of the packet to capture. -s0 will set the size to unlimited; use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.
-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
port 80 : this is a common port filter to capture only traffic on port 80, that is of course usually HTTP.

Display ASCII text
Adding -A to the command line will have the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80
Capture on Protocol
Filter on UDP traffic. Another way to specify this is to use protocol 17, which is UDP. These two commands will produce the same result. The equivalent of the tcp filter is protocol 6.

:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17
Capture Hosts based on IP address
Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1
Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20
Write a capture file
Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap
Line Buffered Mode
Without the option to force line-buffered (-l) (or packet-buffered, -C) mode, you will not always get the expected response when piping the tcpdump output to another command such as grep. By using this option the output is sent immediately to the piped command, giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'
Combine Filters
Throughout these examples you can use standard logic to combine different filters.

and or &&
or or ||
not or !
Practical Examples
In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and selecting ASCII output in combination with grep, cut or awk will often get that result. You can always go deeper into the packet if required.

For example, when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN / ACK / FIN; however, if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.


1. Extract HTTP User Agents
Extract HTTP User Agent from HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"
By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets
Going deep on the filter we can specify only packets that match GET.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
The hexadecimal being matched in these expressions is the ASCII for GET and POST.

As an explanation tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against.


3. Extract HTTP Request URLs
Parse Host and HTTP Request location from traffic. By not targeting port 80 we may find these requests on any port such as HTTP services running on high ports.

:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
   POST /wp-login.php HTTP/1.1
   Host: dev.example.com
   GET /wp-login.php HTTP/1.1
   Host: dev.example.com
   GET /favicon.ico HTTP/1.1
   Host: dev.example.com
   GET / HTTP/1.1
   Host: dev.example.com

4. Extract HTTP Passwords in POST Requests
Let's get some passwords from the POST data. We will include Host: and the request location so we know what the password is used for.

:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1
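As an added example (not from the original post), here is the arithmetic behind the `tcp[((tcp[12:1] & 0xf0) >> 2):4]` filter from section 2 worked through in Python on constructed TCP segments: it derives the payload offset from the Data Offset nibble of byte 12, compares the first four payload bytes against the GET and POST magic values, and shows why a fixed 20-byte offset breaks once the header carries options. All segments and helper names are constructed for this demo.

```python
import struct

# Magic values from the two tcpdump filters on this page: the ASCII bytes of
# "GET " and "POST" read as one big-endian 32-bit integer.
GET_MAGIC = 0x47455420
POST_MAGIC = 0x504F5354

def build_tcp_segment(data_offset_words, flags, payload, src_port=40000, dst_port=80):
    """Construct a TCP segment (header + payload) for the demo. Byte 12 holds
    the Data Offset in its high nibble, so options are padded up to that size."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset_words << 4, flags, 65535, 0, 0)
    options = b"\x01" * (data_offset_words * 4 - 20)  # NOP padding (constructed)
    return header + options + payload

def payload_offset(segment):
    """Same arithmetic as ((tcp[12:1] & 0xf0) >> 2): the high nibble of byte 12
    counts 32-bit words, and shifting by 2 instead of 4 multiplies that by 4."""
    return (segment[12] & 0xF0) >> 2

def first_payload_word(segment):
    """tcp[off:4] as a big-endian integer, or None when fewer than 4 payload
    bytes exist (tcpdump then treats the comparison as false, e.g. a bare SYN)."""
    off = payload_offset(segment)
    if len(segment) < off + 4:
        return None
    return struct.unpack("!I", segment[off:off + 4])[0]

def fixed_offset_word(segment, off=20):
    """What a naive filter that assumed a 20-byte header would compare instead."""
    return struct.unpack("!I", segment[off:off + 4])[0]

def http_method(segment):
    """Classify a segment the way the two filters do: 'GET', 'POST' or None."""
    word = first_payload_word(segment)
    return {GET_MAGIC: "GET", POST_MAGIC: "POST"}.get(word)

# Constructed samples: a plain 20-byte header, a 32-byte header with options
# (as seen when TCP timestamps are in use), and a bare SYN with no payload.
GET_SEG = build_tcp_segment(5, 0x18, b"GET /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n")
POST_SEG = build_tcp_segment(8, 0x18, b"POST /wp-login.php HTTP/1.1\r\nHost: dev.example.com\r\n\r\n")
SYN_SEG = build_tcp_segment(5, 0x02, b"")

if __name__ == "__main__":
    for name, seg in (("GET", GET_SEG), ("POST", POST_SEG), ("SYN", SYN_SEG)):
        print(name, "payload at", payload_offset(seg), "->", http_method(seg))
```

With options present the payload starts at byte 32, so a filter hard-coded to offset 20 reads the NOP padding instead of the method and never matches.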
