How to use tcpdump and wireshark ?

219 篇文章 2 订阅

 

How to use tcpdump and wireshark ?

 SOLUTION 已验证 - 已更新 2018年五月24日05:32 - 

English 

环境

Red Hat Enterprise Linux 3 or later

问题

How to use tcpdump and wireshark ?

决议

What are tcpdump and wireshark?

tcpdump is a tool used to capture network traffic, and wireshark is a tool to help view captured network dumps. tcpdump captures the entire packet, and therefore all the information about the traffic.  Such information includes the source and destination of the packet, the port information, and the packet data.

These tools are useful for see if network traffic is being routed properly, and if the server is returning the correct information.  In some instances, it can be used to detect network problems such as retransmissions, or bad checksums.

tcpdump is provided by the tcpdump package, and the GUI for wireshark is provided by wireshark-gnome

Raw

yum -y install tcpdump wireshark-gnome

How do tcpdump and wireshark work?

Both tcpdump and wireshark use libpcap which is used for low-level packet capture. libpcap is in used space, and sets the card into promiscuous mode which passes all traffic to the CPU. In order for libpcap to capture the packet, it has to go "though" the system. This is because only non-routing nodes can see incoming and outgoing traffic. This is also true for the same collision domain or loop. Traffic going through a hub is monitorable because it rebroadcasts.

Wireshark can be used to capture the traffic, however it is really useful as a way to graphically display the information from the capture. After being pointed at a pcap file, wireshark can show all the packets, and can sort and filter packets.

When should (and shouldn't) tcpdump be used?

  1. Monitoring traffic
  2. Checking for abnormalities in packet flow
  3. Checking return codes from services, such as apache
  4. Should not be used to filter traffic. Filtering of traffic should be done in wireshark. This is because when analyzing the dump, you may not get to see something that may be important, requiring another tcpdump and repitition of the problem by the client.

Common flags

FlagDefinition
-wWrite packets to a raw format
-s

Snaplength.  The number of bytes of each data packet to capture.  Rather than the default 68 bytes

Here is a general example:

Capture all data

The following tcpdump command will capture all traffic on the selected interface to the file /tmp/dump.pcap. To stop the capture, hit ctrl+c.

Raw

tcpdump -s 0 -i <interface> -w /tmp/dump.pcap

Opening a capture file in wireshark

Start wireshark by running wireshark. When prompted, you can either enter your root password, or select Run Unprivileged. Since we are not capturing any data with wireshark, running unprivileged is enough. Then choose File -> Open and choose the pcap file. When using pcap files that exceed 100Mb Wireshark can be come slow when loading, filtering etc. Because of this, you can either split the pcap file with the script listed under additional tools. Or, you can look at the performance document under additional documentation.

Filtering with wireshark

After opening the pcap file you have the ability to filter packets. Below is a list of simple filter options. The filters, go in the filter box at the top of the GUI.

FilterDefinition
tcp.port == 80The packet is a tcp packet, and the port (source or dest) is 80
udp.port == 21The packet is a udp packet, and the port (source or dest) is 21
ip.addr == 192.168.0.1The ip address in the packet (source or dest) is 192.168.0.1
!(ip.addr == 192.168.0.1)The ip address (source or dest) is NOT 192.168.0.1

Combining filters

To make advanced filters, you can use the symbols && and || to and and or filters together.

Raw

ip.addr == 192.168.0.1 && tcp.port == 80 && !(ip.addr == 192.168.0.5

This filter gets all tcp port 80 traffic that involves 192.168.0.1 but does not involve 192.168.0.5.

Advanced filters

Below are some advanced items you can filter on.

FilterDefinition
eth.addr == 00:19:B9:1F:34:B6The packet has a hardware address of 00:19:B9:1F:34:B6
ip.dest == 192.168.0.1The destination ip address of the packet is 192.168.0.1
ip.src == 192.168.0.1The source ip address of the packet is 192.168.0.1
ip.addr == 192.168.0.0/24The ip address (source or dest) is in the 192.168.0.* range

tcp.analysis.flags

The packet has a analysis flag set.  This is a built in diagnostic tool in wireshark
tcp.checksum_badThe checksum on the tcp packet is incorrect *
udp.checksum_badThe checksum on the udp packet is incorrect *

NOTE: The checksum_bad flag can sometimes be a red herring. Some cards will do checksum offloading, and will cause the tcp.checksum to come out different, than what it is expecting. See the Additional Resources section for more on checksum offloading.

Advanced Wireshark usage

Setting a Time Reference

If you need to see information based on a reference time you can easily do that in Wireshark. A perfect example for the use of this, is "My webserver takes 20 minutes to return the data." For that example, we would first filter the pcap based on the addresses involved, and port 80:

Raw

ip.addr == 192.168.0.1 &amp;&amp; ip.addr == 192.168.0.22 &amp;&amp; tcp.proto == 80

Now that we have only the http traffic, we can see where the initial request is made, and set it as a time reference. Find the first packet, and right click on it. Then select "Set Time Reference (Toggle)"

Now, all the entries in the Time column will be relative to that packet. To clear the reference goto Edit -> Set Time Reference (toggle).

Protocol Hierarchy

To view the protocol hierarchy stats, start with an open pcap. Then click Statistics -> Protocol Hierarchy.

In this view, you can see what percentage of traffic you have. In the above map, you can see that 83.70% of the traffic was tcp, and that 33.92% of that was SSH traffic. This can be useful when trying to determine where most of the network traffic is being used.

Conversations

To view the conversation window, start with an open pcap. Then click Statistics -> Conversations.

After opening the conversation window, right-click on the conversation that you want to follow. Then select Apply as Filter -> Selected -> A <-> B. This will then apply a filter on the pcap showing all the conversation based on the on you chose. For example, the conversation above would be packets between 10.11.243.134 on port 80 and port 5591.

Changing the Time Zone of the Displayed Packets

The timestamps of the packets in the capture file are in UTC. If you're trying to compare the timestamps in wireshark with the timestamps in a log file from a system that uses a different time zone than your own, things can get confusing. The way to get around this is to invoke wireshark from the command line and use the TZ environment variable to set the timezone to correspond to the time zone of the machine that generated the capture file. For example, if the machine that generated the capture file is using the GMT time zone and your machine is using a different time zone:

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值