Jex’s Note

監聽封包

Tcpdump

監聽封包

sudo tcpdump -i lo -nn port 8080
13:45:48.703124 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [S], seq 2569649818, win 43690, options [mss 65495,sackOK,TS val 2431608 ecr 0,nop,wscale 6], length 0
13:45:48.703130 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [S.], seq 986657362, ack 2569649819, win 43690, options [mss 65495,sackOK,TS val 2431608 ecr 2431608,nop,wscale 6], length 0
13:45:48.703137 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [.], ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.703572 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [P.], seq 1:29, ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 28
13:45:48.703580 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 29, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.703824 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [P.], seq 29:39, ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 10
13:45:48.703830 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 39, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.704009 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [F.], seq 39, ack 1, win 683, options [nop,nop,TS val 2431609 ecr 2431608], length 0
13:45:48.743612 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 40, win 683, options [nop,nop,TS val 2431619 ecr 2431609], length 0
  • -i :後面接要『監聽』的網路介面,例如 eth0, lo, ppp0 等等的介面;
  • -nn:直接以 IP 及 port number 顯示,而非主機名與服務名稱

監聽封包內容

sudo tcpdump -i lo -nn port 8080 -X
(...略...)
13:42:53.139609 IP 127.0.0.1.8080 > 127.0.0.1.42892: Flags [.], ack 40, win 683, options [nop,nop,TS val 2387718 ecr 2387708], length 0
        0x0000:  4500 0034 f30e 4000 4006 49b3 7f00 0001  E..4..@.@.I.....
        0x0010:  7f00 0001 1f90 a78c 0cc5 9df7 37a2 5c73  ............7.\s
        0x0020:  8010 02ab fe28 0000 0101 080a 0024 6f06  .....(.......$o.
        0x0030:  0024 6efc                                .$n.

-X :可以列出十六進位 (hex) 以及 ASCII 的封包內容,對於監聽封包內容很有用

監聽 post, 並且輸出成好閱讀模式

sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' -i eth0
(...略...)
E....   @.@..8..Of6......P.N$.Y...P..:....POST /oauth/authorize?client_id=a216481c HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: example.com
Accept: */*
Content-Length: 8
Content-Type: application/x-www-form-urlencoded

(tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354) 是監聽 post 的意思

如何使用 tcpdump 監聽 (1)來自 eth0 介面卡且 (2)通訊協定為 port 22 ,(3)封包來源為 192.168.1.101 的封包資料?

tcpdump -i eth0 -nn 'port 22 and src host 192.168.1.101'

Ngrep

聽 GET/POST/PUT 80 port

sudo ngrep -d eth0 -t '^(GET|POST|PUT)' 'port 80'

聽 GET/POST/PUT 特定 host 的 80 port

sudo ngrep -d eht0 -t '^(GET|POST|PUT)' "src host example.com and port 80"

聽 GET/POST/PUT 特定 host 的 80 port, TCP 協定

sudo ngrep -t '^(GET|POST|PUT)' "src host example.com and tcp and dst port 80"

Comments