Software engineering notes

Linux tcpdump

Tcpdump

Capture packets

sudo tcpdump -i lo -nn port 8080
13:45:48.703124 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [S], seq 2569649818, win 43690, options [mss 65495,sackOK,TS val 2431608 ecr 0,nop,wscale 6], length 0
13:45:48.703130 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [S.], seq 986657362, ack 2569649819, win 43690, options [mss 65495,sackOK,TS val 2431608 ecr 2431608,nop,wscale 6], length 0
13:45:48.703137 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [.], ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.703572 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [P.], seq 1:29, ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 28
13:45:48.703580 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 29, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.703824 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [P.], seq 29:39, ack 1, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 10
13:45:48.703830 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 39, win 683, options [nop,nop,TS val 2431608 ecr 2431608], length 0
13:45:48.704009 IP 127.0.0.1.42893 > 127.0.0.1.8080: Flags [F.], seq 39, ack 1, win 683, options [nop,nop,TS val 2431609 ecr 2431608], length 0
13:45:48.743612 IP 127.0.0.1.8080 > 127.0.0.1.42893: Flags [.], ack 40, win 683, options [nop,nop,TS val 2431619 ecr 2431609], length 0

Capture packets with their contents (hex dump)

sudo tcpdump -i lo -nn port 8080 -X
(... omitted ...)
13:42:53.139609 IP 127.0.0.1.8080 > 127.0.0.1.42892: Flags [.], ack 40, win 683, options [nop,nop,TS val 2387718 ecr 2387708], length 0
        0x0000:  4500 0034 f30e 4000 4006 49b3 7f00 0001  E..4..@.@.I.....
        0x0010:  7f00 0001 1f90 a78c 0cc5 9df7 37a2 5c73  ............7.\s
        0x0020:  8010 02ab fe28 0000 0101 080a 0024 6f06  .....(.......$o.
        0x0030:  0024 6efc                                .$n.

Capture POST requests and print them in a readable form

sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' -i eth0
(... omitted ...)
E....   @.@..8..Of6......P.N$.Y...P..:....POST /oauth/authorize?client_id=a216481c HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: example.com
Accept: */*
Content-Length: 8
Content-Type: application/x-www-form-urlencoded

The expression (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354) selects POST requests. Byte 12 of the TCP header carries the data offset in its upper nibble, measured in 32-bit words, so masking with 0xf0 and shifting right by 2 yields the header length in bytes (the same as >> 4 followed by * 4). tcp[<that offset>:4] then reads the first four bytes of the payload, and 0x504f5354 is the ASCII encoding of "POST". -s 0 captures the whole packet so the request line and headers are printed in full; -A prints them as text. Two caveats: the filter only matches the segment whose payload begins with the method, so a request whose first bytes land in a later segment is missed, and it sees nothing inside TLS (port 443).
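As an added worked example (not part of the original notes), the Python script below serves both the hex-dump section and the POST filter above: it parses the `tcpdump -X` output shown earlier back into raw bytes, decodes the IPv4/TCP headers to confirm the values in the summary line (ports 8080 and 42892, win 683, a 32-byte TCP header carrying no payload), and then evaluates the filter's offset arithmetic in Python on that segment. It also generalises the filter to other methods (GET, PUT) by computing the 32-bit constant from the first four ASCII bytes of the method. The POST request line, the client port and the constructed segment used to show a match are invented for the demonstration.

```python
import struct

# Constructed input: the four `tcpdump -X` lines from the page for the segment
# 127.0.0.1.8080 > 127.0.0.1.42892 (Flags [.], ack 40, win 683, length 0).
PAGE_HEXDUMP = r"""
        0x0000:  4500 0034 f30e 4000 4006 49b3 7f00 0001  E..4..@.@.I.....
        0x0010:  7f00 0001 1f90 a78c 0cc5 9df7 37a2 5c73  ............7.\s
        0x0020:  8010 02ab fe28 0000 0101 080a 0024 6f06  .....(.......$o.
        0x0030:  0024 6efc                                .$n.
"""


def parse_hexdump(text):
    """Turn `tcpdump -X` output back into raw packet bytes.

    Each dump line is `0xOFFSET:` + two spaces + up to eight 4-digit hex
    groups (39 columns) + two spaces + an ASCII column. Slicing the fixed
    hex columns avoids mis-reading ASCII that happens to look like hex.
    """
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue  # skip blank lines or a tcpdump summary line
        _, rest = line.split(":", 1)
        raw += bytes.fromhex(rest[:41].replace(" ", ""))
    return bytes(raw)


def decode_ipv4_tcp(pkt):
    """Decode IPv4 + TCP headers of a raw packet (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    # The arithmetic from the BPF filter: the data offset lives in the high
    # nibble of TCP byte 12, counted in 32-bit words, so `& 0xf0 >> 2`
    # gives the header length in bytes (nibble >> 4, then * 4).
    hdr_len = (tcp[12] & 0xF0) >> 2
    window = struct.unpack("!H", tcp[14:16])[0]
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp[13], "window": window,
        "tcp_header_len": hdr_len,
        "payload": tcp[hdr_len:],
    }


def method_constant(method):
    """32-bit big-endian constant for the first four request-line bytes,
    e.g. "POST" -> 0x504f5354 and "GET" (padded to "GET ") -> 0x47455420."""
    return int.from_bytes(method[:4].ljust(4).encode("ascii"), "big")


def method_filter(method, dst_port=80):
    """The page's tcpdump expression, generalised to any HTTP method."""
    return ("tcp dst port %d and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x%08x)"
            % (dst_port, method_constant(method)))


def segment_matches_method(tcp_segment, method):
    """Evaluate the filter's comparison in Python on one TCP segment.

    Mirrors what the BPF program does: locate the payload via the data-offset
    nibble and compare its first four bytes with the constant. A segment too
    short to hold four payload bytes is rejected by BPF; here the short slice
    simply compares unequal.
    """
    start = (tcp_segment[12] & 0xF0) >> 2
    return tcp_segment[start:start + 4] == method[:4].ljust(4).encode("ascii")


def build_tcp_segment(sport, dport, payload, flags=0x18):
    """Constructed minimal TCP segment (20-byte header, no options, zero
    checksum) so a match can be shown without a live capture."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags,
                         683, 0, 0)
    return header + payload


if __name__ == "__main__":
    pkt = parse_hexdump(PAGE_HEXDUMP)
    info = decode_ipv4_tcp(pkt)
    print(info["src"], info["sport"], "->", info["dst"], info["dport"],
          "tcp hdr", info["tcp_header_len"], "win", info["window"],
          "payload", len(info["payload"]))
    print(method_filter("POST"))
    # Hypothetical client request (client port and URL are invented).
    post = build_tcp_segment(42893, 80, b"POST /oauth/authorize HTTP/1.1\r\n")
    print("page ACK segment matches POST:",
          segment_matches_method(pkt[20:], "POST"))
    print("constructed POST segment matches POST/GET:",
          segment_matches_method(post, "POST"),
          segment_matches_method(post, "GET"))
```

Running it reproduces the summary line of the page's ACK segment and shows that the same segment cannot match the POST filter (its 32-byte header leaves no payload), while the constructed request does.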

How do you use tcpdump to capture packets that (1) arrive on the eth0 interface, (2) use port 22 and (3) have 192.168.1.101 as their source address?

tcpdump -i eth0 -nn -l 'port 22 and src host 192.168.1.101'

Options

Ngrep

Listen for GET/POST/PUT on port 80

sudo ngrep -W byline -d eth0 -t '^(GET|POST|PUT)' 'port 80'

Listen for GET/POST/PUT on port 80 from a specific host

sudo ngrep -d eth0 -t '^(GET|POST|PUT)' "src host example.com and port 80"

Listen for GET/POST/PUT from a specific host to port 80, TCP only

sudo ngrep -t '^(GET|POST|PUT)' "src host example.com and tcp and dst port 80"

Other

ref: ngrep cheat sheet

Print udp packets

ngrep '' udp

Print packets passing the eth0 device. Without -d, ngrep listens on a default interface.

ngrep -d eth0

Print packets for port 80 regardless of device

ngrep -d any port 80

Only print packets that contain “interesting-domain.com”

ngrep -d any "interesting-domain.com" port 80

You can use regex such as ‘.*’ in the search string

ngrep -d any "domain-.*.com" port 80

Or use regex to search for ‘pass’ or ‘USER’

ngrep -d any "pass|USER" port 80

And ignore case with -i to match for ‘user’ as well

ngrep -d any -i "pass|USER" port 80

If you’re logged in via SSH you might want to ignore your own traffic

ngrep -d any port not 22

Only print packet headers and payload (if relevant)

ngrep -q -d any "needle" port 80

Use -W byline for more readable output

ngrep -d any -W byline "needle" port 80

Limit the number of results with -n

ngrep -d any "needle" -n 3 port 80

Print empty packets with -e

ngrep -e -d any "needle" port 80