Common proxy ports
------------------
1. HTTP proxy server: 80 / 8080 / 3128 / 8081 / 9098
2. SOCKS proxy server: 1080
3. FTP (file transfer) proxy server: 21
4. Telnet (remote login) proxy server: 23

Common service ports
--------------------
HTTP server: 80/tcp (the Executor trojan also opens this port)
HTTPS (encrypted web pages): 443/tcp, 443/udp
Telnet (unencrypted text transfer): 23/tcp (also opened by the Tiny Telnet Server trojan)
FTP: 21/tcp (also opened by the trojans Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash and Blade Runner)
TFTP (Trivial File Transfer Protocol): 69/udp
SSH (secure login), SCP (file transfer), port forwarding: 22/tcp
SMTP, Simple Mail Transfer Protocol (e-mail): 25/tcp (also opened by the trojans Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, WinPC and WinSpy)
POP3, Post Office Protocol (e-mail): 110/tcp
WebSphere application server: 9080
WebSphere administration tool: 9090
JBoss: 8080
Tomcat: 8080
Windows 2003 remote login: 3389
Symantec AV/Filter for MSE: 8081
Oracle database: 1521
Oracle EMCTL: 1158
Oracle XDB (XML database): 8080
Oracle XDB FTP service: 2100
MS SQL Server database server: 1433/tcp, 1433/udp
MS SQL Server database monitor: 1434/tcp, 1434/udp
First use ifconfig to list the network interfaces.

Example: capture 100 TCP packets on eth1 from 192.168.1.0/24, excluding SSH, and save them to a file
--------------------------------------------------------------------------------------------------
# tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and not dst port 22 and src net 192.168.1.0/24'

(1) tcp: the protocol keyword (ip, icmp, arp, rarp, tcp, udp, ...) comes first in the filter expression and selects the packet type.
(2) -i eth1: capture only packets passing through interface eth1.
(3) -t: do not print timestamps.
(4) -s 0: the default snapshot length is 68 bytes, which truncates packets; -s 0 captures each packet in full.
(5) -c 100: stop after 100 packets.
(6) not dst port 22: skip packets whose destination port is 22.
(7) src net 192.168.1.0/24: only packets whose source address is in 192.168.1.0/24.
(8) -w ./target.cap: save the packets to a .cap file for later analysis in Ethereal (Wireshark).

# tcpdump -C 1 -w a.cap
(1) -w a.cap: write the captured packets to a.cap in the terminal's current directory.
(2) -C 1: when a.cap grows past 1 MB, start a new file; the argument to -C is the file size in MB.

# tcpdump -i eth0 -x -s 1024 port 1883
-x prints each packet in hex. -s 1024 sets the snapshot length; the default of 68 bytes usually cuts off the application-layer protocol.

Filter by host
--------------
All traffic through eth1 with source or destination address 192.168.1.1:
# tcpdump -i eth1 host 192.168.1.1
Source address only:
# tcpdump -i eth1 src host 192.168.1.1
Destination address only:
# tcpdump -i eth1 dst host 192.168.1.1

Filter by port
--------------
All traffic through eth1 with source or destination port 25:
# tcpdump -i eth1 port 25
Source port only:
# tcpdump -i eth1 src port 25
Destination port only:
# tcpdump -i eth1 dst port 25

Filter by network
-----------------
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Filter by protocol
------------------
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Logical operators
-----------------
Not: ! or not
And: && or and
Or:  || or or

Combined filters
----------------
All TCP traffic through eth1 to port 80 on 192.168.1.254 or 192.168.1.200:
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
All ICMP traffic through eth1 with destination MAC address 00:01:02:03:04:05:
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
TCP traffic to network 192.168, except to host 192.168.1.200:
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
Only SYN packets:
# tcpdump -i eth1 'tcp[tcpflags] = tcp-syn'
SYN and ACK set:
# tcpdump -i eth1 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack != 0'

Capture SMTP data
-----------------
# tcpdump -i eth1 '((port 25) and (tcp[(tcp[12]>>2):4] = 0x4d41494c))'
Matches packets whose data begins with "MAIL"; "MAIL" in hex is 0x4d41494c.

Capture HTTP GET data
---------------------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x47455420'
"GET " in hex is 0x47455420.

Capture SSH banners
-------------------
# tcpdump -i eth1 'tcp[(tcp[12]>>2):4] = 0x5353482D'
"SSH-" in hex is 0x5353482D.
# tcpdump -i eth1 '(tcp[(tcp[12]>>2):4] = 0x5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0x312E)'
Also checks the version bytes, catching old-version banners such as "SSH-1.99".

DNS requests:
# tcpdump -i eth1 udp dst port 53

Other
-----
Operations staff also use -c a lot: on a busy server a capture otherwise runs until someone stops it with Ctrl+C and collects far too much, so -c fixes the number of packets to capture.
# time tcpdump -nn -i eth0 -c 10000 'tcp[tcpflags] = tcp-syn' > /dev/null
This measures how long it takes to see 10,000 SYN packets, which gives a rough idea of the connection rate.

Capture GET requests on port 8000 in real time and write them to GET.log:
# tcpdump -i eth0 -nnAl -w /tmp/GET.log '((port 8000) and (tcp[(tcp[12]>>2):4]=0x47455420))'
Note that -w writes raw packets, so GET.log is a capture file to read back with -r; -A and -l only affect text output.
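The tcp[(tcp[12]>>2):4] filters above depend on BPF byte arithmetic that is easy to get wrong. The Python below is an added example, not code from the original notes: it reproduces that arithmetic on a constructed TCP segment, deriving the header length from byte 12, reading the first payload bytes the way the kernel filter does, and producing the hex constants for any ASCII prefix. The segment builder, its port and sequence numbers, and the sample SMTP and SSH payloads are all made up for the demonstration.

```python
import struct
from typing import Optional

# tcp[12] holds the TCP data offset (header length in 32-bit words) in its
# upper nibble. Shifting the whole byte right by 2 multiplies that nibble by 4,
# giving the header length in bytes, provided the reserved bits in the lower
# nibble are zero (they are in normal traffic).


def tcp_header_len(segment: bytes) -> int:
    """Python equivalent of the filter expression tcp[12]>>2."""
    return segment[12] >> 2


def payload_field(segment: bytes, rel_offset: int, width: int) -> Optional[int]:
    """Equivalent of tcp[(tcp[12]>>2)+rel_offset:width], read big-endian.
    Returns None when the segment is too short, which is also the case in
    which the kernel filter does not match."""
    start = tcp_header_len(segment) + rel_offset
    chunk = segment[start:start + width]
    if len(chunk) < width:
        return None
    return int.from_bytes(chunk, "big")


def filter_constant(text: str) -> str:
    """Hex literal to put in a filter for an ASCII prefix ("MAIL" -> 0x4d41494c)."""
    return "0x" + text.encode("ascii").hex()


def starts_with(segment: bytes, text: str) -> bool:
    """Same test as tcp[(tcp[12]>>2):N] = <hex of text>, with N = len(text)."""
    return payload_field(segment, 0, len(text)) == int(filter_constant(text), 16)


def is_old_ssh_banner(segment: bytes) -> bool:
    """The two-part SSH filter: "SSH-" at the payload start and "1." 4 bytes in."""
    return starts_with(segment, "SSH-") and payload_field(segment, 4, 2) == 0x312E


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment; ports and sequence numbers are arbitrary sample
    values. Options are padded to a multiple of 4 so the data offset is valid."""
    options += b"\x00" * (-len(options) % 4)
    doff_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 25,           # source port, destination port
        1000, 2000,          # sequence and acknowledgement numbers
        doff_words << 4,     # data offset in the upper nibble, reserved bits 0
        0x18,                # flags: PSH|ACK
        65535, 0, 0,         # window, checksum (left zero), urgent pointer
    )
    return header + options + payload


# Constructed samples: 12 bytes of options (NOP, NOP, timestamp) in front of an
# SMTP MAIL command and an SSH 1.99 banner.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
SMTP_SEGMENT = build_tcp_segment(b"MAIL FROM:<alice@example.test>\r\n", TS_OPTIONS)
SSH_SEGMENT = build_tcp_segment(b"SSH-1.99-OpenSSH_3.9\r\n", TS_OPTIONS)

if __name__ == "__main__":
    for text in ("MAIL", "GET ", "SSH-", "1."):
        print(f"{text!r:<7} -> {filter_constant(text)}")
    print("header length:", tcp_header_len(SMTP_SEGMENT), "bytes")
    print("SMTP segment starts with MAIL:", starts_with(SMTP_SEGMENT, "MAIL"))
    print("SSH segment is an old banner:", is_old_ssh_banner(SSH_SEGMENT))
```

Two caveats the filters inherit: tcp[12]>>2 is the header length only while the reserved bits are zero, and a packet that does not carry the requested bytes never matches, so a command split across segments or cut by a short snapshot length is missed. The trailing space in "GET " is part of the four compared bytes.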
Practical tcpdump commands
--------------------------
Watch the MySQL commands sent from this machine. -i any listens on all network interfaces; pick a specific interface as your situation requires:
# tcpdump -i any -w - dst port 3306 | strings
Watch only the MySQL commands sent from local port 58895:
# tcpdump -i any -w - dst port 3306 and src port 58895 | strings
The same commands work for Kafka, etcd, Redis, memcached and so on, as long as the protocol is plaintext.

Command format
--------------
# tcpdump [options] [filter]
Options: -n, -i any, etc.
Filter: the condition a packet must meet, for example tcp, portrange 1-1000, src port 58895, host www.itshouce.com.cn. Filters can be combined:
dst port 3306 and src port 58895
portrange 1-1000 or src port 58895
not dst port 3306
Options and filter together:
# tcpdump -i any -n portrange 1-3306 or portrange 10000-58895

Options
-------
-i en2: capture on interface en2. If -i is omitted, tcpdump searches the interfaces and listens on the lowest-numbered one, i.e. the smallest number in the left column of tcpdump -D output.
# tcpdump -i en2
Linux 2.2 and later support -i any, which listens on all interfaces:
# tcpdump -i any
-n: do not convert IP addresses to host names.
# tcpdump -n
-w -: write the raw packets to standard output (-w FILE writes them to a file instead). Piping into strings shows the packet data as readable text; this is a very useful command:
# tcpdump -w - | strings
-w a.cap: write the captured packets to a.cap.
-C 1: when a.cap grows past 1 MB, open a new file; the argument to -C is the file size in MB.
# tcpdump -C 1 -w a.cap
# ll
-rw-r--r-- 1 root wheel 1000092 Apr 21 21:05 a.cap      (over 1 MB)
-rw-r--r-- 1 root wheel  849388 Apr 21 21:05 a.cap1
-r: read packets from a file:
# tcpdump -n -r a.cap
-X: print each packet in hex and ASCII.
-x: print the packet header and data in hex.
-xx: like -x, but also including the link-layer header.
-A: print each packet in ASCII:
# tcpdump -A host www.itshouce.com.cn
-c 3: exit after receiving three packets:
# tcpdump -A -c 3 host www.itshouce.com.cn
...
3 packets captured
65 packets received by filter
0 packets dropped by kernel
-D: list the network interfaces on this machine:
# tcpdump -D
1.en0
2.awdl0
3.bridge0
4.utun0
5.en1
6.en2
7.p2p0
8.lo0
-e: print the link-layer header:
# tcpdump -e
21:15:27.665159 *:*:60:dc:d0:d9 (oui Unknown) > *:*:07:10:81:36 (oui Unknown), ethertype IPv4 (0x0800), length 79: zj-db0355dembp.lan.51318 > hiwifi.lan.domain: 20430+ A? www.itshouce.com.cn. (37)
-j TIMESTAMP_TYPE: change the timestamp format of the output; this does not seem to be supported on CentOS 6.5.
-J: list the timestamp types tcpdump supports.
-l: line-buffer stdout. Useful when you want to watch the output on screen and write it to a file at the same time:
# tcpdump -l
tee shows the output on screen and also writes it to dump.log:
# tcpdump -l | tee dump.log
# tcpdump -l > dump.log & tail -f dump.log
-q: quiet output, print as little as possible:
# tcpdump -q
-S: print absolute TCP sequence numbers instead of relative ones:
# tcpdump -S
21:33:06.569478 IP *dembp.lan.54864 > ***: Flags [P.], seq 3980049501:3980049596, ack 3916671858, win 4091, options [nop,nop,TS val 1201572125 ecr 1490447193], length 95
The default snapshot length is 65535 bytes:
# tcpdump
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
Setting it to 256 reduces the size of the capture file:
# tcpdump -s 256
listening on pktap, link-type PKTAP (Packet Tap), capture size 256 bytes
-t: do not print timestamps.
-tt: print raw timestamps as seconds and microseconds since 1970-01-01.
-v: verbose output, e.g. the TTL.
-vv: even more verbose output, e.g. window size and checksum.

Filter expressions
------------------
All of the tests below use -i any, capturing on every interface, purely for convenience.
Capture ARP packets involving host 192.168.199.*; to generate some, run ifconfig in another session. arp can be replaced by tcp, udp, etc.:
# tcpdump -i any -n arp host 192.168.199
22:39:58.991043 ARP, Request who-has 192.168.199.125 tell 192.168.199.1, length 28
22:39:58.991059 ARP, Reply 192.168.199.125 is-at a4:5e:60:dc:d0:d9, length 28
Capture packets to destination port 80, then run curl www.baidu.com:
# tcpdump -i any -n dst port 80
22:53:06.041382 IP 192.168.199.125.63161 > 119.75.219.45.80: Flags [F.], seq 0, ack 1, win 65535, length 0
Packets with source port 80:
# tcpdump -i any -n src port 80
22:57:48.343422 IP 112.80.248.73.80 > 192.168.199.125.63275: Flags [.], seq 38478:39918, ack 78, win 193, length 1440
Packets with source or destination port 80:
# tcpdump -i any -n port 80
22:58:51.165333 IP 112.80.248.74.80 > 192.168.199.125.63298: Flags [F.], seq 100439, ack 79, win 193, length 0
22:58:51.165349 IP 192.168.199.125.63298 > 112.80.248.74.80: Flags [R], seq 703147494, win 0, length 0
Packets with destination port between 1 and 80; in another session run curl www.baidu.com and telnet 192.168.21.1:
# tcpdump -i any -n dst portrange 1-80
23:00:13.550006 IP 192.168.199.125.63310 > *.*.248.73.80: Flags [.], ack 71649, win 8012, length 0
23:01:27.363723 IP 192.168.199.125.63327 > 192.168.21.1.23: Flags [S], seq 621213649, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1240986522 ecr 0,sackOK,eol], length 0
Packets with source port 20-80:
# tcpdump -i any -n src portrange 20-80
Packets with source or destination port 20-80:
# tcpdump -i any -n portrange 20-80
Packets whose destination is www.baidu.com; then ping www.baidu.com and open it in a browser:
# tcpdump -i any dst www.baidu.com
22:22:17.445872 IP *0355dembp.lan > 112.80.248.73: ICMP echo request, id 26478, seq 0, length 64
22:22:50.108236 IP *0355dembp.lan.62371 > 112.80.248.74.https: Flags [S], seq 2884215363, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1238683151 ecr 0,sackOK,eol], length 0
Packets whose destination is 192.168.1.2:
# tcpdump -i any dst 192.168.1.2
22:26:46.808706 IP zj-db0355dembp.lan > 192.168.1.2: ICMP echo request, id 31854, seq 0, length 64
Packets whose destination is 192.168.1.[0-255]; a partial address specifies a range:
# tcpdump -i any dst 192.168.1
ifconfig shows that the local IP is 192.168.199.125.
Packets with source 192.168.*.*; -n shows IP addresses only, not host names:
# tcpdump -i any -n src 192.168
22:30:50.490355 IP 192.168.199.125.61086 > *.*.*.*.341: Flags [.], ack 56, win 8185, options [nop,nop,TS val 1239157627 ecr 1580310986], length 0
Packets with source or destination in 192.168:
# tcpdump -i any -n host 192.168
22:38:07.580567 IP *.*.*.*.34186 > 192.168.199.125.61086: Flags [P.], seq 787907565:787907668, ack 871423065, win 126, options [nop,nop,TS val 1580748123 ecr 1239593243], length 103
22:38:08.453788 IP 192.168.199.125.61086 > *.*.*.*.34186: Flags [P.], seq 9481:10147, ack 5769, win 8179, options [nop,nop,TS val 1239594178 ecr 1580748994], length 666
Packets shorter than 800 bytes:
# tcpdump -i any -n less 800
21:09:17.687673 IP 192.168.199.1.50150 > *.*.*.*.1900: UDP, length 385
Packets longer than 800 bytes:
# tcpdump -i any -n greater 800
21:13:21.801351 IP 192.168.199.125.64826 > *.*.*.*.80: Flags [P.], seq 2155:3267, ack 44930, win 8192, length 1112
TCP packets only:
# tcpdump -i any -n tcp
21:21:18.777815 IP 192.168.199.125.50249 > *.*.*.*.443: Flags [.], ack 75, win 4093, options [nop,nop,TS val 1269008649 ecr 44997038], length 0
UDP packets only:
# tcpdump -i any -n udp
21:22:48.434449 IP 192.168.199.1.50150 > *.*.*.*.1900: UDP, length 385
ICMP (Internet Control Message Protocol) packets only:
# tcpdump -i any -n icmp
21:25:42.550374 IP 192.168.199.1 > 192.168.199.125: ICMP *.*.*.* unreachable - need to frag (mtu 1480), length 556
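The capture output above is read by eye. As an added example, not part of the original notes, the Python below parses lines in the tcpdump -n format shown throughout this page (host names resolved with -n off would not match the IPv4 pattern), then counts bare SYNs per source address, the same packets the 'tcp[tcpflags] = tcp-syn' filter and the 'time tcpdump -c 10000' trick count, and sums payload bytes per flow. The sample lines are constructed for the example; their addresses, ports and timestamps are not from a real capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump -n output in the format shown in these notes.
# The addresses, ports and timestamps are made up for the example.
SAMPLE_OUTPUT = """\
22:53:06.041382 IP 192.168.199.125.63161 > 119.75.219.45.80: Flags [S], seq 1, win 65535, length 0
22:53:06.041500 IP 192.168.199.125.63162 > 119.75.219.45.80: Flags [S], seq 2, win 65535, length 0
22:53:06.042000 IP 119.75.219.45.80 > 192.168.199.125.63161: Flags [S.], seq 100, ack 2, win 193, length 0
22:53:06.100000 IP 10.0.0.7.40000 > 119.75.219.45.80: Flags [S], seq 3, win 65535, length 0
22:57:48.343422 IP 112.80.248.73.80 > 192.168.199.125.63275: Flags [.], seq 38478:39918, ack 78, win 193, length 1440
21:09:17.687673 IP 192.168.199.1.50150 > 239.255.255.250.1900: UDP, length 385
21:25:42.550374 IP 192.168.199.1 > 192.168.199.125: ICMP 10.0.0.9 unreachable - need to frag (mtu 1480), length 556
22:39:58.991043 ARP, Request who-has 192.168.199.125 tell 192.168.199.1, length 28
"""

# Only TCP ("Flags [...]") and UDP lines carry ports. ICMP and ARP lines are
# deliberately left unmatched so an address is never split into host + port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>(?:Flags|UDP).*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
LENGTH_RE = re.compile(r"length (\d+)")


def parse_line(line: str):
    """Parse one TCP/UDP line into a dict; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    flags = FLAGS_RE.search(rest)
    length = LENGTH_RE.search(rest)
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": "tcp" if flags else "udp",
        "flags": flags.group(1) if flags else "",
        # "length" in tcpdump -n output is the payload length
        "length": int(length.group(1)) if length else 0,
    }


def parse_output(text: str) -> list:
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def syn_only_by_source(records) -> Counter:
    """Bare SYNs (Flags [S], no ACK) per source address: the same packets the
    filter tcp[tcpflags] = tcp-syn selects. One source sending far more of
    them than it completes handshakes for is the usual sign of a scan."""
    return Counter(r["src"] for r in records if r["flags"] == "S")


def bytes_by_flow(records) -> dict:
    """Sum of payload bytes per (src, sport, dst, dport)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["sport"], r["dst"], r["dport"])] += r["length"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    print(f"{len(recs)} TCP/UDP lines parsed")
    for src, n in syn_only_by_source(recs).most_common():
        print(f"{src:<16} {n} SYN")
    for flow, total in bytes_by_flow(recs).items():
        print(flow, total, "bytes")
```

Feed it a real capture with tcpdump -n -l ... | python3 script.py on stdin, or a file saved with > dump.log as shown above; lines the pattern does not recognise (ICMP, ARP, the final "packets captured" summary) are simply skipped.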
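The 'tcpdump -w - dst port 3306 | strings' commands above work because MySQL and the other services named speak plaintext, and they only show the whole query when the snapshot length (-s) is large enough to include it. As an added example that is not part of the original page, this Python emulates what strings(1) extracts from one captured frame and what -s keeps of it. The 54 zero bytes standing in for the Ethernet, IPv4 and TCP headers and the MySQL-style query packet are constructed for the demonstration.

```python
import string

# Bytes strings(1) treats as printable by default: printable ASCII minus the
# control whitespace characters (tab, newline, etc.).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable bytes, as strings(1) prints them."""
    runs, current = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def snap(frame: bytes, snaplen: int) -> bytes:
    """What tcpdump -s SNAPLEN keeps of one frame; -s 0 keeps all of it."""
    return frame if snaplen == 0 else frame[:snaplen]


# Constructed frame: 54 zero bytes stand in for the Ethernet (14), IPv4 (20)
# and TCP (20) headers, whose contents do not matter to strings, followed by a
# MySQL-style client packet: 3-byte little-endian length, sequence id,
# COM_QUERY (0x03) and the query text.
QUERY = b"SELECT password FROM users WHERE id=1"
HEADERS = b"\x00" * 54
MYSQL_PACKET = (len(QUERY) + 1).to_bytes(3, "little") + b"\x00" + b"\x03" + QUERY
FRAME = HEADERS + MYSQL_PACKET


def leaked_text(snaplen: int) -> list:
    """Readable text a capture with the given snapshot length would expose."""
    return extract_strings(snap(FRAME, snaplen))


if __name__ == "__main__":
    for snaplen in (68, 256, 0):
        print(f"-s {snaplen:<3}:", leaked_text(snaplen))
```

With the old 68-byte default only the first nine characters of the query survive, while -s 256 or -s 0 exposes the whole statement, which is the point of the -s 0 advice earlier on this page and also the reason a capture of a plaintext database protocol must be handled as sensitive data.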