Table of Contents
- .PCAP files
- Tcpdump packet filtering
- Filtering and advanced syntax options
- Useful TCPDump filters
- Host filter
- Source/destination filters
- Using source and port as filters
- Combining destination with the net filter
- Protocol filter - common name
- Protocol filter - number
- Port filter
- Port range filter
- Less/greater filters
- Utilizing greater
- AND filter
- Basic capture with no filter
- OR filter
- NOT filter
- Pre-capture filters vs. post-capture processing
- Interpretation tips and tricks
- Tips and tricks
- Piping a capture to grep
- Looking for TCP protocol flags
- Looking for the SYN flag
- Protocol RFC links
.PCAP files
A .PCAP file (short for Packet Capture file) is a capture of network packets that stores the raw data of network traffic. It records the details of every packet that crossed the network, such as source address, destination address, protocol type and port numbers. These files are commonly used for network troubleshooting, performance analysis and security monitoring.
You can use tools such as Wireshark or tcpdump to capture and inspect these packets, which helps in diagnosing network problems or performing security analysis.
Tcpdump packet filtering
Tcpdump provides a powerful and efficient way to dissect the data we capture through packet filters. This section introduces those filters and briefly shows how they change the output of our captures.
Filtering and advanced syntax options
Using the more advanced filtering options listed below, we can reduce the traffic that is printed or sent to a file. By reducing the amount of information captured and written to disk, we reduce the space the file needs and help the buffer process data faster. Filters are very convenient when paired with the standard tcpdump syntax options. We can capture any range of packets we need, or be very precise and capture only packets from a specific host, even only those with a specific bit turned on in the TCP header. It is highly recommended to explore the more advanced filters and try different combinations.
These filters and advanced operators are not an exhaustive list. They were chosen because they are the most commonly used and will help us get started quickly. Once applied, these filters examine every packet captured and look in the protocol headers for the specified value to match.
Useful TCPDump filters
Using these filters, we can filter network traffic on most of its attributes to make analysis easier. Let's look at some examples of these filters and what they look like in use. When we use the host filter, whatever IP we enter is checked in both the source and destination IP fields. This can be seen in the output below.
Host filter
[!bash!]$ ### Syntax: host [IP]
[!bash!]$ sudo tcpdump -i eth0 host 172.16.146.2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:50:53.072536 IP 172.16.146.2.48738 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [P.], seq 3400465007:3400465044, ack 254421756, win 501, options [nop,nop,TS val 220968655 ecr 80852594], length 37
14:50:53.108740 IP 172.16.146.2.55606 > 172.67.1.1.https: Flags [P.], seq 4227143181:4227143273, ack 1980233980, win 21975, length 92
14:50:53.173084 IP 172.67.1.1.https > 172.16.146.2.55606: Flags [.], ack 92, win 69, length 0
14:50:53.175017 IP 172.16.146.2.35744 > 172.16.146.1.domain: 55991+ PTR? 148.199.31.52.in-addr.arpa. (44)
14:50:53.175714 IP 172.16.146.1.domain > 172.16.146.2.35744: 55991 1/0/0 PTR ec2-52-31-199-148.eu-west-1.compute.amazonaws.com. (107)
This filter is commonly used when we only want to examine a specific host or server. With it we can identify who this host or server talks to and how. Depending on our network configuration, we can tell whether this connection is legitimate. If the communication looks unusual, we can use other filters and options to look at the content in more detail. Beyond a single host, we can also define source and destination hosts. We can also define whole networks and their ports.
Source/destination filters
[!bash!]$ ### Syntax: src/dst [host|net|port] [IP|Network Range|Port]
[!bash!]$ sudo tcpdump -i eth0 src host 172.16.146.2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:53:36.199628 IP 172.16.146.2.48766 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [P.], seq 1428378231:1428378268, ack 3778572066, win 501, options [nop,nop,TS val 221131782 ecr 80889856], length 37
14:53:36.203166 IP 172.16.146.2.55606 > 172.67.1.1.https: Flags [P.], seq 4227144035:4227144103, ack 1980235221, win 21975, length 68
14:53:36.267059 IP 172.16.146.2.36424 > 172.16.146.1.domain: 40873+ PTR? 148.199.31.52.in-addr.arpa. (44)
14:53:36.267880 IP 172.16.146.2.51151 > 172.16.146.1.domain: 10032+ PTR? 2.146.16.172.in-addr.arpa. (43)
14:53:36.276425 IP 172.16.146.2.46588 > 172.16.146.1.domain: 28357+ PTR? 1.1.67.172.in-addr.arpa. (41)
14:53:36.337722 IP 172.16.146.2.48766 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [.], ack 34, win 501, options [nop,nop,TS val 221131920 ecr 80899875], length 0
14:53:36.338841 IP 172.16.146.2.48766 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [.], ack 65, win 501, options [nop,nop,TS val 221131921 ecr 80899875], length 0
14:53:36.339273 IP 172.16.146.2.48766 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [P.], seq 37:68, ack 66, win 501, options [nop,nop,TS val 221131922 ecr 80899875], length 31
14:53:36.339334 IP 172.16.146.2.48766 > ec2-52-31-199-148.eu-west-1.compute.amazonaws.com.https: Flags [F.], seq 68, ack 66, win 501, options [nop,nop,TS val 221131922 ecr 80899875], length 0
14:53:36.370791 IP 172.16.146.2.32972 > 172.16.146.1.domain: 3856+ PTR? 1.146.16.172.in-addr.arpa. (43)
Source and destination allow us to work with the direction of communication. For example, in the last output we specified the source host as 172.16.146.2 and only intercepted packets sent from that host. The same can be done with ports and network ranges. An example using a source port number is shown below:
Using source and port as filters
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 tcp src port 80
06:17:08.222534 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [S.], seq 290218379, ack 951057940, win 5840, options [mss 1380,nop,nop,sackOK], length 0
06:17:08.783340 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], ack 480, win 6432, length 0
06:17:08.993643 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 1:1381, ack 480, win 6432, length 1380: HTTP: HTTP/1.1 200 OK
06:17:09.123830 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 1381:2761, ack 480, win 6432, length 1380: HTTP
06:17:09.754737 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 2761:4141, ack 480, win 6432, length 1380: HTTP
06:17:09.864896 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [P.], seq 4141:5521, ack 480, win 6432, length 1380: HTTP
06:17:09.945011 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 5521:6901, ack 480, win 6432, length 1380: HTTP
Notice how we now only see one side of the conversation? That is because we filtered on source port 80 (HTTP). Used in this way, net will grab anything that matches the network written in / (CIDR) notation. In this example, we are looking for anything destined for the 172.16.146.0/24 network.
Combining destination with the net filter
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 dst net 172.16.146.0/24
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:33:14.376003 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], ack 1486880537, win 316, options [nop,nop,TS val 2311579424 ecr 263866084], length 0
16:33:14.442123 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [P.], seq 0:385, ack 1, win 316, options [nop,nop,TS val 2311579493 ecr 263866084], length 385
16:33:14.442188 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [P.], seq 385:1803, ack 1, win 316, options [nop,nop,TS val 2311579493 ecr 263866084], length 1418
16:33:14.442223 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 1803:4639, ack 1, win 316, options [nop,nop,TS val 2311579494 ecr 263866084], length 2836
16:33:14.443161 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [P.], seq 4639:5817, ack 1, win 316, options [nop,nop,TS val 2311579495 ecr 263866084], length 1178
16:33:14.443199 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 5817:8653, ack 1, win 316, options [nop,nop,TS val 2311579495 ecr 263866084], length 2836
16:33:14.444407 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 8653:10071, ack 1, win 316, options [nop,nop,TS val 2311579497 ecr 263866084], length 1418
16:33:14.445479 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 10071:11489, ack 1, win 316, options [nop,nop,TS val 2311579497 ecr 263866084], length 1418
16:33:14.445531 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 11489:12907, ack 1, win 316, options [nop,nop,TS val 2311579498 ecr 263866084], length 1418
16:33:14.446955 IP 64.233.177.103.443 > 172.16.146.2.36050: Flags [.], seq 12907:14325, ack 1, win 316, options [nop,nop,TS val 2311579498 ecr 263866084], length 1418
This filter can use the common protocol name or the protocol number of any IP, IPv6 or Ethernet protocol. Common examples are tcp [6], udp [17] or icmp [1]. In the output below, we use both the common name (top) and the protocol number (bottom). We can see the output is the same. In most cases they are interchangeable, but using proto becomes more useful when you start dissecting specific parts of the IP or other protocol headers. This will be clearer later in this section when we look for TCP flags. We can refer to this resource for a helpful list covering protocol numbers.
Protocol filter - common name
Jackson310@htb[/htb]$ ### Syntax: [tcp/udp/icmp]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 udp
06:17:09.864896 IP dialin-145-254-160-237.pools.arcor-ip.net.3009 > 145.253.2.203.domain: 35+ A? pagead2.googlesyndication.com. (47)
06:17:10.225414 IP 145.253.2.203.domain > dialin-145-254-160-237.pools.arcor-ip.net.3009: 35 4/0/0 CNAME pagead2.google.com., CNAME pagead.google.akadns.net., A 216.239.59.104, A 216.239.59.99 (146)
Protocol filter - number
Jackson310@htb[/htb]$ ### Syntax: proto [protocol number]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 proto 17
06:17:09.864896 IP dialin-145-254-160-237.pools.arcor-ip.net.3009 > 145.253.2.203.domain: 35+ A? pagead2.googlesyndication.com. (47)
06:17:10.225414 IP 145.253.2.203.domain > dialin-145-254-160-237.pools.arcor-ip.net.3009: 35 4/0/0 CNAME pagead2.google.com., CNAME pagead.google.akadns.net., A 216.239.59.104, A 216.239.59.99 (146)
When using port filters, we should keep in mind what we are looking for and how that protocol works. Some standard protocols, such as HTTP or HTTPS, use only ports 80 and 443 and use TCP as the transport protocol. With that in mind, we can think of the port as the simple way a connection is established, and of protocols like TCP and UDP as the simple way to determine whether they use the established method. A port can be used for anything, so filtering on port 80 shows all traffic on that port number. If, however, we want to capture all HTTP traffic, using tcp port 80 ensures we only see HTTP traffic.
For protocols that use both TCP and UDP for different functions, such as DNS, we can filter on either tcp port 53 or udp port 53, or simply on port 53. That way we see any traffic using that port regardless of which transport protocol it uses.
Port filter
Jackson310@htb[/htb]$ ### Syntax: port [port number]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 tcp port 443
06:17:07.311224 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [S], seq 951057939, win 8760, options [mss 1460,nop,nop,sackOK], length 0
06:17:08.222534 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [S.], seq 290218379, ack 951057940, win 5840, options [mss 1380,nop,nop,sackOK], length 0
06:17:08.222534 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 1, win 9660, length 0
06:17:08.222534 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [P.], seq 1:480, ack 1, win 9660, length 479: HTTP: GET /download.html HTTP/1.1
06:17:08.783340 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], ack 480, win 6432, length 0
06:17:08.993643 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 1:1381, ack 480, win 6432, length 1380: HTTP: HTTP/1.1 200 OK
06:17:09.123830 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 1381, win 9660, length 0
06:17:09.123830 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 1381:2761, ack 480, win 6432, length 1380: HTTP
06:17:09.324118 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 2761, win 9660, length 0
06:17:09.754737 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 2761:4141, ack 480, win 6432, length 1380: HTTP
06:17:09.864896 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [P.], seq 4141:5521, ack 480, win 6432, length 1380: HTTP
06:17:09.864896 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 5521, win 9660, length 0
06:17:09.945011 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 5521:6901, ack 480, win 6432, length 1380: HTTP
06:17:10.125270 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 6901, win 9660, length 0
06:17:10.205385 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], seq 6901:8281, ack 480, win 6432, length 1380: HTTP
06:17:10.295515 IP dialin-145-254-160-237.pools.arcor-ip.net.3371 > 216.239.59.99.http: Flags [P.], seq 918691368:918692089, ack 778785668, win 8760, length 721: HTTP: GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1
Besides single ports, we can also define a specific range of ports for TCPdump to listen on. Listening on a range of ports is especially useful when we notice network traffic from ports that do not match the services running on the server. For example, if we run a web server with TCP ports 80 and 443 in a particular network segment and suddenly see traffic leaving from TCP port 10000 or other ports, that is highly suspicious.
The port range filter shown below lets us see everything within a range of ports. In the example, we see some DNS traffic along with some HTTP web requests.
Port range filter
Jackson310@htb[/htb]$ ### Syntax: portrange [portrange 0-65535]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 portrange 0-1024
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:10:35.092477 IP 172.16.146.1.domain > 172.16.146.2.32824: 47775 1/0/0 CNAME autopush.prod.mozaws.net. (81)
13:10:35.093217 IP 172.16.146.2.48078 > 172.16.146.1.domain: 30234+ A? ocsp.pki.goog. (31)
13:10:35.093334 IP 172.16.146.2.48078 > 172.16.146.1.domain: 32024+ AAAA? ocsp.pki.goog. (31)
13:10:35.136255 IP 172.16.146.1.domain > 172.16.146.2.48078: 32024 2/0/0 CNAME pki-goog.l.google.com., AAAA 2607:f8b0:4002:c09::5e (94)
13:10:35.137348 IP 172.16.146.1.domain > 172.16.146.2.48078: 30234 2/0/0 CNAME pki-goog.l.google.com., A 172.217.164.67 (82)
13:10:35.137989 IP 172.16.146.2.55074 > atl26s18-in-f3.1e100.net.http: Flags [S], seq 1146136517, win 64240, options [mss 1460,sackOK,TS val 1337520268 ecr 0,nop,wscale 7], length 0
13:10:35.174443 IP atl26s18-in-f3.1e100.net.http > 172.16.146.2.55074: Flags [S.], seq 345110814, ack 1146136518, win 65535, options [mss 1430,sackOK,TS val 1000152427 ecr 1337520268,nop,wscale 8], length 0
13:10:35.174481 IP 172.16.146.2.55074 > atl26s18-in-f3.1e100.net.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1337520304 ecr 1000152427], length 0
13:10:35.174716 IP 172.16.146.2.55074 > atl26s18-in-f3.1e100.net.http: Flags [P.], seq 1:379, ack 1, win 502, options [nop,nop,TS val 1337520305 ecr 1000152427], length 378: HTTP: POST /gts1o1core HTTP/1.1
13:10:35.208007 IP atl26s18-in-f3.1e100.net.http > 172.16.146.2.55074: Flags [.], ack 379, win 261, options [nop,nop,TS val 1000152462 ecr 1337520305], length 0
Next, we look for packets smaller than 64 bytes. From the output below we can see that, for this capture, these consist mainly of SYN, FIN or keepalive packets. "less" and "greater" can be useful modifiers. For example, suppose we want to capture traffic containing a file transfer or a set of files. We know those files will be larger than regular traffic. For demonstration, we could use "greater 500" (or ">500"), which shows only packets larger than 500 bytes. This removes from view all the extra packets we already know we don't care about.
Less/greater filters
Jackson310@htb[/htb]$ ### Syntax: less/greater [size in bytes]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 less 64
06:17:07.311224 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [S], seq 951057939, win 8760, options [mss 1460,nop,nop,sackOK], length 0
06:17:08.222534 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [S.], seq 290218379, ack 951057940, win 5840, options [mss 1380,nop,nop,sackOK], length 0
06:17:08.222534 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 1, win 9660, length 0
06:17:08.783340 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], ack 480, win 6432, length 0
06:17:09.123830 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 1381, win 9660, length 0
06:17:09.324118 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 2761, win 9660, length 0
06:17:09.864896 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 5521, win 9660, length 0
06:17:10.125270 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 6901, win 9660, length 0
06:17:10.325558 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 8281, win 9660, length 0
06:17:10.806249 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 11041, win 9660, length 0
06:17:10.956465 IP 216.239.59.99.http > dialin-145-254-160-237.pools.arcor-ip.net.3371: Flags [.], ack 918692089, win 31460, length 0
06:17:11.126710 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 12421, win 9660, length 0
06:17:11.266912 IP dialin-145-254-160-237.pools.arcor-ip.net.3371 > 216.239.59.99.http: Flags [.], ack 1590, win 8760, length 0
06:17:11.527286 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 13801, win 9660, length 0
06:17:11.667488 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 16561, win 9660, length 0
06:17:11.807689 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 17941, win 9660, length 0
06:17:12.088092 IP dialin-145-254-160-237.pools.arcor-ip.net.3371 > 216.239.59.99.http: Flags [.], ack 1590, win 8760, length 0
06:17:12.328438 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 18365, win 9236, length 0
06:17:25.216971 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [F.], seq 18365, ack 480, win 6432, length 0
06:17:25.216971 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [.], ack 18366, win 9236, length 0
06:17:37.374452 IP dialin-145-254-160-237.pools.arcor-ip.net.3372 > 65.208.228.223.http: Flags [F.], seq 480, ack 18366, win 9236, length 0
06:17:37.704928 IP 65.208.228.223.http > dialin-145-254-160-237.pools.arcor-ip.net.3372: Flags [.], ack 481, win 6432, length 0
Above is a good example of using less. We can use the modifier greater 500 to show only packets of size 500 or above. It returned a single ASCII response. Can we tell what is happening here?
Utilizing greater
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 greater 500
21:12:43.548353 IP 192.168.0.1.telnet > 192.168.0.2.1550: Flags [P.], seq 401695766:401696254, ack 2579866052, win 17376, options [nop,nop,TS val 2467382 ecr 10234152], length 488
E...;...@.................d.......C........
.%.6..)(Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999Welcome to OpenBSD: The proactively secure Unix-like operating system.Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
Using AND as a modifier shows us anything that meets both requirements. For example, host 10.12.1.122 and tcp port 80 will look for traffic from that host that also carries TCP port 80. Both conditions must be satisfied for a packet to be captured. We can see this in action below. Here we use host 192.168.0.1 and port 23 as the filter, so we only see traffic that involves this specific host and also uses port 23.
AND filter
Jackson310@htb[/htb]$ ### Syntax: and [requirement]
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 host 192.168.0.1 and port 23
21:12:38.387203 IP 192.168.0.2.1550 > 192.168.0.1.telnet: Flags [S], seq 2579865836, win 32120, options [mss 1460,sackOK,TS val 10233636 ecr 0,nop,wscale 0], length 0
21:12:38.389728 IP 192.168.0.1.telnet > 192.168.0.2.1550: Flags [S.], seq 401695549, ack 2579865837, win 17376, options [mss 1448,nop,wscale 0,nop,nop,TS val 2467372 ecr 10233636], length 0
21:12:38.389775 IP 192.168.0.2.1550 > 192.168.0.1.telnet: Flags [.], ack 1, win 32120, options [nop,nop,TS val 10233636 ecr 2467372], length 0
21:12:38.391363 IP 192.168.0.2.1550 > 192.168.0.1.telnet: Flags [P.], seq 1:28, ack 1, win 32120, options [nop,nop,TS val 10233636 ecr 2467372], length 27 [telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS, WILL XDISPLOC]
21:12:38.537538 IP 192.168.0.1.telnet > 192.168.0.2.1550: Flags [P.], seq 1:4, ack 28, win 17349, options [nop,nop,TS val 2467372 ecr 10233636], length 3 [telnet DO AUTHENTICATION]
The other modifiers, OR and NOT, give us a way to specify multiple conditions or to negate some. Now let's practice a bit. What do we notice in this output?
Basic capture with no filter
Jackson310@htb[/htb]$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:51.224071 IP 172.16.146.2 > dns.google: ICMP echo request, id 19623, seq 72, length 64
14:39:51.251635 IP dns.google > 172.16.146.2: ICMP echo reply, id 19623, seq 72, length 64
14:39:51.329340 IP 172.16.146.2.39003 > 172.16.146.1.domain: 8231+ PTR? 8.8.8.8.in-addr.arpa. (38)
14:39:51.330334 IP 172.16.146.1.domain > 172.16.146.2.39003: 8231 1/0/0 PTR dns.google. (62)
14:39:51.330613 IP 172.16.146.2.50633 > 172.16.146.1.domain: 65266+ PTR? 2.146.16.172.in-addr.arpa. (43)
14:39:51.331461 IP 172.16.146.1.domain > 172.16.146.2.50633: 65266 NXDomain* 0/0/0 (43)
14:39:51.399970 IP 172.16.146.2.54742 > 72.21.91.29.http: Flags [.], ack 358742210, win 501, options [nop,nop,TS val 1924174236 ecr 1068405332], length 0
14:39:51.420559 IP 72.21.91.29.http > 172.16.146.2.54742: Flags [.], ack 1, win 131, options [nop,nop,TS val 1068415563 ecr 1924143536], length 0
14:39:51.432107 IP 172.16.146.2.41928 > 172.16.146.1.domain: 7232+ PTR? 1.146.16.172.in-addr.arpa. (43)
14:39:51.432795 IP 172.16.146.1.domain > 172.16.146.2.41928: 7232 NXDomain* 0/0/0 (43)
14:39:51.433048 IP 172.16.146.2.47075 > 172.16.146.1.domain: 18932+ PTR? 29.91.21.72.in-addr.arpa. (42)
14:39:51.434374 IP 172.16.146.1.domain > 172.16.146.2.47075: 18932 NXDomain 0/1/0 (113)
14:39:52.225941 IP 172.16.146.2 > dns.google: ICMP echo request, id 19623, seq 73, length 64
14:39:52.252523 IP dns.google > 172.16.146.2: ICMP echo reply, id 19623, seq 73, length 64
14:39:52.683881 IP 172.16.146.2.47004 > 151.139.128.14.http: Flags [.], ack 2006616877, win 501, options [nop,nop,TS val 1585722998 ecr 2103316650], length 0
14:39:52.712283 IP 151.139.128.14.http > 172.16.146.2.47004: Flags [.], ack 1, win 507, options [nop,nop,TS val 2103326900 ecr 1585692473], length 0
We have a mix of different sources and destinations and several protocol types. Using the OR (or ||) modifier, we can, for example, ask for traffic from a specific host or for ICMP traffic only. Let's run it again and add an OR.
OR filter
Jackson310@htb[/htb]$ ### Syntax: or/|| [requirement]
Jackson310@htb[/htb]$ sudo tcpdump -r sus.pcap icmp or host 172.16.146.1
reading from file sus.pcap, link-type EN10MB (Ethernet), snapshot length 262144
14:54:03.659163 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 21, length 64
14:54:03.691278 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 21, length 64
14:54:03.879882 ARP, Request who-has 172.16.146.1 tell 172.16.146.2, length 28
14:54:03.880266 ARP, Reply 172.16.146.1 is-at 8a:66:5a:11:8d:64 (oui Unknown), length 46
14:54:04.661179 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 22, length 64
14:54:04.687120 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 22, length 64
14:54:05.663097 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 23, length 64
14:54:05.686092 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 23, length 64
14:54:06.664174 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 24, length 64
14:54:06.697469 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 24, length 64
14:54:07.666273 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 25, length 64
14:54:07.701475 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 25, length 64
14:54:08.668364 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 26, length 64
14:54:08.694948 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 26, length 64
14:54:09.670523 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 27, length 64
14:54:09.694974 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 27, length 64
14:54:10.672858 IP 172.16.146.2 > dns.google: ICMP echo request, id 51661, seq 28, length 64
14:54:10.697834 IP dns.google > 172.16.146.2: ICMP echo reply, id 51661, seq 28, length 64
Now our traffic looks a bit different. That is because many packets matched the ICMP condition while some matched the host condition. So in this output we see some ARP traffic as well as the ICMP traffic. The filter worked because 172.16.146.1, the host named in the filter, matched the other condition by appearing as the host in the source or destination field. Now, what happens if we use the NOT (or !) modifier?
NOT filter
Jackson310@htb[/htb]$ ### Syntax: not/! [requirement]
Jackson310@htb[/htb]$ sudo tcpdump -r sus.pcap not icmp
14:54:03.879882 ARP, Request who-has 172.16.146.1 tell 172.16.146.2, length 28
14:54:03.880266 ARP, Reply 172.16.146.1 is-at 8a:66:5a:11:8d:64 (oui Unknown), length 46
14:54:16.541657 IP 172.16.146.2.55592 > ec2-52-211-164-46.eu-west-1.compute.amazonaws.com.https: Flags [P.], seq 3569937476:3569937513, ack 2948818703, win 501, options [nop,nop,TS val 713252991 ecr 12282469], length 37
14:54:16.568659 IP 172.16.146.2.53329 > 172.16.146.1.domain: 24866+ A? app.hackthebox.eu. (35)
14:54:16.616032 IP 172.16.146.1.domain > 172.16.146.2.53329: 24866 3/0/0 A 172.67.1.1, A 104.20.66.68, A 104.20.55.68 (83)
14:54:16.616396 IP 172.16.146.2.56204 > 172.67.1.1.https: Flags [S], seq 2697802378, win 64240, options [mss 1460,sackOK,TS val 533261003 ecr 0,nop,wscale 7], length 0
14:54:16.637895 IP 172.67.1.1.https > 172.16.146.2.56204: Flags [S.], seq 752000032, ack 2697802379, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
14:54:16.637937 IP 172.16.146.2.56204 > 172.67.1.1.https: Flags [.], ack 1, win 502, length 0
14:54:16.644551 IP 172.16.146.2.56204 > 172.67.1.1.https: Flags [P.], seq 1:514, ack 1, win 502, length 513
14:54:16.667236 IP 172.67.1.1.https > 172.16.146.2.56204: Flags [.], ack 514, win 66, length 0
14:54:16.668307 IP 172.67.1.1.https > 172.16.146.2.56204: Flags [P.], seq 1:2766, ack 514, win 66, length 2765
14:54:16.668319 IP 172.16.146.2.56204 > 172.67.1.1.https: Flags [.], ack 2766, win 496, length 0
14:54:16.670536 IP ec2-52-211-164-46.eu-west-1.compute.amazonaws.com.https > 172.16.146.2.55592: Flags [P.], seq 1:34, ack 37, win 114, options [nop,nop,TS val 12294021 ecr 713252991], length 33
14:54:16.670559 IP 172.16.146.2.55592 > ec2-52-211-164-46.eu-west-1.compute.amazonaws.com.https: Flags [.], ack 34, win 501, options [nop,nop,TS val 713253120 ecr 12294021], length 0
Now it looks very different. We see only some ARP traffic and then some HTTPS traffic we had not seen before. That is because we used not icmp to keep the ICMP traffic from being shown.
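To make explicit which header fields the filters above (host, src/dst, net, port, portrange, less/greater, proto, and the and/or/not modifiers) actually test, here is an added example in Python. It is not code from the original post or from tcpdump: it parses a constructed Ethernet/IPv4 frame carrying TCP or UDP and evaluates each filter as a predicate over the decoded fields, following the semantics of pcap-filter(7). The frames are constructed sample data modelled on the captures above; the peer 10.0.0.5:10000 is an invented "unexpected port" host standing in for the suspicious traffic the text describes.

```python
"""Re-implementation of the tcpdump filter primitives discussed above.

Added example, not code from the original post or from tcpdump. Frames,
addresses and ports below are constructed sample data, not a real capture.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17  # IANA numbers, as used by `proto 17`


def parse_frame(frame):
    """Decode only the fields the filters look at: addresses, protocol, ports, length."""
    pkt = {"length": len(frame), "proto": None, "src": None, "dst": None,
           "sport": None, "dport": None}
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return pkt                                  # e.g. ARP: no IP fields to match on
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                        # IHL is counted in 32-bit words
    pkt["proto"] = ip[9]
    pkt["src"] = ipaddress.IPv4Address(ip[12:16])
    pkt["dst"] = ipaddress.IPv4Address(ip[16:20])
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP):
        # TCP and UDP both carry source and destination port in their first four bytes.
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


# Each primitive returns a predicate over a parsed packet, mirroring pcap-filter syntax.
def host(addr):
    a = ipaddress.IPv4Address(addr)
    return lambda p: a in (p["src"], p["dst"])     # either direction, like `host`
def src_host(addr):
    a = ipaddress.IPv4Address(addr)
    return lambda p: p["src"] == a
def dst_net(cidr):
    n = ipaddress.IPv4Network(cidr)
    return lambda p: p["dst"] is not None and p["dst"] in n
def proto(num):
    return lambda p: p["proto"] == num
def port(n):
    return lambda p: n in (p["sport"], p["dport"])
def portrange(lo, hi):
    return lambda p: any(x is not None and lo <= x <= hi for x in (p["sport"], p["dport"]))
def less(n):       # pcap-filter(7): `less N` is len <= N and `greater N` is len >= N
    return lambda p: p["length"] <= n
def greater(n):
    return lambda p: p["length"] >= n
def and_(*fs):
    return lambda p: all(f(p) for f in fs)
def or_(*fs):
    return lambda p: any(f(p) for f in fs)
def not_(f):
    return lambda p: not f(p)


def build_frame(src, dst, l4proto, sport, dport, payload=b"", tcp_flags=0x02):
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if l4proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, l4proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


# Constructed frames modelled on the captures above; 10.0.0.5:10000 is an invented peer.
FRAMES = [
    build_frame("172.16.146.2", "172.16.146.1", PROTO_UDP, 48078, 53, b"\x00" * 31),          # DNS query, 73 B
    build_frame("172.16.146.2", "172.67.1.1", PROTO_TCP, 56244, 443),                          # HTTPS SYN, 54 B
    build_frame("64.233.177.103", "172.16.146.2", PROTO_TCP, 443, 36050, b"\x00" * 1418, 0x18),  # TLS data, 1472 B
    build_frame("172.16.146.2", "10.0.0.5", PROTO_TCP, 51000, 10000),                          # high ports, 54 B
]


def apply_filter(flt, frames=FRAMES):
    """Indexes of the frames the filter accepts, i.e. what tcpdump would print."""
    return [i for i, f in enumerate(frames) if flt(parse_frame(f))]


def demo():
    filters = {
        "host 172.16.146.2": host("172.16.146.2"),
        "src host 172.16.146.2": src_host("172.16.146.2"),
        "dst net 172.16.146.0/24": dst_net("172.16.146.0/24"),
        "udp": proto(PROTO_UDP),
        "tcp port 443": and_(proto(PROTO_TCP), port(443)),
        "portrange 0-1024": portrange(0, 1024),
        "less 64": less(64),
        "greater 500": greater(500),
        "host 172.16.146.2 and port 53": and_(host("172.16.146.2"), port(53)),
        "icmp or host 172.16.146.1": or_(proto(PROTO_ICMP), host("172.16.146.1")),
        "not tcp": not_(proto(PROTO_TCP)),
    }
    return {name: apply_filter(f) for name, f in filters.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:32} -> frames {hits}")
```

Two details worth noting from the run: `portrange 0-1024` drops only the frame whose ports are both above 1024, which is exactly the "unexpected port" case the port range section describes, and `less`/`greater` compare against the whole frame length with inclusive bounds, which is why `greater 500` is documented above as "500 or above".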
Pre-capture filters vs. post-capture processing
When using filters, we can apply them directly to the capture or apply them when reading a capture file. Applying them to the capture discards any traffic that does not match the filter. This reduces the amount of data in the capture and may throw away traffic we might need later, so use them this way only when looking for something specific (for example, troubleshooting a network connectivity issue). When we apply a filter while reading from a file, the filter parses the file and removes anything that does not match from the terminal output. Using filters this way helps our investigation while preserving potentially valuable data in the capture. It does not permanently change the capture file, and to change or clear the filter from the output we simply rerun the command with a different syntax.
Interpretation tips and tricks
Using the -S switch displays absolute sequence numbers, which can be very long. Normally tcpdump shows relative sequence numbers, which are easier to follow and read. However, if we are looking for these values in other tools or logs, we can only find the packets by their absolute sequence number. For example, 13245768092588 versus 100.
The -v, -X and -e switches help increase the amount of data captured, while the -c, -n, -s, -S and -q switches help reduce and modify the amount of data written and viewed.
The -A and -l switches are options that are useful to many but not to everyone. The -A switch shows only the ASCII text after the packet line instead of showing both ASCII and hex. The -l switch tells tcpdump to output packets in a different mode: it uses a line buffer instead of pooling output and pushing it in chunks. This lets us use the pipe | to send the output directly to other tools such as grep.
Tips and tricks
Jackson310@htb[/htb]$ sudo tcpdump -Ar telnet.pcap
21:12:43.528695 IP 192.168.0.1.telnet > 192.168.0.2.1550: Flags [P.], seq 157:217, ack 216, win 17376, options [nop,nop,TS val 2467382 ecr 10234022], length 60
E..p;...@..p..............c.......C........
.%.6..(.Last login: Sat Nov 27 20:11:43 on ttyp2 from bam.zing.org
21:12:43.546441 IP 192.168.0.2.1550 > 192.168.0.1.telnet: Flags [.], ack 217, win 32120, options [nop,nop,TS val 10234152 ecr 2467382], length 0
E..4FP@.@.s...................d...}x.......
..)(.%.6
21:12:43.548353 IP 192.168.0.1.telnet > 192.168.0.2.1550: Flags [P.], seq 217:705, ack 216, win 17376, options [nop,nop,TS val 2467382 ecr 10234152], length 488
E...;...@.................d.......C........
.%.6..)(Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999Welcome to OpenBSD: The proactively secure Unix-like operating system.Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
21:12:43.566442 IP 192.168.0.2.1550 > 192.168.0.1.telnet: Flags [.], ack 705, win 32120, options [nop,nop,TS val 10234154 ecr 2467382], length 0
E..4FQ@.@.s...................e...}x.0.....
..)*.%.6
Notice that, because we used the -A option, the ASCII values are shown below each line of output. This is very useful for quickly finding readable content in the output.
Piping a capture to grep
Jackson310@htb[/htb]$ sudo tcpdump -Ar http.cap -l | grep 'mailto:*'
reading from file http.cap, link-type EN10MB (Ethernet), snapshot length 65535
<a href="mailto:ethereal-web[AT]ethereal.com">ethereal-web[AT]ethereal.com</a>
<a href="mailto:free-support[AT]thewrittenword.com">free-support[AT]thewrittenword.com</a>
<a href="mailto:ethereal-users[AT]ethereal.com">ethereal-users[AT]ethereal.com</a>
<a href="mailto:ethereal-web[AT]ethereal.com">ethereal-web[AT]ethereal.com</a>
Using the -l option this way lets us quickly inspect the captured data and use grep to look for keywords or formats we suspect may be present. In this example we use -l to pass the output to grep and look for any line containing the phrase mailto:*. This displays every line containing our search, and we can see the results above. Using modifiers and redirecting output is a quick way to pull information such as email addresses and naming standards out of captured web traffic.
We can dig into the captured packets as deep as we need to. That, however, requires some knowledge of protocol structure. For example, if we only want to see packets with the TCP SYN flag set, we can use the following command:
Looking for TCP protocol flags
Jackson310@htb[/htb]$ tcpdump -i eth0 'tcp[13] &2 != 0'
This counts to byte 13 of the TCP header (the flags byte, counting from zero) and looks at the bit with value 2. If that bit is set to 1 or ON, the SYN flag is set.
Looking for the SYN flag
Jackson310@htb[/htb]$ sudo tcpdump -i eth0 'tcp[13] &2 != 0'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:18:14.630993 IP 172.16.146.2.56244 > 172.67.1.1.https: Flags [S], seq 122498858, win 64240, options [mss 1460,sackOK,TS val 534699017 ecr 0,nop,wscale 7], length 0
15:18:14.654698 IP 172.67.1.1.https > 172.16.146.2.56244: Flags [S.], seq 3728841459, ack 122498859, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
15:18:15.017464 IP 172.16.146.2.60202 > a23-54-168-81.deploy.static.akamaitechnologies.com.https: Flags [S], seq 777468939, win 64240, options [mss 1460,sackOK,TS val 1348555130 ecr 0,nop,wscale 7], length 0
15:18:15.021329 IP 172.16.146.2.49652 > 104.16.88.20.https: Flags [S], seq 1954080833, win 64240, options [mss 1460,sackOK,TS val 274098564 ecr 0,nop,wscale 7], length 0
15:18:15.022640 IP 172.16.146.2.45214 > 104.18.22.52.https: Flags [S], seq 1072203471, win 64240, options [mss 1460,sackOK,TS val 1445124063 ecr 0,nop,wscale 7], length 0
15:18:15.042399 IP 104.18.22.52.https > 172.16.146.2.45214: Flags [S.], seq 215464563, ack 1072203472, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
15:18:15.043646 IP a23-54-168-81.deploy.static.akamaitechnologies.com.https > 172.16.146.2.60202: Flags [S.], seq 1390108870, ack 777468940, win 28960, options [mss 1460,sackOK,TS val 3405787409 ecr 1348555130,nop,wscale 7], length 0
15:18:15.044764 IP 104.16.88.20.https > 172.16.146.2.49652: Flags [S.], seq 2086758283, ack 1954080834, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
15:18:16.131983 IP 172.16.146.2.45684 > ec2-34-255-145-175.eu-west-1.compute.amazonaws.com.https: Flags [S], seq 4017793011, win 64240, options [mss 1460,sackOK,TS val 933634389 ecr 0,nop,wscale 7], length 0
15:18:16.261855 IP ec2-34-255-145-175.eu-west-1.compute.amazonaws.com.https > 172.16.146.2.45684: Flags [S.], seq 106675091, ack 4017793012, win 26847, options [mss 1460,sackOK,TS val 12653884 ecr 933634389,nop,wscale 8], length 0
Our results contain only packets with the TCP SYN flag set, as shown above.
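The byte-and-mask test behind `tcp[13] &2 != 0`, as an added Python example that is not part of the original post or of tcpdump. It builds constructed 20-byte TCP headers with the flag combinations seen in the output above and evaluates the same test tcpdump's filter performs. It also goes beyond the page in two ways: it generalises the mask to every flag bit, and it adds the stricter form `tcp[13] & 0x12 == 0x02` (SYN set, ACK clear), which separates the client's connection attempts from the server's SYN/ACK replies that the page's filter also matches. The sample headers and their port numbers are constructed.

```python
"""What `tcp[13] & mask` tests, evaluated on raw TCP header bytes.

Added example, not code from the original post or from tcpdump. The headers
below are constructed sample data mirroring the Flags values seen above.
"""
import struct

# Flag bit values in TCP header byte 13 (offset 13 from the start of the TCP header,
# counting from zero), per RFC 793; `tcp[13] & 2` therefore tests SYN.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header; only the flags byte matters for these filters."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def flag_set(tcp, mask):
    """Equivalent of the filter `tcp[13] & mask != 0`."""
    return (tcp[13] & mask) != 0


def syn_only(tcp):
    """Equivalent of `tcp[13] & 0x12 == 0x02`: SYN set and ACK clear, a new connection attempt."""
    return (tcp[13] & (TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])) == TCP_FLAGS["SYN"]


def tcpdump_flags(tcp):
    """Render byte 13 like tcpdump's Flags [...] column: F, S, R, P, then '.' for ACK, U for URG."""
    b = tcp[13]
    out = "".join(ch for name, ch in (("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"))
                  if b & TCP_FLAGS[name])
    if b & TCP_FLAGS["ACK"]:
        out += "."
    if b & TCP_FLAGS["URG"]:
        out += "U"
    return out


# Constructed headers mirroring the Flags values in the captures above (S, S., P., ., F.).
SAMPLES = {
    "client SYN": tcp_header(56244, 443, TCP_FLAGS["SYN"]),
    "server SYN/ACK": tcp_header(443, 56244, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "data PSH/ACK": tcp_header(443, 56244, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    "bare ACK": tcp_header(56244, 443, TCP_FLAGS["ACK"]),
    "FIN/ACK": tcp_header(56244, 443, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
}


def matching(predicate, samples=SAMPLES):
    """Names of the sample headers the predicate accepts (what tcpdump would print)."""
    return [name for name, hdr in samples.items() if predicate(hdr)]


def syn_filter_results():
    """The page's filter (`tcp[13] & 2 != 0`) beside the stricter SYN-only form."""
    return {
        "tcp[13] & 2 != 0": matching(lambda h: flag_set(h, TCP_FLAGS["SYN"])),
        "tcp[13] & 0x12 == 0x02": matching(syn_only),
    }


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:16} byte13=0x{hdr[13]:02x}  Flags [{tcpdump_flags(hdr)}]")
    for flt, hits in syn_filter_results().items():
        print(f"{flt:24} -> {hits}")
```

The SYN-only variant is the one to reach for when counting connection attempts against a host (for example, spotting a burst of SYNs with no matching SYN/ACKs in a capture), since the page's `&2` form counts both halves of every handshake.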
TCPDump is a powerful tool if we understand networking and how hosts interact. Take the time to understand the typical protocol header structures so you can spot anomalies when needed. Below are some links to help us research standard protocols and their structures further. Apart from the Wikipedia link, each link leads directly to the RFC that defines the corresponding standard.
Protocol RFC links
IP protocol