How to use tcpdump and wireshark ?

 SOLUTION VERIFIED - Updated May 24, 2018 05:32 - 


Environment

Red Hat Enterprise Linux 3 or later

Issue

How to use tcpdump and wireshark ?

Resolution

What are tcpdump and wireshark?

tcpdump is a command-line tool that captures network traffic, and wireshark is a tool for viewing and analysing the captured dumps. tcpdump can save each packet in full (see the -s flag below), so the capture holds everything about the traffic: the source and destination addresses, the ports, and the packet data.

These tools are useful for seeing whether network traffic is being routed properly and whether the server is returning the correct information. They can also be used to detect network problems such as retransmissions or bad checksums.

tcpdump is provided by the tcpdump package, and the wireshark GUI is provided by the wireshark-gnome package:

    yum -y install tcpdump wireshark-gnome

How do tcpdump and wireshark work?

Both tcpdump and wireshark use libpcap for low-level packet capture. libpcap runs in user space and receives a copy of every frame the kernel sees on the interface; by default it also puts the card into promiscuous mode, so the card accepts frames that are not addressed to it instead of discarding them. The packet still has to reach the capturing host: a host sees its own incoming and outgoing traffic, and it sees traffic between other hosts only when that traffic is forwarded through it (the host is a router or bridge on the path) or when the hosts share the same medium. Traffic going through a hub is visible on every port because the hub rebroadcasts it; on a switched network you only see other hosts' traffic if the switch mirrors it to your port (a SPAN or mirror port).

Wireshark can capture traffic itself, but it is most useful as a way to display a capture graphically. Pointed at a pcap file, wireshark shows every packet, dissects it, and lets you sort and filter the packets.


When should (and shouldn't) tcpdump be used?

  1. Monitoring traffic
  2. Checking for abnormalities in packet flow
  3. Checking return codes from services, such as apache
  4. It should not be used to filter traffic. Capture everything and filter afterwards in wireshark: a narrow capture filter can drop the packets that turn out to matter when the dump is analysed, which means another tcpdump run and the client having to reproduce the problem again. The exception is a very busy link on which an unfiltered capture drops packets; there, use the broadest capture filter that still keeps up.

Common flags

Flag  Definition
-i    The interface to capture on, such as eth0.
-w    Write the raw packets to a file in pcap format instead of printing them; the file can then be opened in wireshark.
-s    Snaplength: the number of bytes of each packet to capture. Older tcpdump versions default to 68 bytes, which is enough for the headers but cuts off the payload. -s 0 captures each packet in full (tcpdump 4.0 and later default to a large snaplength, so -s 0 is then harmless but no longer required).

Here is a general example:

Capture all data

The following tcpdump command captures all traffic on the selected interface to the file /tmp/dump.pcap. It must be run as root, since capturing needs raw access to the interface. To stop the capture, hit ctrl+c; tcpdump then prints how many packets it captured and how many were "dropped by kernel". If the dropped count is not zero, the capture is incomplete and the analysis may be missing packets.

    tcpdump -s 0 -i <interface> -w /tmp/dump.pcap

Opening a capture file in wireshark

Start wireshark by running wireshark. When prompted, you can either enter your root password or select Run Unprivileged. Since we are not capturing any data with wireshark, running unprivileged is enough, and it is also the safer choice: wireshark's protocol dissectors parse untrusted input, and a dissector bug in a process running as root is far more serious than one in an unprivileged process. Then choose File -> Open and choose the pcap file. With pcap files larger than about 100 MB wireshark can become slow when loading, filtering and so on. You can either split the pcap file with the script listed under additional tools, or have tcpdump rotate its output at capture time with -C <size in millions of bytes> -W <number of files>. Otherwise, see the performance document under additional documentation.

Filtering with wireshark

After opening the pcap file you can filter the packets. Below is a list of simple filter options. Filters go in the filter box at the top of the GUI.


Filter                      Definition
tcp.port == 80              The packet is a TCP packet and the port (source or destination) is 80
udp.port == 21              The packet is a UDP packet and the port (source or destination) is 21
ip.addr == 192.168.0.1      The IP address (source or destination) is 192.168.0.1
!(ip.addr == 192.168.0.1)   Neither the source nor the destination IP address is 192.168.0.1

Combining filters

To build advanced filters, combine filters with && (and) and || (or), and negate with !:

    ip.addr == 192.168.0.1 && tcp.port == 80 && !(ip.addr == 192.168.0.5)

This filter gets all TCP port 80 traffic that involves 192.168.0.1 but does not involve 192.168.0.5. Note that the negation has to wrap the whole comparison: ip.addr matches either endpoint, so ip.addr != 192.168.0.5 is true for any packet in which at least one endpoint is not 192.168.0.5, which is almost every packet.

Advanced filters

Below are some advanced items you can filter on.

Filter                          Definition
eth.addr == 00:19:B9:1F:34:B6   The source or destination hardware (MAC) address is 00:19:B9:1F:34:B6
ip.dst == 192.168.0.1           The destination IP address of the packet is 192.168.0.1
ip.src == 192.168.0.1           The source IP address of the packet is 192.168.0.1
ip.addr == 192.168.0.0/24       The IP address (source or destination) is in the 192.168.0.0/24 range (192.168.0.*)
tcp.analysis.flags              Wireshark's built-in TCP analysis has flagged the packet (retransmission, duplicate ACK, zero window, and so on)
tcp.checksum_bad                The checksum on the TCP segment is incorrect *
udp.checksum_bad                The checksum on the UDP datagram is incorrect *

NOTE: The checksum_bad flag can be a red herring. Many cards do checksum offloading: the kernel hands the packet to the card with the checksum field not yet filled in (often zero) and the card computes it on the way out. libpcap sees the packet before that happens, so packets sent by the capturing host show up with a "bad" TCP or UDP checksum even though they were correct on the wire. The tell-tale sign is that only outgoing packets are affected. You can confirm it by turning transmit checksum offloading off for the interface (ethtool -K <interface> tx off) and capturing again, or simply by capturing on the other host. In Wireshark 2.x and later these fields have been replaced by tcp.checksum.status == 0 and udp.checksum.status == 0, and TCP checksum validation is turned off by default in the protocol preferences. See the Additional Resources section for more on checksum offloading.
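The following Python script is an added example; it is not part of the Red Hat article and is not Red Hat, tcpdump or Wireshark code. It reproduces offline three points made above: the display-filter semantics from the filter tables (ip.addr and tcp.port match either endpoint, so !(ip.addr == X) and ip.addr != X are different filters), the effect of the -s snaplength on what can be dissected, and why checksum offloading makes packets sent by the capturing host show a bad TCP checksum. It writes a small pcap in memory from constructed frames (the addresses 192.168.0.1, 192.168.0.22 and 192.168.0.5, the ports and the HTTP payloads are made up to match the article's examples), parses it with the standard library only, and applies the article's combined filter.

```python
"""Dissect a pcap and emulate Wireshark display filters on it.

Added example, not code from the Red Hat article: constructs a tiny pcap in memory
and shows (1) `ip.addr == X` matches X as source OR destination, so `!(ip.addr == X)`
differs from `ip.addr != X`; (2) a small snaplen (-s) leaves caplen < len and makes
TCP checksums unverifiable; (3) a 0x0000 TCP checksum left by a checksum-offloading
NIC is flagged bad. Standard library only; addresses, ports and payloads are made up.
"""
import socket
import struct

ETH_HDR, IP_HDR, TCP_HDR = 14, 20, 20
PCAP_MAGIC = 0xA1B2C3D4

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 means the data (checksum included) verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, dst_ip, sport, dport, payload=b"", offload=False):
    """Ethernet/IPv4/TCP frame. offload=True leaves the TCP checksum 0: that is what
    libpcap sees for an outgoing packet when the NIC computes the checksum later."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + TCP_HDR + len(payload),
                     1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if not offload:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp   # made-up MACs

def build_pcap(frames, stamps, snaplen=65535) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet); frames longer than
    snaplen are cut, exactly what tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for frame, (sec, usec) in zip(frames, stamps):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(cap), len(frame)) + cap
    return out

def parse_pcap(data: bytes):
    """One dict per record, keyed by the Wireshark field names used in filters."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        p = {"frame.time": sec + usec / 1e6, "frame.truncated": caplen < origlen}
        if len(frame) >= ETH_HDR + IP_HDR + TCP_HDR:   # else: snaplen too small to dissect
            ip = frame[ETH_HDR:ETH_HDR + IP_HDR]
            p["ip.src"], p["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
            tcp_len = struct.unpack("!H", ip[2:4])[0] - IP_HDR
            tcp = frame[ETH_HDR + IP_HDR:ETH_HDR + IP_HDR + tcp_len]
            p["tcp.srcport"], p["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
            if len(tcp) == tcp_len:   # whole segment captured, so the checksum can be checked
                pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, tcp_len)
                p["tcp.checksum_bad"] = inet_checksum(pseudo + tcp) != 0
            else:                     # cut by snaplen: Wireshark shows it as unverified
                p["tcp.checksum_bad"] = None
        pkts.append(p)
    return pkts

# Display-filter building blocks with Wireshark's classic semantics.
def ip_addr(p, addr):      # ip.addr == X: true if EITHER endpoint is X
    return p.get("ip.src") == addr or p.get("ip.dst") == addr

def ip_addr_ne(p, addr):   # ip.addr != X: true if EITHER endpoint differs from X (a trap)
    return p.get("ip.src") != addr or p.get("ip.dst") != addr

def tcp_port(p, port):     # tcp.port == N: source or destination port
    return p.get("tcp.srcport") == port or p.get("tcp.dstport") == port

def demo(snaplen=65535):
    """Capture four constructed frames at `snaplen` and apply the article's filter
    ip.addr == 192.168.0.1 && tcp.port == 80 && !(ip.addr == 192.168.0.5)."""
    frames = [  # captured on 192.168.0.1, so its own reply carries the offload artefact
        build_frame("192.168.0.22", "192.168.0.1", 5591, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame("192.168.0.1", "192.168.0.22", 80, 5591, b"HTTP/1.0 200 OK\r\n\r\n", offload=True),
        build_frame("192.168.0.5", "192.168.0.1", 40000, 80, b"GET /x HTTP/1.0\r\n\r\n"),
        build_frame("192.168.0.22", "192.168.0.1", 40001, 22, b"SSH-2.0-OpenSSH\r\n"),
    ]
    stamps = [(1527134400, 0), (1527134400, 250000), (1527134401, 0), (1527134402, 500000)]
    pkts = parse_pcap(build_pcap(frames, stamps, snaplen))
    keep = lambda p, ne: ip_addr(p, "192.168.0.1") and tcp_port(p, 80) and ne(p, "192.168.0.5")
    matched = [i for i, p in enumerate(pkts) if keep(p, lambda p, a: not ip_addr(p, a))]
    naive = [i for i, p in enumerate(pkts) if keep(p, ip_addr_ne)]
    ref = pkts[matched[0]]["frame.time"]   # "Set Time Reference" on the first match
    return {"matched": matched, "naive_ne_matched": naive,
            "relative_time": [round(pkts[i]["frame.time"] - ref, 6) for i in matched],
            "truncated": [pkts[i]["frame.truncated"] for i in matched],
            "tcp.checksum_bad": [pkts[i]["tcp.checksum_bad"] for i in matched]}
```

Run it with python3 and compare demo() with demo(snaplen=68): at the old default snaplength every frame is truncated and tcp.checksum_bad becomes None (unverified), while in the full capture the server's own reply, whose checksum the card would have filled in, is flagged bad although the request from the other host verifies. The naive_ne_matched list shows the ip.addr != trap letting the 192.168.0.5 packet through.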

Advanced Wireshark usage

Setting a Time Reference

If you need to see timing relative to a reference packet, you can do that easily in Wireshark. A typical case is "My webserver takes 20 minutes to return the data." For that example, we would first filter the pcap on the two addresses involved and port 80:

    ip.addr == 192.168.0.1 && ip.addr == 192.168.0.22 && tcp.port == 80

Now that we have only the HTTP traffic, we can find the initial request and set it as the time reference. Find the first packet and right-click on it, then select "Set Time Reference (Toggle)".

[Screenshot: setting the time reference on the first packet]

Now all the entries in the Time column are relative to that packet, so the Time value of the response is the delay the client saw. To clear the reference, go to Edit -> Set Time Reference (toggle).

Protocol Hierarchy

To view the protocol hierarchy statistics, start with an open pcap, then click Statistics -> Protocol Hierarchy.

[Screenshot: Statistics -> Protocol Hierarchy window]

In this view, you can see what percentage of the traffic each protocol accounts for. In the screenshot, 83.70% of the traffic was TCP, and 33.92% of that was SSH traffic. This is useful when trying to determine what most of the network traffic is being used for.

Conversations

To view the conversation window, start with an open pcap, then click Statistics -> Conversations.

[Screenshot: Statistics -> Conversations window]

After opening the conversation window, right-click on the conversation that you want to follow, then select Apply as Filter -> Selected -> A <-> B. This applies a filter to the pcap that shows only the packets of the conversation you chose. For example, the conversation in the screenshot would be the packets between port 80 on 10.11.243.134 and port 5591 on the other host.

Changing the Time Zone of the Displayed Packets

The timestamps of the packets in the capture file are stored in UTC (seconds since the epoch), and wireshark displays them in the local time zone of the machine running wireshark. If you're trying to compare the timestamps in wireshark with the timestamps in a log file from a system that uses a different time zone from your own, things can get confusing. The way around this is to invoke wireshark from the command line with the TZ environment variable set to the time zone of the machine that generated the capture file. For example, if the machine that generated the capture file uses the GMT time zone and your machine uses a different time zone: