Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
This article describes how to use the packet capture tool in Linux and Windows.
Alibaba Cloud reminds you that:
- Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
- If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
If an exception occurs when the source server accesses the target server, you can capture packets to obtain the original interaction data for troubleshooting and analysis. The following sections introduce the commonly used packet capture tools and describe how to capture packets with them.
The TCPDump tool is usually used in Linux to capture and analyze packets. It is a packet capture and analysis tool pre-installed in all Linux releases. For more information about how to obtain and install the TCPDump tool, see the TCPDump official documentation.
The description of the tcpdump command is as follows (case sensitive).
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
The following are common usages of the tcpdump command, each followed by its sample output.
tcpdump -s 0 -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:59.414951 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
20:24:59.415002 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
20:24:59.415052 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
20:24:59.415103 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164
tcpdump -s 0 -i eth1 -vvv port 22
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
42.xx.xx.107.43414 > 172.xx.xx.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
tcpdump -s 0 -i eth1 -vvv dst 223.xx.xx.5 and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64
20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64
20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64
20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64
tcpdump -i any -s 0 -w test.cap
The following command output is returned.
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Note: If you run the cat or vim command to view the saved file, the content is displayed as garbled characters, because the file is in binary pcap format. Run the tcpdump -r test.cap command to view the captured packets. You can also open the file in Wireshark.
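As an added example that is not part of the original article, the following Python script parses the two-line records that tcpdump -vvv prints (the format shown above) and summarizes the checksum verdicts per direction. Outbound packets flagged "incorrect" while inbound ones are "correct" is the usual sign of TX checksum offload on the capturing host, not of corrupted traffic. The sample lines are constructed in the article's format with RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass

HDR_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
                    r"id \d+, offset \d+, flags \[[^\]]*\], proto (?P<proto>\w+) \(\d+\), length \d+\)$")
TCP_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
                    r"cksum 0x[0-9a-f]+ \((?P<cksum>correct|incorrect)[^)]*\), "
                    r"seq \d+(?::\d+)?, ack \d+, win \d+, length (?P<plen>\d+)$")

@dataclass
class Packet:
    ts: str
    src: str        # "host.port" exactly as tcpdump prints it
    dst: str
    flags: str      # e.g. "P." = PSH+ACK
    ttl: int
    cksum_ok: bool
    payload_len: int

def host_of(endpoint):
    return endpoint.rsplit(".", 1)[0]   # strip the trailing port or service name

def parse_vvv(text):
    """Pair each IP header line with its TCP continuation line; skip anything else (e.g. ICMP)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pkts, i = [], 0
    while i + 1 < len(lines):
        h, t = HDR_RE.match(lines[i]), TCP_RE.match(lines[i + 1])
        if h and t and h["proto"] == "TCP":
            pkts.append(Packet(h["ts"], t["src"], t["dst"], t["flags"], int(h["ttl"]),
                               t["cksum"] == "correct", int(t["plen"])))
            i += 2
        else:
            i += 1
    return pkts

def checksum_summary(pkts, local_host):
    """Outbound 'incorrect' with inbound 'correct' points to TX checksum offload: the NIC
    fills in the checksum after tcpdump has already copied the frame."""
    out_bad = sum(1 for p in pkts if host_of(p.src) == local_host and not p.cksum_ok)
    in_bad = sum(1 for p in pkts if host_of(p.dst) == local_host and not p.cksum_ok)
    return {"outbound_incorrect": out_bad, "inbound_incorrect": in_bad,
            "likely_tx_offload": out_bad > 0 and in_bad == 0}

# Constructed sample in the article's -vvv format, using RFC 5737 documentation addresses.
SAMPLE = """\
20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
    192.0.2.10.ssh > 198.51.100.7.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
    198.51.100.7.43414 > 192.0.2.10.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
"""
```

Run `checksum_summary(parse_vvv(SAMPLE), "192.0.2.10")` to see the offload verdict for the capturing host; pipe real `tcpdump -vvv` output into `parse_vvv` the same way.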
In Windows, the free and open-source tool Wireshark is generally used to capture and analyze packets. Obtain and install Wireshark from the Wireshark official website, and then start capturing packets.
After a sufficient number of packets have been captured, click Capture > Stop.
Click File > Save to save the captured packets to a specified file.
Capture packets for analysis while the exception is occurring. Capture on the source server and the target server at the same time, so that the two captures can be compared. The specific procedure is as follows: