Wireshark
Wireshark is a free and open-source network packet analyzer. A packet analyzer captures network packets and displays the packet data in as much detail as possible. Under the GNU General Public License, users obtain the software and its source code free of charge and have the right to modify and customize the source.
Practical tips
General syntax
Comparison operators (Wireshark display filters):
==
!=
>
<
>=
<=
in
Logical operators:
&& # AND
|| # OR
! # NOT
Common capture-filter (BPF) qualifiers, shared by tcpdump and Wireshark capture filters:
- type: host, port, net
- dir: src, dst
- proto: tcp, udp, icmp
Application protocols such as ftp and http are not BPF qualifiers; they are Wireshark display-filter protocol names, combined with field names such as ip.src, tcp.port or http.request. Display filters are applied to packets already captured, capture filters decide what gets captured at all.
SIP
tcpdump
timeout 6m tcpdump -i eth0 host <sip-trunk-ip> -n -s 0 -vvvv -w carrier.pcap
Wireshark
- More SIP-related display-filter fields: https://www.wireshark.org/docs/dfref/s/sip.html
Show only REGISTER transactions, Filter: sip.CSeq.method == REGISTER (the CSeq header is carried by both the request and its responses, so this also shows the 401/200 replies; sip.Method == REGISTER shows the requests alone)
Other
Remote capture command
ssh root@192.168.0.1 tcpdump -n -i any -w- 'not \( port 22 and host 192.168.0.1 \)' |etherape -r-
tcpdump on the remote host writes the capture to stdout (-w-), ssh carries it back, and EtherApe reads it from stdin (-r-). The filter excludes the SSH session that transports the capture itself; without it every captured byte generates more SSH traffic, which is captured in turn, and the capture feeds on itself.
Filter cheat sheet
Learning
- Network Forensics, Wireshark Basics, Part 1
- 10 Tips On How to Use Wireshark to Analyze Network Packets (tecmint.com)
tcpdump
Capture all traffic
tcpdump -i eth0
tcpdump -i wlan0
To a File
tcpdump -i eth0 -w capture.pcap
# Set Timeout
timeout 6m tcpdump -i eth0 -w capture.pcap
Read a file (.pcap)
tcpdump -r capture.pcap
Filter
# Filter by Source IP
tcpdump src 192.168.0.1
# Filter by Destination IP
tcpdump dst 192.168.0.1
# Filter by Port
tcpdump port 80
# Filter by Protocol
tcpdump icmp
# Protocol and Port
tcpdump tcp port 443
# Source and Destination
tcpdump src 192.168.0.1 and dst 192.168.0.2
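The filters above (src/dst host, port, protocol, and the Wireshark SIP filter sip.CSeq.method == REGISTER) all run over the same thing: the classic libpcap file that `tcpdump -w` writes and `tcpdump -r` or Wireshark reads. The following is an added example, not code from the page or from tcpdump/Wireshark: a minimal pcap reader that decodes Ethernet/IPv4/TCP/UDP and evaluates those predicates, so the filter semantics can be checked without either tool installed. The two-packet capture is constructed inline (IP/TCP/UDP checksums are left at zero and are not verified); only the classic pcap format with an Ethernet link type is handled, not pcapng.

```python
"""Minimal libpcap reader with tcpdump/Wireshark-style filters (added example)."""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP; returns a dict of fields, or None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    pkt = {"src": ip_to_str(ip[12:16]), "dst": ip_to_str(ip[16:20]), "proto": ip[9]}
    l4 = ip[ihl:]
    if pkt["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if pkt["proto"] == IPPROTO_TCP else 8
        pkt["payload"] = l4[hdr_len:]
    return pkt


def parse_pcap(data):
    """Yield decoded packets from a classic pcap blob (either byte order, Ethernet link type)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:   # DLT_EN10MB
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            yield pkt


def filter_packets(packets, **match):
    """Keep packets whose fields equal every given value, e.g. filter_packets(p, src="192.168.0.1",
    dport=443) is the equivalent of `tcpdump src 192.168.0.1 and dst port 443`."""
    return [p for p in packets if all(p.get(k) == v for k, v in match.items())]


def sip_cseq_method(pkt):
    """Method named in the SIP CSeq header (what sip.CSeq.method matches), or None."""
    if 5060 not in (pkt.get("sport"), pkt.get("dport")):
        return None
    for line in pkt["payload"].split(b"\r\n"):
        if line.lower().startswith(b"cseq:"):
            parts = line.split()
            return parts[2].decode() if len(parts) >= 3 else None
    return None


# --- constructed sample capture: one SIP REGISTER over UDP, one TCP SYN to port 443 ---
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):                          # 20-byte header, data offset 5, SYN set
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)


def ethernet(payload):
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IP) + payload


def pcap_record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SIP_REGISTER = (b"REGISTER sip:carrier.example SIP/2.0\r\n"
                b"Via: SIP/2.0/UDP 192.168.0.2:5060\r\n"
                b"CSeq: 1 REGISTER\r\n\r\n")
SAMPLE_PCAP = (PCAP_HEADER
               + pcap_record(1700000000, ethernet(ipv4("192.168.0.2", "203.0.113.10", IPPROTO_UDP,
                                                       udp(5060, 5060, SIP_REGISTER))))
               + pcap_record(1700000001, ethernet(ipv4("192.168.0.1", "192.168.0.2", IPPROTO_TCP,
                                                       tcp_syn(40000, 443)))))

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    print(len(pkts), "packets")
    print("tcp dst port 443:", filter_packets(pkts, proto=IPPROTO_TCP, dport=443))
    print("sip.CSeq.method == REGISTER:", [p["src"] for p in pkts if sip_cseq_method(p) == "REGISTER"])
```

Point `parse_pcap` at the bytes of a real `capture.pcap` to run the same predicates over a tcpdump file; the CSeq check is what makes the Wireshark filter match responses as well as requests, since both carry the header.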
Display in ASCII
# Display in ASCII
tcpdump -A
# Display in Hexadecimal
tcpdump -X
Specific Number of Packets
tcpdump -c 100
Display
# Capture and display IPv6 traffic (tcpdump has no -6 switch; ip6 is the BPF qualifier)
tcpdump -i eth0 ip6
# Print a human-readable date and time on each line instead of the default time of day
tcpdump -tttt
SSH Connections
# -l: line-buffered output, so packets appear immediately when piped to another command
# -e: also print the link-level (Ethernet) header, i.e. source and destination MAC addresses
tcpdump -i eth0 'tcp port 22' -l -e
HTTP Request and Response
# 'tcp port 80' matches both directions; 'tcp dst port 80' would show only the requests
tcpdump -i eth0 -s 0 -A -n 'tcp port 80'
IP Range and Protocol
tcpdump -i eth0 'net 192.168.0.0/24 and (tcp port 22 or icmp)'
DNS Traffic
# -nn: no host or port name resolution; -vvv: full verbosity, prints the questions and answers
tcpdump -i eth0 'udp port 53' -nnvvv
FTP Traffic
# control channel only; data transfers use port 20 or a negotiated passive port
tcpdump -i eth0 -s 0 'tcp port 21'
Automatically capture packets while under DDoS attack
#!/bin/bash
# Sample the interface's RX packet counter once a second; when the rate exceeds
# the threshold, save a bounded capture to disk, then cool down before re-arming.
interface=ens1
dumpdir=/home/user/automatic-tcp-dump
threshold=30000   # packets/s that counts as "under attack"

mkdir -p "$dumpdir"
while true; do
    # /proc/net/dev: "<iface>: rx_bytes rx_packets ..." -> field 2 after the colon is RX packets
    pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
    sleep 1
    pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
    pkt=$(( pkt_new - pkt_old ))
    echo -ne "\r$pkt packets/s\033[0K"
    if [ "$pkt" -gt "$threshold" ]; then
        echo -e "\n$(date) Under attack. Capturing packets..."
        # -c bounds the capture size; timeout bounds the wall-clock time in case the
        # burst stops before 20000 packets arrive
        sudo timeout 120 tcpdump -n -i "$interface" -s0 -c 20000 \
            -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).pcap"
        echo "$(date) Packets captured."
        sleep 300   # cool-down so one sustained attack does not fill the disk with dumps
    fi
done