If you need to analyse or intercept network packets on Linux, the best tool for the job is the console utility tcpdump. The difficulty lies in its rather involved handling: to an ordinary user, working with the utility seems inconvenient, but only at first glance. This article describes how tcpdump is built, what its syntax is, how to use it, and gives numerous examples of its use.
See also: Guides for setting up an Internet connection on Ubuntu, Debian and Ubuntu Server
Installation
Most Linux distributions include the tcpdump utility among the pre-installed packages, but if for some reason it is missing from your distribution, you can always download and install it from the terminal. If your OS is based on Debian (Ubuntu, Linux Mint, Kali Linux and others), run the following command:
sudo apt install tcpdump
During installation you will be asked for your password. Note that it is not displayed while you type it, and to confirm the installation you must enter the character "D" and press Enter.
If you have Red Hat, Fedora or CentOS, the installation command looks like this:
sudo yum install tcpdump
Once the utility is installed, you can use it right away. This is discussed in more detail further on in the text.
See also: Guide to installing PHP on Ubuntu Server
Syntax
Like any command, tcpdump has its own syntax. Knowing it, you can set all the parameters that are to be taken into account when the command runs. The syntax is:
tcpdump options -i interface filters
When using the command, you must specify the interface to be monitored. Filters and options are not mandatory, but they allow finer-grained configuration.
Options
Although it is not necessary to specify any option, it is still worth listing the available ones. The table does not show the full list, only the most popular options, but they are more than enough for most tasks.
Option | Description |
---|---|
-A | Prints each packet in ASCII |
-l | Makes the output line-buffered so it scrolls as packets arrive. |
-i | After this option, specify the network interface to monitor. To track all interfaces at once, write the word "any" after the option. |
-c | Finishes the capture after the specified number of packets has been checked. |
-w | Writes the captured packets to a file. |
-e | Shows the link-layer header of each data packet. |
-L | Lists only the link-layer protocols (data link types) supported by the specified interface. |
-C | Creates a new file during the capture if the current one grows larger than the specified size. |
-r | Opens for reading a file created with the -w option. |
-j | The timestamp format to use when recording packets. |
-J | Lets you view all the available timestamp formats |
-G | Used to create a file with the capture log. The option also requires a time interval, after which a new file is created |
-v, -vv, -vvv | Depending on the number of letters in the option, the command output becomes more detailed (the detail grows in direct proportion to the number of letters) |
-f | The output shows the domain name of the IP address |
-F | Lets you read data not from the network but from the specified file |
-D | Shows all the network interfaces that can be used. |
-n | Disables the display of domain names |
-Z | Specifies the user under whose account all files are created. |
-K | Skips checksum verification |
-q | Brief output |
-H | Detects 802.11s draft mesh headers |
-I | Used to capture packets in monitor mode. |
Having examined the options, we turn below to their direct application. First, however, the filters will be examined.
Filters
As mentioned at the beginning of the article, you can add filters to the tcpdump syntax. The most popular of them are considered now:
Filter | Description |
---|---|
host | Specifies the host name. |
net | Specifies the IP subnet or network |
ip | Specifies the protocol address (IP address) |
src | Shows the packets sent from the specified address |
dst | Shows the packets received by the specified address. |
arp, udp, tcp | Filtering by one of these protocols |
port | Shows information about a specific port. |
and, or | Used to combine several filters in one command. |
less, greater | Outputs packets whose size is smaller or larger than the specified value |
All of the above can be combined with each other, so that the command output contains only the information you want to see. To understand in detail how the filters above are used, it is worth giving examples.
See also: Frequently used commands in the Linux terminal
Usage examples
The tcpdump syntax options listed above are used very often these days. They cannot all be enumerated, since their variations are practically unlimited.
Viewing the list of interfaces
Every user is advised to first check the list of network interfaces that can be monitored. From the table above we know that the -D option is needed for this, so run the following command in the terminal:
sudo tcpdump -D
Example output (screenshot in the original article):
As you can see, in the example there are eight interfaces that can be viewed with the tcpdump command. This article gives its examples with ppp0; you can use another one.
Capturing traffic on a specific interface
If you need to monitor one network interface, you can do so with the -i option. Don't forget to enter the interface name after it. Here is an example of running such a command:
sudo tcpdump -i ppp0
Note: "sudo" must be entered before the command itself, since it requires superuser privileges.
Example output (screenshot in the original article):
Note: after you press Enter, the intercepted packets are displayed in the terminal. To stop the capture, press the key combination Ctrl + C.
If you run the command without additional options and filters, the monitored packets are displayed in the following format:
22:18:52.597573 IP vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482: Flags [P.], seq 1:595, ack 1118, win 6494, options [nop,nop,TS val 257060077 ecr 697597623], length 594
In the screenshot the fields are colour-coded, from left to right:
- blue - the time the packet was received;
- orange - the protocol;
- green - the sender's address;
- the receiver's address;
- additional information about tcp;
- red - the packet size (shown in bytes).
This is what the output looks like in the terminal without any additional options.
Capturing traffic with the -v option
As the table shows, the -v option increases the amount of information. Let's look at an example on the same interface:
sudo tcpdump -v -i ppp0
Example output (screenshot in the original article):
Here you can see that the following line has appeared in the output:
IP (tos 0x0, ttl 58, id 30675, offset 0, flags [DF], proto TCP (6), length 52)
In the screenshot the fields are colour-coded:
- orange - the protocol;
- blue - the time to live (ttl) of the packet;
- green - the header field length;
- purple - the version of the tcp packet;
- red - the packet size.
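The two output lines above are described field by field, but in practice captured text is usually processed by a script rather than read by eye. As an added example (not from the original article), the Python script below parses lines in tcpdump's default and -v formats into structured records, splits an endpoint such as 10.0.6.67.35482 into host and port, and applies a size threshold to the parsed lines the way the greater filter does during capture. The two sample lines are constructed here, modelled on the ones quoted in the article; the Packet class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the two lines quoted in the article:
# one in the default output format and one in the -v format.
SAMPLE_LINES = [
    "22:18:52.597573 IP vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482: "
    "Flags [P.], seq 1:595, ack 1118, win 6494, "
    "options [nop,nop,TS val 257060077 ecr 697597623], length 594",
    "22:18:52.597573 IP (tos 0x0, ttl 58, id 30675, offset 0, flags [DF], "
    "proto TCP (6), length 52)",
]


@dataclass
class Packet:
    time: str                        # capture time (blue in the article's screenshot)
    net_proto: str                   # "IP", "IP6", "ARP" ... (orange)
    src: Optional[str] = None        # sender endpoint, host.port (green)
    dst: Optional[str] = None        # receiver endpoint, host.port
    flags: Optional[str] = None      # TCP flags such as "P."
    length: Optional[int] = None     # length in bytes (red)
    ttl: Optional[int] = None        # time to live, present only in -v output
    transport: Optional[str] = None  # "TCP" / "UDP" taken from the -v header


TIME = r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)"
DEFAULT_RE = re.compile(TIME + r" (?P<proto>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
VERBOSE_RE = re.compile(TIME + r" (?P<proto>\S+) \((?P<fields>.*)\)\s*$")


def _int_after(key: str, text: str) -> Optional[int]:
    """Integer following 'key ' in text, e.g. 'ttl 58' -> 58, or None if absent."""
    m = re.search(rf"\b{key} (\d+)", text)
    return int(m.group(1)) if m else None


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump output line; returns None for lines it does not understand."""
    m = DEFAULT_RE.match(line)
    if m:
        rest = m.group("rest")
        flags = re.search(r"Flags \[([^\]]*)\]", rest)
        return Packet(time=m.group("time"), net_proto=m.group("proto"),
                      src=m.group("src"), dst=m.group("dst"),
                      flags=flags.group(1) if flags else None,
                      length=_int_after("length", rest),
                      transport="TCP" if flags else None)
    m = VERBOSE_RE.match(line)
    if m:
        fields = m.group("fields")
        proto = re.search(r"proto (\w+)", fields)
        return Packet(time=m.group("time"), net_proto=m.group("proto"),
                      length=_int_after("length", fields),
                      ttl=_int_after("ttl", fields),
                      transport=proto.group(1) if proto else None)
    return None


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'10.0.6.67.35482' -> ('10.0.6.67', '35482'); the port (number or service name) is the last dot-separated part."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def packets_larger_than(lines: List[str], threshold: int) -> List[Packet]:
    """Post-capture equivalent of the 'greater N' filter applied to text output."""
    out = []
    for line in lines:
        p = parse_line(line)
        if p is not None and p.length is not None and p.length > threshold:
            out.append(p)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Real captures are read line by line from a file or from tcpdump's stdout; with -n in the capture command the endpoints are numeric, so split_endpoint returns a port number instead of a service name such as https.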
You can also write the -vv or -vvv option in the command, which further increases the amount of information displayed on the screen.
The -w and -r options
The options table mentioned the possibility of saving all the captured data to a separate file so that it can be viewed later. The -w option is responsible for this. It is very easy to use: specify it in the command and then enter the file name with the ".pcap" extension. Consider the whole example:
sudo tcpdump -i ppp0 -w file.pcap
Example output (screenshot in the original article):
Note: while the capture is being written to a file, no text is displayed in the terminal.
When you want to view the recorded capture, use the -r option followed by the name of the previously written file. It is used without any other options and filters:
sudo tcpdump -r file.pcap
Example output (screenshot in the original article):
Both of these options are ideal when you need to save a large amount of data for later analysis.
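The .pcap file written by -w is a binary capture, not text, which is why -r is needed to read it back. As an added example that is not part of the original article, the following Python code parses the classic pcap layout (a 24-byte global header followed by a 16-byte header and the captured bytes for each record), handles both byte orders and the nanosecond-timestamp variant, validates every length before trusting it, and reports the records that were cut short by the snapshot length. The sample capture is constructed inside the script and contains no real traffic; the Record and PcapFile names are my own.

```python
import struct
from typing import List, NamedTuple, Tuple

# Magic numbers as they appear in the first four bytes of the file.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}


class Record(NamedTuple):
    timestamp: float   # seconds since the epoch; fractional part from the record header
    incl_len: int      # bytes actually stored (limited by the snapshot length)
    orig_len: int      # length of the packet on the wire
    data: bytes


class PcapFile(NamedTuple):
    version: Tuple[int, int]
    snaplen: int
    linktype: int      # 1 = LINKTYPE_ETHERNET, 113 = LINKTYPE_LINUX_SLL, ...
    records: List[Record]


def parse_pcap(buf: bytes) -> PcapFile:
    """Parse an in-memory classic pcap file, refusing records whose lengths do not add up."""
    if len(buf) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    try:
        endian, ts_div = _MAGICS[buf[:4]]
    except KeyError:
        raise ValueError(f"not a pcap file (magic {buf[:4].hex()})") from None
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    records: List[Record] = []
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        # A corrupt or hostile file can claim absurd lengths; stop rather than read past the end.
        if incl_len > orig_len or off + incl_len > len(buf):
            raise ValueError(f"bad record lengths at offset {off - 16}: incl={incl_len} orig={orig_len}")
        records.append(Record(ts_sec + ts_frac / ts_div, incl_len, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return PcapFile((major, minor), snaplen, linktype, records)


def truncated_records(pcap: PcapFile) -> List[Record]:
    """Records cut short by the snapshot length: their tail is not in the file at all."""
    return [r for r in pcap.records if r.incl_len < r.orig_len]


def build_sample_pcap() -> bytes:
    """Constructed two-record capture (no real traffic) used to exercise the parser."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)  # snaplen 96, Ethernet
    frame1 = b"\xaa" * 60                                             # stored in full
    rec1 = struct.pack("<IIII", 1700000000, 597573, len(frame1), len(frame1)) + frame1
    frame2 = b"\xbb" * 96                                             # a 1514-byte frame cut to 96
    rec2 = struct.pack("<IIII", 1700000001, 0, len(frame2), 1514) + frame2
    return header + rec1 + rec2


if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    print(f"pcap v{cap.version[0]}.{cap.version[1]}, linktype {cap.linktype}, {len(cap.records)} records")
    for r in truncated_records(cap):
        print(f"record at {r.timestamp:.6f} stored {r.incl_len} of {r.orig_len} bytes")
```

To run it on a real file produced by -w, pass the file's bytes (open(path, "rb").read()) to parse_pcap; truncated_records then tells you whether the snapshot length used during capture was large enough for the analysis you intend.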
Filtering by IP
From the filter table we know that dst displays only those packets that were received by the address specified in the command. This makes it very convenient to view the packets received by your own computer. To do so, you only need to put your IP address in the command:
sudo tcpdump -i ppp0 ip dst 10.0.6.67
Example output (screenshot in the original article):
As you can see, besides dst we also specified the ip filter in the command. In other words, we told the computer that when selecting packets it should look at their IP address and not at other parameters.
By IP you can also filter the sent packets. In the example we again give our own IP, so now we are tracking what is sent from our computer to other addresses. To do this, run the following command:
sudo tcpdump -i ppp0 ip src 10.0.6.67
Example output (screenshot in the original article):
As you can see, we replaced the dst filter in the command with src, telling the machine to look at the sender's IP.
Filtering by HOST
By analogy with IP, we can put the host filter in the command to display only the packets involving the host we are interested in. That is, instead of the sender's or receiver's IP address, you specify its name. It looks like this:
sudo tcpdump -i ppp0 dst host google-public-dns-a.google.com
Example output (screenshot in the original article):
In the screenshot you can see that only the packets sent from our IP to google.com are displayed in the terminal. As you can see, instead of the google host you can enter any other.
As with IP filtering, dst can be replaced with src to see the packets sent to your computer:
sudo tcpdump -i ppp0 src host google-public-dns-a.google.com
Note: host must come after dst or src, otherwise the command produces an error. With IP filtering it is the other way round: dst and src come after the ip filter.
The and and or filters
If you need to use several filters at once in one command, you need the and or or filter (depending on the situation). By placing the filters in the syntax and separating them with these expressions, you make them work as one. In an example it looks like this:
sudo tcpdump -i ppp0 ip dst 95.47.144.254 or ip src 95.47.144.254
Example output (screenshot in the original article):
From the command you can see that we want to display in the terminal all the packets sent to the address 95.47.144.254 and the packets received from that address. You can also make changes to this expression: for example, specify HOST instead of IP, or replace the addresses themselves.
The port and portrange filters
The port filter is ideal when you need information about packets on a specific port. So if you only need to see DNS queries or responses, specify port 53:
sudo tcpdump -vv -i ppp0 port 53
Example output (screenshot in the original article):
If you want to view http packets, specify port 80:
sudo tcpdump -vv -i ppp0 port 80
Example output (screenshot in the original article):
Among other things, it is possible to monitor several ports at once. To do this, use the portrange filter:
sudo tcpdump portrange 50-80
As you can see, with the portrange filter no additional options need to be specified; it is enough to set the range.
Filtering by protocol
You can also display only the traffic that matches a particular protocol. To do this, use the name of that protocol as a filter. Let's look at the udp example:
sudo tcpdump -vvv -i ppp0 udp
Example output (screenshot in the original article):
As you can see in the screenshot, after the command runs, only packets with the specified udp protocol are displayed in the terminal. Accordingly, you can filter by others, for example arp:
sudo tcpdump -vvv -i ppp0 arp
or tcp:
sudo tcpdump -vvv -i ppp0 tcp
The net filter
The net operator helps filter packets by the network they belong to. It is as easy to use as the others: put the net attribute in the syntax and then enter the network address. Here is an example of such a command:
sudo tcpdump -i ppp0 net 192.168.1.1
Example output (screenshot in the original article):
Filtering by packet size
We have not yet considered two more interesting filters: less and greater. From the filter table we know that they output packets whose size is smaller (less) or larger (greater) than the value specified after the filter.
If we want to monitor packets no larger than 50 bytes, the command looks like this:
sudo tcpdump -i ppp0 less 50
Example output (screenshot in the original article):
Now let's display in the terminal the packets larger than 50:
sudo tcpdump -i ppp0 greater 50
Example output (screenshot in the original article):
As you can see, they are used identically; the only difference is the name of the filter.
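The filter sections above (IP, HOST, and/or, port and portrange, protocol, net and packet size) all rest on the ordering rule the article points out: the direction (src or dst) comes before host, net or port, while a protocol qualifier such as ip comes before the direction. As an added example, not from the original article, the Python helper below assembles such filter expressions, validates addresses and port numbers before they reach the command line, puts parentheses around an or-expression when it is combined with and, and produces the final tcpdump argument list with -n so that no name lookups happen during capture. It emits the explicit form ip dst host 10.0.6.67, which tcpdump's filter grammar treats the same as the article's shorter ip dst 10.0.6.67. The Primitive class and the combine, size_filter, build_command and shell_line functions are my own names, not part of tcpdump.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Vocabulary of the primitives used in the article (hypothetical helper, not tcpdump's own API).
PROTOS = {"ip", "ip6", "arp", "tcp", "udp", "icmp"}
DIRECTIONS = {None, "src", "dst"}
KINDS = {"host", "net", "port", "portrange"}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def _check_value(kind: str, value: str) -> str:
    """Reject values that would either error out in tcpdump or silently match the wrong traffic."""
    if kind == "host":
        try:
            return str(ipaddress.ip_address(value))  # literal IPv4/IPv6 address
        except ValueError:
            if HOSTNAME_RE.fullmatch(value):
                return value                          # a name; tcpdump resolves it itself
            raise ValueError(f"invalid host {value!r}")
    if kind == "net":
        # Accepts '192.168.1.0/24' or a bare address as in the article's example.
        if "/" in value:
            return str(ipaddress.ip_network(value, strict=False))
        return str(ipaddress.ip_address(value))
    if kind == "port":
        n = int(value)
        if not 0 <= n <= 65535:
            raise ValueError(f"port out of range: {n}")
        return str(n)
    if kind == "portrange":
        lo, hi = (int(x) for x in value.split("-", 1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {value!r}")
        return f"{lo}-{hi}"
    raise ValueError(f"unknown primitive kind {kind!r}")


@dataclass(frozen=True)
class Primitive:
    kind: str                        # host / net / port / portrange
    value: str
    direction: Optional[str] = None  # src / dst, or None for either direction
    proto: Optional[str] = None      # ip / tcp / udp / arp ..., or None

    def bpf(self) -> str:
        """Render as '[proto] [src|dst] kind value', the order tcpdump's filter grammar expects."""
        if self.kind not in KINDS or self.direction not in DIRECTIONS:
            raise ValueError(f"unsupported primitive: {self}")
        if self.proto is not None and self.proto not in PROTOS:
            raise ValueError(f"unsupported protocol qualifier {self.proto!r}")
        parts = [self.proto, self.direction, self.kind, _check_value(self.kind, self.value)]
        return " ".join(p for p in parts if p)


def size_filter(op: str, nbytes: int) -> str:
    """'less N' / 'greater N' on the packet length in bytes."""
    if op not in ("less", "greater") or nbytes < 0:
        raise ValueError("size filter needs 'less' or 'greater' and a non-negative byte count")
    return f"{op} {nbytes}"


def combine(op: str, *exprs: str) -> str:
    """Join expressions with 'and' / 'or', parenthesising any that already contain an operator."""
    if op not in ("and", "or"):
        raise ValueError("combine takes 'and' or 'or'")
    return f" {op} ".join(f"({e})" if (" and " in e or " or " in e) else e for e in exprs)


def build_command(interface: str, expr: str, count: Optional[int] = None,
                  write: Optional[str] = None, verbosity: int = 0) -> List[str]:
    """Argument list for tcpdump; -n disables name display, as in the article's option table."""
    argv = ["tcpdump", "-n", "-i", interface]
    if verbosity:
        argv.append("-" + "v" * min(verbosity, 3))
    if count is not None:
        argv += ["-c", str(count)]
    if write is not None:
        argv += ["-w", write]
    argv.append(expr)
    return argv


def shell_line(argv: List[str]) -> str:
    """Quoted form safe to paste into a shell (the filter expression contains spaces)."""
    return "sudo " + " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    both_ways = combine("or",
                        Primitive("host", "95.47.144.254", direction="dst", proto="ip").bpf(),
                        Primitive("host", "95.47.144.254", direction="src", proto="ip").bpf())
    expr = combine("and", both_ways, size_filter("greater", 50))
    print(shell_line(build_command("ppp0", expr, count=100, write="file.pcap")))
```

Quoting the whole expression as one argument, as shell_line does, avoids the shell splitting it on spaces; combined with -c and -w it gives a bounded, reproducible capture that can be reviewed later with -r.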
Conclusion
To conclude this article, we can say that the tcpdump command is an excellent tool with which you can track any data packet transmitted over the Internet. But for that it is not enough simply to enter the command itself in the terminal. The desired result is achieved only when you make use of all the options and filters, as well as their combinations.