If you need to analyse or intercept network packets on Linux, the best tool for the job is the console utility tcpdump. The difficulty lies in its rather involved usage: at first glance it seems impossible for an ordinary user to work with it, but that is only a first impression. This article explains how tcpdump is organised, what its syntax is and how to use it, and gives many examples of its use.
See also: Lessons on setting up an Internet connection in Ubuntu, Debian and Ubuntu Server
Installation
Most developers of Linux-based operating systems ship tcpdump among the pre-installed utilities, but if for some reason it is not in your distribution, you can always download and install it from the "Terminal". If your OS is Debian-based (Ubuntu, Linux Mint, Kali Linux and the like), run this command:
sudo apt install tcpdump
During installation you will need to enter your password. Note that it is not shown while you type, and to confirm the installation you must enter the character "D" (on an English-locale system the confirmation key is "Y") and press Enter.
If you have Red Hat, Fedora or CentOS, the install command looks like this:
sudo yum install tcpdump
Once the utility is installed you can start using it immediately. This and much more is covered later in the text.
See also: Guide to installing PHP on Ubuntu Server
Syntax
Like any other command, tcpdump has its own syntax. Once you know it, you can set every parameter that should be taken into account when the command runs. The syntax is:
tcpdump options -i interface filters
When using the command you must specify the interface to listen on. Filters and options are not mandatory, but they allow much more flexible tuning.
Options
Although specifying options is not required, it is still worth listing the available ones. The table does not show all of them, only the most popular, but those are enough to solve most tasks.
| Option | Description |
|---|---|
| -A | Prints each packet in ASCII. |
| -l | Makes the output line-buffered, so it can be scrolled through or piped to another program. |
| -i | After the option you must specify the network interface to monitor. To listen on all interfaces at once, type the word "any" after the option. |
| -c | Stops capturing after the specified number of packets has been processed. |
| -w | Saves the captured packets to a file for later analysis. |
| -e | Shows the link-level header of each packet. |
| -L | Lists the link-layer types supported by the specified network interface. |
| -C | Starts a new capture file when the current one grows larger than the specified size. |
| -r | Opens for reading a file created with the -w option. |
| -j | Sets the timestamp format used when recording packets. |
| -J | Lets you see all available timestamp formats. |
| -G | Used to rotate the capture file: the option takes a time value, after which a new file is started. |
| -v, -vv, -vvv | Depending on the number of characters in the option, the command output becomes more detailed (the detail grows with the number of characters). |
| -f | Shows the domain name of the IP address in the output. |
| -F | Lets you read data not from the network interface but from the specified file. |
| -D | Shows all network interfaces that can be used. |
| -n | Disables the display of domain names. |
| -Z | Specifies the user under whose account all files will be created. |
| -K | Skips checksum verification. |
| -q | Shows brief information. |
| -H | Detects 802.11s headers. |
| -I | Used when capturing packets in monitor mode. |
Having reviewed the options, we will move on to their practical use below. For now, let us look at the filters.
Filters
As mentioned at the beginning of this article, filters can be added to the tcpdump syntax. The most popular of them are described here:
| Filter | Description |
|---|---|
| host | Specifies the host name. |
| net | Specifies the IP subnet or network. |
| ip | Specifies an address of the IP protocol. |
| src | Shows packets sent from the specified address. |
| dst | Shows packets received by the specified address. |
| arp, udp, tcp | Filters by one of these protocols. |
| port | Shows information related to a specific port. |
| and, or | Used to combine several filters in one command. |
| less, greater | Outputs packets smaller or larger than the specified size. |
All of the above filters can be combined, so that the command output contains only the information you need. To understand the use of these filters in more detail, it is worth giving examples.
See also: Frequently used commands in the Linux Terminal
Usage examples
The most commonly used forms of the tcpdump syntax are listed below. It is impossible to list all of them, since there is no limit to their variations.
View the list of interfaces
Every user is advised to first check the list of all their network interfaces that can be listened on. From the table above we know that the -D option does this, so run the following command in the terminal:
sudo tcpdump -D
Example:
As you can see, the example shows eight interfaces that can be monitored with the tcpdump command. This article gives its examples for ppp0; you can use any of them.
Capturing regular traffic
If you need to listen on a single network interface, use the -i option. Do not forget to enter the interface name after it. Here is an example of such a command:
sudo tcpdump -i ppp0
Please note: you must put "sudo" before the command itself, since it requires superuser rights.
Example:
Note: after pressing Enter in the "Terminal", the captured packets are displayed continuously. To stop the flow, press the key combination Ctrl + C.
If you run the command without additional options and filters, the captured packets are displayed in the following format:
22:18:52.597573 IP vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482: Flags [P.], seq 1:595, ack 1118, win 6494, options [nop,nop,TS val 257060077 ecr 697597623], length 594
Where the colours mark:
- blue - the time the packet was received;
- orange - the protocol version;
- green - the sender's address;
- red - the recipient's address;
- grey - additional information about tcp;
- red - the packet size (shown in bytes).
This is how the syntax produces output in the "Terminal" window without any additional options.
Capturing traffic with the -v option
As we know from the table, the -v option increases the amount of information shown. Let us consider an example, listening on the same interface:
sudo tcpdump -v -i ppp0
Example:
Here you can see that the following line has appeared in the output:
IP (tos 0x0, ttl 58, id 30675, offset 0, flags [DF], proto TCP (6), length 52)
Where the colours mark:
- orange - the protocol version;
- blue - the protocol's time to live;
- green - the length of the header field;
- purple - the version of the tcp packet;
- red - the packet size.
You can also write the -vv or -vvv option in the command syntax, which further increases the amount of information displayed on the screen.
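As an added example that is not part of the original article: a Python parser for the two output formats shown above (the default one-line form, and the -v form where the IP header line is followed by an indented endpoint line), with a per-destination byte count on top, the kind of script you would run over `tcpdump -n -r file.pcap` output. The sample lines are constructed, not a real capture.

```python
import re
from collections import Counter
# Constructed sample (not a real capture) in the two formats the article shows.
SAMPLE_OUTPUT = """\
22:18:52.597573 IP vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482: Flags [P.], seq 1:595, ack 1118, win 6494, options [nop,nop,TS val 257060077 ecr 697597623], length 594
22:18:52.597700 IP 10.0.6.67.35482 > vrrp-topf2.p.mail.ru.https: Flags [.], ack 595, win 501, options [nop,nop,TS val 697597700 ecr 257060077], length 0
22:18:53.104411 IP (tos 0x0, ttl 58, id 30675, offset 0, flags [DF], proto TCP (6), length 52)
    vrrp-topf2.p.mail.ru.https > 10.0.6.67.35482: Flags [F.], seq 595, ack 1119, win 6494, length 0
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
LINE_RE = re.compile(TS + r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
HEADER_RE = re.compile(TS + r"\(tos (?P<tos>\S+), ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), "
                       r"flags \[(?P<ipflags>[^\]]*)\], proto (?P<proto>\w+) \((?P<pnum>\d+)\), length (?P<iplen>\d+)\)$")
CONT_RE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LEN_RE = re.compile(r"length (?P<length>\d+)$")

def split_endpoint(ep):
    """'host.port' -> (host, port): tcpdump appends the port/service as the last dotted part."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_tcpdump(text):
    """Parse default and -v output into dicts; -v header fields go onto the packet that follows."""
    packets, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # -v IP header line: remember its fields, endpoints come on the next line
            pending = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            continue
        m = CONT_RE.match(line) if pending else LINE_RE.match(line)
        if not m:
            continue
        pkt, pending = pending or {"ts": m.group("ts")}, None
        pkt["src"], pkt["sport"] = split_endpoint(m.group("src"))
        pkt["dst"], pkt["dport"] = split_endpoint(m.group("dst"))
        flags, length = FLAGS_RE.search(m.group("rest")), LEN_RE.search(m.group("rest"))
        pkt["flags"] = flags.group("flags") if flags else ""
        pkt["length"] = int(length.group("length")) if length else 0
        packets.append(pkt)
    return packets

def bytes_by_destination(packets):
    """Sum of TCP payload bytes per (dst host, dst port): shows where the traffic goes."""
    totals = Counter()
    for p in packets:
        totals[(p["dst"], p["dport"])] += p["length"]
    return totals
```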
The -w and -r options
The options table says that all output data can be saved to a separate file to be viewed later. The -w option is responsible for this. It is very easy to use: just add it to the command and then give the name of the future file with the ".pcap" extension. Consider this example:
sudo tcpdump -i ppp0 -w file.pcap
Example:
Please note: while the log is being written to the file, no text is shown on the "Terminal" screen.
If you want to view the recorded output, use the -r option followed by the name of the previously recorded file. It is used without any other options and filters:
sudo tcpdump -r file.pcap
Example:
Both options are ideal when large amounts of output need to be saved for later analysis.
IP filtering
From the filter table we know that dst displays on the console only those packets received by the address given in the command syntax. This makes it very convenient to view the packets your computer receives. To do so, specify your own IP address in the command:
sudo tcpdump -i ppp0 ip dst 10.0.6.67
Example:
As you can see, besides dst we also wrote the ip filter in the command. In other words, we told the computer that when selecting packets it should look at the IP address and not at other parameters.
You can also filter sent packets by IP. In the example we again give our own IP, that is, we will now track which packets are sent from our computer to other addresses. To do so, run the following command:
sudo tcpdump -i ppp0 ip src 10.0.6.67
Example:
As you can see, we changed the filter in the command syntax from dst to src, thereby telling the machine to look for the sender by IP.
HOST filtering
By analogy with ip in the command, we can specify the host filter to sift packets by the host of interest. That is, in the syntax, instead of the sender's or recipient's IP address, you specify its host name. It looks like this:
sudo tcpdump -i ppp0 dst host google-public-dns-a.google.com
Example:
In the image you can see that the "Terminal" shows only packets sent from our IP to the host google.com. As you can see, any other host can be entered instead of the Google one.
As with IP filtering, dst in the syntax can be replaced with src to see packets sent to your computer:
sudo tcpdump -i ppp0 src host google-public-dns-a.google.com
Note: the host filter must come after dst or src, otherwise the command reports an error. With IP filtering it is the other way round: dst and src come after the ip filter.
Filtering with and and or
If you need to use several filters at once in one command, you have to use the and or the or filter (depending on the case). By writing the filters in the syntax and separating them with these operators, you "make" them work as one. In an example it looks like this:
sudo tcpdump -i ppp0 ip dst 95.47.144.254 or ip src 95.47.144.254
Example:
From the command syntax you can see that we want the "Terminal" to show all packets sent to the address 95.47.144.254 and the packets received from the same address. You can also change some variables in this expression: for example, specify host instead of ip, or write the addresses directly.
Filtering with port and portrange
The port filter is ideal when you need information about packets on a specific port. So, if you only need to see DNS replies or queries, specify port 53:
sudo tcpdump -vv -i ppp0 port 53
Example:
If you want to view http packets, enter port 80:
sudo tcpdump -vv -i ppp0 port 80
Example:
Among other things, a whole range of ports can be tracked at once. To do this, use the portrange filter:
sudo tcpdump portrange 50-80
As you can see, no additional options need to be specified together with the portrange filter. Just set the range.
Protocol filtering
You can display only the traffic that matches a particular protocol. To do this, use the protocol name as the filter. Let us look at the udp example:
sudo tcpdump -vvv -i ppp0 udp
Example:
As you can see in the image, after running the command the "Terminal" shows only packets of the udp protocol. In the same way you can filter by the others, for example arp:
sudo tcpdump -vvv -i ppp0 arp
or tcp:
sudo tcpdump -vvv -i ppp0 tcp
The net filter
The net operator helps filter packets by the network they belong to. It is as easy to use as the others: write net in the syntax, then enter the network address. Here is an example of such a command:
sudo tcpdump -i ppp0 net 192.168.1.1
Example:
Filtering by packet size
We have not yet considered two more interesting filters: less and greater. From the filter table we know that they serve to output packets with more data (greater) or less data (less) than the size specified after the filter.
Suppose we want to monitor packets no larger than 50 bytes; then the command looks like this:
sudo tcpdump -i ppp0 less 50
Example:
Now let us show in the "Terminal" the packets larger than 50 bytes:
sudo tcpdump -i ppp0 greater 50
Example:
As you can see, they are used in the same way; the only difference is the filter name.
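As an added example that is not part of the original article, and covering both the -w/-r section and the size filters: a Python script that builds and reads a file in the pcap format that -w writes and -r reads back, then applies less and greater the way tcpdump does (less N keeps packets of N bytes or fewer, greater N keeps packets of N bytes or more). The sample capture is assembled inline from constructed, zero-filled frames.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # magic of a little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(frames, snaplen=65535):
    """Assemble a minimal pcap file (24-byte global header, then a 16-byte record
    header per frame) from raw frames; this is the layout tcpdump -w produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]             # incl_len may be shorter than orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out

def read_pcap(data):
    """Return a list of (ts_sec, ts_usec, orig_len, frame_bytes) records, accepting
    both byte orders of the magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic number)")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return records

def size_filter(records, op, n):
    """Emulate tcpdump's 'less N' (len <= N) and 'greater N' (len >= N); both are
    inclusive and compare the packet's original on-the-wire length."""
    if op == "less":
        return [r for r in records if r[2] <= n]
    if op == "greater":
        return [r for r in records if r[2] >= n]
    raise ValueError("op must be 'less' or 'greater'")

# Constructed sample: four zero-filled frames of 42, 50, 60 and 1514 bytes (no real traffic).
SAMPLE_PCAP = build_pcap([bytes(42), bytes(50), bytes(60), bytes(1514)])

def sample_sizes(op, n):
    """Original lengths of the sample frames that the filter 'op n' would keep."""
    return [r[2] for r in size_filter(read_pcap(SAMPLE_PCAP), op, n)]
```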
Conclusion
To conclude this article, we can say that the tcpdump command is an excellent tool with which you can track any data packet transmitted over the Internet. But for this it is not enough just to enter the command itself in the "Terminal". The desired result is achieved only by using all kinds of options and filters and their combinations.