Web Security Learning
11.3. Traffic related

11.3.1. TCPDump

TCPDump is a packet capture and analysis tool: it can capture every packet transmitted on the network and decode it for analysis. It can filter by network layer, protocol, host, network or port, and filters can be combined with logical expressions.

11.3.1.1. Common Command Line Options

  • -B <buffer_size> Size of the capture buffer, in KB. If it is too small, packets may be dropped.

  • -c <count> Exit after capturing count packets

  • -C <file_size> Once the current capture file exceeds file_size MB, close it and start writing a new file

  • -i <interface> Capture the traffic passing through the given network interface

  • -n Do not resolve addresses (hosts, ports) to names

  • -r <file> Read packets from a saved pcap file instead of the network

  • -s <snaplen> Capture only the first snaplen bytes of each packet; 0 means the whole packet

  • -q Quick (quiet) output: print less protocol information, so output lines are shorter

  • -W <cnt> Stop writing once cnt files have been filled (used with -C or -G)

  • -w <file> Save captured packets to file instead of printing them
    • When rotating files by time (-G), the file name may contain strftime(3) format specifiers, for example %Y_%m_%d_%H_%M_%S.pcap

  • -G <seconds> Rotate the dump file every seconds seconds

  • -v Verbose output; -vv and -vvv produce progressively more verbose output

  • -X Print each packet's headers and payload in hex and ASCII

  • -Z <user> Drop privileges to user before writing any files

11.3.2. Bro

Bro is an open source network traffic analysis tool that supports many protocols and can analyze traffic in real time or offline from capture files.

11.3.2.1. Command Line

  • Real-time monitoring: bro -i <interface> <scripts to load...>

  • Analyze a local capture file: bro -r <pcapfile> <scripts...>

  • Split and filter the columns of the logs Bro produces: bro-cut

11.3.2.2. Scripts

To let users extend and customize Bro's functionality, Bro provides an event-driven scripting language.
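The bro-cut step above is simple enough to reimplement, and doing so shows how Bro's ASCII logs are actually laid out. The following is an added example written for this page, not Bro's own bro-cut: it reads the header lines a Bro log carries (#separator, #fields, #unset_field, #empty_field) instead of assuming a fixed tab layout, then pulls out named columns and aggregates one of them. The conn.log sample is constructed for the demonstration.

```python
"""A minimal bro-cut: extract named columns from a Bro (Zeek) ASCII log.

Added example; not Bro's own bro-cut. The conn.log below is constructed.
"""

# Constructed sample in the Bro ASCII log format. The #separator line writes the
# separator as an escape (\x09 = tab); every later header and data line uses it.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\n"
    "1640000000.123456\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.52\t312\t4820\n"
    "1640000001.000000\tCdef2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\tssl\t3.10\t1200\t98000\n"
    "1640000002.000000\tCghi3\t10.0.0.7\t40000\t192.0.2.10\t23\ttcp\t-\t-\t-\t-\n"
    "#close\t2021-12-20-12-00-00\n"
)


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts; unset fields become None."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is escaped (e.g. \x09); decode the escape.
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            # #set_separator, #path, #types, #open and #close are not needed here.
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        row = {}
        for name, value in zip(fields, values):
            row[name] = None if value == unset else ("" if value == empty else value)
        rows.append(row)
    return rows


def bro_cut(text, columns):
    """Like `bro-cut col1 col2 ...`: the chosen columns of each record, in order."""
    out = []
    for row in parse_bro_log(text):
        out.append(tuple("-" if row.get(c) is None else row[c] for c in columns))
    return out


def bytes_by_service(text):
    """Total response bytes per service; records whose counters are unset are skipped."""
    totals = {}
    for row in parse_bro_log(text):
        if row["resp_bytes"] is None:
            continue
        service = row["service"] or "unknown"
        totals[service] = totals.get(service, 0) + int(row["resp_bytes"])
    return totals


if __name__ == "__main__":
    for cols in bro_cut(SAMPLE_CONN_LOG, ["ts", "id.orig_h", "id.resp_p", "service"]):
        print("\t".join(cols))
    print(bytes_by_service(SAMPLE_CONN_LOG))
```

Reading the separator and unset/empty markers from the header matters in practice: a log written with a non-default separator, or a record whose duration is unset because the connection never completed, would otherwise be misparsed silently.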

11.3.3. tcpflow

tcpflow is another packet capture tool. Its distinguishing feature is that it reassembles and displays data per TCP stream rather than per packet, which makes it more convenient than tcpdump for examining the content of protocols such as HTTP.

11.3.3.1. Common Command Line Options

  • -b max_bytes Maximum number of bytes to save per flow

  • -e name Enable the named scanner (parser) for the captured data

  • -i interface Capture on the given interface

  • -o outputdir Write flow files to the given output folder

  • -r file Read packets from a capture file

  • -R file Read packets from a capture file, but only to complete flows already in progress; no new flows are started

11.3.4. tshark

tshark is Wireshark's command-line tool. It can extract the data you want with commands, redirect it to a file, or be called from a higher-level language to process the data.

11.3.4.1. Input interface

  • -i <interface> Capture interface; the default is the first non-loopback interface

  • -f <capture filter> Capture filter expression in libpcap filter syntax. This filter is applied while capturing, so it has no effect when analyzing a local file

  • -s <snaplen> Snapshot length, i.e. how many bytes of each packet to read. Network transmission is limited to 65535 bytes, so 0 means a snapshot length of 65535; the default is 65535

  • -p Work in non-promiscuous mode, i.e. only capture traffic addressed to this machine

  • -B <buffer size> Capture buffer size (only valid on Windows); the default is 2M

  • -y <link type> Link-layer type (default: first appropriate)

  • -D Print the list of interfaces and exit

  • -L Print the list of link-layer types of the interface and exit

  • -r <infile> Set the file name to read from (or '-' for stdin)

11.3.4.2. Capture stop conditions

  • -c <packet count> Stop after n packets (default: infinite)

  • -a <autostop cond>
    • duration:NUM stop after NUM seconds

    • filesize:NUM stop this file after NUM KB

    • files:NUM stop after NUM files

    • packets:NUM stop after NUM packets

11.3.4.3. Processing

  • -Y <display filter> Packet display filter in Wireshark display-filter syntax

  • -n Disable all name resolutions (default: all enabled)

  • -N <flags> Enable specific name resolutions; flags are chosen from mnNtdv: m MAC layer, n network layer, t transport layer, C asynchronous (concurrent) DNS lookup

  • -d <layer type>==<selector>,<decode-as protocol> "Decode As"; see the man page for details. Example: tcp.port==8888,http

11.3.4.4. Output

  • -w <outfile> Write packets to a pcapng-format file named outfile (or '-' for stdout)

  • -F <output file type> Set the output file type; the default is pcapng. An empty "-F" option lists the available file types

  • -V Add output of the packet tree (Packet Details)

  • -O <protocols> Only show packet details for these protocols (comma separated)

  • -P Print the packet summary even when writing to a file

  • -S <separator> Line separator to print between packets

  • -x Add output of the hex and ASCII dump (Packet Bytes)

  • -T pdml|ps|text|fields|psml Format of text output (default: text)

  • -e <field> Field to print when -T fields is selected (e.g. tcp.port, _ws.col.Info); repeat this option to print multiple fields

  • -t a|ad|d|dd|e|r|u|ud Output format of time stamps (default: r, relative to first packet)

  • -u s|hms Output format of seconds (default: s, seconds)

  • -l Flush standard output after each packet

  • -q Be more quiet on stdout (e.g. when using statistics)

  • -X <key>:<value> eXtension options; see the man page for details

  • -z <statistics> Various statistics; see the man page for details
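The -T fields / -e combination is what makes tshark usable from a higher-level language, as the introduction to this section notes. The following added example (written for this page; not tshark's or Wireshark's own code) builds such a command line, parses the tab-separated output it produces, and then summarises which hosts sent bare SYNs to which destination ports, a first-pass view of connection attempts that is useful when reviewing a capture. It assumes the documented options -r, -n, -Y, -T fields, -e and -E; the pcap path and the sample tshark output are constructed for the demonstration, and the sample is used whenever tshark is not installed.

```python
"""Drive tshark from Python and aggregate its "-T fields" output.

Added example; not tshark's own code. The pcap path and SAMPLE_OUTPUT are
constructed for the demonstration.
"""
import shutil
import subprocess
from collections import defaultdict

# Fields to extract; the SYN/ACK flags let us tell connection attempts from replies.
FIELDS = ["frame.time_relative", "ip.src", "ip.dst",
          "tcp.dstport", "tcp.flags.syn", "tcp.flags.ack"]

# Constructed sample of what `tshark -T fields -E header=y -E separator=/t` prints.
SAMPLE_OUTPUT = (
    "frame.time_relative\tip.src\tip.dst\ttcp.dstport\ttcp.flags.syn\ttcp.flags.ack\n"
    "0.000000\t10.0.0.5\t192.0.2.10\t22\t1\t0\n"
    "0.000210\t192.0.2.10\t10.0.0.5\t51234\t1\t1\n"
    "0.000400\t10.0.0.5\t192.0.2.10\t22\t0\t1\n"
    "1.200000\t10.0.0.5\t192.0.2.10\t80\t1\t0\n"
    "1.300000\t10.0.0.5\t192.0.2.10\t443\t1\t0\n"
    "2.000000\t10.0.0.7\t192.0.2.10\t80\t1\t0\n"
)


def tshark_fields_cmd(pcap, display_filter, fields):
    """Build the tshark argv: read a capture, apply a display filter, emit TSV."""
    cmd = ["tshark", "-r", pcap, "-n", "-T", "fields",
           "-E", "header=y", "-E", "separator=/t"]
    if display_filter:
        cmd += ["-Y", display_filter]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields(text):
    """Turn the header line plus TSV rows into a list of dicts keyed by field name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        values = line.split("\t")
        # A field absent from a packet is printed as an empty column; pad if short.
        values += [""] * (len(header) - len(values))
        records.append(dict(zip(header, values)))
    return records


def _is_set(flag):
    # tshark prints boolean fields as 1/0 in older versions and True/False in newer ones.
    return flag.strip().lower() in ("1", "true")


def syn_targets(records):
    """Map each source host to the set of (dst host, dst port) it sent bare SYNs to."""
    targets = defaultdict(set)
    for rec in records:
        if _is_set(rec["tcp.flags.syn"]) and not _is_set(rec["tcp.flags.ack"]):
            targets[rec["ip.src"]].add((rec["ip.dst"], rec["tcp.dstport"]))
    return dict(targets)


def extract(pcap, display_filter="tcp", fields=FIELDS):
    """Run tshark when it is installed; otherwise fall back to the constructed sample."""
    if shutil.which("tshark") is None:
        return parse_fields(SAMPLE_OUTPUT)
    result = subprocess.run(tshark_fields_cmd(pcap, display_filter, fields),
                            capture_output=True, text=True, check=True)
    return parse_fields(result.stdout)


if __name__ == "__main__":
    # "capture.pcap" is a placeholder path; with tshark installed it must exist.
    for src, dsts in sorted(syn_targets(extract("capture.pcap")).items()):
        print(f"{src} attempted {len(dsts)} distinct connection(s): {sorted(dsts)}")
```

Passing -n keeps the output free of resolved names, which is what you want when a script is going to key on addresses; -E separator=/t is tshark's spelling for a tab separator, and -E header=y makes the first line self-describing so the parser never relies on the order in which -e options were given.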

11.3.4.5. Miscellaneous

  • -h Display this help and exit

  • -v Display version info and exit


© Copyright 2019-2022, WebSecurity.
