How to capture data packets when a network exception occurs

Last Updated: Dec 15, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Overview

This article describes how to use packet capture tools in Linux and Windows.

Background

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

If an exception occurs when the source server accesses the target server, you can capture packets to obtain the raw interaction data for troubleshooting and analysis. The following sections introduce the commonly used packet capture tools, describe how to capture packets with them, and outline the analysis procedure.

A tool for capturing packets in Linux

TCPDump is the tool usually used in Linux to capture and analyze packets. It is a packet capture and analysis tool pre-installed in all Linux releases. For more information about how to obtain and install TCPDump, see the TCPDump official documentation.

The synopsis of the tcpdump command is as follows (options are case sensitive).

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] 
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
  • -s: specifies the snapshot length, that is, how many bytes of each packet are captured. If -s is 0, whole packets are captured using the default maximum snapshot length (shown in the output as "capture size").
  • -w: writes the captured packets to a file instead of decoding and printing them in the console.
  • -i: specifies the network interface controller to listen on, for example eth0. Use -i any to listen on all interfaces.
  • -vvv: prints detailed protocol information for each packet.
  • expression: a filter expression that selects which packets are captured. It mainly consists of the following kinds of keywords:
    • Type keywords: host, net, and port.
    • Direction keywords: src (source), dst (destination), dst or src (source or destination), and dst and src (source and destination).
    • Protocol keywords: icmp, ip, arp, rarp, tcp, and udp.
  • For more information about the other parameters and how to use them, see the tcpdump man page.

Common usage of the tcpdump command and sample output are described below.

  • Run the following command to capture the traffic on port 22 of the eth0 network interface controller.
    tcpdump -s 0 -i eth0 port 22
    The following command output is returned.
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:24:59.414951 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
    20:24:59.415002 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
    20:24:59.415052 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
    20:24:59.415103 IP 172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164
  • Run the following command to capture the traffic on port 22 of the eth1 network interface controller and print detailed protocol information in the console.
    tcpdump -s 0 -i eth1 -vvv port 22
    The following command output is returned.
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
    172.xx.xx.226.ssh > 42.xx.xx.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
    20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
    42.xx.xx.107.43414 > 172.xx.xx.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
  • Run the following command to capture the ICMP packets sent through the eth1 network interface controller to the specified IP address, with detailed output.
    tcpdump -s 0 -i eth1 -vvv dst 223.xx.xx.5 and icmp
    The following command output is returned.
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64
    20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64
    20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64
    20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    172.xx.xx.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64
  • Run the following command to capture the data of all interfaces in the system and save the data to the specified file:
    tcpdump -i any -s 0 -w test.cap
    Note: The saved file is in binary format, so it appears as garbled characters if you view it with cat or vim. Run tcpdump -r test.cap to read the captured packets, or open the file in Wireshark.
    The following command output is returned.
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

A packet capture tool in Windows

Wireshark, a popular free and open-source tool, is generally used in Windows to capture and analyze packets. See the Wireshark official website to obtain and install Wireshark, and then capture packets as follows.

  1. Install and open Wireshark.
  2. Click Capture > Options.
  3. On the Wireshark interface page, select the network interface controller to capture on by its interface name or IP address, and then click Start.
  4. After a sufficient number of packets have been captured, click Capture > Stop.
  5. Click File > Save to save the captured packets to a file.
  6. For more information about Wireshark and its data analysis methods, see the Wireshark official website.

Analysis process of packet capture

Capture packets for analysis when an exception occurs. Capture on the source and target servers at the same time so that the two captures can be compared. The specific procedure is as follows:

  1. Identify the network interface controller that carries the traffic between the source and target servers.
  2. If the source server accesses the public network through NAT sharing, visit the Taobao IP Address Library to obtain the public IP address that corresponds to the local network.
  3. On the source server, use the preceding tools to capture packets for the target server's address and port on the interface identified above, or capture all traffic.
  4. On the target server, use the preceding tools to capture packets for the source server's address on the interface identified above, or capture all traffic, and then compare the two captures.
  5. If the problem persists, create a ticket and attach the packet capture files. After you submit the ticket, Alibaba Cloud technical support personnel will troubleshoot the issue and get back to you.
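As an added example (not part of the original article or of tcpdump itself), the following Python script performs the comparison that steps 3 and 4 above call for: it parses tcpdump's default one-line output (the format of the port 22 sample earlier) from both the source and the target capture and lists payload segments the source sent but the target never saw. The NAT_MAP dictionary is an assumption standing in for the address lookup in step 2, and the sample capture lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Matches tcpdump's default one-line TCP output (the port 22 sample format above);
# the two-line -vvv format, header lines and non-IP lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?.*, length (?P<length>\d+)$"
)

def parse_line(line: str, addr_map: Optional[Dict[str, str]] = None) -> Optional[dict]:
    """Parse one default-format tcpdump line; header lines and other formats return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr_map = addr_map or {}
    rec = {"ts": m["ts"], "flags": m["flags"], "length": int(m["length"]),
           "seq": int(m["seq"]) if m["seq"] else None,
           "ack": int(m["ack"]) if m["ack"] else None}
    for side in ("src", "dst"):
        # The port follows the last dot; rewrite the host part with the NAT public address
        # (step 2 above) so that endpoint names agree between the two captures.
        host, _, port = m[side].rpartition(".")
        rec[side] = f"{addr_map.get(host, host)}.{port}"
    return rec

def _key(rec: dict) -> tuple:
    return (rec["src"], rec["dst"], rec["flags"], rec["seq"], rec["length"])

def missing_segments(source_lines: List[str], target_lines: List[str],
                     addr_map: Optional[Dict[str, str]] = None) -> List[dict]:
    """Payload segments in the source capture that are absent from the target capture (pure ACKs ignored)."""
    seen = {_key(r) for r in (parse_line(l, addr_map) for l in target_lines) if r}
    return [r for r in (parse_line(l, addr_map) for l in source_lines)
            if r and r["length"] > 0 and _key(r) not in seen]

# Constructed sample captures (not real data): source 172.16.0.226 sits behind NAT and is
# seen by target 198.51.100.9 as 203.0.113.7; the second segment never reaches the target.
SRC_CAPTURE = [
    "listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes",
    "20:24:59.414951 IP 172.16.0.226.43414 > 198.51.100.9.ssh: Flags [P.], seq 1:53, ack 1, win 141, length 52",
    "20:24:59.415002 IP 172.16.0.226.43414 > 198.51.100.9.ssh: Flags [P.], seq 53:105, ack 1, win 141, length 52",
    "20:24:59.415052 IP 172.16.0.226.43414 > 198.51.100.9.ssh: Flags [.], ack 165, win 141, length 0",
]
DST_CAPTURE = [
    "20:24:59.420001 IP 203.0.113.7.43414 > 198.51.100.9.ssh: Flags [P.], seq 1:53, ack 1, win 141, length 52",
]
NAT_MAP = {"172.16.0.226": "203.0.113.7"}  # assumed NAT mapping, as looked up in step 2
```

Call missing_segments(SRC_CAPTURE, DST_CAPTURE, NAT_MAP) to list the lost segments; a NAT that also rewrites source ports would need the port mapped as well.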

Application scope

  • Elastic Compute Service