TCPflow - Analyze and Debug Network Traffic in Linux


TCPflow is a free, open source, powerful command line based tool for analyzing network traffic on Unix-like systems such as Linux. It captures data received or transferred over TCP connections and stores it in a file for later analysis, in a useful format that allows for protocol analysis and debugging.

It is actually a tcpdump-like tool, as it processes packets from the wire or from a stored file. It supports the same powerful filtering expressions that its counterpart supports. The only difference is that tcpflow puts all the TCP packets in order and assembles each flow in a separate file (one file for each direction of the flow) for later analysis.

Its feature set includes an advanced plug-in system for decompressing compressed HTTP connections, undoing MIME encoding, or invoking third party programs for post-processing, and much more.

There are many use cases for tcpflow, which include understanding network packets, supporting network forensics investigations, and revealing the contents of HTTP sessions.

How to Install TCPflow in Linux Systems

TCPflow is available in the official repositories of mainstream GNU/Linux distributions; you can install it using your package manager as shown.

$ sudo apt install tcpflow	#Debian/Ubuntu
$ sudo yum install tcpflow	#CentOS/RHEL
$ sudo dnf install tcpflow	#Fedora 22+

After installing tcpflow, you can run it with superuser privileges, otherwise use the sudo command. Note that it listens on the active network interface (for example enp0s3).

$ sudo tcpflow

tcpflow: listening on enp0s3

By default tcpflow stores all captured data in files whose names have the following form (this may differ if you use certain options, such as timestamps).

sourceip.sourceport-destip.destport
192.168.043.031.52920-216.058.210.034.00443

Now let's do a directory listing to see whether the TCP flow has been captured in any files.

$ ls -l

total 20
-rw-r--r--. 1 root    root     808 Sep 19 12:49 192.168.043.031.52920-216.058.210.034.00443
-rw-r--r--. 1 root    root      59 Sep 19 12:49 216.058.210.034.00443-192.168.043.031.52920

As we mentioned earlier on, each TCP flow is stored in its own file. From the output above, you can see that there are two capture files, which represent the flow in its two directions: the source IP of the first file is the destination IP of the second file, and vice versa.

The first file 192.168.043.031.52920-216.058.210.034.00443 contains the data transferred from host 192.168.043.031 (the local host on which tcpflow was run) via port 52920, to host 216.058.210.034 via port 443.

And the second file 216.058.210.034.00443-192.168.043.031.52920 contains the data sent from host 216.058.210.034 (the remote host) via port 443 to host 192.168.043.031 via port 52920.

There is also an XML report generated, which contains information about the program such as how it was compiled, the computer on which it was run, and a record of every TCP connection.

As you may have noticed, tcpflow stores the capture files in the current directory by default. The -o option lets you specify the output directory where the capture files will be written.
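The file naming scheme just described is easy to parse, which is handy when a capture directory holds hundreds of flows. The following script is an added example, not part of the original article or of tcpflow itself: it parses the zero-padded sourceip.sourceport-destip.destport names, pairs the two directions of each conversation, and flags conversations for which only one direction was captured. The listing it runs on is constructed to mirror the output shown in this article.

```python
import re
from collections import defaultdict

# tcpflow names each capture file sourceip.sourceport-destip.destport, octets
# zero-padded to three digits and ports to five; report.xml and similar are skipped.
FLOW_NAME = re.compile(r"^(?P<sip>(?:\d{3}\.){3}\d{3})\.(?P<sport>\d{5})"
                       r"-(?P<dip>(?:\d{3}\.){3}\d{3})\.(?P<dport>\d{5})$")

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port) with the padding removed, or None."""
    m = FLOW_NAME.match(name)
    if m is None:
        return None
    unpad = lambda ip: ".".join(str(int(o)) for o in ip.split("."))
    return unpad(m["sip"]), int(m["sport"]), unpad(m["dip"]), int(m["dport"])

def pair_flows(listing):
    """Group (filename, size) pairs by endpoint pair, keeping the byte count captured
    in each direction (0 when that side's file is missing)."""
    convs = defaultdict(lambda: {"a_to_b": 0, "b_to_a": 0})
    for name, size in listing:
        parsed = parse_flow_name(name)
        if parsed is None:
            continue
        sip, sport, dip, dport = parsed
        a, b = sorted([(sip, sport), (dip, dport)])  # canonical order for the pair
        direction = "a_to_b" if (sip, sport) == a else "b_to_a"
        convs[(a, b)][direction] += size
    return dict(convs)

def one_sided(convs):
    """Endpoint pairs with only one direction captured; on a real capture these
    deserve a second look (missed packets, or a flow the capture cut short)."""
    return sorted(k for k, v in convs.items() if 0 in v.values())

# Constructed sample input: a tcpflow output directory listing (name, size in bytes).
SAMPLE_LISTING = [
    ("157.240.016.035.00443-192.168.000.103.45986", 1665),
    ("169.044.082.101.00443-192.168.000.103.55496", 45),
    ("172.217.166.046.00443-192.168.000.103.39954", 2738),
    ("192.168.000.102.00022-192.168.000.103.42436", 68),
    ("192.168.000.103.39954-172.217.166.046.00443", 573),
    ("192.168.000.103.45986-157.240.016.035.00443", 4067),
    ("192.168.000.103.55496-169.044.082.101.00443", 38),
    ("report.xml", 3159),
]

if __name__ == "__main__":
    for (a, b), v in sorted(pair_flows(SAMPLE_LISTING).items()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {v['a_to_b']} B / {v['b_to_a']} B")
```

On a real capture directory, feed it the output of os.scandir() with each entry's size instead of SAMPLE_LISTING.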

$ sudo tcpflow -o tcpflow_files
$ sudo ls -l tcpflow_files

total 32
-rw-r--r--. 1 root root 1665 Sep 19 12:56 157.240.016.035.00443-192.168.000.103.45986
-rw-r--r--. 1 root root   45 Sep 19 12:56 169.044.082.101.00443-192.168.000.103.55496
-rw-r--r--. 1 root root 2738 Sep 19 12:56 172.217.166.046.00443-192.168.000.103.39954
-rw-r--r--. 1 root root   68 Sep 19 12:56 192.168.000.102.00022-192.168.000.103.42436
-rw-r--r--. 1 root root  573 Sep 19 12:56 192.168.000.103.39954-172.217.166.046.00443
-rw-r--r--. 1 root root 4067 Sep 19 12:56 192.168.000.103.45986-157.240.016.035.00443
-rw-r--r--. 1 root root   38 Sep 19 12:56 192.168.000.103.55496-169.044.082.101.00443
-rw-r--r--. 1 root root 3159 Sep 19 12:56 report.xml

You can also print the contents of packets to stdout as they are received, without storing any captured data in files, using the -c flag as follows.

To test this effectively, open a second terminal and run a ping, or browse the internet. You should be able to see the details of the ping or of your browsing being captured by tcpflow.

$ sudo tcpflow -c

It is possible to capture all traffic on a particular port, for example port 80 (HTTP). In the case of HTTP traffic, you will be able to see the HTTP headers followed by the content, all on stdout, or in a single file if the -c switch is removed.

$ sudo tcpflow port 80

To capture packets from a specific network interface, use the -i flag to specify the interface name.

$ sudo tcpflow -i eth0 port 80

You can also specify a target host (accepted values are an IP address, hostname or domain), as shown.

$ sudo tcpflow -c host 192.68.43.1
OR
$ sudo tcpflow -c host www.google.com 

You can enable all processing using all scanners with the -a flag; this is equivalent to the -e all switch.

$ sudo tcpflow -a  
OR
$ sudo tcpflow -e all

A specific scanner can also be enabled; the available scanners include md5, http, netviz, tcpdemux and wifiviz (run tcpflow -H to view the full details of each scanner).

$ sudo tcpflow -e http
OR
$ sudo tcpflow -e md5
OR
$ sudo tcpflow -e netviz
OR
$ sudo tcpflow -e tcpdemux
OR
$ sudo tcpflow -e wifiviz

The following example shows how to enable all scanners except tcpdemux.

$ sudo tcpflow -a -x tcpdemux 

TCPflow normally tries to put the network interface into promiscuous mode before capturing packets. You can prevent this using the -p flag as shown.

$ sudo tcpflow -p -i eth0

To read packets from a tcpdump pcap file, use the -r flag.

$ sudo tcpflow -r file.pcap

You can enable verbose mode using the -v or -d 10 options.

$ sudo tcpflow -v
OR
$ sudo tcpflow -d 10

Important: One limitation of tcpflow is that, at present, it does not understand IP fragments, so data transmitted as part of TCP connections containing IP fragments will not be captured correctly.

For more information and usage options, see the tcpflow man page.

$ man tcpflow 

TCPflow Github repository: https://github.com/simsong/tcpflow

That's all for now! TCPflow is a powerful TCP flow recorder that is useful for understanding network packets, performing network forensics investigations, and more. Try it out and share your thoughts about it with us in the comments.