Memo


■Capturing packets
■tcpdump
# tcpdump -nli eth0 port 80 … watch traffic on port 80 in either direction (-n: no host-name lookups, -l: line-buffered output, -i: interface)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
… it now sits in this state, capturing
19:51:41.603374 IP 202.229.34.200.61910 > 153.121.33.84.http: Flags [S], seq 994394370, win 8192, options [mss 1414,nop,wscale 8,nop,nop,sackOK], length 0
19:51:41.603475 IP 153.121.33.84.http > 202.229.34.200.61910: Flags [S.], seq 3988310290, ack 994394371, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
At 19:51:41 the client 202.229.34.200 (source port 61910) opened a TCP connection to port 80 (http) on 153.121.33.84: the first line is the client's SYN (Flags [S]), the second the server's SYN-ACK (Flags [S.], whose ack is the client's seq + 1). Only the handshake is visible here; the HTTP request itself travels in the packets that follow. Note that in this tcpdump version -n only suppresses host-name lookups (the port is still printed as http); use -nn to get numeric ports as well.
# tcpdump -X -i eth0 -n port 80 … watch the contents of port-80 traffic (-X: print each packet in hex and ASCII)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
… it now sits in this state, capturing
19:57:03.458221 IP 202.229.34.200.62029 > 153.121.33.84.http: Flags [S], seq 1535838550, win 8192, options [mss 1414,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 7893 4000 7506 e4b5 cae5 22c8  E..4x.@.u.....".
        0x0010:  9979 2154 f24d 0050 5b8b 0956 0000 0000  .y!T.M.P[..V....
        0x0020:  8002 2000 4f44 0000 0204 0586 0103 0308  ....OD..........
        0x0030:  0101 0402                                ....
19:57:03.458313 IP 153.121.33.84.http > 202.229.34.200.62029: Flags [S.], seq 4017208096, ack 1535838551, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
        0x0000:  4500 0034 0000 4000 4006 9249 9979 2154  E..4..@.@..I.y!T
        0x0010:  cae5 22c8 0050 f24d ef71 bb20 5b8b 0957  .."..P.M.q..[..W
        0x0020:  8012 3908 8b6c 0000 0204 05b4 0101 0402  ..9..l..........
        0x0030:  0103 0306                                ....
19:57:03.458763 IP 202.229.34.200.62031 > 153.121.33.84.http: Flags [S], seq 928033904, win 8192, options [mss 1414,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 7895 4000 7506 e4b3 cae5 22c8  E..4x.@.u.....".
        0x0010:  9979 2154 f24f 0050 3750 ac70 0000 0000  .y!T.O.P7P.p....
        0x0020:  8002 2000 d062 0000 0204 0586 0103 0308  .....b..........
        0x0030:  0101 0402                                ....
19:57:03.458788 IP 153.121.33.84.http > 202.229.34.200.62031: Flags [S.], seq 3101697651, ack 928033905, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
        0x0000:  4500 0034 0000 4000 4006 9249 9979 2154  E..4..@.@..I.y!T
        0x0010:  cae5 22c8 0050 f24f b8e0 2673 3750 ac71  .."..P.O..&s7P.q
        0x0020:  8012 3908 d7c9 0000 0204 05b4 0101 0402  ..9.............
        0x0030:  0103 0306                                ....
19:57:03.458916 IP 202.229.34.200.62032 > 153.121.33.84.http: Flags [S], seq 4220921428, win 8192, options [mss 1414,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 7896 4000 7506 e4b2 cae5 22c8  E..4x.@.u.....".
        0x0010:  9979 2154 f250 0050 fb96 2654 0000 0000  .y!T.P.P..&T....
        0x0020:  8002 2000 9237 0000 0204 0586 0103 0308  .....7..........
        0x0030:  0101 0402                                ....
19:57:03.458927 IP 153.121.33.84.http > 202.229.34.200.62032: Flags [S.], seq 1978207803, ack 4220921429, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
        0x0000:  4500 0034 0000 4000 4006 9249 9979 2154  E..4..@.@..I.y!T
        0x0010:  cae5 22c8 0050 f250 75e9 0e3b fb96 2655  .."..P.Pu..;..&U
        0x0020:  8012 3908 f4cd 0000 0204 05b4 0101 0402  ..9.............
        0x0030:  0103 0306                                ....
19:57:03.470209 IP 202.229.34.200.62030 > 153.121.33.84.http: Flags [S], seq 4289352827, win 8192, options [mss 1414,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 7894 4000 7506 e4b4 cae5 22c8  E..4x.@.u.....".
        0x0010:  9979 2154 f24e 0050 ffaa 547b 0000 0000  .y!T.N.P..T{....
        0x0020:  8002 2000 5ffe 0000 0204 0586 0103 0308  ...._...........
        0x0030:  0101 0402                                ....
19:57:03.470244 IP 153.121.33.84.http > 202.229.34.200.62030: Flags [S.], seq 3159110353, ack 4289352828, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
        0x0000:  4500 0034 0000 4000 4006 9249 9979 2154  E..4..@.@..I.y!T
        0x0010:  cae5 22c8 0050 f24e bc4c 32d1 ffaa 547c  .."..P.N.L2...T|
        0x0020:  8012 3908 579b 0000 0204 05b4 0101 0402  ..9.W...........
        0x0030:  0103 0306                                ....
19:57:03.497385 IP 202.229.34.200.62029 > 153.121.33.84.http: Flags [.], ack 1, win 64, length 0
        0x0000:  4500 0028 7897 4000 7506 e4bd cae5 22c8  E..(x.@.u.....".
        0x0010:  9979 2154 f24d 0050 5b8b 0957 ef71 bb21  .y!T.M.P[..W.q.!
        0x0020:  5010 0040 0506 0000                      P..@....
19:57:03.497746 IP 202.229.34.200.62029 > 153.121.33.84.http: Flags [P.], seq 1:623, ack 1, win 64, length 622
        0x0000:  4500 0296 7898 4000 7506 e24e cae5 22c8  E...x.@.u..N..".
        0x0010:  9979 2154 f24d 0050 5b8b 0957 ef71 bb21  .y!T.M.P[..W.q.!
        0x0020:  5018 0040 e614 0000 4745 5420 2f20 4854  P..@....GET./.HT
        0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 7265  TP/1.1..Host:.re
        0x0040:  6669 7269 6f2e 6e65 740d 0a43 6f6e 6e65  firio.net..Conne
        0x0050:  6374 696f 6e3a 206b 6565 702d 616c 6976  ction:.keep-aliv
        0x0060:  650d 0a43 6163 6865 2d43 6f6e 7472 6f6c  e..Cache-Control
        0x0070:  3a20 6d61 782d 6167 653d 300d 0a41 6363  :.max-age=0..Acc
        0x0080:  6570 743a 2074 6578 742f 6874 6d6c 2c61  ept:.text/html,a
        0x0090:  7070 6c69 6361 7469 6f6e 2f78 6874 6d6c  pplication/xhtml
        0x00a0:  2b78 6d6c 2c61 7070 6c69 6361 7469 6f6e  +xml,application
        0x00b0:  2f78 6d6c 3b71 3d30 2e39 2c69 6d61 6765  /xml;q=0.9,image
        0x00c0:  2f77 6562 702c 2a2f 2a3b 713d 302e 380d  /webp,*/*;q=0.8.
        0x00d0:  0a55 7067 7261 6465 2d49 6e73 6563 7572  .Upgrade-Insecur
        0x00e0:  652d 5265 7175 6573 7473 3a20 310d 0a55  e-Requests:.1..U
        0x00f0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
        0x0100:  6c61 2f35 2e30 2028 5769 6e64 6f77 7320  la/5.0.(Windows.
        0x0110:  4e54 2031 302e 303b 2057 4f57 3634 2920  NT.10.0;.WOW64).
        0x0120:  4170 706c 6557 6562 4b69 742f 3533 372e  AppleWebKit/537.
        0x0130:  3336 2028 4b48 544d 4c2c 206c 696b 6520  36.(KHTML,.like.
        0x0140:  4765 636b 6f29 2043 6872 6f6d 652f 3530  Gecko).Chrome/50
How to read the dump: -X does not print the Ethernet header, so each packet starts with the 20-byte IPv4 header (4500 = version 4, header length 5 words; cae5 22c8 = 202.229.34.200, 9979 2154 = 153.121.33.84), followed at offset 0x0014 by the TCP header (f24d 0050 = ports 62029 and 80). The byte after the TCP data offset is the flag byte: 02 = SYN, 12 = SYN-ACK, 18 = PSH-ACK, matching Flags [S], [S.] and [P.] on the summary lines. Everything after the headers is payload, readable in the right-hand ASCII column: here the complete plaintext HTTP request, with the Host header (refirio.net), the Accept and Cache-Control headers and the browser's User-Agent. This is the security point of capturing on port 80: anything sent over plain HTTP can be read in full by whoever holds the capture, so the capture itself must be treated as sensitive data. For anything more than a quick look, write the packets to a file with -w (for example -w capture.pcap) and analyse them later with tcpdump -r or Wireshark instead of reading hex at the terminal.
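To show how the summary line maps onto the hex, here is an added example (written for this page, not part of the original memo) that parses the page's own -X output: it rebuilds the raw bytes from the hex column, decodes the IPv4 and TCP headers, verifies the IP header checksum, and produces a tcpdump-style summary with numeric ports. The dumps embedded in the block are copied from the capture above; the request packet is cut off on the page, so only its first four dump lines are included and the parser reports it as truncated.

```python
"""Decode `tcpdump -X` hex dumps of IPv4/TCP packets into tcpdump's summary fields.
Added example, not part of the original memo; the dumps are copied from the page."""
import re
import struct

# Copied from the page's `tcpdump -X -i eth0 -n port 80` output: client SYN, server
# SYN-ACK, and the first four lines of the PSH packet carrying the HTTP request
# (the page's dump of that packet is cut off, so only the payload's start is here).
SYN_DUMP = """\
0x0000:  4500 0034 7893 4000 7506 e4b5 cae5 22c8  E..4x.@.u.....".
0x0010:  9979 2154 f24d 0050 5b8b 0956 0000 0000  .y!T.M.P[..V....
0x0020:  8002 2000 4f44 0000 0204 0586 0103 0308  ....OD..........
0x0030:  0101 0402                                ....
"""
SYNACK_DUMP = """\
0x0000:  4500 0034 0000 4000 4006 9249 9979 2154  E..4..@.@..I.y!T
0x0010:  cae5 22c8 0050 f24d ef71 bb20 5b8b 0957  .."..P.M.q..[..W
0x0020:  8012 3908 8b6c 0000 0204 05b4 0101 0402  ..9..l..........
0x0030:  0103 0306                                ....
"""
REQUEST_DUMP = """\
0x0000:  4500 0296 7898 4000 7506 e24e cae5 22c8  E...x.@.u..N..".
0x0010:  9979 2154 f24d 0050 5b8b 0957 ef71 bb21  .y!T.M.P[..W.q.!
0x0020:  5018 0040 e614 0000 4745 5420 2f20 4854  P..@....GET./.HT
0x0030:  5450 2f31 2e31 0d0a 486f 7374 3a20 7265  TP/1.1..Host:.re
"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$", re.I)
HEX_TOK = re.compile(r"[0-9a-f]{2,4}", re.I)


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from -X lines (-X omits the link layer, so the IPv4 header
    comes first). Hex tokens are read until 16 bytes or a non-hex token (the start
    of the ASCII column) is reached."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        n = 0
        for tok in m.group(1).split():
            if n >= 16 or not HEX_TOK.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            n += len(tok) // 2
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791: one's-complement sum over the header, checksum included, is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def tcp_options(raw: bytes) -> list:
    """Decode SYN-time TCP options (kinds 0-4) in tcpdump's wording."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:            # kind 0 = end of option list
        kind = raw[i]
        if kind == 1:                               # NOP is a single byte
            opts.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:     # truncated or malformed option
            break
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts.append("mss %d" % struct.unpack("!H", body))
        elif kind == 3:
            opts.append("wscale %d" % body[0])
        else:
            opts.append("sackOK" if kind == 4 else "opt-%d" % kind)
        i += length
    return opts


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Split an IPv4/TCP packet (no link-layer header) into the fields tcpdump prints."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    thl = (off_flags >> 12) * 4
    # tcpdump's flag letters in bit order: F S R P . U E W ('.' is ACK)
    flags = "".join(c for i, c in enumerate("FSRP.UEW") if off_flags & (1 << i))
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "ttl": pkt[8], "ip_len": ip_len, "checksum_ok": ip_checksum_ok(pkt[:ihl]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "win": win, "options": tcp_options(tcp[20:thl]), "payload": tcp[thl:],
            "truncated": len(pkt) < ip_len}  # dump holds fewer bytes than the IP header claims


def summary(p: dict) -> str:
    """tcpdump-style one-liner: numeric ports (as -nn) and absolute sequence numbers (as -S)."""
    f = p["flags"]
    fields = [("seq", "S" in f or p["payload"]), ("ack", "." in f), ("win", True)]
    parts = ["Flags [%s]" % f] + ["%s %d" % (k, p[k]) for k, on in fields if on]
    if p["options"]:
        parts.append("options [%s]" % ",".join(p["options"]))
    parts.append("length %d" % len(p["payload"]))
    return "IP %s.%d > %s.%d: " % (p["src"], p["sport"], p["dst"], p["dport"]) + ", ".join(parts)
```

Running `summary(parse_ipv4_tcp(parse_hexdump(SYN_DUMP)))` reproduces the page's first summary line with port 80 in place of http, and the SYN-ACK's ack comes out as the SYN's seq + 1, which is the relationship the handshake lines above show. For the request packet the parser returns the payload prefix `GET / HTTP/1.1\r\nHost: re` and flags it as truncated, since its IP total length (662) exceeds the bytes present in the dump.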
■Wireshark (※ not yet verified)
Wireshark packet-analysis tutorial 1: customizing Wireshark's column display
https://unit42.paloaltonetworks.jp/unit42-customizing-wireshark-changing-column-display/
