Well then, you can learn at home

Code that wakes up your thinking. Can you resist it?

Playing with tshark, which is kinder to humans than tcpdump

For the wilful reader who looks at tcpdump output and understands none of it.

Overview

tshark is the command-line version of Wireshark and is useful in all sorts of situations: basic packet analysis, collecting statistics and writing captures to a file are all straightforward. Because it runs the same dissectors as Wireshark, it shows you decoded protocol fields (DNS names, TLS record types, HTTP requests) where tcpdump shows only addresses, ports and raw bytes; that is the sense in which it gives you more useful information than tcpdump.

Installation

$sudo apt install -y tshark

On Debian/Ubuntu the installer asks whether non-superusers should be allowed to capture. Answer yes, add yourself to the wireshark group and log in again, and every command below runs without sudo (dpkg-reconfigure wireshark-common brings the question back if you missed it). That setting grants the capture capabilities to dumpcap only, which is the point: tshark feeds every byte it captures through Wireshark's dissectors, and a dissector bug triggered by a hostile packet is far less useful to an attacker in an unprivileged process than in a root one.

List the available interfaces (-D).

$tshark -D

1. wlp2s0
2. vmnet1
3. vmnet8
4. any
5. lo (Loopback)
6. docker0
7. enp0s25
8. nflog
9. nfqueue
10. usbmon1
11. usbmon2

Specify the interface to capture on, by number or by name. The numbers come from the -D list and are not stable between runs (a new VPN, VM or Docker interface shifts them), so in anything scripted use the name, for example -i any or -i wlp2s0. Capturing on any uses Linux cooked-mode encapsulation rather than Ethernet framing, which is why some of the frames later in this post are two bytes longer and carry a cooked header.

$tshark -i 5

  1 0.000000000 192.168.179.4 -> 239.255.255.250 SSDP 213 M-SEARCH * HTTP/1.1 
  2 0.983522653 199.59.148.139 -> 192.168.179.4 TLSv1.2 100 Application Data
  3 0.983614028 192.168.179.4 -> 199.59.148.139 TCP 66 59982 → 443 [ACK] Seq=1 Ack=35 Win=1444 Len=0 TSval=96211917 TSecr=4069275393
  4 0.986559798 199.59.148.139 -> 192.168.179.4 TLSv1.2 1138 Application Data

Capture filters (-f)

-f takes a BPF capture filter in the same syntax as tcpdump. It is applied before packets reach the dissectors, so it only understands what BPF can see: addresses, ports, protocols, lengths and raw offsets. Filtering on dissected fields (an HTTP method, a DNS name, a TLS version) needs a display filter, -Y, which uses Wireshark's field syntax and runs after dissection.

$tshark -i 5 -f 'port 80 and tcp'

  1 0.000000000 192.168.179.4 -> 104.244.42.133 TCP 68 46202 → 80 [FIN, ACK] Seq=1 Ack=1 Win=275 Len=0 TSval=96256597 TSecr=1048955429
  2 0.108406853 192.168.179.4 -> 104.16.25.235 TCP 76 40784 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=96256624 TSecr=0 WS=128
  3 0.111467821 104.244.42.133 -> 192.168.179.4 TCP 68 80 → 46202 [ACK] Seq=1 Ack=2 Win=137 Len=0 TSval=1048996368 TSecr=96256597
  4 0.236930698 104.16.25.235 -> 192.168.179.4 TCP 68 80 → 40784 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1360 SACK_PERM=1 WS=1024

Packet detail display (-V)

$tshark -i 4 -V -f 'port 53'

-V prints the full dissection tree for every packet instead of the one-line summary; -O followed by a protocol name (for example -O dns) restricts the detail to that protocol and keeps the rest one-line, which is far easier to read on a busy link. The capture below was taken on the any interface (number 4 in the list above) with a port 53 filter, so the frame starts with a Linux cooked-mode header rather than an Ethernet one.

Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
    Interface id: 0 (any)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Dec 25, 2016 13:09:38.432388738 JST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1482638978.432388738 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 89 bytes (712 bits)
    Capture Length: 89 bytes (712 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:udp:dns]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 6
    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 73
    Identification: 0x3f0b (16139)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xfc96 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 127.0.0.1
    Destination: 127.0.1.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 37936 (37936), Dst Port: 53 (53)
    Source Port: 37936
    Destination Port: 53
    Length: 53
    Checksum: 0xff48 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Domain Name System (query)
    Transaction ID: 0x0056
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        googleads.g.doubleclick.net: type A, class IN
            Name: googleads.g.doubleclick.net
            [Name Length: 27]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

Show the packet bytes in hex (-x)

$tshark -i 4 -x -f 'port 53'

Writing packets to a file (-w)

$tshark -i 4 -f 'port 53' -w packet

-w writes the raw packets in pcapng format (the file name and extension are up to you), so they can be re-read later by tshark or Wireshark; it does not save the text you see on screen. Add -P if you want the one-line summaries printed while the file is being written.

Reading packets from a file (-r)

-f is only for live capture; when reading a file, the display filter -Y and the field extractor -T fields are the tools to narrow the output.

$tshark -r packet
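As an added example, not code from the original post: read a saved capture with a display filter, extract a few fields as tab-separated rows, and summarise the DNS queries per client with awk. The tshark options used (-Y, -T fields, -E, -e) are real; the capture file name and the sample rows are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Read a saved capture, keep only DNS queries (a display filter, -Y, so it can
# test dissected fields), emit one tab-separated row per query, and summarise
# who is resolving what. Assumes tshark is installed; the capture file name
# passed to extract_dns_queries is whatever you wrote with -w (hypothetical).

# <epoch time>\t<client IPv4>\t<queried name>\t<query type> per DNS query.
# -E separator=/t selects tab, -E header=n drops the column header line.
# (ip.src is empty for queries sent over IPv6; add -e ipv6.src if you need them.)
extract_dns_queries() {
    tshark -r "$1" -Y 'dns.flags.response == 0' \
        -T fields -E separator=/t -E header=n \
        -e frame.time_epoch -e ip.src -e dns.qry.name -e dns.qry.type
}

# Read those rows on stdin; print "<client>\t<queries>\t<distinct names>",
# clients with the most distinct names first. A host resolving hundreds of
# distinct names in a short window is worth a look (DNS tunnelling, DGA
# beaconing, or a scanner doing reverse lookups).
summarize_dns_queries() {
    awk -F '\t' '
        NF < 3 || $2 == "" { next }                 # blank or non-IPv4 rows
        { queries[$2]++; if (!seen[$2 SUBSEP $3]++) names[$2]++ }
        END { for (c in queries) printf "%s\t%d\t%d\n", c, queries[c], names[c] }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k3,3nr -k1,1
}

# Read the summary on stdin; print clients whose distinct-name count is above
# the threshold (default 50, which is arbitrary: tune it to your network).
flag_noisy_resolvers() {
    awk -F '\t' -v t="${1:-50}" '$3 > t { print $1 }'
}

# Constructed sample of what extract_dns_queries prints (not real traffic):
# 127.0.0.1 resolves one name twice (A, then AAAA), 10.0.0.9 resolves three
# distinct TXT records under one zone, 192.168.179.4 resolves one name.
SAMPLE_TSV="$(printf '1482638978.432\t127.0.0.1\tgoogleads.g.doubleclick.net\t1
1482638979.101\t127.0.0.1\tgoogleads.g.doubleclick.net\t28
1482638979.200\t10.0.0.9\ta1.t.example.net\t16
1482638979.210\t10.0.0.9\ta2.t.example.net\t16
1482638979.220\t10.0.0.9\ta3.t.example.net\t16
1482638980.000\t192.168.179.4\tanalytics.fs-bdash.com\t1')"

# Typical use on a real file:
#   extract_dns_queries packet | summarize_dns_queries | flag_noisy_resolvers 200
# Offline check on the sample:
#   printf '%s\n' "$SAMPLE_TSV" | summarize_dns_queries
```

The split into three small functions is deliberate: the tshark call is the only part that needs the binary, so the awk stages can be tested on saved rows and dropped into a cron job or a SIEM forwarder unchanged.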

Collecting statistics (-z)

-z runs one of Wireshark's statistics taps over the packets. It is normally combined with -q, so that only the statistics table is printed and not a line per packet, and it works on a saved file via -r just as on a live capture. The ones you will reach for most often are conv,tcp and endpoints,ip (who talked to whom, and how much), dns,tree and http,tree (protocol breakdowns) and io,stat (traffic over time). The full list, as printed by tshark -z help:

     afp,srt
     ancp,tree
     ansi_a,bsmap
     ansi_a,dtap
     ansi_map
     bacapp_instanceid,tree
     bacapp_ip,tree
     bacapp_objectid,tree
     bacapp_service,tree
     bootp,stat
     camel,counter
     camel,srt
     collectd,tree
     compare
     conv,bluetooth
     conv,eth
     conv,fc
     conv,fddi
     conv,ip
     conv,ipv6
     conv,ipx
     conv,jxta
     conv,mptcp
     conv,ncp
     conv,rsvp
     conv,sctp
     conv,tcp
     conv,tr
     conv,udp
     conv,usb
     conv,wlan
     dcerpc,srt
     dests,tree
     diameter,avp
     diameter,srt
     dns,tree
     endpoints,bluetooth
     endpoints,eth
     endpoints,fc
     endpoints,fddi
     endpoints,ip
     endpoints,ipv6
     endpoints,ipx
     endpoints,jxta
     endpoints,mptcp
     endpoints,ncp
     endpoints,rsvp
     endpoints,sctp
     endpoints,tcp
     endpoints,tr
     endpoints,udp
     endpoints,usb
     endpoints,wlan
     expert
     fc,srt
     follow,ssl
     follow,tcp
     follow,udp
     gsm_a
     gsm_a,bssmap
     gsm_a,dtap_cc
     gsm_a,dtap_gmm
     gsm_a,dtap_mm
     gsm_a,dtap_rr
     gsm_a,dtap_sacch
     gsm_a,dtap_sm
     gsm_a,dtap_sms
     gsm_a,dtap_ss
     gsm_a,dtap_tp
     gsm_map,operation
     gtp,srt
     h225,counter
     h225_ras,rtd
     hart_ip,tree
     hosts
     hpfeeds,tree
     http,stat
     http,tree
     http2,tree
     http_req,tree
     http_srv,tree
     icmp,srt
     icmpv6,srt
     io,phs
     io,stat
     ip_hosts,tree
     ip_srcdst,tree
     ipv6_dests,tree
     ipv6_hosts,tree
     ipv6_ptype,tree
     ipv6_srcdst,tree
     isup_msg,tree
     lbmr_queue_ads_queue,tree
     lbmr_queue_ads_source,tree
     lbmr_queue_queries_queue,tree
     lbmr_queue_queries_receiver,tree
     lbmr_topic_ads_source,tree
     lbmr_topic_ads_topic,tree
     lbmr_topic_ads_transport,tree
     lbmr_topic_queries_pattern,tree
     lbmr_topic_queries_pattern_receiver,tree
     lbmr_topic_queries_receiver,tree
     lbmr_topic_queries_topic,tree
     ldap,srt
     mac-lte,stat
     megaco,rtd
     mgcp,rtd
     mtp3,msus
     ncp,srt
     plen,tree
     proto,colinfo
     ptype,tree
     radius,rtd
     rlc-lte,stat
     rpc,programs
     rpc,programs
     rpc,srt
     rtp,streams
     rtsp,stat
     rtsp,tree
     sametime,tree
     scsi,srt
     sctp,stat
     sip,stat
     sip,stat
     smb,sids
     smb,srt
     smb2,srt
     smpp_commands,tree
     sv
     ucp_messages,tree
     wsp,stat
     wsp,stat
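As an added example, not code from the original post: conversation statistics two ways, the built-in -z conv,tcp form next to the same accounting rebuilt from -T fields output with awk, which is what you want when the -z table is not the grouping you need or you want machine-readable output for a script. The capture file name and the sample segment rows are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Conversation statistics two ways: the built-in -z conv,tcp table, and the
# same accounting rebuilt from -T fields output with awk, for when you need a
# different grouping or a machine-readable result. Assumes tshark is
# installed; the capture file name passed in is hypothetical.

# Built-in form. -q suppresses the per-packet lines so only the table prints;
# -z works on a saved file (-r) exactly as it does on a live capture.
builtin_tcp_conversations() {
    tshark -r "$1" -q -z conv,tcp
}

# One row per TCP-over-IPv4 segment:
# <src ip>\t<src port>\t<dst ip>\t<dst port>\t<frame length>
extract_tcp_segments() {
    tshark -r "$1" -Y 'tcp && ip' \
        -T fields -E separator=/t -E header=n \
        -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len
}

# Read those rows on stdin and total frames and bytes per conversation.
# Both directions are folded into one bucket by ordering the two endpoints
# lexically, so A->B and B->A share a key; that is what conv,tcp does too.
# Output: "<bytes>\t<frames>\t<endpoint>\t<endpoint>", largest first.
tcp_conversation_totals() {
    awk -F '\t' '
        NF < 5 { next }
        {
            a = $1 ":" $2; b = $3 ":" $4
            key = (a < b) ? a "\t" b : b "\t" a
            frames[key]++; bytes[key] += $5
        }
        END { for (k in bytes) printf "%d\t%d\t%s\n", bytes[k], frames[k], k }
    ' | LC_ALL=C sort -k1,1nr
}

# Constructed sample of what extract_tcp_segments prints (not real traffic):
# a handshake plus one data segment between 192.168.179.4 and 104.16.25.235,
# and a lone ACK on a second flow. Frame sizes include the 16-byte cooked
# header you get when capturing on "any".
SAMPLE_SEGMENTS="$(printf '192.168.179.4\t40784\t104.16.25.235\t80\t76
104.16.25.235\t80\t192.168.179.4\t40784\t76
192.168.179.4\t40784\t104.16.25.235\t80\t68
192.168.179.4\t40784\t104.16.25.235\t80\t1200
104.16.25.235\t80\t192.168.179.4\t40784\t68
192.168.179.4\t46202\t104.244.42.133\t80\t68')"

# Typical use on a real file:
#   extract_tcp_segments packet | tcp_conversation_totals | head -n 10
```

Rebuilding the statistic by hand also makes the grouping explicit: change the key to just the two IP addresses and you have endpoints,ip, add the hour from frame.time_epoch and you have a per-hour top-talkers table that -z does not offer.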

Stopping the capture automatically (-a)

Capture for 3 seconds only

$tshark -i 4 -a duration:3

Switch to a new file once the current one reaches 100 KB (the ring-buffer option -b) and stop once 5 files have been written (-a files:5). Both need -w. Without -a, -b files:N keeps the newest N files and overwrites the oldest, which is the usual setup for a long-running sensor.

$tshark -i 4 -f 'port 53' -w packet -b filesize:100 -a files:5

Limiting the number of captured packets (-c)

$tshark -i 4 -c 1 -f 'port 53'

  1 0.000000000    127.0.0.1 -> 127.0.1.1    DNS 84 Standard query 0xc414 A analytics.fs-bdash.com
1 packet captured

Closing

This post showed that tshark makes basic packet analysis, statistics and writing captures to a file easy. If the built-in filters do not satisfy you, something like Python's scapy will.