For you, the stubborn one who can't make any sense of tcpdump.
Overview
tshark is the command-line (CUI) version of Wireshark and is useful in all sorts of situations. Basic packet analysis, collecting statistics and writing captures to file are all easy to do with it, and it gives you far more useful information than tcpdump does.
Installation
$ sudo apt install -y tshark
List the available interfaces (-D).
$ tshark -D
1. wlp2s0
2. vmnet1
3. vmnet8
4. any
5. lo (Loopback)
6. docker0
7. enp0s25
8. nflog
9. nfqueue
10. usbmon1
11. usbmon2
Specify the interface to capture on (-i), by number or by name.
$ tshark -i 5
1 0.000000000 192.168.179.4 -> 239.255.255.250 SSDP 213 M-SEARCH * HTTP/1.1
2 0.983522653 199.59.148.139 -> 192.168.179.4 TLSv1.2 100 Application Data
3 0.983614028 192.168.179.4 -> 199.59.148.139 TCP 66 59982 → 443 [ACK] Seq=1 Ack=35 Win=1444 Len=0 TSval=96211917 TSecr=4069275393
4 0.986559798 199.59.148.139 -> 192.168.179.4 TLSv1.2 1138 Application Data
Setting a capture filter (-f, BPF syntax)
$ tshark -i 5 -f 'port 80 and tcp'
1 0.000000000 192.168.179.4 -> 104.244.42.133 TCP 68 46202 → 80 [FIN, ACK] Seq=1 Ack=1 Win=275 Len=0 TSval=96256597 TSecr=1048955429
2 0.108406853 192.168.179.4 -> 104.16.25.235 TCP 76 40784 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=96256624 TSecr=0 WS=128
3 0.111467821 104.244.42.133 -> 192.168.179.4 TCP 68 80 → 46202 [ACK] Seq=1 Ack=2 Win=137 Len=0 TSval=1048996368 TSecr=96256597
4 0.236930698 104.16.25.235 -> 192.168.179.4 TCP 68 80 → 40784 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1360 SACK_PERM=1 WS=1024
Detailed packet display (-V)
The full dissection tree, as in Wireshark's detail pane, is printed with -V. The capture below is a DNS query on the "any" interface (interface 4 in the list above).
$ tshark -i 4 -V -f 'port 53'
Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
    Interface id: 0 (any)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Dec 25, 2016 13:09:38.432388738 JST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1482638978.432388738 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 89 bytes (712 bits)
    Capture Length: 89 bytes (712 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:udp:dns]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 6
    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 73
    Identification: 0x3f0b (16139)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xfc96 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 127.0.0.1
    Destination: 127.0.1.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 37936 (37936), Dst Port: 53 (53)
    Source Port: 37936
    Destination Port: 53
    Length: 53
    Checksum: 0xff48 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Domain Name System (query)
    Transaction ID: 0x0056
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        googleads.g.doubleclick.net: type A, class IN
            Name: googleads.g.doubleclick.net
            [Name Length: 27]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
Show packet contents as a hex dump (-x)
$ tshark -i 4 -x -f 'port 53'
Write captured packets to a file (-w)
$ tshark -i 4 -f 'port 53' -w packet
Read packets back from a file (-r)
$ tshark -r packet
Collecting statistics (-z)
Statistics available to -z (the list printed by tshark -z help)
afp,srt
ancp,tree
ansi_a,bsmap
ansi_a,dtap
ansi_map
bacapp_instanceid,tree
bacapp_ip,tree
bacapp_objectid,tree
bacapp_service,tree
bootp,stat
camel,counter
camel,srt
collectd,tree
compare
conv,bluetooth
conv,eth
conv,fc
conv,fddi
conv,ip
conv,ipv6
conv,ipx
conv,jxta
conv,mptcp
conv,ncp
conv,rsvp
conv,sctp
conv,tcp
conv,tr
conv,udp
conv,usb
conv,wlan
dcerpc,srt
dests,tree
diameter,avp
diameter,srt
dns,tree
endpoints,bluetooth
endpoints,eth
endpoints,fc
endpoints,fddi
endpoints,ip
endpoints,ipv6
endpoints,ipx
endpoints,jxta
endpoints,mptcp
endpoints,ncp
endpoints,rsvp
endpoints,sctp
endpoints,tcp
endpoints,tr
endpoints,udp
endpoints,usb
endpoints,wlan
expert
fc,srt
follow,ssl
follow,tcp
follow,udp
gsm_a
gsm_a,bssmap
gsm_a,dtap_cc
gsm_a,dtap_gmm
gsm_a,dtap_mm
gsm_a,dtap_rr
gsm_a,dtap_sacch
gsm_a,dtap_sm
gsm_a,dtap_sms
gsm_a,dtap_ss
gsm_a,dtap_tp
gsm_map,operation
gtp,srt
h225,counter
h225_ras,rtd
hart_ip,tree
hosts
hpfeeds,tree
http,stat
http,tree
http2,tree
http_req,tree
http_srv,tree
icmp,srt
icmpv6,srt
io,phs
io,stat
ip_hosts,tree
ip_srcdst,tree
ipv6_dests,tree
ipv6_hosts,tree
ipv6_ptype,tree
ipv6_srcdst,tree
isup_msg,tree
lbmr_queue_ads_queue,tree
lbmr_queue_ads_source,tree
lbmr_queue_queries_queue,tree
lbmr_queue_queries_receiver,tree
lbmr_topic_ads_source,tree
lbmr_topic_ads_topic,tree
lbmr_topic_ads_transport,tree
lbmr_topic_queries_pattern,tree
lbmr_topic_queries_pattern_receiver,tree
lbmr_topic_queries_receiver,tree
lbmr_topic_queries_topic,tree
ldap,srt
mac-lte,stat
megaco,rtd
mgcp,rtd
mtp3,msus
ncp,srt
plen,tree
proto,colinfo
ptype,tree
radius,rtd
rlc-lte,stat
rpc,programs
rpc,srt
rtp,streams
rtsp,stat
rtsp,tree
sametime,tree
scsi,srt
sctp,stat
sip,stat
smb,sids
smb,srt
smb2,srt
smpp_commands,tree
sv
ucp_messages,tree
wsp,stat
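The statistic most people reach for first is conv,ip, which tallies frames and bytes per bidirectional IP conversation. As an added example (not part of the original post), this Python script derives the same kind of conversation table from tshark's one-line summaries, using the four lines of the `tshark -i 5` capture above as its input; parsing the text output this way is handy when you want to post-process a capture beyond what -z offers.

```python
import re
from collections import defaultdict

# Regex for tshark's default one-line summary:
#   <no> <time> <src> -> <dst> <proto> <length> <info>
SUMMARY_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)\s*(?P<info>.*)$"
)

# Sample input: the four lines printed by `tshark -i 5` above, plus the
# "N packets captured" trailer that tshark prints when it stops.
SAMPLE = """\
1 0.000000000 192.168.179.4 -> 239.255.255.250 SSDP 213 M-SEARCH * HTTP/1.1
2 0.983522653 199.59.148.139 -> 192.168.179.4 TLSv1.2 100 Application Data
3 0.983614028 192.168.179.4 -> 199.59.148.139 TCP 66 59982 → 443 [ACK] Seq=1 Ack=35 Win=1444 Len=0
4 0.986559798 199.59.148.139 -> 192.168.179.4 TLSv1.2 1138 Application Data
4 packets captured
"""

def parse_summary(text):
    """Turn summary lines into dicts; lines that are not packet summaries
    (the trailer, blank lines) are skipped rather than mis-parsed."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["no"], rec["length"] = int(rec["no"]), int(rec["length"])
            rec["time"] = float(rec["time"])
            records.append(rec)
    return records

def conversations(records):
    """Bidirectional IP conversations, as `tshark -z conv,ip` reports them.
    Key: the address pair sorted as strings (for grouping only, not numeric
    order); A->B is traffic from the first address of the pair, B->A the reverse."""
    table = defaultdict(lambda: {"frames_ab": 0, "bytes_ab": 0,
                                 "frames_ba": 0, "bytes_ba": 0})
    for rec in records:
        a, b = sorted((rec["src"], rec["dst"]))
        direction = "ab" if rec["src"] == a else "ba"
        table[(a, b)]["frames_" + direction] += 1
        table[(a, b)]["bytes_" + direction] += rec["length"]
    return dict(table)
```

Call `conversations(parse_summary(SAMPLE))` to get the table; pipe real output in with `parse_summary(sys.stdin.read())` to run it against a live `tshark -i <n>` session.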
Stopping the capture automatically (-a)
Capture packets for 3 seconds only:
$ tshark -i 4 -a duration:3
Switch to a new output file each time the current one reaches 100 kilobytes (-b filesize), and stop once 5 files have been written (-a files):
$ tshark -i 4 -f 'port 53' -w packet -b filesize:100 -a files:5
Number of packets to capture (-c)
$ tshark -i 4 -c 1 -f 'port 53'
1 0.000000000 127.0.0.1 -> 127.0.1.1 DNS 84 Standard query 0xc414 A analytics.fs-bdash.com
1 packet captured
Closing
This post has shown that tshark makes basic packet analysis, statistics collection and writing captures to file easy. When the built-in filtering is not enough, a library such as Python's scapy can take over where tshark leaves off.