For the demanding reader who looks at tcpdump output and understands none of it.
Overview
tshark is the command-line (CUI) version of Wireshark and is useful in all kinds of situations. Basic packet analysis, collecting statistics, and writing captures to a file are all easy to do with it, and it gives you more useful information than tcpdump.
Installation
$sudo apt install -y tshark
List the available interfaces (-D).
$tshark -D
1. wlp2s0
2. vmnet1
3. vmnet8
4. any
5. lo (Loopback)
6. docker0
7. enp0s25
8. nflog
9. nfqueue
10. usbmon1
11. usbmon2
Specify the interface to capture on (-i), by number or by name.
$tshark -i 5
1 0.000000000 192.168.179.4 -> 239.255.255.250 SSDP 213 M-SEARCH * HTTP/1.1
2 0.983522653 199.59.148.139 -> 192.168.179.4 TLSv1.2 100 Application Data
3 0.983614028 192.168.179.4 -> 199.59.148.139 TCP 66 59982 → 443 [ACK] Seq=1 Ack=35 Win=1444 Len=0 TSval=96211917 TSecr=4069275393
4 0.986559798 199.59.148.139 -> 192.168.179.4 TLSv1.2 1138 Application Data
Setting a capture filter (-f)
$tshark -i 5 -f 'port 80 and tcp'
1 0.000000000 192.168.179.4 -> 104.244.42.133 TCP 68 46202 → 80 [FIN, ACK] Seq=1 Ack=1 Win=275 Len=0 TSval=96256597 TSecr=1048955429
2 0.108406853 192.168.179.4 -> 104.16.25.235 TCP 76 40784 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=96256624 TSecr=0 WS=128
3 0.111467821 104.244.42.133 -> 192.168.179.4 TCP 68 80 → 46202 [ACK] Seq=1 Ack=2 Win=137 Len=0 TSval=1048996368 TSecr=96256597
4 0.236930698 104.16.25.235 -> 192.168.179.4 TCP 68 80 → 40784 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1360 SACK_PERM=1 WS=1024
Showing packet details (-V)
The dissected packet below is a DNS query on the "any" interface (interface 4 in the list above), so the command that produces it is:
$tshark -i 4 -V -f 'port 53'
Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
    Interface id: 0 (any)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Dec 25, 2016 13:09:38.432388738 JST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1482638978.432388738 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 89 bytes (712 bits)
    Capture Length: 89 bytes (712 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:udp:dns]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 772
    Link-layer address length: 6
    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 73
    Identification: 0x3f0b (16139)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xfc96 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 127.0.0.1
    Destination: 127.0.1.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 37936 (37936), Dst Port: 53 (53)
    Source Port: 37936
    Destination Port: 53
    Length: 53
    Checksum: 0xff48 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Domain Name System (query)
    Transaction ID: 0x0056
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        googleads.g.doubleclick.net: type A, class IN
            Name: googleads.g.doubleclick.net
            [Name Length: 27]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
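To see where the bit-by-bit lines in the DNS section come from, here is a small DNS query parser written as an added example for this post (it is not part of the original and not tshark code). The input bytes are constructed here to reproduce the packet dissected above: transaction ID 0x0056, flags 0x0100, one question for googleads.g.doubleclick.net of type A, class IN. The resulting 45-byte message is consistent with the UDP length of 53 shown above (8-byte UDP header plus 45 bytes of payload).

```python
import struct

# Constructed sample (not captured data): the DNS query the tshark -V output
# above describes. Header: ID 0x0056, flags 0x0100, QDCOUNT 1, AN/NS/ARCOUNT 0.
def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"

SAMPLE_DNS_QUERY = (
    struct.pack("!HHHHHH", 0x0056, 0x0100, 1, 0, 0, 0)
    + encode_name("googleads.g.doubleclick.net")
    + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
)

OPCODES = {0: "Standard query", 1: "Inverse query", 2: "Server status request"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
CLASSES = {1: "IN", 3: "CH", 4: "HS"}


def decode_flags(flags):
    """Split the 16-bit flags word into the bit fields tshark prints one per line.
    For 0x0100 only RD (bit 8) is set, which is why tshark shows 'Standard query'
    with 'Recursion desired' and every other flag cleared."""
    return {
        "response": bool((flags >> 15) & 1),
        "opcode": OPCODES.get((flags >> 11) & 0xF, "Unknown"),
        "authoritative": bool((flags >> 10) & 1),
        "truncated": bool((flags >> 9) & 1),
        "recursion_desired": bool((flags >> 8) & 1),
        "recursion_available": bool((flags >> 7) & 1),
        "z": (flags >> 6) & 1,
        "authenticated_data": bool((flags >> 5) & 1),
        "checking_disabled": bool((flags >> 4) & 1),
        "rcode": flags & 0xF,
    }


def decode_name(data, offset):
    """Read a label sequence at offset, following compression pointers (0xC0 prefix).
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2             # the reader resumes after the pointer
            hops += 1
            if hops > 16:                    # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(data):
            raise ValueError("label runs past end of message")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_query(data):
    """Parse the DNS header and question section into the fields tshark shows."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", data, 0)
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("question truncated")
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append({
            "name": name,
            "name_length": len(name),                        # tshark's [Name Length]
            "label_count": name.count(".") + 1 if name else 0,  # tshark's [Label Count]
            "type": TYPES.get(qtype, str(qtype)),
            "class": CLASSES.get(qclass, str(qclass)),
        })
    return {
        "transaction_id": txid,
        "flags": decode_flags(flags),
        "questions_count": qdcount,
        "answer_rrs": ancount,
        "authority_rrs": nscount,
        "additional_rrs": arcount,
        "questions": questions,
    }


if __name__ == "__main__":
    print(parse_query(SAMPLE_DNS_QUERY))
```

decode_name follows compression pointers with a hop limit, because a response that points at itself would otherwise keep a naive parser looping; tshark only prints the six flag lines that matter for a query, but decode_flags returns all of them so the same function also covers responses.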
Showing packet contents in hexadecimal (-x)
$tshark -i 4 -x -f 'port 53'
Writing packets to a file (-w)
$tshark -i 4 -f 'port 53' -w packet
Reading packets back from a file (-r)
$tshark -r packet
Collecting statistics (-z)
Statistics that can be passed to -z
afp,srt
ancp,tree
ansi_a,bsmap
ansi_a,dtap
ansi_map
bacapp_instanceid,tree
bacapp_ip,tree
bacapp_objectid,tree
bacapp_service,tree
bootp,stat
camel,counter
camel,srt
collectd,tree
compare
conv,bluetooth
conv,eth
conv,fc
conv,fddi
conv,ip
conv,ipv6
conv,ipx
conv,jxta
conv,mptcp
conv,ncp
conv,rsvp
conv,sctp
conv,tcp
conv,tr
conv,udp
conv,usb
conv,wlan
dcerpc,srt
dests,tree
diameter,avp
diameter,srt
dns,tree
endpoints,bluetooth
endpoints,eth
endpoints,fc
endpoints,fddi
endpoints,ip
endpoints,ipv6
endpoints,ipx
endpoints,jxta
endpoints,mptcp
endpoints,ncp
endpoints,rsvp
endpoints,sctp
endpoints,tcp
endpoints,tr
endpoints,udp
endpoints,usb
endpoints,wlan
expert
fc,srt
follow,ssl
follow,tcp
follow,udp
gsm_a
gsm_a,bssmap
gsm_a,dtap_cc
gsm_a,dtap_gmm
gsm_a,dtap_mm
gsm_a,dtap_rr
gsm_a,dtap_sacch
gsm_a,dtap_sm
gsm_a,dtap_sms
gsm_a,dtap_ss
gsm_a,dtap_tp
gsm_map,operation
gtp,srt
h225,counter
h225_ras,rtd
hart_ip,tree
hosts
hpfeeds,tree
http,stat
http,tree
http2,tree
http_req,tree
http_srv,tree
icmp,srt
icmpv6,srt
io,phs
io,stat
ip_hosts,tree
ip_srcdst,tree
ipv6_dests,tree
ipv6_hosts,tree
ipv6_ptype,tree
ipv6_srcdst,tree
isup_msg,tree
lbmr_queue_ads_queue,tree
lbmr_queue_ads_source,tree
lbmr_queue_queries_queue,tree
lbmr_queue_queries_receiver,tree
lbmr_topic_ads_source,tree
lbmr_topic_ads_topic,tree
lbmr_topic_ads_transport,tree
lbmr_topic_queries_pattern,tree
lbmr_topic_queries_pattern_receiver,tree
lbmr_topic_queries_receiver,tree
lbmr_topic_queries_topic,tree
ldap,srt
mac-lte,stat
megaco,rtd
mgcp,rtd
mtp3,msus
ncp,srt
plen,tree
proto,colinfo
ptype,tree
radius,rtd
rlc-lte,stat
rpc,programs
rpc,programs
rpc,srt
rtp,streams
rtsp,stat
rtsp,tree
sametime,tree
scsi,srt
sctp,stat
sip,stat
sip,stat
smb,sids
smb,srt
smb2,srt
smpp_commands,tree
sv
ucp_messages,tree
wsp,stat
wsp,stat
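The -z statistics are aggregations over the captured packets. As an added example that is not part of the original post, the Python below parses tshark's default one-line summary output (frame number, relative time, source -> destination, protocol, frame length, info; the sample lines are copied from the capture shown earlier) and computes the same per-address-pair and per-address totals that -z conv,ip and -z endpoints,ip report, plus a flat per-protocol count. The function and field names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: tshark's default one-line summaries, copied from
# the "-i 5" capture shown earlier in this post, plus the trailing status line.
SAMPLE_SUMMARY = """\
1 0.000000000 192.168.179.4 -> 239.255.255.250 SSDP 213 M-SEARCH * HTTP/1.1
2 0.983522653 199.59.148.139 -> 192.168.179.4 TLSv1.2 100 Application Data
3 0.983614028 192.168.179.4 -> 199.59.148.139 TCP 66 59982 → 443 [ACK] Seq=1 Ack=35 Win=1444 Len=0 TSval=96211917 TSecr=4069275393
4 0.986559798 199.59.148.139 -> 192.168.179.4 TLSv1.2 1138 Application Data
4 packets captured
"""

# frame, time, src, arrow, dst, protocol, length, optional info column
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?:->|→)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)(?:\s+(?P<info>.*))?$"
)


def parse_summary(text):
    """Turn summary lines into dicts; lines that are not packet summaries
    (such as the trailing 'N packets captured') are skipped."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        packets.append({
            "frame": int(g["frame"]), "time": float(g["time"]),
            "src": g["src"], "dst": g["dst"], "proto": g["proto"],
            "length": int(g["length"]), "info": g["info"] or "",
        })
    return packets


def conversations(packets):
    """Per address pair, split by direction: what 'tshark -z conv,ip' reports.
    The pair key is sorted so A->B and B->A land in the same bucket."""
    stats = defaultdict(lambda: {"frames_ab": 0, "bytes_ab": 0, "frames_ba": 0, "bytes_ba": 0})
    for p in packets:
        a, b = sorted((p["src"], p["dst"]))
        s = stats[(a, b)]
        if p["src"] == a:
            s["frames_ab"] += 1
            s["bytes_ab"] += p["length"]
        else:
            s["frames_ba"] += 1
            s["bytes_ba"] += p["length"]
    return dict(stats)


def endpoints(packets):
    """Per address totals, both sent and received: what 'tshark -z endpoints,ip' reports."""
    stats = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for p in packets:
        for addr in (p["src"], p["dst"]):
            stats[addr]["frames"] += 1
            stats[addr]["bytes"] += p["length"]
    return dict(stats)


def protocol_counts(packets):
    """Frames and bytes per protocol column (a flat version of what 'tshark -z io,phs' shows)."""
    stats = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for p in packets:
        stats[p["proto"]]["frames"] += 1
        stats[p["proto"]]["bytes"] += p["length"]
    return dict(stats)


if __name__ == "__main__":
    pkts = parse_summary(SAMPLE_SUMMARY)
    for (a, b), s in conversations(pkts).items():
        print(f"{a} <-> {b}: {s}")
    for addr, s in endpoints(pkts).items():
        print(f"{addr}: {s}")
    print(protocol_counts(pkts))
```

Feeding it the output of "tshark -r packet" gives the same kind of table that -z conv,ip prints, which is a useful sanity check when you want to be sure you understand what a -z table is counting.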
Stopping the capture automatically (-a)
Capture packets for 3 seconds only
$tshark -i 4 -a duration:3
Roll over to the next file once the file size reaches 100 kilobytes (ring buffer, -b), and stop once 5 files have been written
$tshark -i 4 -f 'port 53' -w packet -b filesize:100 -a files:5
Number of packets to capture (-c)
$tshark -i 4 -c 1 -f 'port 53'
1 0.000000000 127.0.0.1 -> 127.0.1.1 DNS 84 Standard query 0xc414 A analytics.fs-bdash.com
1 packet captured
Closing
This post showed that tshark makes basic packet analysis, collecting statistics, and writing captures to a file easy. If the built-in filtering is not enough for you, tools such as Python's scapy can fill the gap.