tcpdump速査

basic

tcpdump -nvvv -i any

-n:hostnameではなくip portを印刷します.portname-v:verbose、-vvv 3レベルverbose-i:ネットワークinterfaceを指定します.

IP portに対するフィルタリング

tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'

パッケージ内容の印刷、hex and ascII

tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'

-X:hex and ascIIでパッケージ内容を印刷
次のような出力があります(極めて醜い):

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:51:15.697640 IP (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 483)
    10.0.3.1.45732 > 10.0.3.246.80: Flags [P.], cksum 0x1ccc (incorrect -> 0x2ce8), seq 3920159713:3920160144, ack 969855140, win 245, options [nop,nop,TS val 624122099 ecr 624117334], length 431
        0x0000:  0000 0001 0006 fe0a e2d1 8785 0000 0800  ................
        0x0010:  4500 01e3 d429 4000 4006 49f5 0a00 0301  E....)@[email protected].....
        0x0020:  0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4  .......P....9...
        0x0030:  8018 00f5 1ccc 0000 0101 080a 2533 58f3  ............%3X.
        0x0040:  2533 4656 4745 5420 2f73 6f6d 6570 6167  %3FVGET./somepag
        0x0050:  6520 4854 5450 2f31 2e31 0d0a 486f 7374  e.HTTP/1.1..Host
        0x0060:  3a20 3130 2e30 2e33 2e32 3436 0d0a 436f  :.10.0.3.246..Co
        0x0070:  6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61  nnection:.keep-a
        0x0080:  6c69 7665 0d0a 4361 6368 652d 436f 6e74  live..Cache-Cont
        0x0090:  726f 6c3a 206d 6178 2d61 6765 3d30 0d0a  rol:.max-age=0..
        0x00a0:  4163 6365 7074 3a20 7465 7874 2f68 746d  Accept:.text/htm
        0x00b0:  6c2c 6170 706c 6963 6174 696f 6e2f 7868  l,application/xh
        0x00c0:  746d 6c2b 786d 6c2c 6170 706c 6963 6174  tml+xml,applicat
        0x00d0:  696f 6e2f 786d 6c3b 713d 302e 392c 696d  ion/xml;q=0.9,im
        0x00e0:  6167 652f 7765 6270 2c2a 2f2a 3b71 3d30  age/webp,*/*;q=0
        0x00f0:  2e38 0d0a 5573 6572 2d41 6765 6e74 3a20  .8..User-Agent:.
        0x0100:  4d6f 7a69 6c6c 612f 352e 3020 284d 6163  Mozilla/5.0.(Mac
        0x0110:  696e 746f 7368 3b20 496e 7465 6c20 4d61  intosh;.Intel.Ma
        0x0120:  6320 4f53 2058 2031 305f 395f 3529 2041  c.OS.X.10_9_5).A
        0x0130:  7070 6c65 5765 624b 6974 2f35 3337 2e33  ppleWebKit/537.3
        0x0140:  3620 284b 4854 4d4c 2c20 6c69 6b65 2047  6.(KHTML,.like.G
        0x0150:  6563 6b6f 2920 4368 726f 6d65 2f33 382e  ecko).Chrome/38.
        0x0160:  302e 3231 3235 2e31 3031 2053 6166 6172  0.2125.101.Safar
        0x0170:  692f 3533 372e 3336 0d0a 4163 6365 7074  i/537.36..Accept
        0x0180:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
        0x0190:  6465 666c 6174 652c 7364 6368 0d0a 4163  deflate,sdch..Ac
        0x01a0:  6365 7074 2d4c 616e 6775 6167 653a 2065  cept-Language:.e
        0x01b0:  6e2d 5553 2c65 6e3b 713d 302e 380d 0a49  n-US,en;q=0.8..I
        0x01c0:  662d 4d6f 6469 6669 6564 2d53 696e 6365  f-Modified-Since
        0x01d0:  3a20 5375 6e2c 2031 3220 4f63 7420 3230  :.Sun,.12.Oct.20
        0x01e0:  3134 2031 393a 3430 3a32 3020 474d 540d  14.19:40:20.GMT.
        0x01f0:  0a0d 0a  

ASCIIのみでパッケージ内容を印刷

tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'

実験例

完全なhttpリクエストと戻りをキャプチャします.

httpサーバを起動

python 3で
cgi scriptの準備

cat < cgi-bin/helloworld.py
#!/usr/bin/env python
print('Content-type: text/html')
print()
print('hello world')
eof

httpを起動します.serverは9899ポートでcgiモードをオンにします

python -m http.server --cgi 9899

Ncatで

nc -vl 9899 -c 'echo -e "HTTP/1.1 200 OK

hello world"'

httpリクエストはcurlで

python cgiのリクエスト

curl -d'{"A": a, "B": b}' http://localhost:9899/cgi-bin/helloworld.py 

要求Ncat server

curl -d'{"A": a, "B": b}' http://localhost:9899

tcpdumpパッケージ

sudo tcpdump -iany -nvvv -A 'port 9899'

次の出力は完全に1を含む.tcp 3回の握手過程、2.リクエスト送信httpリクエストheadとbodyデータ,3.httpはheadとbodyのデータを返し、4.tcpは4回手を振る過程である.

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:55:16.172743 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [S], cksum 0xfe30 (incorrect -> 0xa737), seq 2474881011, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 0,nop,wscale 7], length 0
E..<.. ...="" ip="" ttl="" id="" offset="" flags="" proto="" tcp="" length=""> 127.0.0.1.59340: Flags [S.], cksum 0xfe30 (incorrect -> 0x7eab), seq 4251746053, ack 2474881012, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 65447970,nop,wscale 7], length 0
E..<.. ...="" ip="" ttl="" id="" offset="" flags="" proto="" tcp="" length=""> 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x50f0), seq 1, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@[email protected]...........&......l.....V.(.....
..."..."................
11:55:16.172800 IP (tos 0x0, ttl 64, id 2003, offset 0, flags [DF], proto TCP (6), length 216)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [P.], cksum 0xfecc (incorrect -> 0x44a1), seq 1:165, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 164
E.....@[email protected]..........&......l.....V.......
..."..."POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:9899
Accept: */*
Content-Length: 16
Content-Type: application/x-www-form-urlencoded

{"A": a, "B": b}................
11:55:16.172805 IP (tos 0x0, ttl 64, id 55076, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5044), seq 1, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.$@[email protected].........&....l.........^.(.....
..."..."................
11:55:16.174520 IP (tos 0x0, ttl 64, id 55077, offset 0, flags [DF], proto TCP (6), length 81)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [P.], cksum 0xfe45 (incorrect -> 0xb7ca), seq 1:30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 29
E..Q.%@[email protected].........&....l.........^.E.....
..."..."HTTP/1.1 200 OK

hello world
................
11:55:16.174529 IP (tos 0x0, ttl 64, id 2004, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x502f), seq 165, ack 30, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@[email protected]...........&......l.#...V.(.....
..."..."................
11:55:16.174608 IP (tos 0x0, ttl 64, id 55078, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [F.], cksum 0xfe28 (incorrect -> 0x5026), seq 30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.&@[email protected].........&....l.#.......^.(.....
..."..."................
11:55:16.174650 IP (tos 0x0, ttl 64, id 2005, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.59340 > 127.0.0.1.9899: Flags [F.], cksum 0xfe28 (incorrect -> 0x502d), seq 165, ack 31, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@[email protected]...........&......l.$...V.(.....
..."..."................
11:55:16.174661 IP (tos 0x0, ttl 64, id 55079, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5025), seq 31, ack 166, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.'@[email protected].........&....l.$.......^.(.....
..."..."................