tcpdump quick reference
Basic
tcpdump -nvvv -i any
-n: print IP addresses and port numbers instead of resolving hostnames and port names. -v: verbose; -vvv: the most verbose level (3). -i: the network interface to listen on; "any" captures on every interface at once, using the Linux cooked (SLL) link type instead of raw Ethernet.
Filtering by IP and port (-c 20 stops after 20 packets; the BPF expression is quoted so the shell does not interpret the parentheses)
tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'
Printing packet contents in hex and ASCII
tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'
-XX: print each packet in hex and ASCII including the link-layer header (-X prints the same without it). With -i any the link layer is the 16-byte Linux cooked header, which is why the dump starts with 0000 0001 ... 0800 rather than an Ethernet header.
The output looks like this (extremely ugly). The "cksum 0x1ccc (incorrect -> 0x2ce8)" note is not corruption: with TCP checksum offload the kernel leaves only the pseudo-header sum in the field and the NIC fills in the real value after the point where tcpdump sees the packet, so outbound packets captured on the sending host routinely show "incorrect" checksums. Pass -K to skip checksum verification if the noise gets in the way.
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:51:15.697640 IP (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 483)
10.0.3.1.45732 > 10.0.3.246.80: Flags [P.], cksum 0x1ccc (incorrect -> 0x2ce8), seq 3920159713:3920160144, ack 969855140, win 245, options [nop,nop,TS val 624122099 ecr 624117334], length 431
0x0000: 0000 0001 0006 fe0a e2d1 8785 0000 0800 ................
0x0010: 4500 01e3 d429 4000 4006 49f5 0a00 0301 E....)@.@.I.....
0x0020: 0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4 .......P....9...
0x0030: 8018 00f5 1ccc 0000 0101 080a 2533 58f3 ............%3X.
0x0040: 2533 4656 4745 5420 2f73 6f6d 6570 6167 %3FVGET./somepag
0x0050: 6520 4854 5450 2f31 2e31 0d0a 486f 7374 e.HTTP/1.1..Host
0x0060: 3a20 3130 2e30 2e33 2e32 3436 0d0a 436f :.10.0.3.246..Co
0x0070: 6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61 nnection:.keep-a
0x0080: 6c69 7665 0d0a 4361 6368 652d 436f 6e74 live..Cache-Cont
0x0090: 726f 6c3a 206d 6178 2d61 6765 3d30 0d0a rol:.max-age=0..
0x00a0: 4163 6365 7074 3a20 7465 7874 2f68 746d Accept:.text/htm
0x00b0: 6c2c 6170 706c 6963 6174 696f 6e2f 7868 l,application/xh
0x00c0: 746d 6c2b 786d 6c2c 6170 706c 6963 6174 tml+xml,applicat
0x00d0: 696f 6e2f 786d 6c3b 713d 302e 392c 696d ion/xml;q=0.9,im
0x00e0: 6167 652f 7765 6270 2c2a 2f2a 3b71 3d30 age/webp,*/*;q=0
0x00f0: 2e38 0d0a 5573 6572 2d41 6765 6e74 3a20 .8..User-Agent:.
0x0100: 4d6f 7a69 6c6c 612f 352e 3020 284d 6163 Mozilla/5.0.(Mac
0x0110: 696e 746f 7368 3b20 496e 7465 6c20 4d61 intosh;.Intel.Ma
0x0120: 6320 4f53 2058 2031 305f 395f 3529 2041 c.OS.X.10_9_5).A
0x0130: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3
0x0140: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G
0x0150: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.
0x0160: 302e 3231 3235 2e31 3031 2053 6166 6172 0.2125.101.Safar
0x0170: 692f 3533 372e 3336 0d0a 4163 6365 7074 i/537.36..Accept
0x0180: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,
0x0190: 6465 666c 6174 652c 7364 6368 0d0a 4163 deflate,sdch..Ac
0x01a0: 6365 7074 2d4c 616e 6775 6167 653a 2065 cept-Language:.e
0x01b0: 6e2d 5553 2c65 6e3b 713d 302e 380d 0a49 n-US,en;q=0.8..I
0x01c0: 662d 4d6f 6469 6669 6564 2d53 696e 6365 f-Modified-Since
0x01d0: 3a20 5375 6e2c 2031 3220 4f63 7420 3230 :.Sun,.12.Oct.20
0x01e0: 3134 2031 393a 3430 3a32 3020 474d 540d 14.19:40:20.GMT.
0x01f0: 0a0d 0a
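Everything needed to decode this packet by hand is in the dump. As an added example (the editor's code, not part of the original page), the following Python decoder splits the bytes above into cooked header, IPv4 header, TCP header and HTTP payload and recomputes what tcpdump reported. It also shows why the checksum is flagged: the on-wire value 0x1ccc is exactly the one's-complement sum of the TCP pseudo-header, which is what the kernel leaves behind when checksum offload hands the rest to the NIC, while the full computation over the same bytes gives tcpdump's corrected value 0x2ce8. The only input is the hex column copied from the dump.

```python
"""Decode one packet from a tcpdump -XX dump: Linux cooked header, IPv4, TCP,
HTTP payload, plus both checksums. Added example by the editor; only the
bytes come from the dump above."""
import struct

# Hex column of the -XX output above, copied verbatim: 499 bytes, i.e. the
# 16-byte Linux cooked (SLL) header followed by a 483-byte IPv4 datagram.
PACKET_HEX = """
0000 0001 0006 fe0a e2d1 8785 0000 0800 4500 01e3 d429 4000 4006 49f5 0a00 0301
0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4 8018 00f5 1ccc 0000 0101 080a 2533 58f3
2533 4656 4745 5420 2f73 6f6d 6570 6167 6520 4854 5450 2f31 2e31 0d0a 486f 7374
3a20 3130 2e30 2e33 2e32 3436 0d0a 436f 6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61
6c69 7665 0d0a 4361 6368 652d 436f 6e74 726f 6c3a 206d 6178 2d61 6765 3d30 0d0a
4163 6365 7074 3a20 7465 7874 2f68 746d 6c2c 6170 706c 6963 6174 696f 6e2f 7868
746d 6c2b 786d 6c2c 6170 706c 6963 6174 696f 6e2f 786d 6c3b 713d 302e 392c 696d
6167 652f 7765 6270 2c2a 2f2a 3b71 3d30 2e38 0d0a 5573 6572 2d41 6765 6e74 3a20
4d6f 7a69 6c6c 612f 352e 3020 284d 6163 696e 746f 7368 3b20 496e 7465 6c20 4d61
6320 4f53 2058 2031 305f 395f 3529 2041 7070 6c65 5765 624b 6974 2f35 3337 2e33
3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6563 6b6f 2920 4368 726f 6d65 2f33 382e
302e 3231 3235 2e31 3031 2053 6166 6172 692f 3533 372e 3336 0d0a 4163 6365 7074
2d45 6e63 6f64 696e 673a 2067 7a69 702c 6465 666c 6174 652c 7364 6368 0d0a 4163
6365 7074 2d4c 616e 6775 6167 653a 2065 6e2d 5553 2c65 6e3b 713d 302e 380d 0a49
662d 4d6f 6469 6669 6564 2d53 696e 6365 3a20 5375 6e2c 2031 3220 4f63 7420 3230
3134 2031 393a 3430 3a32 3020 474d 540d 0a0d 0a
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: 16-bit big-endian words, carries folded,
    no final inversion (so a valid IP header sums to 0xFFFF)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse(packet: bytes) -> dict:
    """Split SLL / IPv4 / TCP / payload and recompute what tcpdump -vvv reports."""
    (sll_proto,) = struct.unpack("!H", packet[14:16])  # last SLL field: EtherType
    ip = packet[16:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto, _ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, tcp_csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    payload = tcp[(off_flags >> 12) * 4:]
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length)
    # plus the whole segment with its own checksum field zeroed.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return {
        "link_proto": sll_proto,
        "ip_version": ip[0] >> 4, "ttl": ttl, "id": ident,
        "df": bool(flags_frag & 0x4000),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "win": win,
        "tcp_checksum_on_wire": tcp_csum,
        # What the kernel leaves in the field when TX checksum offload is on:
        # just the folded pseudo-header sum, for the NIC to finish later.
        "pseudo_header_sum": ones_complement_sum(pseudo),
        # What a receiver verifies; tcpdump prints this after "incorrect ->".
        "tcp_checksum_expected": 0xFFFF ^ ones_complement_sum(pseudo + zeroed),
        "payload": payload,
    }


if __name__ == "__main__":
    p = parse(PACKET)
    print("%s.%d > %s.%d flags=0x%02x seq=%d ack=%d win=%d" % (
        p["src"], p["sport"], p["dst"], p["dport"], p["flags"], p["seq"], p["ack"], p["win"]))
    print("IP checksum valid:", p["ip_checksum_ok"])
    print("TCP checksum on wire 0x%04x, pseudo-header sum 0x%04x, correct 0x%04x" % (
        p["tcp_checksum_on_wire"], p["pseudo_header_sum"], p["tcp_checksum_expected"]))
    print(p["payload"].split(b"\r\n")[0].decode())
```

To check a packet from your own capture, paste its -XX hex column into PACKET_HEX; if the on-wire TCP checksum equals the pseudo-header sum, you are looking at offload on the capturing host, not at a corrupted segment.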
Print packet contents in ASCII only (-A drops the link-layer header, shows non-printable bytes as dots and keeps line feeds, so HTTP reads almost naturally)
tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'
Worked example
Capture a complete HTTP request and response.
Start an HTTP server
With Python 3
Prepare the CGI script (http.server only executes scripts under cgi-bin/ or htbin/, and they must be executable)
mkdir -p cgi-bin
cat > cgi-bin/helloworld.py <<'EOF'
#!/usr/bin/env python3
print('Content-type: text/html')
print()
print('hello world')
EOF
chmod +x cgi-bin/helloworld.py
Start http.server on port 9899 with CGI mode enabled (the --cgi option and CGIHTTPRequestHandler are deprecated since Python 3.13, so this needs an older interpreter eventually)
python3 -m http.server --cgi 9899
With Ncat (-c runs the command through /bin/sh; the empty line after the status line is what separates headers from body, and ncat closes the connection as soon as the command exits)
nc -vl 9899 -c 'echo -e "HTTP/1.1 200 OK\n\nhello world"'
Send the HTTP request with curl
Request to the Python CGI script
curl -d'{"A": a, "B": b}' http://localhost:9899/cgi-bin/helloworld.py
Request to the Ncat server
curl -d'{"A": a, "B": b}' http://localhost:9899
Capture with tcpdump (start it before sending the request; the capture below is from the Ncat run)
sudo tcpdump -i any -nvvv -A 'port 9899'
The output below contains the whole exchange: 1. the TCP three-way handshake (SYN, SYN/ACK, ACK); 2. the client pushing the HTTP request headers and body (one 164-byte segment); 3. the server returning the response headers and body (one 29-byte segment); 4. the connection teardown. Two things are worth noticing. The close takes only three segments, because the client's ACK of the server's FIN rides on its own FIN/ACK, so the textbook four-way close collapses to FIN, FIN/ACK, ACK; and it is the server (ncat) that sends FIN first, since it exits as soon as its command has written the response. The "cksum ... (incorrect -> ...)" note on every segment is the checksum-offload artifact of capturing on the sending host, not corruption.
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:55:16.172743 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.59340 > 127.0.0.1.9899: Flags [S], cksum 0xfe30 (incorrect -> 0xa737), seq 2474881011, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 0,nop,wscale 7], length 0
E..<..
[header line of the SYN/ACK lost in extraction: the "<" in the ASCII dump above was parsed as an HTML tag and swallowed the "IP (tos ..., ttl ..., id ..., offset ..., flags ..., proto TCP ..., length ...)" line]
127.0.0.1.9899 > 127.0.0.1.59340: Flags [S.], cksum 0xfe30 (incorrect -> 0x7eab), seq 4251746053, ack 2474881012, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 65447970,nop,wscale 7], length 0
E..<..
[header line of the third handshake segment lost the same way]
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x50f0), seq 1, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.............&......l.....V.(.....
..."..."................
11:55:16.172800 IP (tos 0x0, ttl 64, id 2003, offset 0, flags [DF], proto TCP (6), length 216)
127.0.0.1.59340 > 127.0.0.1.9899: Flags [P.], cksum 0xfecc (incorrect -> 0x44a1), seq 1:165, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 164
E.....@.@..............&......l.....V.......
..."..."POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:9899
Accept: */*
Content-Length: 16
Content-Type: application/x-www-form-urlencoded

{"A": a, "B": b}................
11:55:16.172805 IP (tos 0x0, ttl 64, id 55076, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5044), seq 1, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.$@.@...........&....l.........^.(.....
..."..."................
11:55:16.174520 IP (tos 0x0, ttl 64, id 55077, offset 0, flags [DF], proto TCP (6), length 81)
127.0.0.1.9899 > 127.0.0.1.59340: Flags [P.], cksum 0xfe45 (incorrect -> 0xb7ca), seq 1:30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 29
E..Q.%@.@...........&....l.........^.E.....
..."..."HTTP/1.1 200 OK

hello world
................
11:55:16.174529 IP (tos 0x0, ttl 64, id 2004, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x502f), seq 165, ack 30, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.............&......l.#...V.(.....
..."..."................
11:55:16.174608 IP (tos 0x0, ttl 64, id 55078, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.9899 > 127.0.0.1.59340: Flags [F.], cksum 0xfe28 (incorrect -> 0x5026), seq 30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.&@.@...........&....l.#.......^.(.....
..."..."................
11:55:16.174650 IP (tos 0x0, ttl 64, id 2005, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.59340 > 127.0.0.1.9899: Flags [F.], cksum 0xfe28 (incorrect -> 0x502d), seq 165, ack 31, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4..@.@.............&......l.$...V.(.....
..."..."................
11:55:16.174661 IP (tos 0x0, ttl 64, id 55079, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5025), seq 31, ack 166, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
E..4.'@.@...........&....l.$.......^.(.....
..."..."................
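Reading a capture like this by eye works for ten segments; for a longer one you want the same checks done by a script. As an added example (the editor's code, not from the page), the parser below turns the segment lines of tcpdump -nvvv output into a summary of the conversation: it verifies the three-way handshake, counts the bytes each side pushed, checks every "seq a:b" range against the printed length, records who sent FIN first, and confirms that each side's last ACK covers the peer's data plus its FIN. The sample input is constructed from the ten segment lines of the capture above; the source endpoints of the SYN/ACK line and of the third handshake line, which extraction damaged on the page, are restored from their direction and flags. It assumes tcpdump's default relative sequence numbers (no -S).

```python
"""Summarise a TCP conversation from tcpdump -nvvv segment lines. Added
example by the editor, not code from the page; assumes tcpdump's default
relative sequence numbers (i.e. -S was not given)."""
import re
import sys

# Constructed sample: the ten segment lines of the capture above, in order.
# The -A payload lines are left out because the parser skips anything that is
# not a segment line, so raw tcpdump output can be piped in unchanged. The
# source endpoints of the second and third lines were lost to extraction on
# the page and are restored here from their direction and flags.
CAPTURE = """\
127.0.0.1.59340 > 127.0.0.1.9899: Flags [S], cksum 0xfe30 (incorrect -> 0xa737), seq 2474881011, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 0,nop,wscale 7], length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [S.], cksum 0xfe30 (incorrect -> 0x7eab), seq 4251746053, ack 2474881012, win 43690, options [mss 65495,sackOK,TS val 65447970 ecr 65447970,nop,wscale 7], length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x50f0), seq 1, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [P.], cksum 0xfecc (incorrect -> 0x44a1), seq 1:165, ack 1, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 164
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5044), seq 1, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [P.], cksum 0xfe45 (incorrect -> 0xb7ca), seq 1:30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 29
127.0.0.1.59340 > 127.0.0.1.9899: Flags [.], cksum 0xfe28 (incorrect -> 0x502f), seq 165, ack 30, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [F.], cksum 0xfe28 (incorrect -> 0x5026), seq 30, ack 165, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
127.0.0.1.59340 > 127.0.0.1.9899: Flags [F.], cksum 0xfe28 (incorrect -> 0x502d), seq 165, ack 31, win 342, options [nop,nop,TS val 65447970 ecr 65447970], length 0
127.0.0.1.9899 > 127.0.0.1.59340: Flags [.], cksum 0xfe28 (incorrect -> 0x5025), seq 31, ack 166, win 350, options [nop,nop,TS val 65447970 ecr 65447970], length 0
"""

SEGMENT = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"seq (?P<seq>\d+)(?::(?P<end>\d+))?(?:, ack (?P<ack>\d+))?.* length (?P<len>\d+)$"
)


def parse_segments(text: str) -> list:
    """One dict per segment line (src, dst, flags, seq, end, ack, len)."""
    segs = []
    for line in text.splitlines():
        m = SEGMENT.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("seq", "end", "ack", "len"):
            d[key] = None if d[key] is None else int(d[key])
        segs.append(d)
    return segs


def summarize(text: str) -> dict:
    """Who opened, how many bytes each side pushed, who closed first, and
    whether each side's last ACK covers the peer's data plus its FIN."""
    segs = parse_segments(text)
    if not segs or segs[0]["flags"] != "S":
        raise ValueError("capture does not start with a SYN")
    client, server = segs[0]["src"], segs[0]["dst"]
    sent = {client: 0, server: 0}
    last_ack_from = {client: None, server: None}
    fin_order = []
    for s in segs:
        # tcpdump prints "seq a:b" for data segments; b - a must equal length.
        if s["end"] is not None and s["end"] - s["seq"] != s["len"]:
            raise ValueError("seq range disagrees with length: %r" % s)
        sent[s["src"]] += s["len"]
        if "F" in s["flags"]:
            fin_order.append(s["src"])
        if s["ack"] is not None:
            last_ack_from[s["src"]] = s["ack"]
    # After the SYN, tcpdump numbers relative to the ISN, so the peer must
    # end up acking 1 (SYN) + bytes + 1 (FIN, if one was sent).
    fully_acked = all(
        last_ack_from[peer] == 1 + sent[side] + (side in fin_order)
        for side, peer in ((client, server), (server, client))
    )
    return {
        "segments": len(segs),
        "client": client,
        "server": server,
        "handshake": [s["flags"] for s in segs[:3]] == ["S", "S.", "."],
        "bytes": sent,
        "fin_order": fin_order,
        "clean_close": sorted(fin_order) == sorted((client, server)),
        "fully_acked": fully_acked,
    }


if __name__ == "__main__":
    # Pipe a live capture in: sudo tcpdump -nvvv -i any 'port 9899' | python3 summarize.py
    text = CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(text).items():
        print("%-12s %s" % (key, value))
```

On the capture above it reports 10 segments, client 127.0.0.1.59340, 164 bytes from the client and 29 from the server, the server's FIN before the client's, and a fully acknowledged, cleanly closed connection; a truncated capture or a segment whose seq range disagrees with its length shows up as a failed check rather than being glossed over.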