Packet capture with tcpdump! (Filtering)

Capture packets with tcpdump while filtering on interface, port and host.

Check the network interfaces!

Use the "-D" option to list the network interfaces that can be specified for capture.

# tcpdump -D
1.enp0s3 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)
9.usbmon2 (Raw USB traffic, bus number 2)

Capture on a specified network interface!

Use the "-i" option to specify the interface to capture on ("-c 3" stops after three packets).

# tcpdump -c 3 -i enp0s3
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:12:12.686568 IP vmsrhe11.loc.lab4ict.com.ssh > dpc001p1.loc.lab4ict.com.38984: Flags [P.], seq 2854369762:2854369982, ack 3637069513, win 341, options [nop,nop,TS val 1336800761 ecr 3911764049], length 220
06:12:12.686786 IP dpc001p1.loc.lab4ict.com.38984 > vmsrhe11.loc.lab4ict.com.ssh: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3911764060 ecr 1336800761], length 0
06:12:12.687309 IP vmsrhe11.loc.lab4ict.com.ssh > dpc001p1.loc.lab4ict.com.38984: Flags [P.], seq 220:640, ack 1, win 341, options [nop,nop,TS val 1336800761 ecr 3911764060], length 420
3 packets captured
4 packets received by filter
0 packets dropped by kernel

Capture by port number!

Use the "port" filter primitive to capture by port number; it matches either the source or the destination port. The "-nn" option added here turns off host and port name resolution, which is why addresses and ports now appear as numbers instead of names.

# tcpdump -c 3 -nn -i enp0s3 port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:15:29.809648 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854373942:2854374162, ack 3637072125, win 341, options [nop,nop,TS val 1336997884 ecr 3911961167], length 220
06:15:29.809853 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3911961173 ecr 1336997884], length 0
06:15:29.810206 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1336997884 ecr 3911961173], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel

Capture by source port number!

Use the "src port" filter primitive to capture by source port number.

# tcpdump -c 3 -nn -i enp0s3 src port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:16:53.706258 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854375538:2854375758, ack 3637073021, win 341, options [nop,nop,TS val 1337081780 ecr 3912045059], length 220
06:16:53.706825 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:440, ack 1, win 341, options [nop,nop,TS val 1337081781 ecr 3912045064], length 220
06:16:53.706926 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 440:636, ack 1, win 341, options [nop,nop,TS val 1337081781 ecr 3912045064], length 196
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Capture by destination port number!

Use the "dst port" filter primitive to capture by destination port number.

# tcpdump -c 3 -nn -i enp0s3 dst port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:18:23.826471 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 2854378382, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171900], length 0
06:18:23.826937 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 189, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171901], length 0
06:18:23.827096 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 369, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171901], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Capture by host!

Use the "host" filter primitive to capture by host; it matches either the source or the destination address.

# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:19:31.209734 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854381298:2854381518, ack 3637077013, win 341, options [nop,nop,TS val 1337239284 ecr 3912202554], length 220
06:19:31.209907 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912202559 ecr 1337239284], length 0
06:19:31.210249 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337239284 ecr 3912202559], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel

Capture by source host!

Use the "src host" filter primitive to capture by source host.

# tcpdump -c 3 -nn -i enp0s3 src host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:20:34.834617 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 2854383402, win 9612, options [nop,nop,TS val 3912266180 ecr 1337302909], length 0
06:20:34.835040 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 189, win 9612, options [nop,nop,TS val 3912266181 ecr 1337302909], length 0
06:20:34.835157 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 369, win 9612, options [nop,nop,TS val 3912266181 ecr 1337302909], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Capture by destination host!

Use the "dst host" filter primitive to capture by destination host.

# tcpdump -c 3 -nn -i enp0s3 dst host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:21:25.281702 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854385174:2854385394, ack 3637079333, win 341, options [nop,nop,TS val 1337353356 ecr 3912316620], length 220
06:21:25.282218 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:440, ack 1, win 341, options [nop,nop,TS val 1337353356 ecr 3912316626], length 220
06:21:25.282313 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 440:636, ack 1, win 341, options [nop,nop,TS val 1337353356 ecr 3912316626], length 196
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Capture with multiple conditions!

Use "and" to combine several conditions so that only packets matching all of them are captured.

# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1 and port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:23:20.353842 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854389046:2854389266, ack 3637082505, win 341, options [nop,nop,TS val 1337468428 ecr 3912431688], length 220
06:23:20.354016 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912431693 ecr 1337468428], length 0
06:23:20.354368 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337468429 ecr 3912431693], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel

An "or" condition can also be used. A bare value after "or" inherits the preceding qualifier, so "host 10.1.1.1 or 10.1.12.11" means "host 10.1.1.1 or host 10.1.12.11".

# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1 or 10.1.12.11
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:44.065894 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854393170:2854393390, ack 3637084661, win 341, options [nop,nop,TS val 1337552140 ecr 3912515397], length 220
06:24:44.066103 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912515403 ecr 1337552140], length 0
06:24:44.066448 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337552141 ecr 3912515403], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel
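To show how the primitives above (host, src/dst host, port, src/dst port, and, or) select packets, here is an added Python example that is not part of the original article: it parses lines in the -nn output format shown on this page and re-implements the matching rules for just these primitives (including the "host A or B" shorthand), so the same filters can be checked offline against a saved capture. The sample contains two lines from the page's "port 22" capture plus one constructed HTTPS SYN line.

```python
import re

# tcpdump -nn packet line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\].* length (?P<len>\d+)$")

def parse_line(line):
    """Fields of one packet line as a dict of strings, or None for banner/summary lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def _primitive(direction, kind, value, pkt):
    src, dst = (pkt["src"], pkt["dst"]) if kind == "host" else (pkt["sport"], pkt["dport"])  # kind: host/port
    return value in {"src": (src,), "dst": (dst,)}.get(direction, (src, dst))  # no direction: either end

def matches(expr, pkt):
    """'and' binds tighter than 'or'; a bare value after and/or inherits the earlier
    qualifiers, so 'host A or B' means 'host A or host B' (the shorthand used on this page)."""
    tokens, i = expr.split(), 0
    direction, kind, disjuncts, conj = None, "host", [], []   # pcap-filter defaults to host
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("and", "or"):
            if tok == "or":
                disjuncts.append(all(conj)); conj = []
            i += 1; continue
        if tok in ("src", "dst"):            # explicit direction qualifier
            direction, i = tok, i + 1
            tok = tokens[i]
        elif tok in ("host", "port"):        # type without direction: either end again
            direction = None
        if tok in ("host", "port"):
            kind, i = tok, i + 1
            tok = tokens[i]
        conj.append(_primitive(direction, kind, tok, pkt))
        i += 1
    disjuncts.append(all(conj))
    return any(disjuncts)

def filter_capture(expr, text):
    """Timestamps of the packet lines in text that the expression would keep."""
    return [p["ts"] for p in map(parse_line, text.splitlines()) if p and matches(expr, p)]

# Two lines from the page's "port 22" capture plus one constructed HTTPS SYN (not from the page).
SAMPLE = """\
06:15:29.809648 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854373942:2854374162, ack 3637072125, win 341, options [nop,nop,TS val 1336997884 ecr 3911961167], length 220
06:15:29.809853 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3911961173 ecr 1336997884], length 0
06:15:30.000000 IP 10.1.1.1.40000 > 10.1.12.11.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
"""
```

Calling filter_capture("host 10.1.1.1 and port 22", SAMPLE) keeps only the two SSH lines, while "host 10.1.1.1 or 10.1.12.11" keeps all three, mirroring the captures above.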

Closing

tcpdump lets you specify every filter condition you are likely to need, so narrow the conditions carefully and put the result to use in your investigation.
