This post shows how to capture packets with tcpdump while filtering them by interface, port and host, and how to combine those conditions.
Check the network interfaces!
The -D option lists the interfaces tcpdump can capture on. Capturing needs root (or the CAP_NET_RAW/CAP_NET_ADMIN capabilities); the "dropped privs to tcpdump" line in the later outputs shows tcpdump giving up those privileges after opening the interface, which is how the RHEL build is configured.
# tcpdump -D
1.enp0s3 [Up, Running]
2.lo [Up, Running, Loopback]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.bluetooth-monitor (Bluetooth Linux Monitor) [none]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
7.usbmon0 (Raw USB traffic, all USB buses) [none]
8.usbmon1 (Raw USB traffic, bus number 1)
9.usbmon2 (Raw USB traffic, bus number 2)
Capture on a specific network interface!
The -i option selects the interface to capture on. -c 3 stops the capture after three packets. Without -n/-nn, tcpdump resolves addresses and port numbers to names (vmsrhe11.loc.lab4ict.com.ssh below), which means it issues DNS queries while you capture.
# tcpdump -c 3 -i enp0s3
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:12:12.686568 IP vmsrhe11.loc.lab4ict.com.ssh > dpc001p1.loc.lab4ict.com.38984: Flags [P.], seq 2854369762:2854369982, ack 3637069513, win 341, options [nop,nop,TS val 1336800761 ecr 3911764049], length 220
06:12:12.686786 IP dpc001p1.loc.lab4ict.com.38984 > vmsrhe11.loc.lab4ict.com.ssh: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3911764060 ecr 1336800761], length 0
06:12:12.687309 IP vmsrhe11.loc.lab4ict.com.ssh > dpc001p1.loc.lab4ict.com.38984: Flags [P.], seq 220:640, ack 1, win 341, options [nop,nop,TS val 1336800761 ecr 3911764060], length 420
3 packets captured
4 packets received by filter
0 packets dropped by kernel
Capture by port number!
The port primitive matches packets whose source or destination port is the given number. -nn disables name resolution for both hosts and ports, so raw addresses and port numbers are printed and no DNS lookups are made during the capture.
# tcpdump -c 3 -nn -i enp0s3 port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:15:29.809648 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854373942:2854374162, ack 3637072125, win 341, options [nop,nop,TS val 1336997884 ecr 3911961167], length 220
06:15:29.809853 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3911961173 ecr 1336997884], length 0
06:15:29.810206 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1336997884 ecr 3911961173], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel
Capture by source port number!
src port matches only packets whose source port is the given number; here that is the server side of the SSH session, so only traffic leaving port 22 is shown.
# tcpdump -c 3 -nn -i enp0s3 src port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:16:53.706258 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854375538:2854375758, ack 3637073021, win 341, options [nop,nop,TS val 1337081780 ecr 3912045059], length 220
06:16:53.706825 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:440, ack 1, win 341, options [nop,nop,TS val 1337081781 ecr 3912045064], length 220
06:16:53.706926 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 440:636, ack 1, win 341, options [nop,nop,TS val 1337081781 ecr 3912045064], length 196
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Capture by destination port number!
dst port matches only packets whose destination port is the given number (the keyword is dst, not dest). Here that is the client's traffic towards port 22, which in this idle session is just ACKs.
# tcpdump -c 3 -nn -i enp0s3 dst port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:18:23.826471 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 2854378382, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171900], length 0
06:18:23.826937 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 189, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171901], length 0
06:18:23.827096 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 369, win 9612, options [nop,nop,TS val 3912135179 ecr 1337171901], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Capture by host!
The host primitive matches packets whose source or destination address is the given host, so both directions of a conversation are shown.
# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:19:31.209734 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854381298:2854381518, ack 3637077013, win 341, options [nop,nop,TS val 1337239284 ecr 3912202554], length 220
06:19:31.209907 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912202559 ecr 1337239284], length 0
06:19:31.210249 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337239284 ecr 3912202559], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel
Capture by source host!
src host matches only packets whose source address is the given host.
# tcpdump -c 3 -nn -i enp0s3 src host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:20:34.834617 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 2854383402, win 9612, options [nop,nop,TS val 3912266180 ecr 1337302909], length 0
06:20:34.835040 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 189, win 9612, options [nop,nop,TS val 3912266181 ecr 1337302909], length 0
06:20:34.835157 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 369, win 9612, options [nop,nop,TS val 3912266181 ecr 1337302909], length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Capture by destination host!
dst host matches only packets whose destination address is the given host.
# tcpdump -c 3 -nn -i enp0s3 dst host 10.1.1.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:21:25.281702 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854385174:2854385394, ack 3637079333, win 341, options [nop,nop,TS val 1337353356 ecr 3912316620], length 220
06:21:25.282218 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:440, ack 1, win 341, options [nop,nop,TS val 1337353356 ecr 3912316626], length 220
06:21:25.282313 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 440:636, ack 1, win 341, options [nop,nop,TS val 1337353356 ecr 3912316626], length 196
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Capture with multiple conditions!
Conditions are combined with the and operator (and, or and not are operators of the filter language, not tcpdump options). One practical caveat: if you are running tcpdump over an SSH session, the output you are reading is itself SSH traffic and will match a port 22 filter, so exclude your own session, for example with and not (host <your admin IP> and port 22), when you are looking for something else.
# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1 and port 22
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:23:20.353842 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854389046:2854389266, ack 3637082505, win 341, options [nop,nop,TS val 1337468428 ecr 3912431688], length 220
06:23:20.354016 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912431693 ecr 1337468428], length 0
06:23:20.354368 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337468429 ecr 3912431693], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel
The or operator is also available. A qualifier carries over to the following term, so host 10.1.1.1 or 10.1.12.11 is read as host 10.1.1.1 or host 10.1.12.11.
# tcpdump -c 3 -nn -i enp0s3 host 10.1.1.1 or 10.1.12.11
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:24:44.065894 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854393170:2854393390, ack 3637084661, win 341, options [nop,nop,TS val 1337552140 ecr 3912515397], length 220
06:24:44.066103 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912515403 ecr 1337552140], length 0
06:24:44.066448 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337552141 ecr 3912515403], length 356
3 packets captured
4 packets received by filter
0 packets dropped by kernel
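To make the matching rules of the port, src/dst port, host, src/dst host, and, or and not sections concrete, here is an added example (my own code, not part of the original article or of tcpdump): a small parser for tcpdump's -nn TCP output lines and a set of Python predicates named after the pcap-filter keywords they imitate. The sample input is constructed: its first three lines are copied from the captures above, and the two port-80 lines are made up so that "host" and "port 22" select different packets. The function names (parse_line, host, src_port, and_, count, ...) are my own. Real tcpdump filters are compiled to BPF and evaluated in the kernel before a packet ever reaches user space; this only reproduces what each keyword matches on.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Added example, not from the original article: parse tcpdump "-nn" TCP lines
# and filter them with predicates that mirror pcap-filter keywords.


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int


# Matches lines such as:
# 06:23:20.354016 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, ..., length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump -nn TCP line; return None for trailer/status lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        ts=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=m["flags"], length=int(m["length"]),
    )


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


Pred = Callable[[Packet], bool]

# Filter primitives named after the tcpdump keywords they imitate.
def host(ip: str) -> Pred:      return lambda p: ip in (p.src, p.dst)   # either direction
def src_host(ip: str) -> Pred:  return lambda p: p.src == ip
def dst_host(ip: str) -> Pred:  return lambda p: p.dst == ip
def port(n: int) -> Pred:       return lambda p: n in (p.sport, p.dport)  # either direction
def src_port(n: int) -> Pred:   return lambda p: p.sport == n
def dst_port(n: int) -> Pred:   return lambda p: p.dport == n
def and_(*preds: Pred) -> Pred: return lambda p: all(f(p) for f in preds)
def or_(*preds: Pred) -> Pred:  return lambda p: any(f(p) for f in preds)
def not_(pred: Pred) -> Pred:   return lambda p: not pred(p)


def apply_filter(packets: Iterable[Packet], pred: Pred) -> List[Packet]:
    return [p for p in packets if pred(p)]


# Constructed sample: first three lines copied from the captures in this post,
# the two port-80 lines (HTTP SYN / SYN-ACK) are invented for contrast.
SAMPLE = """\
06:23:20.353842 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 2854389046:2854389266, ack 3637082505, win 341, options [nop,nop,TS val 1337468428 ecr 3912431688], length 220
06:23:20.354016 IP 10.1.1.1.38984 > 10.1.12.11.22: Flags [.], ack 220, win 9612, options [nop,nop,TS val 3912431693 ecr 1337468428], length 0
06:23:20.354368 IP 10.1.12.11.22 > 10.1.1.1.38984: Flags [P.], seq 220:576, ack 1, win 341, options [nop,nop,TS val 1337468429 ecr 3912431693], length 356
06:25:01.000000 IP 10.1.1.1.51022 > 10.1.12.11.80: Flags [S], seq 1, win 64240, options [mss 1460], length 0
06:25:01.000500 IP 10.1.12.11.80 > 10.1.1.1.51022: Flags [S.], seq 0, ack 2, win 65160, options [mss 1460], length 0
3 packets captured
4 packets received by filter
0 packets dropped by kernel
"""

PACKETS = parse_capture(SAMPLE)


def count(pred: Pred) -> int:
    """Number of sample packets the predicate would let through."""
    return len(apply_filter(PACKETS, pred))


if __name__ == "__main__":
    for label, pred in [
        ("port 22", port(22)),
        ("src port 22", src_port(22)),
        ("dst port 22", dst_port(22)),
        ("host 10.1.1.1", host("10.1.1.1")),
        ("host 10.1.1.1 and port 22", and_(host("10.1.1.1"), port(22))),
        ("host 10.1.12.11 and not port 22", and_(host("10.1.12.11"), not_(port(22)))),
    ]:
        print(f"{label:35s} -> {count(pred)} packets")
```

The same parser is handy in the other direction: pipe a saved tcpdump -nn text log through it to tabulate which hosts and ports actually appeared before you decide how tight the kernel-side filter should be.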
Closing
tcpdump lets you express every filter condition you normally need, so narrow the conditions carefully and put them to use in your investigations. Also read the trailer of each run: a non-zero "packets dropped by kernel" count means the capture is incomplete, so tighten the filter or write to a file with -w instead of decoding to the terminal.