Wireshark is GUI-based, but a command-line version, tshark, comes with it.
It can be handy when you work from the Linux console (CUI), want to drive captures from batch jobs, or find the GUI too heavy.

[root@CentOS64VM tools]# yum install wireshark
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
 * base: ftp.jaist.ac.jp
 * extras: ftp.jaist.ac.jp
 * updates: ftp.jaist.ac.jp
base
extras
updates
updates/primary_db
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package wireshark.x86_64 0:1.2.15-2.el6_2.1 will be installed
--> Processing Dependency: libgnutls.so.26(GNUTLS_1_4)(64bit) for package: wireshark-1.2.15-2.el6_2.1.x86_64
--> Processing Dependency: libsmi.so.2()(64bit) for package: wireshark-1.2.15-2.el6_2.1.x86_64
--> Processing Dependency: libpcap.so.1()(64bit) for package: wireshark-1.2.15-2.el6_2.1.x86_64
--> Processing Dependency: libgnutls.so.26()(64bit) for package: wireshark-1.2.15-2.el6_2.1.x86_64
--> Running transaction check
---> Package gnutls.x86_64 0:2.8.5-4.el6_2.2 will be installed
--> Processing Dependency: libtasn1.so.3(LIBTASN1_0_3)(64bit) for package: gnutls-2.8.5-4.el6_2.2.x86_64
--> Processing Dependency: libtasn1.so.3()(64bit) for package: gnutls-2.8.5-4.el6_2.2.x86_64
---> Package libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6 will be installed
---> Package libsmi.x86_64 0:0.4.8-4.el6 will be installed
--> Running transaction check
---> Package libtasn1.x86_64 0:2.3-3.el6_2.1 will be installed
--> Finished Dependency Resolution

wireshark

Packet capture with tshark and tcpdump

[root@CentOS64VM tools]# /usr/sbin/tshark -n -i eth0 tcp port 80
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.137.1 -> 192.168.137.128 TCP 50018 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.114130 192.168.137.1 -> 192.168.137.128 TCP 50019 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.250229 192.168.137.1 -> 192.168.137.128 TCP 50020 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  2.999452 192.168.137.1 -> 192.168.137.128 TCP 50018 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  3.111388 192.168.137.1 -> 192.168.137.128 TCP 50019 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  3.251262 192.168.137.1 -> 192.168.137.128 TCP 50020 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
^C6 packets captured
[root@CentOS64VM tools]# /usr/sbin/tcpdump -n -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:24:35.773723 IP 192.168.137.1.50022 > 192.168.137.128.http: Flags [S], seq 3779509450, win 8192, options [mss 1460,nop,wscale 2,nop
19:24:36.784314 IP 192.168.137.1.50023 > 192.168.137.128.http: Flags [S], seq 1774179078, win 8192, options [mss 1460,nop,wscale 2,nop
19:24:37.055527 IP 192.168.137.1.50024 > 192.168.137.128.http: Flags [S], seq 1893589663, win 8192, options [mss 1460,nop,wscale 2,nop
19:24:39.783694 IP 192.168.137.1.50023 > 192.168.137.128.http: Flags [S], seq 1774179078, win 8192, options [mss 1460,nop,wscale 2,nop
19:24:40.063879 IP 192.168.137.1.50024 > 192.168.137.128.http: Flags [S], seq 1893589663, win 8192, options [mss 1460,nop,wscale 2,nop
19:24:41.795255 IP 192.168.137.1.50022 > 192.168.137.128.http: Flags [S], seq 3779509450, win 8192, options [mss 1460,nop,nop,sackOK],
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS64VM tools]#
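Both captures above show only client SYNs to port 80, each retransmitted about three seconds later and never answered with a SYN/ACK. The following added example (not part of the original page) parses tshark's default summary lines and reports such unanswered SYNs; the port-50021/22 handshake in the sample is constructed to show a connection that does get answered.

```python
import re
from collections import defaultdict

# Constructed sample: the six tshark summary lines from the capture above, plus one
# constructed SYN / SYN-ACK pair on port 22 (client port 50021) that is answered.
TSHARK_LINES = """\
  0.000000 192.168.137.1 -> 192.168.137.128 TCP 50018 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.114130 192.168.137.1 -> 192.168.137.128 TCP 50019 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.250229 192.168.137.1 -> 192.168.137.128 TCP 50020 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.400000 192.168.137.1 -> 192.168.137.128 TCP 50021 > 22 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  0.400500 192.168.137.128 -> 192.168.137.1 TCP 22 > 50021 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
  2.999452 192.168.137.1 -> 192.168.137.128 TCP 50018 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  3.111388 192.168.137.1 -> 192.168.137.128 TCP 50019 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
  3.251262 192.168.137.1 -> 192.168.137.128 TCP 50020 > 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
"""

# tshark 1.2 default summary line: "<rel time> <src> -> <dst> TCP <sport> > <dport> [FLAGS] ..."
LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_summary(text):
    """Yield (time, src, sport, dst, dport, flags) for each TCP summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flags = frozenset(f.strip() for f in m["flags"].split(","))
            yield (float(m["t"]), m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), flags)

def unanswered_syns(text):
    """Map (src, sport, dst, dport) -> list of SYN times for client SYNs that never
    got a SYN/ACK from the server side anywhere in the capture.
    Several times under one key are the client's SYN retransmissions."""
    syns = defaultdict(list)
    answered = set()
    for t, src, sport, dst, dport, flags in parse_summary(text):
        if flags == {"SYN"}:
            syns[(src, sport, dst, dport)].append(t)
        elif {"SYN", "ACK"} <= flags:
            # the SYN/ACK travels server -> client, so flip it back to the client's key
            answered.add((dst, dport, src, sport))
    return {k: v for k, v in syns.items() if k not in answered}

if __name__ == "__main__":
    for key, times in unanswered_syns(TSHARK_LINES).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {len(times)} SYN(s), no SYN/ACK, at {times}")
```

A burst of unanswered SYNs like this is what a closed or filtered port looks like from the wire, and the same shape (many ports, one source, no replies) is the signature to watch for when you suspect a port scan.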

tshark

[root@CentOS64VM tools]# /usr/sbin/tshark -help
TShark 1.2.15
Dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2011 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
Output:
  -w <outfile|->           set the output filename (or '-' for stdout)
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is libpcap
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -S                       display packets even when writing to a file
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|text|fields
                           format of text output (def: text)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port);
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     quote=d|s|n           select double, single, no quotes for values
  -t ad|a|r|d|dd|e         output format of time stamps (def: r: rel. to first)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -X <key>:<value>         eXtension options, see the man page for details
  -z <statistics>          various statistics, see the man page for details

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
[root@CentOS64VM tools]#

Related pages
Network analysis with Wireshark (formerly Ethereal)

Reference pages
How to use tshark (the CLI version of Wireshark)
Wireshark tricks: "TShark", which you can run from the command line
tcpdump: monitoring the packets flowing over the network


Name resolution order

[root@localhost ~]# cat /etc/host.conf
order hosts,bind
[root@localhost ~]#

[root@localhost ~]# more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

Name resolution

[root@localhost ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.1.1
search localdomain
[root@localhost ~]#


[root@localhost ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
[root@localhost ~]#


Hostname, gateway, and networking on/off

[root@localhost ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=localhost.localdomain
GATEWAY=192.168.1.1
[root@localhost ~]#


IP address settings

(Below: the DHCP case)

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# ADMtek NC100 Network Everywhere Fast Ethernet 10/100
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:90:CC:E0:0C:C5
ONBOOT=yes
[root@localhost ~]#

(Below: the static IP case)

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# ADMtek NC100 Network Everywhere Fast Ethernet 10/100
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:90:CC:E0:0C:C5
BROADCAST=192.168.1.255
IPADDR=192.168.1.10
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
[root@localhost ~]#

Note: NETWORK, BROADCAST and the like can often be left out.


Assorted commands:

host command

[root@localhost ~]# host yahoo.co.jp
yahoo.co.jp has address 203.216.227.176
yahoo.co.jp has address 124.83.139.192
yahoo.co.jp mail is handled by 10 mx5.mail.yahoo.co.jp.
yahoo.co.jp mail is handled by 10 mx1.mail.yahoo.co.jp.
yahoo.co.jp mail is handled by 10 mx2.mail.yahoo.co.jp.
yahoo.co.jp mail is handled by 10 mx3.mail.yahoo.co.jp.
[root@localhost ~]#

[root@localhost ~]# host 203.216.227.176
176.227.216.203.in-addr.arpa domain name pointer f1.top.vip.tnz.yahoo.co.jp.
[root@localhost ~]#

netstat command

[root@localhost ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:838                       *:*                         LISTEN
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 *:sunrpc                    *:*                         LISTEN
tcp        1      0 192.168.11.4:46259          ftp4.ncnu.edu.tw:http       CLOSE_WAIT
tcp        1      0 192.168.11.4:46262          ftp4.ncnu.edu.tw:http       CLOSE_WAIT
tcp        1      0 192.168.11.4:40359          centos.at.multacom.com:http CLOSE_WAIT
tcp        1      0 192.168.11.4:40363          centos.at.multacom.com:http CLOSE_WAIT
tcp        1      0 192.168.11.4:40361          centos.at.multacom.com:http CLOSE_WAIT
tcp        1      0 192.168.11.4:40365          centos.at.multacom.com:http CLOSE_WAIT
tcp        0      0 *:webcache                  *:*                         LISTEN
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0    132 ::ffff:192.168.11.4:ssh     ::ffff:192.1:carrius-rshell ESTABLISHED
[root@localhost ~]#

-a all sockets
-c refresh continuously, once per second
-i network interface status
-n show addresses and ports numerically
-p also show the PID and program name
-r show the routing table
-t show TCP sockets only

route command

Destination: destination network or host
Gateway: gateway address
Genmask: netmask of the destination (255.255.255.255 for a host route, 0.0.0.0 for the default gateway)
Flags: route state (U: up, H: destination is a host, G: goes via a gateway, !: route rejected)
Metric: distance (hop count)
Ref: number of references to this route
Use: number of lookups of this route
Iface: network interface

[root@localhost ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.11.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         air.setup       0.0.0.0         UG    0      0        0 eth0
[root@localhost ~]#

Add a route with route add

Delete a route with route del


When Linux is used as a router it has to forward packets between different networks, so set ip_forward to 1.

0 = packet forwarding denied, 1 = packet forwarding allowed

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]#

TCPDUMP

-i interface

-s snapshot length in bytes

-X show packet contents in hex and ASCII

-n show addresses without resolving them to names

port specify a port number

proto specify a protocol

[root@localhost ~]# tcpdump -X -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:09:10.196603 IP 192.168.11.2.gxtelmd > 192.168.11.4.http: S 3053066467:3053066467(0) win 16384 <mss 1460,
        0x0000:  4500 0030 601c 4000 8006 0355 c0a8 0b02  E..0`.@….U….
        0x0010:  c0a8 0b04 0934 0050 b5fa 18e3 0000 0000  …..4.P……..
        0x0020:  7002 4000 d366 0000 0204 05b4 0101 0402  p.@..f……….
01:09:10.239801 IP 192.168.11.4.http > 192.168.11.2.gxtelmd: S 2904952068:2904952068(0) ack 3053066468 win 5p,nop,sackOK>
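To read the -X hex dump by hand you walk the 20-byte IPv4 header and then the TCP header it carries. The following added example (not from the original page) does exactly that on the first packet above, retyped as a constructed sample, and recovers the fields tcpdump printed in the summary line: SYN from 192.168.11.2 port 2356 (gxtelmd) to port 80, seq 3053066467, win 16384, MSS 1460.

```python
import struct

# Constructed from the three hex lines of the "tcpdump -X" output above
# (first SYN from 192.168.11.2 to 192.168.11.4 port 80); the ASCII column is retyped.
HEXDUMP = """\
        0x0000:  4500 0030 601c 4000 8006 0355 c0a8 0b02  E..0`.@....U....
        0x0010:  c0a8 0b04 0934 0050 b5fa 18e3 0000 0000  .....4.P........
        0x0020:  7002 4000 d366 0000 0204 05b4 0101 0402  p.@..f..........
"""
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def hexdump_to_bytes(text):
    """Collect the hex column of each '-X' line: after the '0xNNNN:' offset the hex
    groups are single-space separated and the ASCII column follows two spaces."""
    out = bytearray()
    for line in text.splitlines():
        hex_part = line.split(":", 1)[1].strip().split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def parse_tcp_options(raw):
    """Decode the option kinds seen in a SYN: NOP(1), MSS(2), WS(3), SACK permitted(4)."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of option list
        kind = raw[i]
        if kind == 1:
            opts.append("NOP"); i += 1; continue
        length, val = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:   opts.append(("MSS", struct.unpack("!H", val)[0]))
        elif kind == 3: opts.append(("WS", val[0]))
        elif kind == 4: opts.append("SACK_PERM")
        i += length
    return opts

def decode_ipv4_tcp(pkt):
    """Walk the IPv4 header, then the TCP header it carries; return the key fields."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4                   # 0x45 -> IHL 5 words = 20 bytes
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4             # 0x7002 -> 7 words = 28 bytes, SYN set
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl, "proto": proto, "ip_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [n for bit, n in TCP_FLAG_BITS if off_flags & bit],
        "options": parse_tcp_options(tcp[20:data_off]),
    }

DECODED = decode_ipv4_tcp(hexdump_to_bytes(HEXDUMP))   # decode the sample above
```

TTL 128 and the MSS/NOP/NOP/SACK option layout are the Windows-style fingerprint you would expect from the 192.168.11.2 client; these header fields are what passive OS fingerprinting and IDS rules key on.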

