What is Wireshark
Wireshark is the successor to the network protocol analyzer Ethereal (the project was renamed in 2006).
Installation
Since the idea is to ssh into a remote server and use it there, we install the CLI version rather than the GUI. The CLI command is tshark.
On CentOS 5.2
# yum install wireshark
For reference, the GUI package on CentOS is wireshark-gnome.
On Ubuntu 9.04
$ sudo aptitude install tshark
For reference, the GUI package on Ubuntu is wireshark.
Test
Capture port-80 traffic on br0. The trailing expression is a libpcap capture filter, the same syntax tcpdump uses; -n disables name resolution so addresses and ports are printed as numbers.
# tshark -n -i br0 tcp port 80
In another terminal, connect with telnet and, once the connection is established, type GET / followed by Enter.
$ telnet 192.168.11.241 80
GET /
Press ^C in the tshark terminal. The output looks like this.
# tshark -n -i br0 tcp port 80
Running as user "root" and group "root". This could be dangerous.
Capturing on br0
  0.000000 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1738335 TSER=0 WS=6
  0.000905 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3965771 TSER=1738335 WS=4
  0.000978 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1738335 TSER=3965771
  1.362928 192.168.11.102 -> 192.168.11.241 HTTP GET /
  1.363635 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [ACK] Seq=1 Ack=8 Win=5792 Len=0 TSV=3967134 TSER=1738471
  1.364764 192.168.11.241 -> 192.168.11.102 HTTP Continuation or non-HTTP traffic
  1.364829 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [ACK] Seq=8 Ack=22 Win=5888 Len=0 TSV=1738471 TSER=3967135
  1.364852 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [FIN, ACK] Seq=22 Ack=8 Win=5792 Len=0 TSV=3967136 TSER=1738471
  1.365315 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [FIN, ACK] Seq=8 Ack=23 Win=5888 Len=0 TSV=1738471 TSER=3967136
  1.366978 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [ACK] Seq=23 Ack=9 Win=5792 Len=0 TSV=3967138 TSER=1738471
^C10 packets captured
Reading the output: the first three lines are the three-way handshake (SYN, SYN/ACK, ACK). tshark prints relative sequence numbers, so Seq and Ack start at 0 and 1 rather than the raw initial sequence numbers. The GET / line is the request: 7 bytes including the CRLF telnet sends, which is why the server's next Ack is 8. The 21-byte reply is a bare HTTP/0.9-style response with no status line, so tshark cannot dissect it and labels it "Continuation or non-HTTP traffic". The server then sends the first FIN, the client answers with its own FIN, and the server's final ACK completes the close. The warning about running as root is tshark reminding you that its protocol dissectors are parsing untrusted network data with root privileges; for anything beyond a quick test, capture raw packets to a file with -w and dissect that file later as an unprivileged user with -r.
For comparison, tcpdump gives this.
# tcpdump -n -i br0 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
11:49:01.942466 IP 192.168.11.102.36673 > 192.168.11.241.80: S 3722872408:3722872408(0) win 5840 <mss 1460,sackOK,timestamp 1722908 0,nop,wscale 6>
11:49:01.943604 IP 192.168.11.241.80 > 192.168.11.102.36673: S 1321486056:1321486056(0) ack 3722872409 win 5792 <mss 1460,sackOK,timestamp 3811486 1722908,nop,wscale 4>
11:49:01.943673 IP 192.168.11.102.36673 > 192.168.11.241.80: . ack 1 win 92 <nop,nop,timestamp 1722909 3811486>
11:49:04.794205 IP 192.168.11.102.36673 > 192.168.11.241.80: P 1:8(7) ack 1 win 92 <nop,nop,timestamp 1723194 3811486>
11:49:04.795714 IP 192.168.11.241.80 > 192.168.11.102.36673: . ack 8 win 362 <nop,nop,timestamp 3814337 1723194>
11:49:04.795782 IP 192.168.11.241.80 > 192.168.11.102.36673: P 1:22(21) ack 8 win 362 <nop,nop,timestamp 3814338 1723194>
11:49:04.795818 IP 192.168.11.102.36673 > 192.168.11.241.80: . ack 22 win 92 <nop,nop,timestamp 1723194 3814338>
11:49:04.795838 IP 192.168.11.241.80 > 192.168.11.102.36673: F 22:22(0) ack 8 win 362 <nop,nop,timestamp 3814339 1723194>
11:49:04.796667 IP 192.168.11.102.36673 > 192.168.11.241.80: F 8:8(0) ack 23 win 92 <nop,nop,timestamp 1723194 3814339>
11:49:04.798567 IP 192.168.11.241.80 > 192.168.11.102.36673: . ack 9 win 362 <nop,nop,timestamp 3814341 1723194>
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
The differences are mostly presentation. tcpdump prints wall-clock timestamps instead of time since the start of the capture, shows the raw initial sequence numbers on the SYN and SYN/ACK before switching to relative numbers, and prints the window field as carried on the wire rather than the scaled value tshark shows (win 92 with wscale 6 is 92 × 64 = 5888, the Win=5888 in the tshark output). It also makes the payload sizes explicit: P 1:8(7) is the 7-byte request and P 1:22(21) the 21-byte reply. Note the "capture size 96 bytes" line: this tcpdump's default snaplen truncates every packet after 96 bytes, which is fine for a one-line summary but loses payload if you save with -w, so add -s 0 when writing a capture file you intend to dissect later.
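As an added example (not code from the original post), here is a small Python parser for the one-line summaries that this version of tshark prints. It reconstructs the connection from the relative Seq/Ack numbers, using the fact that SYN and FIN each consume one sequence number, and reports whether the handshake completed, how many payload bytes each side sent, and which side closed first. The sample input is the ten tshark lines from the capture above, embedded so the script runs offline; the regexes match the column layout shown on this page and are an assumption for other tshark versions, which print additional columns.

```python
import re
from dataclasses import dataclass, field

# Sample input: the ten tshark one-line summaries from the capture above, embedded
# here so the example runs offline (constructed from the page's own output).
SAMPLE = """\
  0.000000 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1738335 TSER=0 WS=6
  0.000905 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3965771 TSER=1738335 WS=4
  0.000978 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1738335 TSER=3965771
  1.362928 192.168.11.102 -> 192.168.11.241 HTTP GET /
  1.363635 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [ACK] Seq=1 Ack=8 Win=5792 Len=0 TSV=3967134 TSER=1738471
  1.364764 192.168.11.241 -> 192.168.11.102 HTTP Continuation or non-HTTP traffic
  1.364829 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [ACK] Seq=8 Ack=22 Win=5888 Len=0 TSV=1738471 TSER=3967135
  1.364852 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [FIN, ACK] Seq=22 Ack=8 Win=5792 Len=0 TSV=3967136 TSER=1738471
  1.365315 192.168.11.102 -> 192.168.11.241 TCP 36674 > 80 [FIN, ACK] Seq=8 Ack=23 Win=5888 Len=0 TSV=1738471 TSER=3967136
  1.366978 192.168.11.241 -> 192.168.11.102 TCP 80 > 36674 [ACK] Seq=23 Ack=9 Win=5792 Len=0 TSV=3967138 TSER=1738471
"""

# Column layout assumed from the output above: "<time> <src> -> <dst> <proto> <info>".
LINE_RE = re.compile(r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$")
# TCP info column: "<sport> > <dport> [FLAGS] Key=value ...".
TCP_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\](?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\d+)")


@dataclass
class Packet:
    time: float
    src: str
    dst: str
    proto: str
    info: str
    flags: tuple = ()                            # e.g. ("SYN", "ACK"); empty for non-TCP lines
    fields: dict = field(default_factory=dict)   # Seq, Ack, Len, Win, sport, dport ... as ints


def parse_summary(text: str) -> list:
    """Parse tshark one-line summaries; lines that do not match (banner, ^C) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = Packet(float(m["t"]), m["src"], m["dst"], m["proto"], m["info"].strip())
        tm = TCP_RE.match(pkt.info) if pkt.proto == "TCP" else None
        if tm:
            pkt.flags = tuple(f.strip() for f in tm["flags"].split(","))
            pkt.fields = {k: int(v) for k, v in KV_RE.findall(tm["kv"])}
            pkt.fields["sport"], pkt.fields["dport"] = int(tm["sport"]), int(tm["dport"])
        packets.append(pkt)
    return packets


def payload_bytes(tcp: list, sender: str, receiver: str) -> int:
    """Payload bytes `sender` delivered, derived from the receiver's acknowledgements.

    tshark prints relative sequence numbers, and SYN and FIN each consume one
    number, so: highest Ack from the peer, minus 1 for the SYN, minus 1 more
    if the sender's FIN has been acknowledged.
    """
    acks = [p.fields["Ack"] for p in tcp if p.src == receiver and "Ack" in p.fields]
    if not acks:
        return 0
    highest = max(acks)
    fin = next((p for p in tcp if p.src == sender and "FIN" in p.flags), None)
    fin_acked = fin is not None and highest > fin.fields["Seq"]
    return highest - 1 - (1 if fin_acked else 0)


def summarize_connection(packets: list) -> dict:
    """Reconstruct one TCP connection (handshake, bytes per direction, who closed)."""
    tcp = [p for p in packets if p.proto == "TCP" and p.flags]
    syn = next((p for p in tcp if p.flags == ("SYN",)), None)
    if syn is None:
        raise ValueError("no SYN seen: the capture started mid-connection")
    client, server = syn.src, syn.dst
    after = tcp[tcp.index(syn):]
    handshake = (
        len(after) >= 3
        and after[1].flags == ("SYN", "ACK") and after[1].src == server
        and after[2].flags == ("ACK",) and after[2].src == client
    )
    first_fin = next((p for p in tcp if "FIN" in p.flags), None)
    return {
        "client": f"{client}:{syn.fields['sport']}",
        "server": f"{server}:{syn.fields['dport']}",
        "handshake_complete": handshake,
        "client_bytes": payload_bytes(tcp, client, server),
        "server_bytes": payload_bytes(tcp, server, client),
        "closed_by": "none" if first_fin is None else ("server" if first_fin.src == server else "client"),
        "requests": [p.info for p in packets if p.proto == "HTTP" and p.src == client],
        "duration": round(packets[-1].time - packets[0].time, 6),
    }


if __name__ == "__main__":
    for key, value in summarize_connection(parse_summary(SAMPLE)).items():
        print(f"{key:>19}: {value}")
```

Run on the sample it reports 7 bytes from the client and 21 from the server, closed by the server: the same numbers tcpdump prints directly as P 1:8(7) and P 1:22(21), which is a handy cross-check when reading relative sequence numbers by eye.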