之前寫到過在 linux 機器上面跑 Ethereal 來抓封包,不過這 Ethereal 都已經進版到 Wireshark 了,所以乾脆再把這方便的指令記錄一下當作備檔,順便也列一下幾個好用的抓封包的指令來做為參考:
首先是 Wireshark,在這裡因為機器多半跑在 run level 3 ,所以我還是用指令來秀就好,先看一下 tshark 有什麼用法:
下面這個範例示範最常用到就是抓 eth0 的封包並寫到 /tmp/test.cap 去:
假如你不想在 /var/log/messages 裡面再看到這些訊息的話,可以再加上一個 -p 的參數,就好了...
當然如果還要加上一些 filter 的話就只需依想要過濾的條件去設定就行了,舉例來說,我想過濾只抓關於 RTSP 的封包就好:
---------- 補充於 2009/04/30 -------------
追加補充個我常用的 filer,因為常需要分析 AAA server 間的 Radius protocol,所以常會這麼下指令:(這些是在 Linux OS 上的指令)
首先是 Wireshark,在這裡因為機器多半跑在 run level 3 ,所以我還是用指令來秀就好,先看一下 tshark 有什麼用法:
Usage: tshark [options] ...這裡秀了不少相關的參數,不過一般我們用不了這麼多,我就用最簡單的例子來示範一下就好:
Capture interface:
-i (interface) name or idx of interface (def: first non-loopback)
-f (capture) packet filter in libpcap filter syntax
-s (snaplen) packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y (link) link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c (packet) stop after n packets (def: infinite)
-a (autostop) ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b (ringbuffer) ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r (infile) set the filename to read from (no pipes or stdin!)
Processing:
-R (read) packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N (name) enable specific name resolution(s): "mntC"
-d (layer_type)==(selector),(decode_as_protocol) ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w (outfile|-) set the output filename (or '-' for stdout)
-F (output) set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e (field) field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E(fieldsoption)=(value) set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|(char) select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X (key):(value) eXtension options, see the man page for details
-z (statistics) various statistics, see the man page for details
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o (name):(value) ... override preference setting
下面這個範例示範最常用到就是抓 eth0 的封包並寫到 /tmp/test.cap 去:
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.cap如果要讀出這個 .cap 檔,可以用 -r 的參數,或者直接把檔案抓下來在自己的電腦上用 Wireshark 去開啟,不過有時就是急著要在機器上直接檢視所抓取的封包的結果,那就用 -S 吧,讓存檔的時候還順便把結果秀在螢幕上來檢視:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
145
[root@KHCDNSS01 ~]#
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.log -S不過這樣的封包訊息很難對時間對吧?那我們變換一下隊形,加上時間戳記在每個封包前面好了,這樣也比較方便檢視:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.013780 IntelCor_0c:9c:e3 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.019267 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.026100 IntelCor_0c:a2:40 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.106711 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.125997 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.149380 10.255.131.253 -> 10.15.25.13 NTP NTP client
0.149424 10.15.25.13 -> 10.255.131.253 NTP NTP server
0.213424 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.232625 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.321434 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.340753 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.428148 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.447482 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
14 packets captured
[root@KHCDNSS01 ~]#
[root@KHCDNSS01 ~]# tshark -i eth1 -ta -w /tmp/test.log -S再列出另一種我比較喜歡的時間格式:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5
22:52:38.637154 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.5
22:52:38.642615 SunMicro_d0:3e:07 -> Broadcast ARP Who has 172.24.4.8? Tell 172.24.4.9
22:52:38.645906 SunMicro_1a:4e:3b -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.84
22:52:38.646316 SunMicro_1a:b6:37 -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.86
22:52:38.650723 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
22:52:38.657893 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
22:52:38.657904 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5\r\n22:52:38.6371
22:52:38.672427 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
[root@KHCDNSS01 ~]# tshark -i eth1 -tad -w /tmp/test.log -S不過這樣的封包訊息又太精簡了,看不習慣對吧,那我們再變換一下隊形,這樣應該會更方便檢視:(加上 -V 把封包的 detail 訊息秀出來,加上 -x 後把 output 用 hex 和 ASCII 給 dump 出來,現在是不是清楚多了?)
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.073645 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
2009-04-26 22:57:47.089852 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
2009-04-26 22:57:47.089863 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732\r\n200
2009-04-26 22:57:47.098563 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.2
2009-04-26 22:57:47.098599 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.2
2009-04-26 22:57:47.116810 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.137607 172.24.4.14 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34730
2009-04-26 22:57:47.138241 172.24.4.28 -> 172.24.4.44 UDP Source port: 3030 Destination port: 34726
[root@KHCDNSS01 ~]# tshark -i eth0 -Vta -x對了,補充一下,當在抓封包時在 /var/log/messages 裡面常會出現一堆如下所列的訊息:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.406686000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
Address: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011201020000635FFE001CC01157EC01800319112A0000...
0000 01 00 5e 00 00 00 00 1c c0 11 57 ec 00 5a aa aa ..^.......W..Z..
0010 03 02 00 00 00 01 01 01 12 01 02 00 00 63 5f fe .............c_.
0020 00 1c c0 11 57 ec 01 80 03 19 11 2a 00 00 00 00 ....W......*....
0030 00 00 00 00 00 05 0f 49 6e 74 65 72 4e 45 54 2d .......InterNET-
0040 50 72 69 2d 42 6b 00 00 00 1c c0 0c a2 40 00 00 Pri-Bk.......@..
0050 00 00 00 00 00 0c 11 86 f9 ba 00 07 29 5e 4f 88 ............)^O.
0060 4c c8 04 85 e2 ff c3 f9 L.......
Frame 2 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.427783000
[Time delta from previous captured frame: 0.021097000 seconds]
[Time delta from previous displayed frame: 0.021097000 seconds]
[Time since reference or first frame: 0.021097000 seconds]
Frame Number: 2
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
Address: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011001020000DC8C04001CC00C5E84017F0318112A0000...
0000 01 00 5e 00 00 00 00 1c c0 0c 5e 84 00 5a aa aa ..^.......^..Z..
0010 03 02 00 00 00 01 01 01 10 01 02 00 00 dc 8c 04 ................
0020 00 1c c0 0c 5e 84 01 7f 03 18 11 2a 00 00 00 01 ....^......*....
0030 00 01 00 00 00 07 0d 41 53 4e 2d 53 65 63 2d 42 .......ASN-Sec-B
0040 72 69 63 6b 00 00 00 00 00 1c c0 0c 9c e3 00 00 rick............
0050 00 00 00 00 00 0c 11 86 f9 bb 00 05 e3 0c 4e a3 ..............N.
0060 fd 42 49 17 bb 9e bd 64 .BI....d
Frame 3 (90 bytes on wire, 90 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.444956000
[Time delta from previous captured frame: 0.017173000 seconds]
[Time delta from previous displayed frame: 0.017173000 seconds]
[Time since reference or first frame: 0.038270000 seconds]
Frame Number: 3
Frame Length: 90 bytes
Capture Length: 90 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:ntp]
Ethernet II, Src: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04), Dst: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Destination: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
Address: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.255.131.253 (10.255.131.253), Dst: 10.15.25.13 (10.15.25.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 76
Identification: 0x284a (10314)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 27
Protocol: UDP (0x11)
Header checksum: 0xc53f [correct]
[Good: True]
[Bad : False]
Source: 10.255.131.253 (10.255.131.253)
Destination: 10.15.25.13 (10.15.25.13)
User Datagram Protocol, Src Port: ntp (123), Dst Port: ntp (123)
Source port: ntp (123)
Destination port: ntp (123)
Length: 56
Checksum: 0x4170 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Network Time Protocol
Flags: 0x0b
00.. .... = Leap Indicator: no warning (0)
..00 1... = Version number: reserved (1)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: NULL
0000 00 22 19 50 bc 7e 02 00 00 dc 8c 04 08 00 45 00 .".P.~........E.
0010 00 4c 28 4a 00 00 1b 11 c5 3f 0a ff 83 fd 0a 0f .L(J.....?......
0020 19 0d 00 7b 00 7b 00 38 41 70 0b 00 00 00 00 00 ...{.{.8Ap......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 ..........
kernel: device eth0 entered promiscuous mode這代表你的網卡處於"混雜模式時",在同一個 broadcast segment 下的封包,都會被監聽,如果你的 LAN 是用 HUB 來接,那整個 LAN 的封包都會被監聽,若你的 LAN 是用 switch 接,一般來說就只能看到自己和 broadcast 的封包。
kernel: device eth0 left promiscuous mode
假如你不想在 /var/log/messages 裡面再看到這些訊息的話,可以再加上一個 -p 的參數,就好了...
當然如果還要加上一些 filter 的話就只需依想要過濾的條件去設定就行了,舉例來說,我想過濾只抓關於 RTSP 的封包就好:
[root@KHCDNSS01 ~]# tshark -i eth1 -Vtad -x -p port rtsp綜合以上所說的,其實我一般最常用的便是類似下面組合起來的 command 囉:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
Frame 1 (74 bytes on wire, 74 bytes captured)
Arrival Time: Apr 26, 2009 23:39:12.773857000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 74 bytes
Capture Length: 74 bytes
Protocols in frame: eth:ip:tcp
Ethernet II, Src: 00:15:60:a3:f4:67, Dst: 00:15:60:a3:f8:e5
Destination: 00:15:60:a3:f8:e5 (00:15:60:a3:f8:e5)
Source: 00:15:60:a3:f4:67 (00:15:60:a3:f4:67)
Type: IP (0x0800)
Internet Protocol, Src Addr: 172.24.4.44 (172.24.4.44), Dst Addr: 172.24.4.14 (172.24.4.14)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x03e6 (998)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xd66b (correct)
Source: 172.24.4.44 (172.24.4.44)
Destination: 172.24.4.14 (172.24.4.14)
Transmission Control Protocol, Src Port: 57606 (57606), Dst Port: rtsp (554), Seq: 0, Ack: 0, Len: 0
Source port: 57606 (57606)
Destination port: rtsp (554)
Sequence number: 0 (relative sequence number)
Header length: 40 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 5792
Checksum: 0x57d2 (correct)
Options: (20 bytes)
Maximum segment size: 1460 bytes
SACK permitted
Time stamp: tsval 2080473562, tsecr 2080479415
NOP
Window scale: 0 (multiply by 1)
0000 00 15 60 a3 f8 e5 00 15 60 a3 f4 67 08 00 45 00 ..`.....`..g..E.
0010 00 3c 03 e6 40 00 40 06 d6 6b ac 18 04 2c ac 18 .(..@.@..k...,..
0020 04 0e e1 06 02 2a 01 28 82 3c 00 00 00 00 a0 02 .....*.(.(......
0030 16 a0 57 d2 00 00 02 04 05 b4 04 02 08 0a 7c 01 ..W...........|.
0040 81 da 7c 01 98 b7 01 03 03 00 ..|.......
[root@KHCDNSS01 ~]# tshark -i eth0 -Vtad -x icmp -p -w /tmp/test.log -S既然說到在 Linux 上使用 Wireshark, 那在 Solaris 上面呢?簡單來說你可以使用 snoop 跟 tcpdump,不過個人是偏好 snoop 啦,下面先簡單列一下可用的選項:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (98 bytes on wire, 98 bytes captured)
Arrival Time: Apr 27, 2009 10:53:50.326876000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes
Capture Length: 98 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: 00:22:19:50:bc:7e (00:22:19:50:bc:7e), Dst: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Destination: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Address: All-HSRP-routers_04 (00:00:0c:07:ac:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.15.25.13 (10.15.25.13), Dst: 192.168.161.5 (192.168.161.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0xb5df [correct]
[Good: True]
[Bad : False]
Source: 10.15.25.13 (10.15.25.13)
Destination: 192.168.161.5 (192.168.161.5)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0x866f [correct]
Identifier: 0x7a27
Sequence number: 1 (0x0001)
Data (56 bytes)
Data: 3E1EF549D4FC040008090A0B0C0D0E0F1011121314151617...
0000 00 00 0c 07 ac 04 00 22 19 50 bc 7e 08 00 45 00 .......".P.~..E.
0010 00 54 00 00 40 00 40 01 b5 df 0a 0f 19 0d c0 a8 .T..@.@.........
0020 a1 05 08 00 86 6f 7a 27 00 01 3e 1e f5 49 d4 fc .....oz'..)..I..
0030 04 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67
1 packets captured
[root@KHCDNSS01 ~]#
Usage: snoop其實簡單說起來,用法跟 Wireshark 大同小異啦,比方說,下面是我常用的一個指令,用來檢查 NTP client 有沒有過來做 NTP 的同步,當然也可以把 filter 的部分改成其他的用法,比方說用 "bootp" 來取代掉 "port ntp" 的部分,就可以檢查 DHCP Client 有沒有來 request IP...其他的選項部分跟 Wireshark 其實差異不大,-d 是用來指定抓封包的 interface,-P 一樣可以避免網卡處於"混雜模式",-r 是不要解析 IP address,-v 是秀出詳細的 packet,而 -ta 則是秀出時間戳記.....
[ -a ] # Listen to packets on audio
[ -d device ] # Listen on interface named device
[ -s snaplen ] # Truncate packets
[ -c count ] # Quit after count packets
[ -P ] # Turn OFF promiscuous mode
[ -D ] # Report dropped packets
[ -S ] # Report packet size
[ -i file ] # Read previously captured packets
[ -o file ] # Capture packets in file
[ -n file ] # Load addr-to-name table from file
[ -N ] # Create addr-to-name table
[ -t r|a|d ] # Time: Relative, Absolute or Delta
[ -v ] # Verbose packet display
[ -V ] # Show all summary lines
[ -p first[,last] ] # Select packet(s) to display
[ -x offset[,length] ] # Hex dump from offset for length
[ -C ] # Print packet filter code
[ -q ] # Suppress printing packet count
[ -r ] # Do not resolve address to name
[ filter expression ]
47ksh# snoop -vVta -r -d bge0 -P -x5 port ntp好囉,就先寫到這兒吧~
Using device /dev/bge0 (non promiscuous)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 11 arrived at 18:21:4.42140
ETHER: Packet size = 90 bytes
ETHER: Destination = 0:14:4f:a9:83:50,
ETHER: Source = 0:1a:f0:bc:b6:6d,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0xc0
IP: xxx. .... = 6 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 76 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 254 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 757e
IP: Source address = 10.16.25.34, 10.16.25.34
IP: Destination address = 10.17.25.32, 10.17.25.32
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 123
UDP: Destination port = 123 (NTP)
UDP: Length = 56
UDP: Checksum = F8E2
UDP:
NTP: ----- Network Time Protocol -----
NTP:
NTP: Leap = 0x0 (OK)
NTP: Version = 3
NTP: Mode = 3 (client)
NTP: Stratum = 3 (secondary reference)
NTP: Poll = 6
NTP: Precision = 238 seconds
NTP: Synchronizing distance = 0x0000.0064 (0.001526)
NTP: Synchronizing dispersion = 0x0000.040d (0.015823)
NTP: Reference clock = 10.17.25.32 (10.17.25.32)
NTP: Reference time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Originate time = 0xcda00550.6b9f8000 (2009-04-27 18:20:00.42040)
NTP: Receive time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Transmit time = 0xcda00590.6bc46a2c (2009-04-27 18:21:04.42097)
0: 8350 001a f0bc b66d 0800 45c0 004c 0000 .P.....m..E..L..
16: 0000 fe11 757e 0a10 1922 0a11 1920 007b ....u~..."... .{
32: 007b 0038 f8e2 1b03 06ee 0000 0064 0000 .{.8.........d..
48: 040d 0a11 1920 cda0 0550 6bbe 484f cda0 ..... .?.Pk.HO.?
64: 0550 6b9f 8000 cda0 0550 6bbe 484f cda0 .Pk?...?.Pk.HO.?
80: 0590 6bc4 6a2c ..k.j,
^C
root@KHXDNSS1:/etc/domain
---------- 補充於 2009/04/30 -------------
追加補充個我常用的 filer,因為常需要分析 AAA server 間的 Radius protocol,所以常會這麼下指令:(這些是在 Linux OS 上的指令)
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z "radius,rtd,ip.addr==xx.xx.xx.xx" -w /tmp/AAA-radius.cap -S或者是:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z radius,rtd. -w /tmp/AAA-radius.cap -S又或者是乾脆就這麼用:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x port radius -w /tmp/AAA-radius.cap -S對了,加上這個 -z 的參數,在抓完封包時,會多出如下的處理訊息:
RADIUS Response Time Delay (RTD) Statistics:OK,補充完畢... (詳全文...)
Filter for statistics:
Duplicate requests: 3
Duplicate responses: 0
Open requests: 3
Discarded responses: 0
Type | Messages | Min RTD | Max RTD | Avg RTD | Min in Frame | Max in Frame |
Overall | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |
Access | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |