
How to capture network packets on Linux and Solaris?

I wrote earlier about running Ethereal on a Linux box to capture packets, but Ethereal has since moved on to become Wireshark, so I am writing these handy commands down again as a backup, and listing a few other useful capture commands alongside them for reference:

First, Wireshark. Since the machines here mostly run at run level 3, I just use the command line. Let's start by looking at what tshark offers:
Usage: tshark [options] ...

Capture interface:
-i (interface) name or idx of interface (def: first non-loopback)
-f (capture) packet filter in libpcap filter syntax
-s (snaplen) packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y (link) link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit

Capture stop conditions:
-c (packet) stop after n packets (def: infinite)
-a (autostop) ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b (ringbuffer) ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r (infile) set the filename to read from (no pipes or stdin!)

Processing:
-R (read) packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N (name) enable specific name resolution(s): "mntC"
-d (layer_type)==(selector),(decode_as_protocol) ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w (outfile|-) set the output filename (or '-' for stdout)
-F (output) set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e (field) field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E(fieldsoption)=(value) set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|(char) select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X (key):(value) eXtension options, see the man page for details
-z (statistics) various statistics, see the man page for details

Miscellaneous:
-h display this help and exit
-v display version info and exit
-o (name):(value) ... override preference setting
That is a lot of options, but we normally don't need most of them, so I'll just demonstrate with the simplest examples:

The example below is the most common case: capture packets on eth0 and write them to /tmp/test.cap:
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.cap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
145
[root@KHCDNSS01 ~]#
To read that .cap file back, use the -r option, or pull the file down and open it in Wireshark on your own PC. Sometimes, though, you urgently need to inspect the captured packets right on the machine; in that case add -S, which prints the results to the screen while still writing the file:
[root@KHCDNSS01 ~]# tshark -i eth0 -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.013780 IntelCor_0c:9c:e3 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.019267 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.026100 IntelCor_0c:a2:40 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.106711 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.125997 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.149380 10.255.131.253 -> 10.15.25.13 NTP NTP client
0.149424 10.15.25.13 -> 10.255.131.253 NTP NTP server
0.213424 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.232625 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.321434 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.340753 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.428148 IntelCor_11:57:ec -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
0.447482 IntelCor_0c:5e:84 -> UscInfor_00:00:00 LLC U, func=UI; SNAP, OUI 0x020000 (Unknown), PID 0x0001
14 packets captured
[root@KHCDNSS01 ~]#
But packet lines like these are hard to relate to a point in time, right? So let's change formation and prefix each packet with a timestamp, which makes them much easier to review:
[root@KHCDNSS01 ~]# tshark -i eth1 -ta -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5
22:52:38.637154 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.5
22:52:38.642615 SunMicro_d0:3e:07 -> Broadcast ARP Who has 172.24.4.8? Tell 172.24.4.9
22:52:38.645906 SunMicro_1a:4e:3b -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.84
22:52:38.646316 SunMicro_1a:b6:37 -> Broadcast ARP Who has 172.24.4.87? Tell 172.24.4.86
22:52:38.650723 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
22:52:38.657893 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
22:52:38.657904 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n22:52:38.637125 SunMicro_9b:ab:99 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.5\r\n22:52:38.6371
22:52:38.672427 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
Here is another time format, the one I actually prefer:
[root@KHCDNSS01 ~]# tshark -i eth1 -tad -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.073645 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34734
2009-04-26 22:57:47.089852 172.24.4.7 -> 172.24.4.44 TCP 706 > login [ACK] Seq=0 Ack=0 Win=24820 Len=0
2009-04-26 22:57:47.089863 172.24.4.44 -> 172.24.4.7 Rlogin Data: Capturing on eth0\r\n2009-04-26 22:57:47.071895 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732\r\n200
2009-04-26 22:57:47.098563 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.9? Tell 172.24.132.2
2009-04-26 22:57:47.098599 SunMicro_9b:ad:c9 -> Broadcast ARP Who has 172.24.132.7? Tell 172.24.132.2
2009-04-26 22:57:47.116810 172.24.128.202 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34732
2009-04-26 22:57:47.137607 172.24.4.14 -> 172.24.4.44 UDP Source port: 3020 Destination port: 34730
2009-04-26 22:57:47.138241 172.24.4.28 -> 172.24.4.44 UDP Source port: 3030 Destination port: 34726
But packet lines like these are too terse and hard to get used to, right? So let's change formation once more; this should be even easier to review. (-V prints the packet details, and -x adds a hex and ASCII dump of the output. Much clearer now, isn't it?)
[root@KHCDNSS01 ~]# tshark -i eth0 -Vta -x
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.406686000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
Address: IntelCor_11:57:ec (00:1c:c0:11:57:ec)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011201020000635FFE001CC01157EC01800319112A0000...

0000 01 00 5e 00 00 00 00 1c c0 11 57 ec 00 5a aa aa ..^.......W..Z..
0010 03 02 00 00 00 01 01 01 12 01 02 00 00 63 5f fe .............c_.
0020 00 1c c0 11 57 ec 01 80 03 19 11 2a 00 00 00 00 ....W......*....
0030 00 00 00 00 00 05 0f 49 6e 74 65 72 4e 45 54 2d .......InterNET-
0040 50 72 69 2d 42 6b 00 00 00 1c c0 0c a2 40 00 00 Pri-Bk.......@..
0050 00 00 00 00 00 0c 11 86 f9 ba 00 07 29 5e 4f 88 ............)^O.
0060 4c c8 04 85 e2 ff c3 f9 L.......

Frame 2 (104 bytes on wire, 104 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.427783000
[Time delta from previous captured frame: 0.021097000 seconds]
[Time delta from previous displayed frame: 0.021097000 seconds]
[Time since reference or first frame: 0.021097000 seconds]
Frame Number: 2
Frame Length: 104 bytes
Capture Length: 104 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
Destination: UscInfor_00:00:00 (01:00:5e:00:00:00)
Address: UscInfor_00:00:00 (01:00:5e:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
Address: IntelCor_0c:5e:84 (00:1c:c0:0c:5e:84)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 90
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Unknown (0x020000)
Protocol ID: 0x0001
Data (82 bytes)
Data: 01011001020000DC8C04001CC00C5E84017F0318112A0000...

0000 01 00 5e 00 00 00 00 1c c0 0c 5e 84 00 5a aa aa ..^.......^..Z..
0010 03 02 00 00 00 01 01 01 10 01 02 00 00 dc 8c 04 ................
0020 00 1c c0 0c 5e 84 01 7f 03 18 11 2a 00 00 00 01 ....^......*....
0030 00 01 00 00 00 07 0d 41 53 4e 2d 53 65 63 2d 42 .......ASN-Sec-B
0040 72 69 63 6b 00 00 00 00 00 1c c0 0c 9c e3 00 00 rick............
0050 00 00 00 00 00 0c 11 86 f9 bb 00 05 e3 0c 4e a3 ..............N.
0060 fd 42 49 17 bb 9e bd 64 .BI....d

Frame 3 (90 bytes on wire, 90 bytes captured)
Arrival Time: Apr 26, 2009 18:56:34.444956000
[Time delta from previous captured frame: 0.017173000 seconds]
[Time delta from previous displayed frame: 0.017173000 seconds]
[Time since reference or first frame: 0.038270000 seconds]
Frame Number: 3
Frame Length: 90 bytes
Capture Length: 90 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:ntp]
Ethernet II, Src: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04), Dst: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Destination: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
Address: 02:00:00:dc:8c:04 (02:00:00:dc:8c:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.255.131.253 (10.255.131.253), Dst: 10.15.25.13 (10.15.25.13)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 76
Identification: 0x284a (10314)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 27
Protocol: UDP (0x11)
Header checksum: 0xc53f [correct]
[Good: True]
[Bad : False]
Source: 10.255.131.253 (10.255.131.253)
Destination: 10.15.25.13 (10.15.25.13)
User Datagram Protocol, Src Port: ntp (123), Dst Port: ntp (123)
Source port: ntp (123)
Destination port: ntp (123)
Length: 56
Checksum: 0x4170 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Network Time Protocol
Flags: 0x0b
00.. .... = Leap Indicator: no warning (0)
..00 1... = Version number: reserved (1)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: NULL

0000 00 22 19 50 bc 7e 02 00 00 dc 8c 04 08 00 45 00 .".P.~........E.
0010 00 4c 28 4a 00 00 1b 11 c5 3f 0a ff 83 fd 0a 0f .L(J.....?......
0020 19 0d 00 7b 00 7b 00 38 41 70 0b 00 00 00 00 00 ...{.{.8Ap......
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 ..........
By the way, one more thing: while capturing packets you will often see a pile of messages like the following in /var/log/messages:
kernel: device eth0 entered promiscuous mode
kernel: device eth0 left promiscuous mode
This means your NIC is in "promiscuous mode": every packet on the same broadcast segment is captured. If your LAN is connected with a hub, the whole LAN's traffic will be seen; if it is connected with a switch, generally you only see your own packets and broadcasts.

If you don't want to see these messages in /var/log/messages any more, just add the -p option...
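As an added example (not code from the post), here is a small Python monitor that turns those kernel messages into detection data: it pairs each "entered" with its "left" per interface, reports how long each NIC stayed promiscuous and which ones are still open, and flags any interface that is not on an allow-list of expected sniffing points. The sample log lines, the host name and the allow-list are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample in the /var/log/messages format the post quotes
# (syslog timestamp, host, "kernel: device ... promiscuous mode").
SAMPLE_LOG = """\
Apr 26 18:56:30 KHCDNSS01 kernel: device eth0 entered promiscuous mode
Apr 26 18:56:34 KHCDNSS01 kernel: device eth0 left promiscuous mode
Apr 26 22:52:38 KHCDNSS01 kernel: device eth1 entered promiscuous mode
Apr 26 22:52:40 KHCDNSS01 ntpd[1234]: synchronized to 10.15.25.13, stratum 3
Apr 26 22:57:50 KHCDNSS01 kernel: device eth1 left promiscuous mode
Apr 27 10:53:49 KHCDNSS01 kernel: device eth0 entered promiscuous mode
"""

PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"device (?P<iface>\S+) (?P<event>entered|left) promiscuous mode$"
)


def parse_promisc_events(text, year):
    """Yield (timestamp, host, iface, event) for every promiscuous-mode line.

    Classic syslog lines carry no year, so the caller supplies it.
    """
    for line in text.splitlines():
        m = PROMISC_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["iface"], m["event"]


def promisc_sessions(text, year=2009):
    """Pair each 'entered' with the next 'left' per (host, iface).

    Returns (closed, still_open): closed is a list of
    (host, iface, start, seconds); still_open maps (host, iface) -> start
    for interfaces that never left promiscuous mode in this log window.
    """
    open_since, closed = {}, []
    for ts, host, iface, event in parse_promisc_events(text, year):
        key = (host, iface)
        if event == "entered":
            open_since[key] = ts          # a repeated 'entered' restarts the window
        elif key in open_since:           # ignore 'left' with no matching 'entered'
            start = open_since.pop(key)
            closed.append((host, iface, start, (ts - start).total_seconds()))
    return closed, open_since


def promisc_alerts(text, allowed=(), year=2009):
    """Return one alert string per session on an interface not in 'allowed'.

    'allowed' holds (host, iface) pairs where a sniffer is expected, e.g. a
    dedicated monitoring port; every other session is reported for follow-up.
    """
    closed, still_open = promisc_sessions(text, year)
    alerts = []
    for host, iface, start, secs in closed:
        if (host, iface) not in allowed:
            alerts.append(f"{host} {iface} promiscuous for {secs:.0f}s from {start:%b %d %H:%M:%S}")
    for (host, iface), start in still_open.items():
        if (host, iface) not in allowed:
            alerts.append(f"{host} {iface} promiscuous since {start:%b %d %H:%M:%S} (still open)")
    return alerts


if __name__ == "__main__":
    # eth1 is treated as the expected capture port; eth0 sessions are reported.
    for alert in promisc_alerts(SAMPLE_LOG, allowed={("KHCDNSS01", "eth1")}):
        print(alert)
```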

Of course, if you also want a filter, just set it according to the condition you want to match. For example, say I only want to capture packets related to RTSP:
[root@KHCDNSS01 ~]# tshark -i eth1 -Vtad -x -p port rtsp
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
Frame 1 (74 bytes on wire, 74 bytes captured)
Arrival Time: Apr 26, 2009 23:39:12.773857000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 74 bytes
Capture Length: 74 bytes
Protocols in frame: eth:ip:tcp
Ethernet II, Src: 00:15:60:a3:f4:67, Dst: 00:15:60:a3:f8:e5
Destination: 00:15:60:a3:f8:e5 (00:15:60:a3:f8:e5)
Source: 00:15:60:a3:f4:67 (00:15:60:a3:f4:67)
Type: IP (0x0800)
Internet Protocol, Src Addr: 172.24.4.44 (172.24.4.44), Dst Addr: 172.24.4.14 (172.24.4.14)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x03e6 (998)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0xd66b (correct)
Source: 172.24.4.44 (172.24.4.44)
Destination: 172.24.4.14 (172.24.4.14)
Transmission Control Protocol, Src Port: 57606 (57606), Dst Port: rtsp (554), Seq: 0, Ack: 0, Len: 0
Source port: 57606 (57606)
Destination port: rtsp (554)
Sequence number: 0 (relative sequence number)
Header length: 40 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 5792
Checksum: 0x57d2 (correct)
Options: (20 bytes)
Maximum segment size: 1460 bytes
SACK permitted
Time stamp: tsval 2080473562, tsecr 2080479415
NOP
Window scale: 0 (multiply by 1)

0000 00 15 60 a3 f8 e5 00 15 60 a3 f4 67 08 00 45 00 ..`.....`..g..E.
0010 00 3c 03 e6 40 00 40 06 d6 6b ac 18 04 2c ac 18 .<..@.@..k...,..
0020 04 0e e1 06 02 2a 01 28 82 3c 00 00 00 00 a0 02 .....*.(.<......
0030 16 a0 57 d2 00 00 02 04 05 b4 04 02 08 0a 7c 01 ..W...........|.
0040 81 da 7c 01 98 b7 01 03 03 00 ..|.......
Putting all of the above together, the command I use most often is really a combination like this:
[root@KHCDNSS01 ~]# tshark -i eth0 -Vtad -x icmp -p -w /tmp/test.log -S
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (98 bytes on wire, 98 bytes captured)
Arrival Time: Apr 27, 2009 10:53:50.326876000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes
Capture Length: 98 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: 00:22:19:50:bc:7e (00:22:19:50:bc:7e), Dst: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Destination: All-HSRP-routers_04 (00:00:0c:07:ac:04)
Address: All-HSRP-routers_04 (00:00:0c:07:ac:04)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
Address: 00:22:19:50:bc:7e (00:22:19:50:bc:7e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.15.25.13 (10.15.25.13), Dst: 192.168.161.5 (192.168.161.5)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0xb5df [correct]
[Good: True]
[Bad : False]
Source: 10.15.25.13 (10.15.25.13)
Destination: 192.168.161.5 (192.168.161.5)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0x866f [correct]
Identifier: 0x7a27
Sequence number: 1 (0x0001)
Data (56 bytes)
Data: 3E1EF549D4FC040008090A0B0C0D0E0F1011121314151617...

0000 00 00 0c 07 ac 04 00 22 19 50 bc 7e 08 00 45 00 .......".P.~..E.
0010 00 54 00 00 40 00 40 01 b5 df 0a 0f 19 0d c0 a8 .T..@.@.........
0020 a1 05 08 00 86 6f 7a 27 00 01 3e 1e f5 49 d4 fc .....oz'..)..I..
0030 04 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67

1 packets captured
[root@KHCDNSS01 ~]#
Having covered Wireshark on Linux, what about Solaris? In short, you can use snoop or tcpdump, though personally I prefer snoop. The available options are listed briefly below:
Usage: snoop
[ -a ] # Listen to packets on audio
[ -d device ] # Listen on interface named device
[ -s snaplen ] # Truncate packets
[ -c count ] # Quit after count packets
[ -P ] # Turn OFF promiscuous mode
[ -D ] # Report dropped packets
[ -S ] # Report packet size
[ -i file ] # Read previously captured packets
[ -o file ] # Capture packets in file
[ -n file ] # Load addr-to-name table from file
[ -N ] # Create addr-to-name table
[ -t r|a|d ] # Time: Relative, Absolute or Delta
[ -v ] # Verbose packet display
[ -V ] # Show all summary lines
[ -p first[,last] ] # Select packet(s) to display
[ -x offset[,length] ] # Hex dump from offset for length
[ -C ] # Print packet filter code
[ -q ] # Suppress printing packet count
[ -r ] # Do not resolve address to name

[ filter expression ]
Simply put, the usage is much the same as Wireshark. For example, below is a command I often use to check whether NTP clients are coming in to synchronise over NTP. You can of course change the filter part to something else; for instance, replacing "port ntp" with "bootp" lets you check whether DHCP clients are coming in to request an IP... The other options differ little from Wireshark: -d specifies the capture interface, -P likewise keeps the NIC out of "promiscuous mode", -r disables resolution of IP addresses to names, -v prints detailed packets, and -ta prints timestamps.....
47ksh# snoop -vVta -r -d bge0 -P -x5 port ntp
Using device /dev/bge0 (non promiscuous)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 11 arrived at 18:21:4.42140
ETHER: Packet size = 90 bytes
ETHER: Destination = 0:14:4f:a9:83:50,
ETHER: Source = 0:1a:f0:bc:b6:6d,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0xc0
IP: xxx. .... = 6 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 76 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 254 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 757e
IP: Source address = 10.16.25.34, 10.16.25.34
IP: Destination address = 10.17.25.32, 10.17.25.32
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 123
UDP: Destination port = 123 (NTP)
UDP: Length = 56
UDP: Checksum = F8E2
UDP:
NTP: ----- Network Time Protocol -----
NTP:
NTP: Leap = 0x0 (OK)
NTP: Version = 3
NTP: Mode = 3 (client)
NTP: Stratum = 3 (secondary reference)
NTP: Poll = 6
NTP: Precision = 238 seconds
NTP: Synchronizing distance = 0x0000.0064 (0.001526)
NTP: Synchronizing dispersion = 0x0000.040d (0.015823)
NTP: Reference clock = 10.17.25.32 (10.17.25.32)
NTP: Reference time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Originate time = 0xcda00550.6b9f8000 (2009-04-27 18:20:00.42040)
NTP: Receive time = 0xcda00550.6bbe484f (2009-04-27 18:20:00.42087)
NTP: Transmit time = 0xcda00590.6bc46a2c (2009-04-27 18:21:04.42097)


0: 8350 001a f0bc b66d 0800 45c0 004c 0000 .P.....m..E..L..
16: 0000 fe11 757e 0a10 1922 0a11 1920 007b ....u~..."... .{
32: 007b 0038 f8e2 1b03 06ee 0000 0064 0000 .{.8.........d..
48: 040d 0a11 1920 cda0 0550 6bbe 484f cda0 ..... .?.Pk.HO.?
64: 0550 6b9f 8000 cda0 0550 6bbe 484f cda0 .Pk?...?.Pk.HO.?
80: 0590 6bc4 6a2c ..k.j,

^C
root@KHXDNSS1:/etc/domain
OK, that's it for now~

---------- Addendum, 2009/04/30 -------------
Adding a filter I use often: I frequently need to analyse the RADIUS protocol between AAA servers, so I usually run the command like this (these are commands on a Linux OS):
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z "radius,rtd,ip.addr==xx.xx.xx.xx" -w /tmp/AAA-radius.cap -S
or:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x -z radius,rtd. -w /tmp/AAA-radius.cap -S
or simply like this:
[root@TEST01 ~]# tshark -Vtad -p -i bond1 -x port radius -w /tmp/AAA-radius.cap -S
By the way, with the -z option added, the following statistics appear when the capture finishes:
RADIUS Response Time Delay (RTD) Statistics:
Filter for statistics:
Duplicate requests: 3
Duplicate responses: 0
Open requests: 3
Discarded responses: 0
Type | Messages | Min RTD | Max RTD | Avg RTD | Min in Frame | Max in Frame |
Overall | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |
Access | 1 | 1.53 msec | 1.53 msec | 1.53 msec | 11 | 11 |
OK, end of addendum...

Network packet analyser Wireshark (formerly Ethereal) 1.0.0 released

Today, while installing and testing Quanta's Beceem WiMAX wireless cards on two new notebooks, I discovered that WinPcap had to be installed first. I didn't have the software on hand and had to go look online, and only then belatedly realised that Wireshark, which had sat at version 0.99 for a long time (it is the Ethereal everyone used to use), had released its official v1.0.0 on 31 March... and by the way, the bundled WinPcap is now v4.0.2.

No picture, no proof, so here is a screenshot...

The screen looks much the same; for the detailed changes you will have to read the release notes...

Anyone interested can download it from the official site. There is also a portable version available.
Wireshark official site: http://www.wireshark.org/
Wireshark v1.0.0 download page: http://www.wireshark.org/download.html
Those interested in portable software can also take a look at PortableApps.com.

OK, that's my report.

Why do all the packets captured by Ethereal show "TCP CHECKSUM INCORRECT"?

Today I received a mail saying someone on site had sent an Ethereal capture file in which the packets from vbsu2 bge0 to vscsmp1 bge0 were full of "TCP CHECKSUM INCORRECT", asking whether something was wrong with our network or machines...

I looked into it; there are two possible causes. The first, of course, is that the machines' checksums really are broken, but I checked both machines' network settings and they were fine, and "netstat -i" showed no problems either:
vbsu2# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 185648811 0 185648811 0 0 0
bge0 1500 vbsu2 vbsu2 3852441355 0 2300074072 0 0 0
bge1 1500 vbsu2 vbsu2 1308849274 0 654286221 0 0 0
bge2 1500 vbsu2_bge2 vbsu2_bge2 90997818 0 70916223 0 1 0
bge3 1500 vbsu2_bge3 vbsu2_bge3 66905686 0 68586413 0 1 0
vscsmp1# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 3009726492 0 3009726492 0 0 0
bge0 1500 vscsmp1 vscsmp1 2974853663 0 1088339819 0 0 0
bge3 1500 vscsmp1_qfe3 vscsmp1_qfe3 407128947 0 3519356 0 0 0
qfe0 1500 vscsmp1 vscsmp1 1227705888 0 831020139 0 0 0
qfe2 1500 172.16.0.128 172.16.0.129 3305973879 0 3289022674 0 0 0
bge2 1500 172.16.1.0 172.16.1.1 3279046154 7 3280696443 0 0 0
qfe1 1500 vscsmp1_qfe1 vscsmp1_qfe1 456708510 0 11583742 0 0 0
Next I checked the status of the switch ports the two machines are attached to:
VSW01# sh int Gi2/0/15
GigabitEthernet2/0/15 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0014.1c2e.a60f (bia 0014.1c2e.a60f)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:29, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 435000 bits/sec, 66 packets/sec
5 minute output rate 442000 bits/sec, 120 packets/sec
2299440955 packets input, 3364519803 bytes, 0 no buffer
Received 130985710 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1888829558 packets output, 1756426108 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
VSW01# sh int Gi2/0/1
GigabitEthernet2/0/1 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0014.1c2e.a601 (bia 0014.1c2e.a601)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 3/255, rxload 6/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:19, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2603000 bits/sec, 703 packets/sec
5 minute output rate 1218000 bits/sec, 626 packets/sec
1082693515 packets input, 2233319119 bytes, 0 no buffer
Received 554691 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1859379099 packets output, 1999426888 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
VSW01#
From the switch side there is nothing wrong; no packet errors at all. So for now I rule out a checksum error on the machines themselves.

The next possibility is checksum offload on the NICs these two SunFire V240 machines use. I checked further: the ce and bge NICs in our machines both support TCP checksum offload, and it is even enabled by default.

So there are two ways to stop seeing "TCP CHECKSUM INCORRECT". The first is to go to the machine and add the following line to /etc/system:
set ip:dohwcksum = 0
then reboot the machine.

The second way is a bit of an ostrich approach: go into Ethereal and turn off the checksum validation option:
Open Ethereal,
click Edit
> Preferences
then expand Protocols
select IP, and in the right-hand pane untick the "Validate the IP checksum if possible" option.
Then all is well with the world.
Reference: The Ethereal Wiki page

Here is the explanation of what TCP checksum offloading does, pasted directly for reference:

Many Gigabit network adapters have the "Checksum offload" feature enabled by default. When this is enabled, the adapter performs the time-consuming process of calculating the checksum which appears in both the IP header and in the TCP header of a packet.

For some network drivers, if the checksum calculations are offloaded then the checksum value(s) are set to zero. Ethereal captures each outgoing packet before it goes to the adapter, thus the checksum for the packet was not calculated.
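As an added example (not code from the post or from Wireshark), the Python below rebuilds a frame from the tshark -x hex dump shown in the first post (the RTSP SYN frame) and recomputes its IP header and TCP checksums the way Wireshark's validation does; it then zeroes the TCP checksum field to reproduce, in constructed form, what an outgoing packet looks like when it is captured before the adapter fills the checksum in. The frame_len parameter and the simulate_offload helper are assumptions of this example.

```python
import re
import struct

# The RTSP SYN frame as tshark -x printed it in the first post
# (offset, hex bytes, ASCII column per line; the ASCII column is ignored).
TSHARK_HEXDUMP = """\
0000 00 15 60 a3 f8 e5 00 15 60 a3 f4 67 08 00 45 00 ..`.....`..g..E.
0010 00 3c 03 e6 40 00 40 06 d6 6b ac 18 04 2c ac 18 .<..@.@..k...,..
0020 04 0e e1 06 02 2a 01 28 82 3c 00 00 00 00 a0 02 .....*.(.<......
0030 16 a0 57 d2 00 00 02 04 05 b4 04 02 08 0a 7c 01 ..W...........|.
0040 81 da 7c 01 98 b7 01 03 03 00 ..|.......
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(dump, frame_len=None):
    """Rebuild raw frame bytes from tshark -x output.

    Only the (up to 16) two-hex-digit tokens after the offset are taken. A
    short last line whose ASCII column happens to look like hex (the post's
    "0060 36 37 67" line is such a case) would add a bogus byte, so pass the
    length tshark reports in "Frame N (.. bytes captured)" as frame_len.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out[:frame_len] if frame_len is not None else out)


def checksum(data):
    """RFC 1071 ones'-complement checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ipv4_tcp(frame):
    """Validate IP header and TCP checksums of an Ethernet II / IPv4 / TCP frame.

    Returns {"ip": (stored, computed, ok), "tcp": (stored, computed, ok)},
    the same comparison behind Wireshark's "[correct]" and "CHECKSUM INCORRECT".
    """
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    ip_hdr = ip[:ihl]
    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_calc = checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])
    # Slice to Total Length so Ethernet trailer padding never enters the sum.
    tcp = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_stored = struct.unpack("!H", tcp[16:18])[0]
    tcp_calc = checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    return {"ip": (ip_stored, ip_calc, ip_stored == ip_calc),
            "tcp": (tcp_stored, tcp_calc, tcp_stored == tcp_calc)}


def simulate_offload(frame):
    """Constructed: the same frame as libpcap sees it on the sending host when
    the driver leaves the TCP checksum to the adapter, i.e. the field is still
    zero. The IP header checksum is left intact in this simulation."""
    ihl = (frame[14] & 0x0F) * 4
    off = 14 + ihl + 16
    return frame[:off] + b"\x00\x00" + frame[off + 2:]


if __name__ == "__main__":
    wire = parse_hexdump(TSHARK_HEXDUMP, frame_len=74)
    for label, f in (("on the wire", wire), ("captured before offload", simulate_offload(wire))):
        r = check_ipv4_tcp(f)
        print(f"{label}: ip 0x{r['ip'][0]:04x}/0x{r['ip'][1]:04x} ok={r['ip'][2]}; "
              f"tcp 0x{r['tcp'][0]:04x}/0x{r['tcp'][1]:04x} ok={r['tcp'][2]}")
```

The on-the-wire copy reproduces the 0xd66b and 0x57d2 values tshark marked as correct in the post, while the pre-offload copy shows the zero TCP checksum that Ethereal reports as incorrect.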