Running tcpdump over a telnet or ssh session to a Linux server gives output that is really hard to read.
There are two ways to print network packets in a readable form on a remote server reached over telnet or ssh.
(Method 1) Use the tshark command
With tshark, network packets are printed in a very readable form.
If you are a CentOS user, install the wireshark package as follows.
yum install wireshark
Then run the tshark command as shown below. (The -V option tells tshark to decode and print the full packet details.)
# tshark -i eth0 -nV port 53
Frame 10: 387 bytes on wire (3096 bits), 387 bytes captured (3096 bits) on interface 0
(intermediate lines omitted)
Ethernet II, Src: 00:08:5a:00:40:78 (00:08:5a:00:40:78), Dst: f0:1f:af:dc:ae:3b (f0:1f:af:dc:ae:3b)
Destination: f0:1f:af:dc:ae:3b (f0:1f:af:dc:ae:3b)
Address: f0:1f:af:dc:ae:3b (f0:1f:af:dc:ae:3b)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:08:5a:00:40:78 (00:08:5a:00:40:78)
Address: 00:08:5a:00:40:78 (00:08:5a:00:40:78)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 168.126.63.1 (168.126.63.1), Dst: 1.235.191.65 (1.235.191.65)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 373
Identification: 0x942b (37931)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 56
Protocol: UDP (17)
Header checksum: 0x44a1 [correct]
[Good: True]
[Bad: False]
Source: 168.126.63.1 (168.126.63.1)
Destination: 1.235.191.65 (1.235.191.65)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 61224 (61224)
Source port: 53 (53)
Destination port: 61224 (61224)
Length: 353
Checksum: 0x8acc [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Domain Name System (response)
[Request In: 9]
[Time: 0.003702000 seconds]
Transaction ID: 0x0898
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 11
Authority RRs: 4
Additional RRs: 4
Queries
plus.google.com: type A, class IN
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Answers
plus.google.com: type A, class IN, addr 173.194.127.226
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 58 seconds
Data length: 4
Addr: 173.194.127.226 (173.194.127.226)
plus.google.com: type A, class IN, addr 173.194.127.227
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 58 seconds
Data length: 4
Addr: 173.194.127.227 (173.194.127.227)
plus.google.com: type A, class IN, addr 173.194.127.228
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 58 seconds
Data length: 4
Addr: 173.194.127.228 (173.194.127.228)
plus.google.com: type A, class IN, addr 173.194.127.229
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 58 seconds
Data length: 4
Addr: 173.194.127.229 (173.194.127.229)
plus.google.com: type A, class IN, addr 173.194.127.230
Name: plus.google.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 58 seconds
Data length: 4
Addr: 173.194.127.230 (173.194.127.230)
(Method 2) Use the -A option of the tcpdump command
If tshark is not available, passing the -A option as in the commands below prints the TCP or UDP payload as ASCII.
(That is, only readable characters are printed to the terminal.)
With -A alone, the SYN, ACK and FIN segments used to set up and tear down the TCP session are also shown,
so add the condition tcp[32:4] = 0x47455420 to the filter. (0x47455420 is the hex encoding of the ASCII bytes "GET ".)
[ Print only HTTP GET request messages ]
tcpdump -i p2p2 -s 1500 -An 'src net 192.168.0.0/24' and dst port 80 and 'tcp[32:4] = 0x47455420'
[ Print both HTTP GET request and response messages ]
tcpdump -i em2 -s 1500 -An 'net 192.168.0.0/24 and (tcp[32:4] = 0x48545450 or tcp[32:4] = 0x47455420)'
or
tcpdump -i em2 -An -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(Note: of the three commands above, the third one produces the nicest output format.)
The output looks like the following.
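The three filters above all work by byte arithmetic on the IP and TCP headers, and tcpdump's output gives no hint why tcp[32:4] is the right offset. The following is an added example, not code from the original post: it evaluates the same expressions in Python over a constructed IPv4/TCP packet (constructed test data, no real traffic). It shows that tcp[32:4] only lands on the payload when the TCP header is exactly 32 bytes, i.e. the 20-byte base header plus the 12-byte nop,nop,timestamp options visible in the captures below; without those options the comparison silently misses. The third command's length expression (ip[2:2] - IHL - data offset) does not depend on the option length, which is why it catches every segment that carries data. The http_filter helper emits the variable-offset form of the method filter, which libpcap's index syntax supports; verify it against your tcpdump version before relying on it.

```python
import struct


def method_constant(prefix: str) -> int:
    """Return the 32-bit value tcpdump compares against, e.g. "GET " -> 0x47455420.

    The page's filters compare four payload bytes with the ASCII of the
    request/response prefix written as a hex number.
    """
    raw = prefix.encode("ascii")
    if len(raw) != 4:
        raise ValueError("tcp[off:4] compares exactly four bytes")
    return int.from_bytes(raw, "big")


def http_filter(prefix: str) -> str:
    """Variable-offset form of the page's filter: start at the real payload boundary."""
    return f"tcp[((tcp[12]&0xf0)>>2):4] = 0x{method_constant(prefix):08x}"


def build_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP packet (constructed test data, not captured).

    Ports and addresses mirror the first capture line on the page; checksums are
    left at zero because none of the filters inspect them.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(tcp_options) // 4          # TCP header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          57084, 80,                    # source / destination port
                          5014, 12833,                  # seq / ack
                          data_offset << 4,             # data offset in the upper nibble
                          0x18,                         # flags: PSH,ACK
                          324, 0, 0) + tcp_options      # window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x942b, 0x4000, 64, 6, 0,
                         bytes([192, 168, 0, 207]), bytes([112, 175, 42, 43]))
    return ip_hdr + tcp_hdr + payload


def _tcp_segment(pkt: bytes) -> bytes:
    """Skip the IPv4 header using IHL, as (ip[0]&0xf)<<2 does in the filter."""
    ihl = (pkt[0] & 0x0F) << 2
    return pkt[ihl:]


def payload_length(pkt: bytes) -> int:
    """Evaluate the third command: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)."""
    ip_total = struct.unpack("!H", pkt[2:4])[0]
    ihl = (pkt[0] & 0x0F) << 2
    tcp = pkt[ihl:]
    thl = (tcp[12] & 0xF0) >> 2
    return ip_total - ihl - thl


def matches_fixed_offset(pkt: bytes, prefix: str, offset: int = 32) -> bool:
    """Evaluate tcp[offset:4] = <constant>, exactly as the page's GET filter does."""
    window = _tcp_segment(pkt)[offset:offset + 4]
    return len(window) == 4 and int.from_bytes(window, "big") == method_constant(prefix)


def matches_variable_offset(pkt: bytes, prefix: str) -> bool:
    """Same comparison, but starting where the TCP data offset says the payload begins."""
    tcp = _tcp_segment(pkt)
    thl = (tcp[12] & 0xF0) >> 2
    return tcp[thl:thl + 4] == prefix.encode("ascii")


if __name__ == "__main__":
    # nop,nop,timestamp option block: 12 bytes, like "options [nop,nop,TS ...]" in the captures
    ts_opts = b"\x01\x01\x08\x0a" + (1951264).to_bytes(4, "big") + (632892989).to_bytes(4, "big")
    request = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    with_ts = build_packet(request, ts_opts)
    no_opts = build_packet(request)
    print("filter:", http_filter("GET "))
    print("with options : tcp[32:4] match =", matches_fixed_offset(with_ts, "GET "),
          "payload len =", payload_length(with_ts))
    print("no options   : tcp[32:4] match =", matches_fixed_offset(no_opts, "GET "),
          "payload len =", payload_length(no_opts))
```

Running the script prints a match for the packet carrying timestamp options and a miss for the same request without them, while payload_length reports the full request size in both cases. That is the practical reason the third command is the safer choice on hosts whose TCP stacks do not negotiate timestamps.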
13:17:04.233515 IP 192.168.0.207.57084 > 112.175.42.43.http: Flags [P.], seq 5014:5577, ack 12833, win 324, options [nop,nop,TS val 1951264 ecr 632892989], length 563
E..g.n@.@. .....p.*+...P7..FL......D*......
... %..=GET /include/style/default/SiteHeader/new_window_icon_blue.png HTTP/1.1
Referer: http://wwwimages.adobe.com/www.adobe.com/include/style/compressed.css
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: wwwimages.adobe.com
Connection: Keep-Alive
Cookie: READER_HTTPREFERER=http%3A%2F%2Fwww%2Eadobe%2Ecom%2F; READER_NEW_USER=false; REFERER_URL=http%3A%2F%2Fwww%2Eadobe%
13:17:04.257579 IP 192.168.0.207.47618 > 112.175.13.198.http: Flags [P.], seq 7922:8258, ack 1194783, win 65535, options [nop,nop,TS val 1951270 ecr 3946957185], length 336
....P!.B3...............
...&.A..GET /_common/showThumb.asp?dire=infoMovie&fn=IMG%5F1272thumb%2Ejpg HTTP/1.1
Referer: http://kumon.co.kr/product/edu2_math.asp
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: kumon.co.kr
Connection: Keep-Alive
Cookie: ASPSESSIONIDSQQAQABD=MCBEOLEDLACODBPMGANNNFHG
13:17:04.465645 IP 192.168.0.207.47152 > a184-50-205-15.deploy.static.akamaitechnologies.com.http: Flags [P.], seq 335:669, ack 563, win 123, options [nop,nop,TS val 1951322 ecr 3284250484], length 334
E....N@.@..n.....2...0.PS.y..i.....{Z......
...Z...tGET /itunes/features/ HTTP/1.1
Referer: https://itunes.apple.com/app/id657500465?mt=8
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: www.apple.com
Connection: Keep-Alive
Cookie: ccl=fZMrl+bDAe8OE6vShNUGZA==; dssid2=3069a63c-9e19-42bf-b4bb-ec4af96b2ccd; geo=KR