Created
August 30, 2014 17:53
Presentation slides from the 20th "Network Packet Reading Meetup (tentative)".
%% Presentation slides for the "Network Packet Reading Meetup (tentative)".
%%
%% 20th "Network Packet Reading Meetup (tentative)"
%% https://atnd.org/events/54939
%%
%% Convert the file to sjis before displaying it with MagicPoint.
%% $ mkdir tmp
%% $ iconv -f euc-jp -t cp932 slide.mgp > tmp/slide.mgp
%% $ mgp tmp/slide.mgp
%include "default.mgp"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%size 7, font "standard", fore "white", vgap 20, back "black"
%bquality 10
%bgrad 25 25 128 -45 1 "black" "blue" "black"
%right, size 4
2014/08/28
20th "Network Packet Reading Meetup (tentative)"
%center, size 7
Starting from a tcpdump hex dump:
an introduction to decoding network packets
%size 6
@furandon_pig
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
About me
Twitter ID: @furandon_pig
The name comes from Kenji Miyazawa's "Furandon Nōgakkō no Buta" (The Pig of Flandon Agricultural School)
Blog:
夜はいよいよ冴えたのだ
http://furandon-pig.hatenablog.com/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Today's topics
Reading a tcpdump hex dump
ARP (Address Resolution Protocol)
IP (Internet Protocol) ... just the basics
ICMP (Internet Control Message Protocol)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Scope of today's talk
%size 3
  + - - -+ + - - + + - - +     + - - +
  |Telnet| | FTP | | TFTP| ... | ... |
  + - - -+ + - - + + - - +     + - - +
        |   |         |           |
       + - - +     + - - +     + - - +
       | TCP |     | UDP | ... | ... |
       + - - +     + - - +     + - - +
          |           |           |
       +--------------------------+----+
       | Internet Protocol & ICMP |    |
       +--------------------------+----+
                      |
         +---------------------------+
         |  Local Network Protocol   |
         +---------------------------+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Test environment (1/2)
%center, image "img/net.tiff"
%left
Built the environment on virtual machines
Created a dedicated network for the test machines
This keeps packets from other networks from getting mixed in
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Test environment (2/2)
%center, image "img/tmn.tiff"
%left
Capture packets on the test machine network
Ping from get to wild and capture on both sides
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Packet capture procedure
Packet capture on the wild side
$ sudo tcpdump -w wild.pcap -i wm1
Packet capture on the get side
$ sudo tcpdump -w get.pcap -i wm1
Ping from get to wild
$ ping -c 1 10.0.2.2
Check the captured data on the wild side
"-XX" makes the dump start from the Ethernet header
$ tcpdump -XXNnev -r wild.pcap | less
Check the captured data on the get side
$ tcpdump -XXNnev -r get.pcap | less
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Capture results (1/2)
%size 4
$
08:14:16.377533 IP 10.0.2.1 > 10.0.2.2: ICMP echo request, id 57423, seq 0, length 64
08:14:16.377637 ARP, Request who-has 10.0.2.1 tell 10.0.2.2, length 28
08:14:16.377823 ARP, Reply 10.0.2.1 is-at 08:00:27:62:6a:25 (oui Unknown), length 46
08:14:16.377875 IP 10.0.2.2 > 10.0.2.1: ICMP echo reply, id 57423, seq 0, length 64
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Capture results (2/2)
%size 3
08:14:16.377533 08:00:27:62:6a:25 > 08:00:27:28:02:6d, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 255, id 32201, offset 0, flags [none], proto ICMP (1), length 84)
10.0.2.1 > 10.0.2.2: ICMP echo request, id 57423, seq 0, length 64
0x0000: 0800 2728 026d 0800 2762 6a25 0800 4500 ..'(.m..'bj%..E.
0x0010: 0054 7dc9 0000 ff01 25dd 0a00 0201 0a00 .T}.....%.......
0x0020: 0202 0800 ba5d e04f 0000 5c03 0000 0000 .....].O..\.....
0x0030: 0000 96af fc1c 0c0d 0e0f 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 0000 &'()*+,-./0123..
0x0060: 0000 ..
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Ethernet header (1/2)
Start reading from the Ethernet frame
The value of the Type field (2 bytes) is the key
0x0806 → ARP
0x0800 → Internet Protocol (version 4)
%size 4
+-------------+-------------+----------+-----------+
| Dst MAC (6) | Src MAC (6) | Type (2) | Data...   |
+-------------+-------------+----------+-----------+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Ethernet header (2/2)
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Destination MAC (6 bytes)                   |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |     Source MAC (6 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Type (2 bytes)         |            Data...            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP header
Value of the Operation field (2 bytes)
0x0001 → ARP request
0x0002 → ARP reply
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Hardware type (2 bytes)    |    Protocol type (2 bytes)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Hw size    |  Proto size   |      Operation (2 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Sender MAC address (6 bytes)                  |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |  Sender IP address (4 bytes)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      (Sender IP, cont.)       |  Target MAC address (6 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Target IP address (4 bytes)                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
IP header
Today we focus on Version, IHL and the {Source, Destination} Address fields
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ICMP packet
Echo or Echo Reply Message
Type values
0x08 → echo message
0x00 → echo reply message
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-
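As an added example (not part of the original slides), the following Python decoder takes the tcpdump -XX hex dump from the capture-results slide and walks the Ethernet, IP and ICMP headers in the same order as the three diagrams above, also verifying the IP and ICMP checksums that the slides skip. Only the hex dump input comes from the slide; the function names and the tolerant hex-dump parser are assumptions of this example.

```python
import re
import struct
# Constructed input: hex columns of the slide's tcpdump -XX dump (get -> wild echo request).
HEXDUMP = """
0x0000: 0800 2728 026d 0800 2762 6a25 0800 4500
0x0010: 0054 7dc9 0000 ff01 25dd 0a00 0201 0a00
0x0020: 0202 0800 ba5d e04f 0000 5c03 0000 0000
0x0030: 0000 96af fc1c 0c0d 0e0f 1011 1213 1415
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 0000
0x0060: 0000
"""

def parse_hexdump(text):
    """Rebuild the raw frame from tcpdump -XX lines; the trailing ASCII column may be present."""
    frame = bytearray()
    for line in text.strip().splitlines():
        for word in line.split()[1:9]:            # skip "0xNNNN:", at most 8 hex groups per line
            if not re.fullmatch(r"[0-9a-fA-F]{2,4}", word):
                break                             # first non-hex token starts the ASCII column
            frame += bytes.fromhex(word)
    return bytes(frame)

def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the embedded checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> ICMP exactly as the slides read the dump by hand."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                       # 0x0806 would be ARP, not handled here
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # IHL counts 32-bit words
    icmp = ip[ihl:total_len]                      # Total Length bounds the ICMP part
    itype, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "version": ver_ihl >> 4,
        "ihl": ihl, "total_len": total_len, "ip_id": ip_id, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_csum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code, "icmp_id": icmp_id, "icmp_seq": seq,
        "icmp_csum_ok": inet_checksum(icmp) == 0,
    }
```

Every field it returns can be checked against the tcpdump -v summary line on the capture-results slide (ttl 255, id 32201, proto 1, length 84, ICMP id 57423, seq 0).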
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP request
%center, image "img/arp_req.tiff"
Sent as an L2-level broadcast
The target IP is 10.0.2.2, but its MAC is unknown, so that field is filled with zeros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP reply
%center, image "img/arp_reply.tiff"
The machine that has the matching MAC address replies
It returns the MAC address corresponding to 10.0.2.2
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
IP header
%center, image "img/ip.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Echo request
%center, image "img/echo.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Echo reply
%center, image "img/echo_reply.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Summary
Using an ICMP packet as the example, we read through captured data
We decoded the packet from the contents of a tcpdump hex dump
L2-level address resolution with ARP
Decoding the IP header
Decoding the ICMP echo/reply messages
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Referenced RFCs
RFC (Request for Comments)
RFC 791: INTERNET PROTOCOL
RFC 792: INTERNET CONTROL MESSAGE PROTOCOL