Presentation slides from the 20th ネットワークパケットを読む会(仮) (Network Packet Reading Meetup, tentative name).
%% Presentation slides from the ネットワークパケットを読む会(仮) (Network Packet Reading Meetup).
%%
%% 20th ネットワークパケットを読む会(仮)
%% https://atnd.org/events/54939
%%
%% To display with MagicPoint, convert the file to Shift_JIS (sjis) first:
%% $ mkdir tmp
%% $ iconv -f euc-jp -t cp932 slide.mgp > tmp/slide.mgp
%% $ mgp tmp/slide.mgp
%include "default.mgp"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%size 7, font "standard", fore "white", vgap 20, back "black"
%bquality 10
%bgrad 25 25 128 -45 1 "black" "blue" "black"
%right, size 4
2014/08/28 
20th ネットワークパケットを読む会(仮) (Network Packet Reading Meetup)
%center, size 7
An Introduction to Network Packet Decoding,
Starting from the tcpdump Hex Dump
%size 6
@furandon_pig
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
About me
Twitter ID: @furandon_pig
The name comes from Kenji Miyazawa's "The Pig of Frandon Agricultural School" (フランドン農学校の豚)
Blog:
夜はいよいよ冴えたのだ
http://furandon-pig.hatenablog.com/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Today's topics
Reading a tcpdump hex dump
ARP (Address Resolution Protocol)
IP (Internet Protocol) ... only the basics
ICMP (Internet Control Message Protocol)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Scope of today's talk
%size 3
+------+ +-----+ +-----+     +-----+
|Telnet| | FTP | | TFTP| ... | ... |
+------+ +-----+ +-----+     +-----+
      |   |         |           |
     +-----+     +-----+     +-----+
     | TCP |     | UDP | ... | ... |
     +-----+     +-----+     +-----+
        |           |           |
     +--------------------------+----+
     |    Internet Protocol & ICMP   |
     +--------------------------+----+
                    |
       +---------------------------+
       |   Local Network Protocol  |
       +---------------------------+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Test environment (1/2)
%center, image "img/net.tiff"
%left
The environment was built on virtual machines
A dedicated network was created for the test machines
This keeps packets from other networks from getting mixed in
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Test environment (2/2)
%center, image "img/tmn.tiff"
%left
Capture packets on the test-machine network
Ping from get to wild and capture on both sides
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Packet capture procedure
Packet capture on the wild side
$ sudo tcpdump -w wild.pcap -i wm1
Packet capture on the get side
$ sudo tcpdump -w get.pcap -i wm1
Ping from get to wild
$ ping -c 1 10.0.2.2
Check the captured data on the wild side
"-XX" makes the dump start from the Ethernet header
$ tcpdump -XXNnev -r wild.pcap | less
Check the captured data on the get side
$ tcpdump -XXNnev -r get.pcap | less
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Capture results (1/2)
%size 4
$
08:14:16.377533 IP 10.0.2.1 > 10.0.2.2: ICMP echo request, id 57423, seq 0, length 64
08:14:16.377637 ARP, Request who-has 10.0.2.1 tell 10.0.2.2, length 28
08:14:16.377823 ARP, Reply 10.0.2.1 is-at 08:00:27:62:6a:25 (oui Unknown), length 46
08:14:16.377875 IP 10.0.2.2 > 10.0.2.1: ICMP echo reply, id 57423, seq 0, length 64
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Capture results (2/2)
%size 3
08:14:16.377533 08:00:27:62:6a:25 > 08:00:27:28:02:6d, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 255, id 32201, offset 0, flags [none], proto ICMP (1), length 84)
10.0.2.1 > 10.0.2.2: ICMP echo request, id 57423, seq 0, length 64
0x0000: 0800 2728 026d 0800 2762 6a25 0800 4500 ..'(.m..'bj%..E.
0x0010: 0054 7dc9 0000 ff01 25dd 0a00 0201 0a00 .T}.....%.......
0x0020: 0202 0800 ba5d e04f 0000 5c03 0000 0000 .....].O..\\.....
0x0030: 0000 96af fc1c 0c0d 0e0f 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 0000 &'()*+,-./0123..
0x0060: 0000 ..
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Ethernet header (1/2)
Start reading from the Ethernet frame
The Type field (2 bytes) is the key
0x0806 → ARP
0x0800 → Internet Protocol (version 4)
%size 4
+---------------------+----------------+----------+---------+
| Destination MAC (6) | Source MAC (6) | Type (2) | Data... |
+---------------------+----------------+----------+---------+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Ethernet header (2/2)
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Destination MAC (6 bytes)                   |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |     Source MAC (6 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Type (2 bytes)         |            Data...            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP header
Operation field (2 bytes) values
0x0001 → ARP request
0x0002 → ARP reply
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                |    Hardware type (2 bytes)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Protocol type (2 bytes)    |  HW size (1)  |Proto size (1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Operation (2 bytes)      |     Sender MAC (6 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Sender IP (4 bytes)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Target MAC (6 bytes)                      |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |      Target IP (4 bytes)      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------------------------+
|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
IP header
This time we focus on Version, IHL, and the Source/Destination Address fields
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ICMP packet
Echo or Echo Reply Message
Type values
0x08 → echo message
0x00 → echo reply message
%size 3
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP request
%center, image "img/arp_req.tiff"
Sent as an L2-level broadcast
The target IP is 10.0.2.2, but since its MAC is unknown, the target MAC is filled with zeros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
ARP reply
%center, image "img/arp_reply.tiff"
The machine that owns the corresponding MAC address responds
It returns the MAC address corresponding to 10.0.2.2
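As an added example (not part of the original slides), a Python decoder that rebuilds the 98-byte frame from the tcpdump -XX lines on the capture-results slide and walks the Ethernet, ARP, IP and ICMP fields in the layout the header slides give, verifying the IP and ICMP checksums along the way; the ARP request bytes are constructed here to match the "who-has 10.0.2.1 tell 10.0.2.2" line in the capture output.

```python
import re, struct
from ipaddress import IPv4Address

# Constructed sample: tcpdump -XX lines copied from the capture-results slide
# (ICMP echo request 10.0.2.1 -> 10.0.2.2), ASCII column included as printed.
ECHO_REQUEST_DUMP = r"""
0x0000: 0800 2728 026d 0800 2762 6a25 0800 4500 ..'(.m..'bj%..E.
0x0010: 0054 7dc9 0000 ff01 25dd 0a00 0201 0a00 .T}.....%.......
0x0020: 0202 0800 ba5d e04f 0000 5c03 0000 0000 .....].O..\.....
0x0030: 0000 96af fc1c 0c0d 0e0f 1011 1213 1415 ................
0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%
0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 0000 &'()*+,-./0123..
0x0060: 0000 ..
"""
# Constructed ARP request for "who-has 10.0.2.1 tell 10.0.2.2": broadcast dst MAC, htype 1,
# ptype 0x0800, hlen 6, plen 4, op 1, sender 08:00:27:28:02:6d/10.0.2.2, target MAC zeroed.
ARP_REQUEST = bytes.fromhex("ffffffffffff08002728026d0806" "0001080006040001"
                            "08002728026d0a000202" "0000000000000a000201")
def dump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -XX lines; skip the offset and ASCII columns."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for group in line.split(":", 1)[1].split()[:8]:      # <= 8 hex groups per line
            if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", group):
                break                                        # ASCII column reached
            out += bytes.fromhex(group)
    return bytes(out)
def inet_checksum(data):
    """RFC 791/792 one's-complement sum of 16-bit words; 0 means the checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def parse_frame(raw):
    """Decode Ethernet, then ARP or IPv4 (+ ICMP echo), following the slides' field layout."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    f = {"dst_mac": mac(raw[:6]), "src_mac": mac(raw[6:12]), "ethertype": int.from_bytes(raw[12:14], "big")}
    p = raw[14:]
    if f["ethertype"] == 0x0806:                         # ARP, fixed 28-byte header
        f["arp_op"] = int.from_bytes(p[6:8], "big")     # 1 = request, 2 = reply
        f["sender_mac"], f["sender_ip"] = mac(p[8:14]), str(IPv4Address(p[14:18]))
        f["target_mac"], f["target_ip"] = mac(p[18:24]), str(IPv4Address(p[24:28]))
    elif f["ethertype"] == 0x0800:                       # IPv4
        f["ip_version"], ihl = p[0] >> 4, (p[0] & 0x0F) * 4   # IHL is in 32-bit words
        f["src_ip"], f["dst_ip"] = str(IPv4Address(p[12:16])), str(IPv4Address(p[16:20]))
        f["ip_checksum_ok"] = inet_checksum(p[:ihl]) == 0
        if p[9] == 1:                                    # protocol 1 = ICMP
            icmp = p[ihl:int.from_bytes(p[2:4], "big")]  # bounded by Total Length
            f["icmp_type"], f["icmp_id"], f["icmp_seq"] = icmp[0], *struct.unpack("!HH", icmp[4:8])
            f["icmp_checksum_ok"] = inet_checksum(icmp) == 0
    return f
```

A checksum that does not come out as 0 is a quick sanity check that the dump was copied correctly (or that a header was altered in transit).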
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
IP header
%center, image "img/ip.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
echo request
%center, image "img/echo.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
echo reply
%center, image "img/echo_reply.tiff"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Summary
We read captured data, using an ICMP packet as the example
We decoded the packet from the tcpdump hex dump
L2-level address resolution with ARP
Decoding the IP header
Decoding the ICMP echo/reply messages
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%pcache 1 1 1 30
%bgrad 25 25 128 -45 1 "black" "blue" "black"
Referenced RFCs
RFC (Request for Comments)
RFC 791: INTERNET PROTOCOL
RFC 792: INTERNET CONTROL MESSAGE PROTOCOL