SPAN の練習
本エントリについて
Dynagen、Dynamips を使って、 SPANを練習します。RSPAN、ERSPAN は対象外です。
Dynagen、Dynamips の利用環境はすでに整っているものとします。
SPANはSwitched Port Analyzer の略です。
SPANにより、指定したポートを通過するパケットを別のポートに転送します。
SPAN
下記の環境で、fa1/4 を通過するパケットを fa1/0 に転送する設定をします
sw11#show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
sw01 Fas 1/14 132 R S I 3725 Fas 1/0
sw11#show int status
Port Name Status Vlan Duplex Speed Type
Fa1/0 connected 10 auto auto 10/100BaseTX
Fa1/1 connected 10 a-full a-100 10/100BaseTX
Fa1/2 notconnect 10 auto auto 10/100BaseTX
Fa1/3 notconnect 10 auto auto 10/100BaseTX
Fa1/4 connected 11 a-full a-100 10/100BaseTX
Fa1/5 connected 11 a-full a-100 10/100BaseTX
Fa1/6 notconnect 11 auto auto 10/100BaseTX
Fa1/7 notconnect 11 auto auto 10/100BaseTX
Fa1/8 notconnect 1 auto auto 10/100BaseTX
Fa1/9 notconnect 1 auto auto 10/100BaseTX
Fa1/10 notconnect 1 auto auto 10/100BaseTX
Fa1/11 notconnect 1 auto auto 10/100BaseTX
Fa1/12 notconnect 1 auto auto 10/100BaseTX
Fa1/13 notconnect 1 auto auto 10/100BaseTX
Fa1/14 connected trunk a-full a-100 10/100BaseTX
Fa1/15 connected trunk a-full a-100 10/100BaseTX
設定コマンドは下記になります。
sw11(config)#monitor session 1 source int fa1/4
sw11(config)#monitor session 1 destination int fa1/0
fa1/0 に接続したLinux端末で、tcpdump コマンドでパケットキャプチャしてみます。ここではtap0 インタフェースを通るパケットをキャプチャし、内容を capture_access.cap ファイルに保存しています。
終了するには Ctrl + c を押下します。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -i tap0 -w capture_access.cap
パケット転送が不要になったら、SPAN を終了します。
sw11(config)#no monitor session 1 destination int fa1/0
sw11(config)#no monitor session 1 source int fa1/4
パケットキャプチャを保存したファイルの内容を出力してみます。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -r capture_access.cap | less
06:38:43.460544 STP 802.1d, Config, Flags [none], bridge-id c000.c2:02:03:8f:00:01.802d, length 43
06:38:44.378475 ARP, Request who-has ip-10-2-1-2.ap-northeast-1.compute.internal (Broadcast) tell ip-10-2-1-1.ap-northeast-1.compute.internal, length 50
06:38:45.378384 ARP, Request who-has ip-10-2-1-2.ap-northeast-1.compute.internal (Broadcast) tell ip-10-2-1-1.ap-northeast-1.compute.internal, length 50
06:38:45.378464 ARP, Reply ip-10-2-1-2.ap-northeast-1.compute.internal is-at 00:50:79:66:68:02 (oui Unknown), length 50
06:38:45.379439 IP ip-10-2-1-1.ap-northeast-1.compute.internal > ip-10-2-1-2.ap-northeast-1.compute.internal: ICMP echo request, id 58656, seq 1, length 72
06:38:45.379567 IP ip-10-2-1-2.ap-northeast-1.compute.internal > ip-10-2-1-1.ap-northeast-1.compute.internal: ICMP echo reply, id 58656, seq 1, length 72
-n オプションを指定すると、アドレス、ポートを名前に変換しないで、数値のまま出力します。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -r capture_access.cap -n | less
06:38:43.460544 STP 802.1d, Config, Flags [none], bridge-id c000.c2:02:03:8f:00:01.802d, length 43
06:38:44.378475 ARP, Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:38:45.378384 ARP, Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:38:45.378464 ARP, Reply 10.2.1.2 is-at 00:50:79:66:68:02, length 50
06:38:45.379439 IP 10.2.1.1 > 10.2.1.2: ICMP echo request, id 58656, seq 1, length 72
06:38:45.379567 IP 10.2.1.2 > 10.2.1.1: ICMP echo reply, id 58656, seq 1, length 72
取得元として trunk ポートを指定する
SPANのソースポートとして trunk ポートを指定することができます。
sw11(config)#monitor session 1 source int fa1/14
sw11(config)#monitor session 1 destination int fa1/0
同じように、キャプチャ内容を capture_trunk.cap に保存してみます。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -i tap0 -w capture_trunk.cap
SPANを終了します。
sw11(config)#no monitor session 1 destination int fa1/0
sw11(config)#no monitor session 1 source int fa1/14
保存したファイルの内容を出力してみます。
trunkポートを通る802.1q のタグを付けられたパケットの内容を表示できます。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -r capture_trunk.cap -n | less
06:50:28.323970 VTPv1, Message Join message (0x04), length 166
06:50:31.650552 ARP, Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:31.778420 IP 10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
06:50:31.788563 IP 10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
06:50:44.118313 ARP, Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:44.164313 ARP, Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
06:50:44.164817 IP 10.2.1.1 > 10.2.1.252: ICMP echo request, id 46115, seq 1, length 72
06:50:44.194663 IP 10.2.1.252 > 10.2.1.1: ICMP echo reply, id 46115, seq 1, length 72
出力先として trunk ポートを指定する
trunk ポートをSPANの出力先ポートとして指定すると、指定されたポートが non-trunk になります。
sw11(config)#monitor session 1 destination int fa1/14
Jan 14 21:47:31.989: %DTP-5-NONTRUNKPORTON: Port Fa1/14 has become non-trunk
sw11(config)#no monitor session 1 destination int fa1/14
Jan 14 21:47:55.695: %DTP-5-TRUNKPORTON: Port Fa1/14 has become dot1q trunk
Dynagen でキャプチャする
ここで、SPANから離れ、Dynamips/Dynagen の話題になります。
Dynagen で capture コマンドを実行すると、各デバイスのインタフェースを通過するパケットをキャプチャしてファイルに出力することができます。
=> help capture
[no] capture device interface filename [link-type]
Begins a capture of all packets in and out of "interface" on "device".
Enclose the filename in quotes if there are spaces in the filespec. The capture
file is written to the dynamips host. Link type is one of:
ETH (Ethernet 10/100/1000)
FR (Frame-Relay)
HDLC (Cisco HDLC)
PPP (PPP on serial)
Captures of ethernet interfaces default to EN10MB, but for serial interfaces
the link type must be specified.
Examples:
capture R1 f0/0 example.cap -- Capture packets in and out of f0/0
on R1 and write the output to
example.cap
capture R1 s0/0 example2.cap HDLC -- Capture and specify HDLC
encapsulation
no capture R1 s0/0 -- End the packet capture
アクセスポートのパケットをキャプチャしてみます。
=> capture sw11 f1/4 capture_access_dynagen.cap
=> no capture sw11 f1/4
保存したファイルの内容を表示するには、やはり、tcpdump コマンドを利用することができます。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -r capture_access_dynagen.cap -n | less
06:57:38.625958 STP 802.1d, Config, Flags [none], bridge-id c000.c2:02:03:8f:00:01.802d, length 43
06:57:40.442333 ARP, Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:57:40.442515 ARP, Reply 10.2.1.2 is-at 00:50:79:66:68:02, length 50
06:57:40.443335 IP 10.2.1.1 > 10.2.1.2: ICMP echo request, id 21541, seq 1, length 72
06:57:40.443403 IP 10.2.1.2 > 10.2.1.1: ICMP echo reply, id 21541, seq 1, length 72
トランクポートのパケットをキャプチャしてみます。
=> capture sw11 f1/14 capture_trunk_dynagen.cap
=> no capture sw11 f1/14
保存した内容を表示してみます。
admin@ip-10-0-0-73:~/zenn$ sudo tcpdump -r capture_trunk_dynagen.cap -n | less
07:00:52.603719 VTPv1, Message Join message (0x04), length 166
07:00:54.827025 STP 802.1d, Config, Flags [none], bridge-id 4000.c2:00:03:8f:00:02.8029, length 42
07:00:55.786329 ARP, Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
07:00:55.794972 ARP, Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
07:00:55.795868 IP 10.2.1.1 > 10.2.1.252: ICMP echo request, id 5926, seq 1, length 72
07:00:55.805058 IP 10.2.1.252 > 10.2.1.1: ICMP echo reply, id 5926, seq 1, length 72
tcpdump のオプション
tcpdump コマンドのオプションについていくつか紹介します。
-e オプションは、L2フレームヘッダの情報を表示します。
(tcpdump という名称ですが tcp に限定されてもいませんし、パケットキャプチャとは言いますが L3以上に限定されてもいません)
pi@doorcamera:/tmp $ tcpdump -r capture_access.cap -n -e | less
06:38:43.460544 c2:02:03:8f:f1:04 > 01:80:c2:00:00:00, 802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id c000.c2:02:03:8f:00:01.802d, length 35
06:38:44.378475 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 64: Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:38:45.378384 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 64: Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:38:45.378464 00:50:79:66:68:02 > 00:50:79:66:68:01, ethertype ARP (0x0806), length 64: Reply 10.2.1.2 is-at 00:50:79:66:68:02, length 50
06:38:45.379439 00:50:79:66:68:01 > 00:50:79:66:68:02, ethertype IPv4 (0x0800), length 106: 10.2.1.1 > 10.2.1.2: ICMP echo request, id 58656, seq 1, length 72
06:38:45.379567 00:50:79:66:68:02 > 00:50:79:66:68:01, ethertype IPv4 (0x0800), length 106: 10.2.1.2 > 10.2.1.1: ICMP echo reply, id 58656, seq 1, length 72
trunkポートのキャプチャだと、802.1Q の VLANタグ付けされていることも知ることができます。
まずは、SPANでキャプチャした内容です。
pi@doorcamera:/tmp $ tcpdump -r capture_trunk.cap -n -e | less
06:50:28.323970 c2:02:03:8f:f1:0e > 01:00:0c:cc:cc:cc, 802.3, length 174: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid VTP (0x2003), length 166: VTPv1, Message Join message (0x04), length 166
06:50:31.650552 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 64: Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:31.778420 c2:02:03:8f:00:00 > c2:00:03:8f:00:00, ethertype 802.1Q (0x8100), length 94: vlan 1, p 0, ethertype IPv4 (0x0800), 10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
06:50:31.788563 c2:00:03:8f:00:00 > 1a:19:9e:ef:96:43, ethertype 802.1Q (0x8100), length 94: vlan 10, p 0, ethertype IPv4 (0x0800), 10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
06:50:44.118313 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 64: Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:44.164313 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP (0x0806), Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
06:50:44.164817 00:50:79:66:68:01 > c2:00:03:8f:00:00, ethertype IPv4 (0x0800), length 106: 10.2.1.1 > 10.2.1.252: ICMP echo request, id 46115, seq 1, length 72
06:50:44.194663 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 110: vlan 11, p 0, ethertype IPv4 (0x0800), 10.2.1.252 > 10.2.1.1: ICMP echo reply, id 46115, seq 1, length 72
次は、Dynagenでキャプチャした内容です。スイッチによる変更・処理を行う前のパケットの内容となります。
pi@doorcamera:/tmp $ tcpdump -r capture_trunk_dynagen.cap -n -e | less
07:00:54.827025 c2:00:03:8f:f1:00 > 01:00:0c:cc:cc:cd, ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, 802.3LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid PVST (0x010b), length 42: STP 802.1d, Config, Flags [none], bridge-id 4000.c2:00:03:8f:00:02.8029, length 42
07:00:55.786329 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype ARP (0x0806), Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
07:00:55.794972 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP (0x0806), Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
07:00:55.795868 00:50:79:66:68:01 > c2:00:03:8f:00:00, ethertype 802.1Q (0x8100), length 110: vlan 11, p 0, ethertype IPv4 (0x0800), 10.2.1.1 > 10.2.1.252: ICMP echo request, id 5926, seq 1, length 72
07:00:55.805058 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 110: vlan 11, p 0, ethertype IPv4 (0x0800), 10.2.1.252 > 10.2.1.1: ICMP echo reply, id 5926, seq 1, length 72
-v オプションを指定すると、通信内容について解釈して表示します。
この例では、VTP、NTP、Pingの通信内容を見ることができ、それぞれのプログラムの理解やトラブルシュートに役立ちます。
pi@doorcamera:/tmp $ tcpdump -r capture_trunk.cap -n -v | less
06:50:28.323970 VTPv1, Message Join message (0x04), length 166
Domain name: ccna, Rsvd: 0
06:50:31.650552 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:31.778420 IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 76)
10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
Leap indicator: (0), Stratum 5 (secondary reference), poll 7 (128s), precision -18
Root Delay: 0.024063, Root dispersion: 0.293914, Reference-ID: 0x0a020001
Reference Timestamp: 3882721575.783404808 (2023-01-14T21:46:15Z)
Originator Timestamp: 3882721575.790269586 (2023-01-14T21:46:15Z)
Receive Timestamp: 3882721575.783404808 (2023-01-14T21:46:15Z)
Transmit Timestamp: 3882721831.732596018 (2023-01-14T21:50:31Z)
Originator - Receive Timestamp: -0.006864778
Originator - Transmit Timestamp: +255.942326432
06:50:31.788563 IP (tos 0xc0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 76)
10.2.254.11.123 > 10.2.0.1.123: NTPv3, Client, length 48
Leap indicator: (0), Stratum 5 (secondary reference), poll 7 (128s), precision -18
Root Delay: 0.024063, Root dispersion: 0.293914, Reference-ID: 0x0a020001
Reference Timestamp: 3882721575.783404808 (2023-01-14T21:46:15Z)
Originator Timestamp: 3882721575.790269586 (2023-01-14T21:46:15Z)
Receive Timestamp: 3882721575.783404808 (2023-01-14T21:46:15Z)
Transmit Timestamp: 3882721831.732596018 (2023-01-14T21:50:31Z)
Originator - Receive Timestamp: -0.006864778
Originator - Transmit Timestamp: +255.942326432
06:50:44.118313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
06:50:44.164313 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
06:50:44.164817 IP (tos 0x0, ttl 64, id 9140, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.1 > 10.2.1.252: ICMP echo request, id 46115, seq 1, length 72
06:50:44.194663 IP (tos 0x0, ttl 255, id 9140, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.252 > 10.2.1.1: ICMP echo reply, id 46115, seq 1, length 72
-x オプションを指定すると、L3パケットの内容を16進数で表示します。L3以上のレイヤの通信の理解に役立ちます。
こちらはアクセスポートのキャプチャの表示例です。
pi@doorcamera:/tmp $ tcpdump -r capture_access.cap -n -v -x | less
06:38:43.460544 STP 802.1d, Config, Flags [none], bridge-id c000.c2:02:03:8f:00:01.802d, length 35
message-age 1.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 4000.c2:00:03:8f:00:02, root-pathcost 3019
0x0000: 0000 0000 0040 00c2 0003 8f00 0200 000b
0x0010: cbc0 00c2 0203 8f00 0180 2d01 0014 0002
0x0020: 000f 0000 0000 0000 0000 00
06:38:44.378475 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
0x0000: 0001 0800 0604 0001 0050 7966 6801 0a02
0x0010: 0101 ffff ffff ffff 0a02 0102 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000
06:38:45.378384 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.2 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
0x0000: 0001 0800 0604 0001 0050 7966 6801 0a02
0x0010: 0101 ffff ffff ffff 0a02 0102 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000
06:38:45.378464 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.2.1.2 is-at 00:50:79:66:68:02, length 50
0x0000: 0001 0800 0604 0002 0050 7966 6802 0a02
0x0010: 0102 0050 7966 6801 0a02 0101 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000
06:38:45.379439 IP (tos 0x0, ttl 64, id 8420, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.1 > 10.2.1.2: ICMP echo request, id 58656, seq 1, length 72
0x0000: 4500 005c 20e4 4000 4001 03b7 0a02 0101
0x0010: 0a02 0102 0800 2dd9 e520 0001 0809 0a0b
0x0020: 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
0x0030: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b
0x0040: 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b
0x0050: 3c3d 3e3f 4041 4243 4445 4647
06:38:45.379567 IP (tos 0x0, ttl 64, id 8420, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.2 > 10.2.1.1: ICMP echo reply, id 58656, seq 1, length 72
0x0000: 4500 005c 20e4 4000 4001 03b7 0a02 0102
0x0010: 0a02 0101 0000 35d9 e520 0001 0809 0a0b
0x0020: 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
0x0030: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b
0x0040: 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b
0x0050: 3c3d 3e3f 4041 4243 4445 4647
次にtrunkポートのキャプチャの表示例です。
pi@doorcamera:/tmp $ tcpdump -r capture_trunk_dynagen.cap -n -v -x | less
07:00:54.827025 STP 802.1d, Config, Flags [none], bridge-id 4000.c2:00:03:8f:00:02.8029, length 42
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 4000.c2:00:03:8f:00:02, root-pathcost 0
0x0000: 0000 0000 0040 00c2 0003 8f00 0200 0000
0x0010: 0040 00c2 0003 8f00 0280 2900 0014 0002
0x0020: 000f 0000 0000 0002 000b
07:00:55.786329 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
0x0000: 0001 0800 0604 0001 0050 7966 6801 0a02
0x0010: 0101 ffff ffff ffff 0a02 01fc 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000
07:00:55.794972 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
0x0000: 0001 0800 0604 0002 c200 038f 0000 0a02
0x0010: 01fc 0050 7966 6801 0a02 0101 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000
07:00:55.795868 IP (tos 0x0, ttl 64, id 9751, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.1 > 10.2.1.252: ICMP echo request, id 5926, seq 1, length 72
0x0000: 4500 005c 2617 4000 4001 fd89 0a02 0101
0x0010: 0a02 01fc 0800 fbd3 1726 0001 0809 0a0b
0x0020: 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
0x0030: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b
0x0040: 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b
0x0050: 3c3d 3e3f 4041 4243 4445 4647
07:00:55.805058 IP (tos 0x0, ttl 255, id 9751, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.252 > 10.2.1.1: ICMP echo reply, id 5926, seq 1, length 72
0x0000: 4500 005c 2617 4000 ff01 3e89 0a02 01fc
0x0010: 0a02 0101 0000 03d4 1726 0001 0809 0a0b
0x0020: 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
0x0030: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b
0x0040: 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b
0x0050: 3c3d 3e3f 4041 4243 4445 4647
07:00:56.661228 IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 76)
10.2.0.252.123 > 10.2.0.1.123: NTPv3, Client, length 48
Leap indicator: (0), Stratum 5 (secondary reference), poll 8 (256s), precision -18
Root Delay: 0.020767, Root dispersion: 0.506607, Reference-ID: 0x0a020001
Reference Timestamp: 3882722200.673068008 (2023-01-14T21:56:40Z)
Originator Timestamp: 3882722200.661787140 (2023-01-14T21:56:40Z)
Receive Timestamp: 3882722200.673068008 (2023-01-14T21:56:40Z)
Transmit Timestamp: 3882722456.651476876 (2023-01-14T22:00:56Z)
Originator - Receive Timestamp: +0.011280867
Originator - Transmit Timestamp: +255.989689735
0x0000: 45c0 004c 0000 0000 ff11 a5e0 0a02 00fc
0x0010: 0a02 0001 007b 007b 0038 edd2 1b05 08ee
0x0020: 0000 0551 0000 81b1 0a02 0001 e76d a398
0x0030: ac4e 2f5e e76d a398 a96a e1cf e76d a398
0x0040: ac4e 2f5e e76d a498 a6c7 3046
07:00:56.661602 IP (tos 0x0, ttl 64, id 13841, offset 0, flags [DF], proto UDP (17), length 76)
10.2.0.1.123 > 10.2.0.252.123: NTPv3, Server, length 48
Leap indicator: (0), Stratum 4 (secondary reference), poll 8 (256s), precision -25
Root Delay: 0.000289, Root dispersion: 0.000335, Reference-ID: 0xa9fea97b
Reference Timestamp: 3882722415.569917344 (2023-01-14T22:00:15Z)
Originator Timestamp: 3882722456.651476876 (2023-01-14T22:00:56Z)
Receive Timestamp: 3882722456.661415451 (2023-01-14T22:00:56Z)
Transmit Timestamp: 3882722456.661501365 (2023-01-14T22:00:56Z)
Originator - Receive Timestamp: +0.009938575
Originator - Transmit Timestamp: +0.010024488
0x0000: 4500 004c 3611 4000 4011 ef8f 0a02 0001
0x0010: 0a02 00fc 007b 007b 0038 bdd1 1c04 08e7
0x0020: 0000 0013 0000 0016 a9fe a97b e76d a46f
0x0030: 91e6 1a66 e76d a498 a6c7 3046 e76d a498
0x0040: a952 85e6 e76d a498 a958 274a
-xx オプションを指定すると、さらにイーサネットヘッダ情報も表示します。L2通信の理解に役立ちます。
trunkポートを流れるパケットの場合、802.1q タグの内容も表示されます。
pi@doorcamera:/tmp $ tcpdump -r capture_trunk_dynagen.cap -e -n -v -xx | less
07:00:54.827025 c2:00:03:8f:f1:00 > 01:00:0c:cc:cc:cd, ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, 802.3LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid PVST (0x010b), length 42: STP 802.1d, Config, Flags [none], bridge-id 4000.c2:00:03:8f:00:02.8029, length 42
message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
root-id 4000.c2:00:03:8f:00:02, root-pathcost 0
0x0000: 0100 0ccc cccd c200 038f f100 8100 000b
0x0010: 0032 aaaa 0300 000c 010b 0000 0000 0040
0x0020: 00c2 0003 8f00 0200 0000 0040 00c2 0003
0x0030: 8f00 0280 2900 0014 0002 000f 0000 0000
0x0040: 0002 000b
07:00:55.786329 00:50:79:66:68:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 10.2.1.252 (ff:ff:ff:ff:ff:ff) tell 10.2.1.1, length 50
0x0000: ffff ffff ffff 0050 7966 6801 8100 000b
0x0010: 0806 0001 0800 0604 0001 0050 7966 6801
0x0020: 0a02 0101 ffff ffff ffff 0a02 01fc 0000
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000
0x0040: 0000 0000
07:00:55.794972 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 10.2.1.252 is-at c2:00:03:8f:00:00, length 46
0x0000: 0050 7966 6801 c200 038f 0000 8100 000b
0x0010: 0806 0001 0800 0604 0002 c200 038f 0000
0x0020: 0a02 01fc 0050 7966 6801 0a02 0101 0000
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000
07:00:55.795868 00:50:79:66:68:01 > c2:00:03:8f:00:00, ethertype 802.1Q (0x8100), length 110: vlan 11, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 9751, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.1 > 10.2.1.252: ICMP echo request, id 5926, seq 1, length 72
0x0000: c200 038f 0000 0050 7966 6801 8100 000b
0x0010: 0800 4500 005c 2617 4000 4001 fd89 0a02
0x0020: 0101 0a02 01fc 0800 fbd3 1726 0001 0809
0x0030: 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819
0x0040: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829
0x0050: 2a2b 2c2d 2e2f 3031 3233 3435 3637 3839
0x0060: 3a3b 3c3d 3e3f 4041 4243 4445 4647
07:00:55.805058 c2:00:03:8f:00:00 > 00:50:79:66:68:01, ethertype 802.1Q (0x8100), length 110: vlan 11, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 255, id 9751, offset 0, flags [DF], proto ICMP (1), length 92)
10.2.1.252 > 10.2.1.1: ICMP echo reply, id 5926, seq 1, length 72
0x0000: 0050 7966 6801 c200 038f 0000 8100 000b
0x0010: 0800 4500 005c 2617 4000 ff01 3e89 0a02
0x0020: 01fc 0a02 0101 0000 03d4 1726 0001 0809
0x0030: 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819
0x0040: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829
0x0050: 2a2b 2c2d 2e2f 3031 3233 3435 3637 3839
0x0060: 3a3b 3c3d 3e3f 4041 4243 4445 4647
07:00:56.661228 c2:00:03:8f:00:00 > 1a:19:9e:ef:96:43, ethertype 802.1Q (0x8100), length 94: vlan 10, p 0, ethertype IPv4 (0x0800), (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 76)
10.2.0.252.123 > 10.2.0.1.123: NTPv3, Client, length 48
Leap indicator: (0), Stratum 5 (secondary reference), poll 8 (256s), precision -18
Root Delay: 0.020767, Root dispersion: 0.506607, Reference-ID: 0x0a020001
Reference Timestamp: 3882722200.673068008 (2023-01-14T21:56:40Z)
Originator Timestamp: 3882722200.661787140 (2023-01-14T21:56:40Z)
Receive Timestamp: 3882722200.673068008 (2023-01-14T21:56:40Z)
Transmit Timestamp: 3882722456.651476876 (2023-01-14T22:00:56Z)
Originator - Receive Timestamp: +0.011280867
Originator - Transmit Timestamp: +255.989689735
0x0000: 1a19 9eef 9643 c200 038f 0000 8100 000a
0x0010: 0800 45c0 004c 0000 0000 ff11 a5e0 0a02
0x0020: 00fc 0a02 0001 007b 007b 0038 edd2 1b05
0x0030: 08ee 0000 0551 0000 81b1 0a02 0001 e76d
0x0040: a398 ac4e 2f5e e76d a398 a96a e1cf e76d
0x0050: a398 ac4e 2f5e e76d a498 a6c7 3046
07:00:56.661602 1a:19:9e:ef:96:43 > c2:00:03:8f:00:00, ethertype 802.1Q (0x8100), length 94: vlan 10, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 13841, offset 0, flags [DF], proto UDP (17), length 76)
10.2.0.1.123 > 10.2.0.252.123: NTPv3, Server, length 48
Leap indicator: (0), Stratum 4 (secondary reference), poll 8 (256s), precision -25
Root Delay: 0.000289, Root dispersion: 0.000335, Reference-ID: 0xa9fea97b
Reference Timestamp: 3882722415.569917344 (2023-01-14T22:00:15Z)
Originator Timestamp: 3882722456.651476876 (2023-01-14T22:00:56Z)
Receive Timestamp: 3882722456.661415451 (2023-01-14T22:00:56Z)
Transmit Timestamp: 3882722456.661501365 (2023-01-14T22:00:56Z)
Originator - Receive Timestamp: +0.009938575
Originator - Transmit Timestamp: +0.010024488
0x0000: c200 038f 0000 1a19 9eef 9643 8100 000a
0x0010: 0800 4500 004c 3611 4000 4011 ef8f 0a02
0x0020: 0001 0a02 00fc 007b 007b 0038 bdd1 1c04
0x0030: 08e7 0000 0013 0000 0016 a9fe a97b e76d
0x0040: a46f 91e6 1a66 e76d a498 a6c7 3046 e76d
0x0050: a498 a952 85e6 e76d a498 a958 274a
Discussion