Let's look at how to run TCPDUMP on NexG VPN, FW and UTM appliances
Switching to st mode to run tcpdump
enable mode -> enter st
/media/disk0 #   <- prompt after the mode switch
1. Basic TCPDUMP form
tcpdump [port] [operator (and, or, not)] [network range/host]
e.g.) tcpdump port 33
e.g.) tcpdump not port telnet
e.g.) tcpdump port http and not host 100.100.100.1
e.g.) tcpdump host 100.100.100.1 or host 100.100.100.254
e.g.) tcpdump net 100.100.100.0/24
e.g.) tcpdump src 100.100.100.1
2. Extended TCPDUMP form
tcpdump [options (-i, -c, -v ...)]
[protocol: ip/ether proto (\tcp, \udp, \icmp, TCP, UDP ...)] [operator] [port] [operator] [network range/host]
e.g.) tcpdump -i eth0 -q -c 10 ip proto \tcp and src port 33 and src host 100.100.100.1
e.g.) tcpdump -i eth0 -q -c 10 ip proto TCP and port telnet and not net 100.100.100.0/24
3. TCPDUMP options
-n : numeric display (addresses and ports are not resolved to names)
-i <Interface> : capture on <Interface>; eth0 if not specified
-c <count> : exit after receiving <count> packets
-e : print the link-level header on each output line (to check MAC addresses)
-v : detail (slightly more verbose than usual: time to live, identification, total length, checksum)
-t : no-time (do not print a timestamp on each dump line)
-q : brief (omit some TCP/UDP protocol information for a shorter output than usual)
-esp : show ESP protocol traffic (in practice esp is used as a filter keyword, as in the "host ... and esp" example below)
4. Checking ping packets with tcpdump
Test # st
/media/disk0 # tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
16:33:35.779544 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 5285, seq 19893, length 36
16:33:35.780068 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 5285, seq 19893, length 36
16:33:40.783386 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 3977, seq 19894, length 36
16:33:40.783918 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 3977, seq 19894, length 36
16:33:45.787544 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 3075, seq 19895, length 36
16:33:45.788073 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 3075, seq 19895, length 36
16:33:50.787152 arp who-has 192.168.10.25 tell 192.168.10.26
16:33:50.787792 arp reply 192.168.10.25 is-at 00:1a:2f:28:49:4d
16:33:50.791489 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 676, seq 19896, length 36
16:33:50.792020 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 676, seq 19896, length 36
16:33:55.795532 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 6234, seq 19897, length 36
16:33:55.796064 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 6234, seq 19897, length 36
16:34:00.799387 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 1082, seq 19898, length 36
16:34:00.799906 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 1082, seq 19898, length 36
16:34:02.429100 IP 172.30.12.16.55237 > 192.168.16.140.20534: S 1220709519:1220709519(0) win 65535 <mss 1460,wscale 1,nop>
16:34:02.457353 IP 192.168.16.140.20534 > 172.30.12.16.55237: S 4003055494:4003055494(0) ack 1220709520 win 65535 <mss 1300,nop,wscale 3>
16:34:02.458016 IP 172.30.12.16.55237 > 192.168.16.140.20534: P 1:1215(1214) ack 1 win 32768
16:34:02.581474 IP 192.168.16.140.20534 > 172.30.12.16.55237: . ack 1215 win 32673
Test # st
/media/disk0 # tcpdump -ni eth1 host 172.16.100.1 and esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
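As an added example (not part of the original post or of NexG's tools), a small Python parser that reads lines in the format of the ping capture above, pairs each ICMP echo request with its reply by (id, seq), computes the round-trip time and flags requests that never got a reply, which is the usual question when checking a VPN or firewall path with tcpdump. The sample lines are constructed in the same format as the output above, with the last request deliberately left unanswered.

```python
import re

# Constructed sample in the same format as the ping capture above; the
# last echo request deliberately has no reply, and the ARP line is ignored.
SAMPLE = """\
16:33:35.779544 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 5285, seq 19893, length 36
16:33:35.780068 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 5285, seq 19893, length 36
16:33:40.783386 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 3977, seq 19894, length 36
16:33:40.783918 IP 192.168.10.25 > 192.168.10.26: ICMP echo reply, id 3977, seq 19894, length 36
16:33:45.787544 IP 192.168.10.26 > 192.168.10.25: ICMP echo request, id 3075, seq 19895, length 36
16:33:50.787152 arp who-has 192.168.10.25 tell 192.168.10.26
"""

# Matches the "tcpdump -n" line format for ICMP echo request/reply packets.
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def ts_seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def pair_echoes(capture):
    """Match echo replies to requests by (id, seq).

    Returns (rtts, unanswered): rtts maps (id, seq) -> round-trip time in ms,
    unanswered is the sorted list of (id, seq) requests that got no reply.
    """
    pending = {}   # (id, seq) -> (request time, destination host)
    rtts = {}
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue  # ARP, TCP and other non-echo lines are skipped
        key = (int(m["id"]), int(m["seq"]))
        t = ts_seconds(m["ts"])
        if m["kind"] == "request":
            pending[key] = (t, m["dst"])
        elif key in pending and pending[key][1] == m["src"]:
            # only accept a reply from the host the request was sent to
            rtts[key] = round((t - pending.pop(key)[0]) * 1000, 3)
    return rtts, sorted(pending)

if __name__ == "__main__":
    rtts, unanswered = pair_echoes(SAMPLE)
    for key, ms in rtts.items():
        print(f"id {key[0]} seq {key[1]}: {ms} ms")
    print("unanswered:", unanswered)
```

Feed it the saved output of "tcpdump -i eth0 -n" and a growing unanswered list points at the direction in which the path is broken.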