can't dump log which get with `-i any`

Question

can't dump log which get with `-i any`

koron opened this issue 7 years ago · comments

MURAOKA Taro commented 7 years ago

tcpdump の -i any で取ったキャプチャが解釈できない。

スタックの問題?

MURAOKA Taro · Answer 1 · Wed Oct 04 2017 10:10:39 GMT+0800 (China Standard Time)

any-interface ブランチの pcap-dump コマンドで比較してみた。

OK: lo.pcap

-- FULL PACKET DATA (74 bytes) ------------------------------------
00000000  00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00  |..............E.|
00000010  00 3c 6b f3 40 00 40 06  d0 c6 7f 00 00 01 7f 00  |.<k.@.@.........|
00000020  00 01 9c 72 0c ea 9e 48  23 d7 00 00 00 00 a0 02  |...r...H#.......|
00000030  aa aa fe 30 00 00 02 04  ff d7 04 02 08 0a 00 06  |...0............|
00000040  48 24 00 00 00 00 01 03  03 07                    |H$........|
--- Layer 1 ---
Ethernet	{Contents=[..14..] Payload=[..60..] SrcMAC=00:00:00:00:00:00 DstMAC=00:00:00:00:00:00 EthernetType=IPv4 Length=0}
00000000  00 00 00 00 00 00 00 00  00 00 00 00 08 00        |..............|
--- Layer 2 ---
IPv4	{Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=27635 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=53446 SrcIP=127.0.0.1 DstIP=127.0.0.1 Options=[] Padding=[]}
00000000  45 00 00 3c 6b f3 40 00  40 06 d0 c6 7f 00 00 01  |E..<k.@.@.......|
00000010  7f 00 00 01                                       |....|
--- Layer 3 ---
TCP	{Contents=[..40..] Payload=[] SrcPort=40050 DstPort=3306(mysql) Seq=2655527895 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=43690 Checksum=65072 Urgent=0 Options=[..5..] Padding=[]}
00000000  9c 72 0c ea 9e 48 23 d7  00 00 00 00 a0 02 aa aa  |.r...H#.........|
00000010  fe 30 00 00 02 04 ff d7  04 02 08 0a 00 06 48 24  |.0............H$|
00000020  00 00 00 00 01 03 03 07                           |........|

NG: any.pcap

-- FULL PACKET DATA (76 bytes) ------------------------------------
00000000  00 00 03 04 00 06 00 00  00 00 00 00 00 00 08 00  |................|
00000010  45 00 00 3c a0 56 40 00  40 06 9c 63 7f 00 00 01  |E..<.V@.@..c....|
00000020  7f 00 00 01 9c 70 0c ea  a2 a9 0c 67 00 00 00 00  |.....p.....g....|
00000030  a0 02 aa aa fe 30 00 00  02 04 ff d7 04 02 08 0a  |.....0..........|
00000040  ff ff ac 31 00 00 00 00  01 03 03 07              |...1........|
--- Layer 1 ---
Ethernet        {Contents=[..14..] Payload=[] SrcMAC=00:00:00:00:00:00 DstMAC=00:00:03:04:00:06 EthernetType=LLC Length=0}
00000000  00 00 03 04 00 06 00 00  00 00 00 00 00 00        |..............|

MURAOKA Taro · Answer 2 · Wed Oct 04 2017 10:26:50 GMT+0800 (China Standard Time)

any でキャプチャすると Linux SLL というものになるらしい。

http://d.hatena.ne.jp/EijiYoshida/20130824/1377345098

MURAOKA Taro · Answer 3 · Wed Oct 04 2017 10:35:06 GMT+0800 (China Standard Time)

デコーダーを Linux SLL にしたら any.pcap が読めた。つまりデコーダーを切り替える仕組みが必要。

MURAOKA Taro · Answer 4 · Wed Oct 04 2017 10:52:36 GMT+0800 (China Standard Time)

2b710da で対応した。
-decoder {NAME} オプションで指定できる。

$ sudo tcpdump -i any -s 0 -l -w - "tcp port 3306" | dbquerylog -decoder "Linux SLL"