Kozupon.com    
 
 Monitoring packets with tcpdump!


Well, this is such a famous network tool that there's hardly any need to explain it at this point. The official site is here.
I use it all the time, but I'd never written anything about it, so I suddenly felt like doing so.
tcpdump is a network tool that captures every single packet, TCP and UDP alike. It's responsive too, so once I used it I was hooked. For example, if netstat shows a suspicious port in LISTEN state, try capturing the packets arriving at that port with tcpdump. Some cracker might be holding a session on it.


1. Installing
1) Preparation

Of course, installing a binary package is faster and more reliable, but for the sake of those running a Linux that doesn't ship a binary, and for my own stubbornness, I'll install from source.
First, tcpdump needs the libpcap library, so check whether it's already installed. If it isn't, you'll have to install it separately first (lol). The version probably matters as well, so take care there. By the way, the install environment here is VineLinux 4.0.
[root@linux_michan root]# cd /usr/local/src/
[root@linux_michan src]# updatedb
[root@linux_michan src]# locate libpcap

/usr/lib/libpcap.so.0.9.3
/usr/lib/libpcap.so.0.9
/usr/lib/libpcap.so.0
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/share/doc/libpcap-0.9.3
/usr/share/doc/libpcap-0.9.3/CHANGES
/usr/share/doc/libpcap-0.9.3/README

I see, it looks like this machine already has it.

2) Get the source
Get the source from here. As of February 2007, the latest release was tcpdump-3.9.5.tar.gz.
[root@linux_michan src]# wget http://www.tcpdump.org/release/tcpdump-3.9.5.tar.gz
--11:21:53-- http://www.tcpdump.org/release/tcpdump-3.9.5.tar.gz
=> `tcpdump-3.9.5.tar.gz'
192.168.0.12:8080 に接続しています... 接続しました。
Proxy による接続要求を送信しました、応答を待っています... 200 OK
長さ: 712,411 (696K) [application/x-tar]

100%[====================================>] 712,411 58.38K/s ETA 00:00

11:22:04 (68.20 KB/s) - `tcpdump-3.9.5.tar.gz' を保存しました [712411/712411]

3) Extract the source
[root@linux_michan src]# tar zxvf tcpdump-3.9.5.tar.gz

[root@linux_michan src]# chown -R root.root tcpdump-3.9.5

4) Compile & link
[root@linux_michan src]# cd tcpdump-3.9.5
[root@linux_michan tcpdump-3.9.5]# ./configure

configure: WARNING: The SMB printer may have exploitable buffer overflows!!!

[root@linux_michan tcpdump-3.9.5]# make

[root@linux_michan tcpdump-3.9.5]# make install
[ -d /usr/local/sbin ] || \
(mkdir -p /usr/local/sbin; chmod 755 /usr/local/sbin)
/usr/bin/install -c tcpdump /usr/local/sbin/tcpdump
[ -d /usr/local/man/man1 ] || \
(mkdir -p /usr/local/man/man1; chmod 755 /usr/local/man/man1)
/usr/bin/install -c -m 644 ./tcpdump.1 /usr/local/man/man1/tcpdump.1


2. Trying it out
First, check which ports are in LISTEN state with netstat.
[root@ns ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 52 ::ffff:xxx.xxx.xxx.xxx:22 ::ffff:xxx.xxx.xxx.xxx:62260 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 xxx.xxx.xxx.xxx:7206 xxx.xxx.xxx.xxx:53 ESTABLISHED
udp 0 0 xxx.xxx.xxx.xxx:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 432 0 xxx.xxx.xxx.xxx:22611 xxx.xxx.xxx.xxx:53 ESTABLISHED
udp 0 0 xxx.xxx.xxx.xxx:12766 xxx.xxx.xxx.xxx:53 ESTABLISHED
udp 0 0 :::32769 :::*
(rest omitted)

As the result makes plain, this host is a mail server.

1) Capturing the SMTP port
Use tcpdump to watch this server's SMTP port on the sending side and collect information about the hosts that connect to it (in other words, capture every host that tries to relay mail through this server). Note that src port 25 matches any packet whose source port is 25, so the trace below also contains the replies of a remote SMTP server (210.196.76.154) that this host itself connected to.

[root@ns ~]# tcpdump -i eth0 src port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:01:05.447672 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: S 2267764677:2267764677(0) ack 1176833920 win 5792 <mss 1460,sackOK,timestamp 2348003290 5753658,nop,wscale 2>
15:01:05.532152 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 1:34(33) ack 1 win 1448 <nop,nop,timestamp 2348003375 5753661>
15:01:05.711409 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: . ack 22 win 1448 <nop,nop,timestamp 2348003554 5753724>
15:01:05.711534 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 34:158(124) ack 22 win 1448 <nop,nop,timestamp 2348003554 5753724>
15:01:05.739606 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 158:224(66) ack 37 win 1448 <nop,nop,timestamp 2348003582 5753731>
15:01:05.773663 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 224:255(31) ack 91 win 1448 <nop,nop,timestamp 2348003616 5753740>
15:01:05.802222 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 255:263(8) ack 137 win 1448 <nop,nop,timestamp 2348003645 5753747>
15:01:05.843962 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 263:271(8) ack 162 win 1448 <nop,nop,timestamp 2348003687 5753755>
15:01:05.881608 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 271:308(37) ack 168 win 1448 <nop,nop,timestamp 2348003724 5753767>
15:01:05.924489 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 308:338(30) ack 556 win 1716 <nop,nop,timestamp 2348003767 5753776>
15:01:05.952041 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 338:347(9) ack 562 win 1716 <nop,nop,timestamp 2348003795 5753785>
15:01:05.952468 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: F 347:347(0) ack 562 win 1716 <nop,nop,timestamp 2348003795 5753785>
15:01:06.090638 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: . ack 563 win 1716 <nop,nop,timestamp 2348003933 5753819>
15:01:06.149151 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: S 3054102830:3054102830(0) ack 2273980965 win 5792 <mss 1414,sackOK,timestamp 3020743750 2348003978,nop,wscale 0>
15:01:06.256868 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: P 1:35(34) ack 1 win 5792 <nop,nop,timestamp 3020743859 2348003992>
15:01:06.267669 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: . ack 29 win 5792 <nop,nop,timestamp 3020743871 2348004100>
15:01:06.268262 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: P 35:152(117) ack 29 win 5792 <nop,nop,timestamp 3020743871 2348004100>
15:01:06.317315 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: . ack 121 win 5792 <nop,nop,timestamp 3020743921 2348004111>
15:01:06.336926 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: P 152:205(53) ack 121 win 5792 <nop,nop,timestamp 3020743940 2348004111>
15:01:06.348295 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: . ack 1152 win 7217 <nop,nop,timestamp 3020743951 2348004180>
15:01:06.382100 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: P 205:244(39) ack 1152 win 7217 <nop,nop,timestamp 3020743986 2348004180>
15:01:06.384121 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: F 244:244(0) ack 1152 win 7217 <nop,nop,timestamp 3020743987 2348004180>
15:01:06.393094 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: . ack 1153 win 7217 <nop,nop,timestamp 3020743996 2348004225>

2) Capturing the POP3 port
Use tcpdump to watch this server's POP3 port on the receiving side and collect information about the hosts that connect to it.

[root@ns ~]# tcpdump -i eth0 dst port 110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:05:17.612736 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: S 1432268975:1432268975(0) win 5840 <mss 1414,sackOK,timestamp 5816703 0,nop,wscale 2>
15:05:17.624761 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: . ack 2532747752 win 1460 <nop,nop,timestamp 5816706 2348255494>
15:05:19.814442 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: . ack 107 win 1460 <nop,nop,timestamp 5817253 2348257669>
15:05:19.818677 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: P 0:6(6) ack 107 win 1460 <nop,nop,timestamp 5817254 2348257669>
15:05:19.851511 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: P 6:50(44) ack 314 win 1728 <nop,nop,timestamp 5817262 2348257700>
15:05:19.885078 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: P 50:56(6) ack 371 win 1728 <nop,nop,timestamp 5817271 2348257733>
15:05:19.923842 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: P 56:62(6) ack 380 win 1728 <nop,nop,timestamp 5817281 2348257766>
15:05:19.968408 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: F 62:62(0) ack 435 win 1728 <nop,nop,timestamp 5817291 2348257805>
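What both captures above were really run for is the list of peers, not the individual packet lines. The following Python is an added example, not code from the article: it reads tcpdump summary lines (sample lines copied from the SMTP and POP3 captures above and embedded as constructed input), keeps only the connection-setup packets, and decides who the client was from whether the SYN carried an ack (a SYN-ACK is sent by the server, so the client is the destination). The local hostname ns.xxxxxxxxx.jp is taken from the captures and passed in as an assumption. Run against the SMTP capture it also shows that src port 25 matched an outbound delivery to 210.196.76.154, not only inbound relay attempts.

```python
import re

# One tcpdump summary line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
SUMMARY = re.compile(r"^(\S+) IP (\S+) > (\S+): (\S+) (.*)$")

# Constructed sample input: lines copied from the article's
# "tcpdump -i eth0 src port 25" and "tcpdump -i eth0 dst port 110" captures.
SMTP_CAPTURE = """\
15:01:05.447672 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: S 2267764677:2267764677(0) ack 1176833920 win 5792 <mss 1460,sackOK,timestamp 2348003290 5753658,nop,wscale 2>
15:01:05.532152 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: P 1:34(33) ack 1 win 1448 <nop,nop,timestamp 2348003375 5753661>
15:01:05.952468 IP ns.xxxxxxxxx.jp.smtp > xxx.xxx.xxx.xxx.64655: F 347:347(0) ack 562 win 1716 <nop,nop,timestamp 2348003795 5753785>
15:01:06.149151 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: S 3054102830:3054102830(0) ack 2273980965 win 5792 <mss 1414,sackOK,timestamp 3020743750 2348003978,nop,wscale 0>
15:01:06.384121 IP 210.196.76.154.smtp > ns.xxxxxxxxx.jp.33713: F 244:244(0) ack 1152 win 7217 <nop,nop,timestamp 3020743987 2348004180>
"""

POP3_CAPTURE = """\
15:05:17.612736 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: S 1432268975:1432268975(0) win 5840 <mss 1414,sackOK,timestamp 5816703 0,nop,wscale 2>
15:05:17.624761 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: . ack 2532747752 win 1460 <nop,nop,timestamp 5816706 2348255494>
15:05:19.968408 IP xxx.xxx.xxx.xxx.65020 > ns.xxxxxxxxx.jp.pop3: F 62:62(0) ack 435 win 1728 <nop,nop,timestamp 5817291 2348257805>
"""


def split_endpoint(endpoint):
    """'ns.xxxxxxxxx.jp.smtp' -> ('ns.xxxxxxxxx.jp', 'smtp'); tcpdump appends the port with a dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def connections(capture, local):
    """List the TCP connections set up in a tcpdump summary capture.

    A bare SYN is sent by the client; a SYN that carries an ack (SYN-ACK) is
    sent by the server, so in that case the client is the destination.
    `local` is the hostname tcpdump printed for the monitored host (assumed).
    """
    found = []
    for line in capture.splitlines():
        m = SUMMARY.match(line)
        if not m:
            continue
        ts, src, dst, flags, rest = m.groups()
        if flags != "S":
            continue  # only connection-setup packets identify the initiator
        acked = "ack" in rest.split()  # whole-token match so "sackOK" does not count
        server, client = (src, dst) if acked else (dst, src)
        s_host, s_port = split_endpoint(server)
        c_host, c_port = split_endpoint(client)
        found.append({
            "time": ts,
            "client": c_host,
            "client_port": c_port,
            "server": s_host,
            "service": s_port,
            "inbound": s_host == local,
        })
    return found


if __name__ == "__main__":
    for c in connections(SMTP_CAPTURE, "ns.xxxxxxxxx.jp") + connections(POP3_CAPTURE, "ns.xxxxxxxxx.jp"):
        direction = "inbound " if c["inbound"] else "outbound"
        print(f"{c['time']} {direction} {c['client']}:{c['client_port']} -> {c['server']} {c['service']}")
```

Only SYN and SYN-ACK packets are used because they are the one point in a TCP exchange where the roles are unambiguous; a filter such as src port 25 otherwise shows the server side of every conversation, whichever side opened it.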

Now display the same data in dump format, which is easier to read.
[root@ns ~]# tcpdump -nX -i eth0 dst port 110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:06:01.225127 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: S 1479393505:1479393505(0) win 5840 <mss 1414,sackOK,timestamp 5827606 0,nop,wscale 2>
0x0000: 4500 003c 2cf7 4000 2e06 4f4d d2c4 4c92 E..<,.@...OM..L.
0x0010: 3dce 7353 ee54 006e 582d c0e1 0000 0000 =.sS.T.nX-......
0x0020: a002 16d0 6caa 0000 0204 0586 0402 080a ....l...........
0x0030: 0058 ec16 0000 0000 0103 0302 .X..........
15:06:01.239809 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: . ack 2588125526 win 1460 <nop,nop,timestamp 5827610 2348299113>
0x0000: 4500 0034 2cf8 4000 2e06 4f54 d2c4 4c92 E..4,.@...OT..L.
0x0010: 3dce 7353 ee54 006e 582d c0e2 9a43 a956 =.sS.T.nX-...C.V
0x0020: 8010 05b4 a94f 0000 0101 080a 0058 ec1a .....O.......X..
0x0030: 8bf8 3369 ..3i
15:06:01.466651 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: . ack 107 win 1460 <nop,nop,timestamp 5827667 2348299336>
0x0000: 4500 0034 2cf9 4000 2e06 4f53 d2c4 4c92 E..4,.@...OS..L.
0x0010: 3dce 7353 ee54 006e 582d c0e2 9a43 a9c0 =.sS.T.nX-...C..
0x0020: 8010 05b4 a7cd 0000 0101 080a 0058 ec53 .............X.S
0x0030: 8bf8 3448 ..4H
15:06:01.467170 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 0:6(6) ack 107 win 1460 <nop,nop,timestamp 5827667 2348299336>
0x0000: 4500 003a 2cfa 4000 2e06 4f4c d2c4 4c92 E..:,.@...OL..L.
0x0010: 3dce 7353 ee54 006e 582d c0e2 9a43 a9c0 =.sS.T.nX-...C..
0x0020: 8018 05b4 0733 0000 0101 080a 0058 ec53 .....3.......X.S
0x0030: 8bf8 3448 4341 5041 0d0a ..4HCAPA..
15:06:01.490116 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 6:50(44) ack 314 win 1728 <nop,nop,timestamp 5827672 2348299355>
0x0000: 4500 0060 2cfb 4000 2e06 4f25 d2c4 4c92 E..`,.@...O%..L.
0x0010: 3dce 7353 ee54 006e 582d c0e8 9a43 aa8f =.sS.T.nX-...C..
0x0020: 8018 06c0 849c 0000 0101 080a 0058 ec58 .............X.X
0x0030: 8bf8 345b 4150 4f50 206d 6974 7920 3465 ..4[APOP.mity.4e
0x0040: 6464 6162 3265 3236 3139 3639 6164 3662 ddab2e261969ad6b
0x0050: 3234 24
15:06:01.524624 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 50:56(6) ack 371 win 1728 <nop,nop,timestamp 5827681 2348299379>
0x0000: 4500 003a 2cfc 4000 2e06 4f4a d2c4 4c92 E..:,.@...OJ..L.
0x0010: 3dce 7353 ee54 006e 582d c114 9a43 aac8 =.sS.T.nX-...C..
0x0020: 8018 06c0 038e 0000 0101 080a 0058 ec61 .............X.a
0x0030: 8bf8 3473 5354 4154 0d0a ..4sSTAT..
15:06:01.555052 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 56:62(6) ack 380 win 1728 <nop,nop,timestamp 5827688 2348299412>
0x0000: 4500 003a 2cfd 4000 2e06 4f49 d2c4 4c92 E..:,.@...OI..L.
0x0010: 3dce 7353 ee54 006e 582d c11a 9a43 aad1 =.sS.T.nX-...C..
0x0020: 8018 06c0 fd55 0000 0101 080a 0058 ec68 .....U.......X.h
0x0030: 8bf8 3494 5155 4954 0d0a ..4.QUIT..
15:06:01.596506 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: F 62:62(0) ack 435 win 1728 <nop,nop,timestamp 5827699 2348299443>
0x0000: 4500 0034 2cfe 4000 2e06 4f4e d2c4 4c92 E..4,.@...ON..L.
0x0010: 3dce 7353 ee54 006e 582d c120 9a43 ab08 =.sS.T.nX-...C..
0x0020: 8011 06c0 a4af 0000 0101 080a 0058 ec73 .............X.s
0x0030: 8bf8 34b3 ..4.
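To make clear what -n (no name resolution) and -X (hex plus ASCII for every packet) actually expose, the following Python is an added example, not code from the article. It reassembles two of the hex dumps above (the CAPA and APOP packets, embedded as constructed sample input), verifies each IP header checksum as a transcription check, decodes the TCP ports and flags, and returns the TCP payload. The payloads come back as the clear-text POP3 commands, and the APOP packet shows the effect of the 96-byte capture size reported on the "listening on" line: the packet is 96 bytes of IP data, but only 82 bytes were captured (96 minus the 14-byte Ethernet header), so the 44-byte command line is cut off after 30 bytes. With tcpdump 3.9 you pass -s 0 to capture whole packets.

```python
import re

HEX4 = re.compile(r"^[0-9a-f]{4}$")
HEX2 = re.compile(r"^[0-9a-f]{2}$")
DUMP = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$")

# Constructed sample: the CAPA and APOP frames from the article's
# "tcpdump -nX -i eth0 dst port 110" output, copied as printed there.
SAMPLE = """\
15:06:01.467170 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 0:6(6) ack 107 win 1460 <nop,nop,timestamp 5827667 2348299336>
0x0000: 4500 003a 2cfa 4000 2e06 4f4c d2c4 4c92 E..:,.@...OL..L.
0x0010: 3dce 7353 ee54 006e 582d c0e2 9a43 a9c0 =.sS.T.nX-...C..
0x0020: 8018 05b4 0733 0000 0101 080a 0058 ec53 .....3.......X.S
0x0030: 8bf8 3448 4341 5041 0d0a ..4HCAPA..
15:06:01.490116 IP xxx.xxx.xxx.xxx.61012 > xxx.xxx.xxx.xxx.pop3: P 6:50(44) ack 314 win 1728 <nop,nop,timestamp 5827672 2348299355>
0x0000: 4500 0060 2cfb 4000 2e06 4f25 d2c4 4c92 E..`,.@...O%..L.
0x0010: 3dce 7353 ee54 006e 582d c0e8 9a43 aa8f =.sS.T.nX-...C..
0x0020: 8018 06c0 849c 0000 0101 080a 0058 ec58 .............X.X
0x0030: 8bf8 345b 4150 4f50 206d 6974 7920 3465 ..4[APOP.mity.4e
0x0040: 6464 6162 3265 3236 3139 3639 6164 3662 ddab2e261969ad6b
0x0050: 3234 24
"""


def parse_dump_line(line):
    """Return (offset, data) for one hex line of -X output, or None for any other line.

    The ASCII column is a single token whose length equals the line's byte count;
    that is what tells it apart from a trailing odd byte (the article's "0x0050: 3234 24"
    ends in the ASCII text "24", not in a third byte). Without an exact match the
    longest run of hex groups wins.
    """
    m = DUMP.match(line)
    if not m:
        return None
    tokens = m.group(2).split()
    exact = longest = None
    for k in range(len(tokens), -1, -1):            # longest candidate hex run first
        head, tail = tokens[:k], tokens[k:]
        if not all(HEX4.match(t) for t in head[:-1]):
            continue
        if head and not (HEX4.match(head[-1]) or HEX2.match(head[-1])):
            continue
        data = bytes.fromhex("".join(head))
        if longest is None:
            longest = data
        if exact is None and len("".join(tail)) == len(data):
            exact = data
    return int(m.group(1), 16), (exact if exact is not None else longest)


def split_packets(text):
    """Group each summary line with the hex lines under it; returns (summary, bytes) pairs."""
    packets = []
    for line in text.splitlines():
        parsed = parse_dump_line(line)
        if parsed is None:
            if line.strip():
                packets.append([line.strip(), bytearray()])
            continue
        offset, data = parsed
        if not packets or offset != len(packets[-1][1]):
            raise ValueError("hex dump out of order at 0x%04x" % offset)
        packets[-1][1].extend(data)
    return [(s, bytes(b)) for s, b in packets if len(b) >= 20]


def ip_checksum_ok(header):
    """The ones'-complement sum over an intact IP header folds to 0xffff."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))


def decode(raw):
    """Decode the IP and TCP headers of one packet (-X output starts at the IP header)."""
    ihl = (raw[0] & 0x0f) * 4                       # IP header length in bytes
    total_len = int.from_bytes(raw[2:4], "big")     # length of the whole IP packet
    if raw[9] != 6:
        raise ValueError("not TCP")
    # bytes 12..19 hold the addresses; left undecoded because the article masks the hosts
    tcp = raw[ihl:]
    doff = (tcp[12] >> 4) * 4                       # TCP header length incl. options
    return {
        "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
        "total_len": total_len,
        "captured": len(raw),
        "truncated": len(raw) < total_len,          # the snaplen cut the packet short
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": "".join(name for bit, name in TCP_FLAGS if tcp[13] & bit),
        "payload": raw[ihl + doff:],
    }


def decode_sample(text=SAMPLE):
    return [decode(raw) for _, raw in split_packets(text)]


if __name__ == "__main__":
    for p in decode_sample():
        print(p["sport"], "->", p["dport"], p["flags"], "truncated" if p["truncated"] else "complete", p["payload"])
```

The truncated flag is the thing to check before drawing conclusions from payload contents in a default capture; the address fields are deliberately not decoded here since the article masks them, and everything else in the packet is taken from the dump.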

That's roughly it. It can be put to all sorts of uses depending on how you run it, but I mostly have it listen on a specific port and capture the data.
That's all.

Copyright 2007 Kozupon.com.