Capture results differ between sender and receiver?

Sender side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-snd070817-2257 -R "tcp.port == 51401" | tail
94107 33.154248 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94108 33.154573 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94109 33.154897 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94110 33.155221 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94111 33.155548 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94112 33.155802 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94113 33.156058 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=81738979 Win=563392 Len=0 TSV=179444729 TSER=113330957
94119 33.204014 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [FIN, ACK] Seq=81748203 Ack=191 Win=6912 Len=0 TSV=113330974 TSER=179444730
94120 33.204199 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [FIN, ACK] Seq=191 Ack=81748204 Win=563392 Len=0 TSV=179444742 TSER=113330974
94122 33.204530 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=81748204 Ack=192 Win=6912 Len=0 TSV=113330974 TSER=179444742
[/code]
Receiver side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-rcv070817-2257 -R "tcp.port == 51401" | tail
84694 27.916116 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84695 27.916136 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81744770 Win=8803 Len=0 TSV=179444730 TSER=113330959
84696 27.916439 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84697 27.916764 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84698 27.916782 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81747666 Win=8803 Len=0 TSV=179444730 TSER=113330959
84699 27.917022 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84700 27.917054 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81748202 Win=8803 Len=0 TSV=179444730 TSER=113330959
84701 27.965231 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [FIN, ACK] Seq=81748202 Ack=0 Win=108 Len=0 TSV=113330974 TSER=179444730
84702 27.965275 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [FIN, ACK] Seq=0 Ack=81748203 Win=8803 Len=0 TSV=179444742 TSER=113330974
84703 27.965748 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=81748203 Ack=1 Win=108 Len=0 TSV=113330974 TSER=179444742
[/code]

Sender side: the server's FIN/ACK has Seq=81748203
Receiver side: the same FIN/ACK has Seq=81748202

Why the difference?

The reason is that Wireshark (tshark) displays relative sequence numbers. For each direction of a stream it treats the sequence number of the first segment it sees in that direction as 0: the randomly chosen ISN if that segment is the SYN, whatever happens to be on the wire otherwise. If the "first segment seen" differs between two captures, so does the base, and the displayed numbers are offset. Here the sender-side capture includes the SYN, so its base is the ISN and the server's first data byte is Seq=1 (the SYN itself consumes one sequence number); the receiver-side capture starts at the first data segment, so its base is ISN+1 and every number in that direction is one lower. In the other direction the offset is 191 (Ack=192 versus Ack=1 on the final ACK), because the client's SYN and its first 190 bytes were missed as well. The missing handshake also explains the window values: the window scale option (WS=6) is carried only in the SYN, so without it tshark prints the raw window field (Win=108) instead of the scaled value (108 × 64 = 6912). To compare two captures directly, turn off relative numbering with `-o tcp.relative_sequence_numbers:FALSE` and both sides will show the absolute sequence numbers.

Sender side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-snd070817-2257 -R "tcp.port == 51401" | head
100 4.791747 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [SYN] Seq=0 Len=0 MSS=1460 TSV=179437639 TSER=0 WS=6
102 4.791882 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=113323870 TSER=179437639 WS=6
103 4.792085 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=179437639 TSER=113323870
106 4.792353 192.168.2.12 -> 192.168.2.10 TCP [TCP ACKed lost segment] 1234 > 51401 [ACK] Seq=1 Ack=42 Win=5824 Len=0 TSV=113323871 TSER=179437639
107 4.792843 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [PSH, ACK] Seq=42 Ack=1 Win=5888 Len=149 TSV=179437639 TSER=113323871
109 4.792954 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=1 Ack=191 Win=6912 Len=0 TSV=113323871 TSER=179437639
112 4.892060 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=1 Ack=191 Win=6912 Len=84 TSV=113323896 TSER=179437639
113 4.892243 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=85 Win=5888 Len=0 TSV=179437664 TSER=113323896
115 4.892549 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=85 Ack=191 Win=6912 Len=188 TSV=113323896 TSER=179437664
116 4.892726 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=273 Win=6912 Len=0 TSV=179437664 TSER=113323896
[/code]

Receiver side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-rcv070817-2257 -R "tcp.port == 51401" | head
1 0.000000 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=0 Ack=0 Win=108 Len=84 TSV=113323896 TSER=179437639
2 0.000026 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=84 Win=92 Len=0 TSV=179437664 TSER=113323896
3 0.000031 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=84 Ack=0 Win=108 Len=188 TSV=113323896 TSER=179437664
4 0.000035 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=272 Win=108 Len=0 TSV=179437664 TSER=113323896
5 0.000040 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=272 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
6 0.000045 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=1720 Win=154 Len=0 TSV=179437714 TSER=113323946
7 0.000049 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=1720 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
8 0.000054 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=3168 Win=199 Len=0 TSV=179437714 TSER=113323946
9 0.000059 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=3168 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
10 0.000122 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=4616 Win=244 Len=0 TSV=179437714 TSER=113323946
[/code]

The SYN from 192.168.2.10 to 192.168.2.12 was not captured: the receiver-side capture begins (frame 1, t=0.000000) with the 84-byte segment that is frame 112 on the sender side (same TSV=113323896), so the whole handshake and the client's first request were missed.
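To make the rule concrete, here is an added example (not code from the original post) that models tshark's relative-numbering rules in Python and runs them over a constructed stream shaped like the captures above. The endpoints 192.168.2.10:51401 and 192.168.2.12:1234 are the page's, but the ISNs, the segment list and the window values are assumptions, not taken from the real pcaps. The same stream is relativized twice, once from the SYN and once starting at the first data segment, and the server's FIN comes out one byte lower and with an unscaled window in the late capture.

```python
"""Model of Wireshark/tshark relative TCP sequence numbers.

Added example, not code from the original post. The absolute ISNs, the
segment list and the window values are constructed to mirror the shape of
the captures on the page (client 192.168.2.10:51401, server 192.168.2.12:1234);
they are not taken from the real pcaps.
"""
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str                      # "host:port"
    dst: str
    seq: int                      # absolute sequence number as seen on the wire
    ack: int                      # absolute acknowledgement number
    flags: str                    # e.g. "SYN", "PSH,ACK", "FIN,ACK"
    length: int                   # payload bytes (SYN and FIN also consume one seq number each)
    window: int                   # raw 16-bit window field
    wscale: Optional[int] = None  # window-scale shift, carried only in SYN / SYN,ACK


def relativize(captured):
    """Apply tshark's relative-number rules to the segments actually captured.

    Per direction, the first segment seen sets that direction's base sequence
    number; if the reverse direction has no base yet and the segment carries
    an ACK, the reverse base is taken from its ack field. The window scale
    is learned only from the SYN / SYN,ACK, so without the handshake the raw
    window field is reported unscaled.
    """
    base = {}      # (src, dst) -> base sequence number for that direction
    wscale = {}    # src -> shift learned from its SYN
    rows = []
    for s in captured:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if fwd not in base:
            base[fwd] = s.seq
        if rev not in base and "ACK" in s.flags:
            base[rev] = s.ack
        if "SYN" in s.flags and s.wscale is not None:
            wscale[s.src] = s.wscale
        rel_seq = (s.seq - base[fwd]) & MASK32
        rel_ack = (s.ack - base[rev]) & MASK32 if "ACK" in s.flags else None
        if "SYN" in s.flags:
            win = s.window                 # the window in a SYN is never scaled
        elif s.src in wscale:
            win = s.window << wscale[s.src]
        else:
            win = s.window                 # scale unknown: raw value, as in the receiver-side capture
        rows.append({"src": s.src, "dst": s.dst, "flags": s.flags,
                     "seq": rel_seq, "ack": rel_ack, "win": win,
                     "scale_known": ("SYN" in s.flags) or (s.src in wscale)})
    return rows


C, S = "192.168.2.10:51401", "192.168.2.12:1234"
ISN_C, ISN_S = 0x7A3D11C0, 0xF0E1D2C3      # constructed ISNs, chosen arbitrarily

# Constructed stream: handshake, 190-byte request, 84 + 188 bytes of reply, close by the server.
FULL_STREAM = [
    Segment(C, S, ISN_C,       0,           "SYN",     0,   5840, wscale=6),
    Segment(S, C, ISN_S,       ISN_C + 1,   "SYN,ACK", 0,   5792, wscale=6),
    Segment(C, S, ISN_C + 1,   ISN_S + 1,   "ACK",     0,   92),
    Segment(C, S, ISN_C + 1,   ISN_S + 1,   "PSH,ACK", 190, 92),
    Segment(S, C, ISN_S + 1,   ISN_C + 191, "ACK",     0,   108),
    Segment(S, C, ISN_S + 1,   ISN_C + 191, "PSH,ACK", 84,  108),  # first segment in the late capture
    Segment(C, S, ISN_C + 191, ISN_S + 85,  "ACK",     0,   92),
    Segment(S, C, ISN_S + 85,  ISN_C + 191, "PSH,ACK", 188, 108),
    Segment(C, S, ISN_C + 191, ISN_S + 273, "ACK",     0,   108),
    Segment(S, C, ISN_S + 273, ISN_C + 191, "FIN,ACK", 0,   108),
    Segment(C, S, ISN_C + 191, ISN_S + 274, "FIN,ACK", 0,   108),
    Segment(S, C, ISN_S + 274, ISN_C + 192, "ACK",     0,   108),
]


def server_fin(rows):
    return next(r for r in rows if r["src"] == S and r["flags"] == "FIN,ACK")


def compare_captures(stream, first_seen_index):
    """Relativize the full stream and a capture that started late; return both server FINs."""
    sender_side = relativize(stream)
    receiver_side = relativize(stream[first_seen_index:])
    return server_fin(sender_side), server_fin(receiver_side)


if __name__ == "__main__":
    full, late = compare_captures(FULL_STREAM, 5)
    for label, r in (("sender side (SYN captured)", full), ("receiver side (SYN missed)", late)):
        print(f"{label}: FIN,ACK Seq={r['seq']} Ack={r['ack']} Win={r['win']} scale_known={r['scale_known']}")
```

Running it prints the server's FIN as Seq=273 Ack=191 Win=6912 from the full stream and Seq=272 Ack=0 Win=108 from the late capture. The late capture also reproduces the Seq=0 Ack=0 of the page's receiver-side frame 1 and the Ack=84 of frame 2, because the client's base is taken from the ack field of the first server segment seen rather than from a SYN.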

  1. I see, not being captured and being dropped are two different things!

  2. This is important when doing capture experiments.
