Capture results differ between the sending side and the receiving side?

Sending side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-snd070817-2257 -R "tcp.port == 51401" | tail
94107 33.154248 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94108 33.154573 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94109 33.154897 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94110 33.155221 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94111 33.155548 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94112 33.155802 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
94113 33.156058 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=81738979 Win=563392 Len=0 TSV=179444729 TSER=113330957
94119 33.204014 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [FIN, ACK] Seq=81748203 Ack=191 Win=6912 Len=0 TSV=113330974 TSER=179444730
94120 33.204199 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [FIN, ACK] Seq=191 Ack=81748204 Win=563392 Len=0 TSV=179444742 TSER=113330974
94122 33.204530 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=81748204 Ack=192 Win=6912 Len=0 TSV=113330974 TSER=179444742
[/code]
Receiving side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-rcv070817-2257 -R "tcp.port == 51401" | tail
84694 27.916116 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84695 27.916136 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81744770 Win=8803 Len=0 TSV=179444730 TSER=113330959
84696 27.916439 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84697 27.916764 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84698 27.916782 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81747666 Win=8803 Len=0 TSV=179444730 TSER=113330959
84699 27.917022 192.168.2.12 -> 192.168.2.10 TCP [TCP segment of a reassembled PDU]
84700 27.917054 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=81748202 Win=8803 Len=0 TSV=179444730 TSER=113330959
84701 27.965231 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [FIN, ACK] Seq=81748202 Ack=0 Win=108 Len=0 TSV=113330974 TSER=179444730
84702 27.965275 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [FIN, ACK] Seq=0 Ack=81748203 Win=8803 Len=0 TSV=179444742 TSER=113330974
84703 27.965748 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=81748203 Ack=1 Win=108 Len=0 TSV=113330974 TSER=179444742
[/code]

On the sending side the FIN/ACK has Seq=81748203
On the receiving side the FIN/ACK has Seq=81748202

Why do they differ?

The reason lies in how wireshark (tshark) computes TCP sequence numbers: it takes the sequence number of the very first TCP segment it saw in that stream (a randomly initialised number) as base 0. So when the "first TCP segment seen" differs between the sender-side and receiver-side captures, the displayed numbers are shifted.

Sending side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-snd070817-2257 -R "tcp.port == 51401" | head
100 4.791747 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [SYN] Seq=0 Len=0 MSS=1460 TSV=179437639 TSER=0 WS=6
102 4.791882 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=113323870 TSER=179437639 WS=6
103 4.792085 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=179437639 TSER=113323870
106 4.792353 192.168.2.12 -> 192.168.2.10 TCP [TCP ACKed lost segment] 1234 > 51401 [ACK] Seq=1 Ack=42 Win=5824 Len=0 TSV=113323871 TSER=179437639
107 4.792843 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [PSH, ACK] Seq=42 Ack=1 Win=5888 Len=149 TSV=179437639 TSER=113323871
109 4.792954 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=1 Ack=191 Win=6912 Len=0 TSV=113323871 TSER=179437639
112 4.892060 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=1 Ack=191 Win=6912 Len=84 TSV=113323896 TSER=179437639
113 4.892243 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=85 Win=5888 Len=0 TSV=179437664 TSER=113323896
115 4.892549 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=85 Ack=191 Win=6912 Len=188 TSV=113323896 TSER=179437664
116 4.892726 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=191 Ack=273 Win=6912 Len=0 TSV=179437664 TSER=113323896
[/code]

Receiving side
[code]
noch@debian-noch:~/wa2/wa2$ tshark -r /tmp/tshark-tcp-rcv070817-2257 -R "tcp.port == 51401" | head
1 0.000000 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=0 Ack=0 Win=108 Len=84 TSV=113323896 TSER=179437639
2 0.000026 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=84 Win=92 Len=0 TSV=179437664 TSER=113323896
3 0.000031 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=84 Ack=0 Win=108 Len=188 TSV=113323896 TSER=179437664
4 0.000035 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=272 Win=108 Len=0 TSV=179437664 TSER=113323896
5 0.000040 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=272 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
6 0.000045 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=1720 Win=154 Len=0 TSV=179437714 TSER=113323946
7 0.000049 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [ACK] Seq=1720 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
8 0.000054 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=3168 Win=199 Len=0 TSV=179437714 TSER=113323946
9 0.000059 192.168.2.12 -> 192.168.2.10 TCP 1234 > 51401 [PSH, ACK] Seq=3168 Ack=0 Win=108 Len=1448 TSV=113323946 TSER=179437664
10 0.000122 192.168.2.10 -> 192.168.2.12 TCP 51401 > 1234 [ACK] Seq=0 Ack=4616 Win=244 Len=0 TSV=179437714 TSER=113323946
[/code]

You can see that the SYN from 192.168.2.10 to 192.168.2.12 was not captured on the receiving side.
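To make the shift reproducible, here is a small model of the relative-sequence-number rule described above, written for this post rather than taken from it or from Wireshark's source. It feeds the same stream once in full (as the sending side saw it) and once starting at the server's 84-byte PSH (as the receiving side saw it). The hosts and ports are the ones in the traces; the absolute initial sequence numbers, the exact segment list and the helper names are constructed.

```python
from dataclasses import dataclass

CLIENT, SERVER = "192.168.2.10", "192.168.2.12"   # hosts from the traces above
CLIENT_PORT, SERVER_PORT = 51401, 1234
CLIENT_ISN, SERVER_ISN = 1_000_000, 2_000_000     # constructed absolute ISNs


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int          # absolute sequence number as sent on the wire
    ack: int = 0      # absolute acknowledgment number (meaningful only with ACK)
    length: int = 0   # payload bytes


def relative_numbers(segments):
    """Return [(segment, relative_seq, relative_ack)] in capture order.

    Model of the rule the post describes: the first segment seen in a direction
    fixes that direction's base (displayed as Seq=0). If that segment carries ACK
    and the opposite direction has not been seen yet, its ACK value fixes the
    opposite base too; that is why the receiver trace prints Ack=0 on packet 1
    and then Seq=0 on the client's reply in packet 2.
    """
    base = {}
    out = []
    for seg in segments:
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        base.setdefault(fwd, seg.seq)
        if "ACK" in seg.flags:
            base.setdefault(rev, seg.ack)
        rel_seq = (seg.seq - base[fwd]) & 0xFFFFFFFF        # 32-bit wrap
        rel_ack = (seg.ack - base[rev]) & 0xFFFFFFFF if "ACK" in seg.flags else None
        out.append((seg, rel_seq, rel_ack))
    return out


def c(flags, seq, ack=0, length=0):   # client -> server
    return Segment(CLIENT, SERVER, frozenset(flags), seq, ack, length)


def s(flags, seq, ack=0, length=0):   # server -> client
    return Segment(SERVER, CLIENT, frozenset(flags), seq, ack, length)


C, S = CLIENT_ISN, SERVER_ISN
# Constructed stream shaped like the post's: handshake, 190 bytes from the
# client, then data from the server, then the server closes first.
FULL_STREAM = [
    c({"SYN"}, C),
    s({"SYN", "ACK"}, S, C + 1),
    c({"ACK"}, C + 1, S + 1),
    c({"PSH", "ACK"}, C + 1, S + 1, 41),
    c({"PSH", "ACK"}, C + 42, S + 1, 149),
    s({"ACK"}, S + 1, C + 191),
    s({"PSH", "ACK"}, S + 1, C + 191, 84),      # receiver capture starts here
    c({"ACK"}, C + 191, S + 85),
    s({"PSH", "ACK"}, S + 85, C + 191, 188),
    c({"ACK"}, C + 191, S + 273),
    s({"ACK"}, S + 273, C + 191, 1448),
    c({"ACK"}, C + 191, S + 1721),
    s({"FIN", "ACK"}, S + 1721, C + 191),
    c({"FIN", "ACK"}, C + 191, S + 1722),
    s({"ACK"}, S + 1722, C + 192),
]


def sender_view():
    """Relative numbers as the sending-side capture (SYN included) shows them."""
    return relative_numbers(FULL_STREAM)


def receiver_view():
    """Relative numbers when the capture missed the handshake: the segments
    were delivered, they just were not captured."""
    return relative_numbers(FULL_STREAM[6:])


def fin_seq(view, src):
    """Relative Seq displayed for the FIN sent by `src` in a given view."""
    return next(rs for seg, rs, _ in view if seg.src == src and "FIN" in seg.flags)


def render(view):
    """tshark-like one-liners, for eyeballing the two views side by side."""
    lines = []
    for seg, rs, ra in view:
        ack = f" Ack={ra}" if ra is not None else ""
        lines.append(f"{seg.src} -> {seg.dst} [{', '.join(sorted(seg.flags))}] "
                     f"Seq={rs}{ack} Len={seg.length}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("sender view\n" + render(sender_view()))
    print("\nreceiver view\n" + render(receiver_view()))
    print("\nserver FIN: sender sees Seq=%d, receiver sees Seq=%d"
          % (fin_seq(sender_view(), SERVER), fin_seq(receiver_view(), SERVER)))
```

With the SYN captured, the server's data starts at relative 1 because the SYN consumed one sequence number; when the capture starts at the first data segment, that same byte becomes 0, which is the off-by-one between 81748203 and 81748202 in the traces. The client direction shifts by 191 for the same reason: the receiver's base for it came from the Ack of the first packet it saw.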

  1. I see, so not being captured and being dropped are two separate things!

  2. This matters when running capture-related experiments