=== ch04.docx
[chap] Chapter 4: Packet capture techniques in Wireshark

The previous chapter introduced the basics of Wireshark, so now let's actually capture and analyze some packets. This chapter covers techniques for working with capture files, working with individual packets, and time display formats. It then looks at the more advanced options for capturing packets and dives into the world of filters.

Working with capture files
Once you start doing packet analysis, you will find that you often need to capture first and analyze later. Typically you capture packets on several occasions, save them, and analyze them all at once afterward. For this reason Wireshark can save captured packets as capture files for later analysis, and it can also merge several capture files into one.


Saving and exporting capture files
To save captured packets, select [File] > [Save As]. The [Save File As] dialog shown in Figure 4-1 appears; here you choose where to save the captured packets and the file format. If you do not specify a format, the file is saved in .pcap format.

Figure 4-1: Saving a capture file from the [Save File As] dialog
(Figure4-1.tiff)


The [Save File As] dialog also has a handy feature: it can save only a specified range of packets. This is very useful for cutting a bloated capture file down to size. You can save only the packets within a range of packet numbers, only marked packets, or only the packets shown by a display filter (marking and filters are covered later in this chapter).
(Translation supervisor's note: In version 1.8.0, the latest at the time of translation, this feature is no longer part of [Save As] but has its own menu item, [Export Specified Packets]. The [Export Specified Packets] dialog is shown in Figure 4-1b. / Figure 4-1b: Saving a capture file from the [Export Specified Packets] dialog / (Figure4-1b.tiff))
Wireshark can also export capture data in formats such as text, PostScript, CSV, and XML, so that it can be viewed in other ways or imported into other packet analysis tools. To export, select [File] > [Export] and choose the file format for the exported file. As when saving with [Save As], you can choose the format under [File type].
(Translation supervisor's note: In version 1.8.0, the latest at the time of translation, this feature has been removed.)

Merging capture files
When analyzing packets you will sometimes need to merge several capture files. This is common, for example, when comparing two data streams or when combining traffic streams that were captured separately.
To merge capture files, open the capture file you want to merge into and select [File] > [Merge]; the [Merge with Capture File] dialog shown in Figure 4-2 opens. Choose the file to merge into the file that is already open, then choose the merge method. There are three methods: [Prepend packets to existing file] (adds the packets of the merged capture file before the currently displayed packets), [Append packets to existing file] (adds them after the currently displayed packets), and [Merge packet chronologically] (interleaves them in timestamp order).

Figure 4-2: Merging two files with [Merge with Capture File]

Working with packets
Once you start analyzing packets, you will eventually face enormous numbers of them. As the packet count grows into the thousands and millions, you need to work efficiently. For this, Wireshark lets you find packets that match specific criteria and mark them. You can also print packets to make them easier to review.

Finding packets
To find packets that match specific criteria, press Ctrl-F to open the [Find Packet] dialog shown in Figure 4-3.

Figure 4-3: Finding packets that match specific criteria in Wireshark

There are three options for finding packets:
- [Display filter]: enter an expression-based filter; only packets matching the expression are found.
- [Hex value]: find packets containing the specified hexadecimal value (bytes separated by colons).
- [String]: find packets containing the specified text string.

Table 4-1 shows examples of each.

Table 4-1: Examples of packet searches
Search type	Examples
Display filter	not ip	ip address==192.168.0.2	arp
Hex value	00:ff	ff:ff	00:AB:B1:f0
String	Workstation1	UserB	domain


Other options let you choose which pane to search, the character encoding to use, and the search direction; for string searches you can also choose whether the search is case sensitive.
Set the options, enter the search criteria in the text box, and click [Find]; the first packet matching the criteria is shown. Press Ctrl-N to jump to the next match and Ctrl-B to jump to the previous one.

Marking packets
After finding the packets that match your criteria, you can mark them. Marking is handy when you want to save those packets separately, or when you want them highlighted in color so they are easy to find. Marked packets are shown with a black background and white text, as in Figure 4-4 (and when saving captured packets to a file, you can save only the marked packets).
To mark a packet, right-click it in the Packet List pane and select [Mark Packet] from the pop-up menu. You can also click the packet and press Ctrl-M. Pressing Ctrl-M again unmarks it. You can mark as many packets as you like. With several packets marked, Shift-Ctrl-N and Shift-Ctrl-B jump between the marked packets.

Figure 4-4: Marked packets are highlighted; in this example the first packet is marked, so its colors are inverted


Printing packets
Packet analysis is usually done on screen, but sometimes you need to print. The author prints packets and tapes them to the wall so he can refer to them while doing other analysis. Being able to print packets, for example to PDF, is very handy when writing reports.
To print captured packets, select [File] > [Print] from the main menu; the [Print] dialog shown in Figure 4-5 appears.

Figure 4-5: Printing packets from the [Print] dialog

The [Print] dialog lets you print the selected data as text or PostScript, or write it to a file. As in the [Save File As] dialog, you can print only a range of packet numbers, only marked packets, or only the packets shown by a display filter. You can also print all three panes or only selected panes. Choose your options and click [Print].

Ԃ̕\`Ɗԕ\
pPbg͂ɂāAԂ͏dvȗvfłBlbg[NŔĂ鎖ۂ͎Ԃ̗vfɂ͌ꂸA͂̍ۂɂ́AقƂǂׂẴLv`t@CŒʐM̌Xlbg[N̒x𒲂ׂ邱ƂKvɂȂł傤BWiresharkł́AԂ̏dv𓥂܂A̃IvV񋟂Ă܂Bł́AԂ̕\`Ɗԕ\Ă܂傤B

Time display formats
Wireshark stamps each captured packet with the system time at the moment of capture. It can display the absolute time at which a packet was captured, or a time relative to the previous packet or to the start of the capture.
Time display options are set from the main menu under [View] > [Time Display Format] (Figure 4-6). Besides the display format you can choose the display precision: automatic, or manually seconds, milliseconds, microseconds, and so on. Later chapters of this book change these options in places, so keep this setting in mind.

Packet time references
Wireshark can set a packet time reference (Packet Time Reference), which displays times relative to the moment a chosen packet was captured. This is especially useful when examining a series of events that started somewhere other than the beginning of the capture.
To display times relative to a packet, select the packet in the Packet List pane and choose [Edit] > [Set Time Reference] from the main menu. To remove the reference, select the packet and choose [Edit] > [Set Time Reference] again; the option is a toggle.
When set, the Time column of the reference packet in the Packet List pane shows *REF*, as in Figure 4-7.
This setting is only meaningful when the time display format is set to time relative to the start of the capture. With any other format it is not only meaningless but produces a confusing display.

Figure 4-6: The various time display formats

Figure 4-7: A packet set as the time reference


Setting capture options
Chapter 3 explained the very basics of packet capture. As shown in Figure 4-8, Wireshark's [Capture Options] dialog lets you set a wide range of options. To open it, select [Capture] > [Interfaces] and click the [Options] button to the right of the interface you want to capture on.
(Translation supervisor's note: In version 1.8.0, the latest at the time of translation, packets can be captured from several NICs at once, as explained for Figure 3-4, so the layout of this dialog has changed and the [Options] button has moved to the bottom of the dialog. The capture interface is then selected again inside the dialog.)

The [Capture Options] dialog is packed with options, all of them there to make packet capture more convenient. Let's go through the [Capture], [Capture Files], [Stop Capture], [Display Options], and [Name Resolution] sections one at a time.

Capture settings
In the [Capture] section, the [Interface] drop-down list selects the network interface to configure. Switching this list between Local and Remote lets you specify an interface on a remote host. The drop-down lists the interfaces available for capture, and below it the IP address of the selected interface is shown.

Figure 4-8: The [Capture Options] dialog

i3̃`FbN{bNXŁAv~XLX[h̗L؂ւiftHgł͗LɂȂĂ܂jA_ł͎iKɂpcap-ngtH[}bgŃpPbgLv`AepPbg̃TCY̏oCgPʂŎw肵肷邱Ƃł܂B

The buttons on the right of the [Capture] section configure wireless and remote capture settings (where available).

The [Buffer size] option below them is available only on Windows systems. It sets the size of the kernel buffer that holds captured packets before they are written to disk (unless you find yourself dropping large numbers of packets, there is no need to change this value).

(Translation supervisor's note: In version 1.8.0, the latest at the time of translation, several capture interfaces can be selected at once, as explained for Figure 3-5b, so the user interface has changed substantially, as shown in Figure 4-8b.

Figure 4-8b: The [Capture Options] dialog
(Figure04-8b.tiff)

Interfaces on remote hosts are configured from the menu shown by the [Manage Interfaces] button on the right of the [Capture] section.
Promiscuous mode, the per-packet size limit, and the [Buffer size] option are set per interface in the [Edit Interface Settings] dialog (Figure 4-8c), which opens when you double-click an interface (to toggle promiscuous mode for all interfaces at once, use the check box at the lower left of the [Capture] section).
Use of the pcap-ng format is controlled by [Use pcap-ng format] in the [Capture File(s)] section.

Figure 4-8c: The [Edit Interface Settings] dialog
(Figure04-8c.tiff)
j

Capture File settings
The [Capture File] section lets you save captured packets to a file automatically, instead of capturing first and saving afterward, which gives you control over how the packets are stored. Packets can be saved to a single file, to a file set, or to a ring buffer that cycles through a specified number of files. To use this option, enter the full path of the file in the [File] text box.
File sets are useful when capturing large volumes of traffic or capturing over a long period. A file set is a group of files split according to specified conditions. To save as a file set, select the [Use Multiple Files] option.

Wireshark controls when the files of a file set are created with triggers based on file size and on elapsed time. To enable a trigger, check the corresponding [Next File Every] check box (the upper one is size based, the lower one time based) and specify a value and a unit. For example, you can create a new file every time 1 MB of packets has been captured, or, as in Figure 4-9, every time an hour of capture has elapsed.

Figure 4-9: A file set created by Wireshark at one-hour intervals

The options can be combined. If you specify both of the triggers above, a new file is created whenever 1 MB of data has been captured or one hour has elapsed, whichever comes first.
[Ring Buffer With] enables a ring buffer when creating a file set. When Wireshark writes files it uses FIFO (first in, first out) handling. The term "ring buffer" has several meanings in technical usage, but here it means a file set in which, once the last file fills up and more data has to be saved, the first file is overwritten. When you enable this option, specify the maximum number of files. Suppose you create a new file every hour and set the ring buffer to 6. When the sixth file is created the ring buffer has gone around once, and when the seventh file would be created the first file is overwritten instead. New data keeps being written, but the number of data files on the hard disk never exceeds six.
The [Stop Capture After] option stops the capture once the specified number of files has been created.

Stop Capture settings
The [Stop Capture] section configures stopping the capture when a trigger condition is met. Besides the file size and elapsed time triggers also used for file sets, a trigger based on the number of packets is available. These options can be combined with the ones described above.

Display Options
The [Display Options] section controls how captured packets are displayed. [Update List of Packets in Real Time] is the usual option here and is combined with [Automatic Scrolling in Live Capture]. With it enabled, packets are displayed as they are captured; otherwise all captured packets are displayed only once the capture is stopped.

Note: Using [Update List of Packets in Real Time] and [Automatic Scrolling in Live Capture] together puts a heavy load on the CPU even when the amount of data captured is small. Unless you need to check packets in real time, it is better to leave both options off.

The [Hide Capture Info Dialog] option hides the small window that, during capture, shows the number and percentage of captured packets per protocol.

Name Resolution settings
The [Name Resolution] section controls automatic name resolution for captured MAC (layer 2), network layer (layer 3), and transport layer (layer 4) addresses. Name resolution in Wireshark, including its drawbacks, is covered in detail in Chapter 5.


Using filters
Filters let you pinpoint exactly which packets you want to analyze. Simply put, a filter is an expression that defines which packets to include or exclude. If there are packets you do not want to see, you write a filter to exclude them; if there are packets you want to see on their own, you write a filter that shows only those.
Wireshark has two broad kinds of filters:

- Capture filters are applied while packets are being captured; only packets matching the expression are captured.
- Display filters are applied to packets that have already been captured; based on the expression, unneeded packets are hidden and only the packets you need are displayed.

Let's start with capture filters.

Capture filters
Capture filters are applied while packets are being captured. The main reason to use a capture filter is performance. If you know that part of the traffic is not needed, filtering it out with a capture filter saves the CPU time that would be spent capturing those packets.
Being able to write your own capture filters is useful when dealing with large amounts of data. Limiting the capture to just the packets you need makes the analysis faster.

A typical use of a capture filter is capturing the traffic of a server that provides many services. Say you are troubleshooting a service that uses port 262 on such a server. Rather than capturing everything and then analyzing only the port 262 traffic, a capture filter lets you capture only the packets on port 262. As described at the start of this chapter, you create the capture filter from the [Capture Options] dialog as follows.

1. Select [Capture] > [Interfaces], click the [Options] button to the right of the interface you want to capture on, and open the [Capture Options] dialog (Translation supervisor's note: In version 1.8.0, the latest at the time of translation, click the [Options] button at the bottom of the dialog to open the [Capture Options] dialog).
2. Select the interface to capture on (Translation supervisor's note: In version 1.8.0, double-click the interface to open the [Edit Interface Settings] dialog shown in Figure 4-8c).
3. Apply the capture filter by entering an expression to the right of the [Capture Filter] button. To capture the traffic sent on port 262, enter "port 262" as in Figure 4-10 (the syntax is explained in the next section).
4. After creating the filter, click the [Start] button to begin capturing (Translation supervisor's note: In version 1.8.0, click [OK] and then click the [Start] button).

Figure 4-10: Creating a capture filter in the Capture Options dialog

Capture packets for a while and confirm that only traffic sent on port 262 is being collected. This lets you analyze exactly the data you need.

Capture filter (BPF) syntax
Capture filters are interpreted by WinPcap and are written in Berkeley Packet Filter (BPF) syntax. Many packet analysis tools use this syntax because most of them are built on the libpcap/WinPcap library, which understands BPF expressions. Understanding BPF syntax is essential for deep analysis at the network packet level.

A filter written in BPF syntax is called an expression, and each expression consists of one or more primitives. A primitive consists of one or more qualifiers (Table 4-2) followed by an ID or a numeric value, as shown in Figure 4-11.

Table 4-2: BPF qualifiers
Qualifier	Description	Examples
Type	What the ID or number refers to	host, net, port
Dir	The direction of transfer to or from the ID or number	src, dst
Proto	The protocol to restrict the match to	ether, ip, tcp, udp, http, ftp

Figure 4-11: Components of a capture filter (labels in the figure: primitive, operator, primitive; qualifier)

Let's try it. Combining the qualifier src with the ID 192.168.0.10 creates a primitive. Using this primitive alone captures only traffic coming from the IP address 192.168.0.10.
Primitives can be combined with logical operators to build more advanced expressions. The three logical operators are:
- Logical AND (&&)
- Logical OR (||)
- Negation, NOT (!)

For example, the following expression captures only traffic whose source IP address is 192.168.0.10 and which is sent on port 80:

src 192.168.0.10 && port 80

Filtering by host and address
Most filters specify a particular device or group of devices on the network. Depending on the situation, you can filter on a device's MAC address, IPv4 address, IPv6 address, or DNS host name.
For example, suppose you are interested in the traffic of a particular host that is talking to a server on the network. On the server, a filter that captures all traffic involving that host's IPv4 address is written with the host qualifier:

host 172.16.16.149

On an IPv6 network, use the host qualifier with an IPv6 address:

host 2001:db8:85a3::8a2e:370:7334

You can also filter by host name:

host testserver2

If the host's IP address may change, you can filter on its MAC address instead, using the ether protocol qualifier:

ether host 00-1a-a0-52-e2-a0

Direction qualifiers are combined with these to capture only traffic in which the specified device is the source or the destination. For example, to capture only traffic sent by the host, add the src qualifier:

src host 172.16.16.149

If the server at 172.16.16.149 is having trouble and you want to capture only the data destined for it, add the dst qualifier:

dst host 172.16.16.149

If a primitive uses no type qualifier (host, net, port), host is assumed. So the previous example can also be written without the host qualifier:

dst 172.16.16.149


Filtering by port and protocol

Besides filtering on hosts, you can filter on the port each packet uses. Port filters are used to filter on a service or application based on the port it listens on. For example, a simple filter that captures only traffic on port 8080 looks like this:

port 8080

To capture all traffic except port 8080:

!port 8080

Port filters can also be combined with direction qualifiers. For example, to capture only traffic going to a web server listening on the standard HTTP port 80, use the dst qualifier:

dst port 80

Filtering by protocol
Protocol filters restrict the capture to a specific protocol. They are used for protocols that cannot be identified by port number, that is, protocols below the application layer. For example, to see only ICMP traffic:

icmp

To see all traffic except IPv6:

!ip6

Filtering by protocol field
One of the real strengths of BPF syntax is the ability to examine individual bytes of a protocol header and build filters on that data. With these advanced filters you can check specific bytes at a specific position in the packet.
For example, let's filter on the type field of the ICMP header. The type field is at the very start of the ICMP packet, at offset 0. To specify the position to examine, append the offset, enclosed in square brackets ([ ]), to the protocol qualifier: in this example, icmp[0]. This returns a one-byte value that can be used in a comparison. For example, to capture only ICMP Destination Unreachable messages (type 3), use the equality operator:

icmp[0] == 3

To examine ICMP echo request (type 8) and echo reply (type 0) packets, combine two primitives with the OR operator:

icmp[0] == 8 || icmp[0] == 0

These filters work fine, but they only examine a single byte of the packet header. Fortunately, you can also specify how many bytes to return by appending a colon and a length after the offset inside the brackets.
For example, suppose you want to capture ICMP type 3, code 1 (Host Unreachable) packets. These are two one-byte fields starting at offset 0 of the header. To identify them, examine the two bytes starting at offset 0 and compare them with the hexadecimal value 0x0301 (type 3, code 1):

icmp[0:2] == 0x0301

Capturing TCP packets with the RST flag set is another common need. TCP is covered in detail in Chapter 6; for now, note that the TCP flags live at offset 13. The flags field is one byte, and each bit of that byte identifies one flag. A TCP packet can have several flags set at once, so the expression tcp[13] on its own does not filter effectively: other bits may be set alongside RST. To pick out a position within the byte, the primitive needs the & (ampersand) symbol. The RST flag corresponds to the value 4 in this byte, so if that bit is set the flag is set. The filter is:

tcp[13] & 4 == 4

To see packets with the PSH flag (value 8) set, specify that position instead:

tcp[13] & 8 == 8
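An added example, not from the book or from Wireshark: a small Python evaluator for the byte-offset primitives used in this section (icmp[0] == 3, icmp[0:2] == 0x0301, tcp[13] & 4 == 4), run against two hand-constructed IPv4 packets. It shows what the offset, the length and the & mask actually do, including libpcap's rule that a primitive reading past the end of the packet simply does not match; the function and packet names are my own.

```python
# Added example (not from the book): evaluates BPF byte-offset primitives such
# as icmp[0] == 3, icmp[0:2] == 0x0301 and tcp[13] & 4 == 4 against raw IPv4
# packets. Offsets are relative to the named protocol's header, which is found
# through the IPv4 IHL field as libpcap does. Function names are my own.
import re
import struct
from typing import Optional

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}   # IPv4 protocol numbers
# grammar: proto[offset(:length)] (& mask)? (==|!=) value
PRIMITIVE = re.compile(
    r"^\s*(icmp|tcp|udp)\[(\d+)(?::(\d+))?\]\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?"
    r"\s*(==|!=)\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def transport_header(packet: bytes, proto: str) -> Optional[bytes]:
    """Bytes from the start of the named protocol's header, or None when the
    packet is not IPv4 or carries another protocol (primitive cannot match)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    if packet[9] != PROTO_NUM[proto]:          # IPv4 protocol field
        return None
    return packet[ihl:]

def match(expr: str, packet: bytes) -> bool:
    """Return True when the single primitive in expr matches the packet."""
    m = PRIMITIVE.match(expr)
    if not m:
        raise ValueError(f"unsupported primitive: {expr!r}")
    proto, off, length, mask, op, value = m.groups()
    off, length = int(off), int(length or 1)
    hdr = transport_header(packet, proto)
    if hdr is None or len(hdr) < off + length:
        return False                           # reading past the end never matches
    field = int.from_bytes(hdr[off:off + length], "big")
    if mask is not None:
        field &= int(mask, 0)                  # the "& 4" part of tcp[13] & 4 == 4
    return (field == int(value, 0)) == (op == "==")

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (IHL 5, no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([172, 16, 16, 149]), bytes([172, 16, 16, 1]))
    return hdr + payload

# Constructed sample packets: an ICMP host-unreachable (type 3, code 1) and a
# TCP segment whose flags byte at offset 13 is 0x14, i.e. ACK and RST set.
ICMP_HOST_UNREACH = ipv4(1, bytes([3, 1, 0, 0]) + bytes(4))
TCP_RST_ACK = ipv4(6, struct.pack("!HHIIBBHHH", 80, 51000, 1, 1, 0x50, 0x14, 0, 0, 0))
```

Calling match("tcp[13] & 4 == 4", TCP_RST_ACK) returns True while match("tcp[13] & 8 == 8", TCP_RST_ACK) returns False, which is exactly the distinction the & mask makes; the evaluator handles one primitive at a time, so the || combination above would be two calls.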


Capture filter examples
Whether you can write the filter you need at the moment you need it has a big influence on how well an analysis goes. Table 4-3 lists capture filters the author uses often.

Table 4-3: Commonly used capture filters
Filter	Description
tcp[13] & 32 == 32	TCP packets with the URG flag set
tcp[13] & 16 == 16	TCP packets with the ACK flag set
tcp[13] & 8 == 8	TCP packets with the PSH flag set
tcp[13] & 4 == 4	TCP packets with the RST flag set
tcp[13] & 2 == 2	TCP packets with the SYN flag set
tcp[13] & 1 == 1	TCP packets with the FIN flag set
tcp[13] == 18	TCP SYN-ACK packets
ether host 00:00:00:00:00:00 (replace with the actual MAC address)	Traffic to or from the specified MAC address
!ether host 00:00:00:00:00:00 (replace with the actual MAC address)	Traffic to or from anything other than the specified MAC address
broadcast	Broadcast traffic only
icmp	ICMP traffic
icmp[0:2] == 0x0301	ICMP host unreachable
ip	IPv4 traffic only
ip6	IPv6 traffic only
udp	UDP traffic only


Display filters
A display filter is applied to a capture file and shows only the packets that match the filter. Display filters are entered in the [Filter] text box above the Packet List pane.
Display filters are used more often than capture filters because they let you filter packets without losing any of the data in the capture file. Remove the filter and the original capture is shown again whenever you need it.
Display filters are especially helpful for clearing meaningless broadcast packets out of a capture file. Suppose you want to remove ARP broadcasts from the Packet List pane because they have nothing to do with the problem at hand. The ARP packets might be needed later in the analysis, so rather than deleting them it is better to hide them temporarily with a display filter.
To hide ARP packets, click in the [Filter] text box above the Packet List pane, enter !arp as in Figure 4-12, and press Enter; all ARP packets disappear from the Packet List pane. To remove the filter, click the [Clear] button.

Figure 4-12: Creating a display filter in the [Filter] text box above the Packet List pane

The [Filter Expression] dialog (an easy way to build filters)
The [Filter Expression] dialog shown in Figure 4-13 helps Wireshark beginners create capture filters and display filters easily. To open it, click the [Capture Filter] button in [Capture Options] and then the [Expression] button (Translation supervisor's note: this is probably an error by the author; in practice you click the [Expression] button in the main window, or select [Analyze] > [Display Filter] from the main menu and click the [Expression] button in that dialog).
The left side of the dialog lists the available protocol fields, showing which filter elements can be used. To create a filter, follow these steps:
1. Click the [+] next to a protocol to see the filter elements available for it, and click the element you want to use.
2. After selecting an element, specify how its value is evaluated. The evaluation is an operator such as equals (=), greater than (>), or less than (<).
3. Specify the value to complete the filter. Choose one of the predefined values Wireshark offers, or enter a value yourself.
4. Click [OK] to create the filter. The created filter is shown as text.

The [Filter Expression] dialog is very convenient for beginners, but once you know how filters work it is better to write them by hand. Display filters are very powerful, and their syntax is simple.

Figure 4-13: Filters are easy to create with the [Filter Expression] dialog

Filter syntax (how to write filters)
Capture filters and display filters are most often used to filter on a particular protocol. For example, when troubleshooting TCP there is no need to see anything but TCP traffic, so you create a filter that shows only TCP.
Let's look at the problem from the other side. Consider troubleshooting something that has nothing to do with TCP. If heavy use of ping is generating a lot of ICMP traffic, the filter !icmp removes the ICMP traffic from view.
Comparison operators let you compare values. For example, when troubleshooting a TCP/IP network you often want to see every packet involving a particular IP address. With the comparison operator ==, you can create a filter that shows only packets containing the IP address 192.168.0.1:

ip.addr==192.168.0.1

Now consider showing only packets of 128 bytes or less. Here the <= comparison operator is used in the filter:

frame.len <= 128

WiresharkŎgp\ȔrZq͕\4-4̂ƂłB

Table 4-4: Comparison operators available in Wireshark filters
Operator	Meaning
==	equal to
!=	not equal to
>	greater than
<	less than
>=	greater than or equal to
<=	less than or equal to

Logical operators combine several expressions into a single filter. Without them you would have to apply filters one after another. For example, suppose you want to see packets containing either of two IP addresses. Use the or operator so that packets containing either address are shown:

ip.addr==192.168.0.1 or ip.addr==192.168.0.2

WiresharkŎgp\Ș_Zq͕\4-5̂ƂłB

Table 4-5: Logical operators available in Wireshark filters

Operator	Description
and	logical AND
or	logical OR
xor	exclusive OR
not	negation

Display filter examples
The concept of filters is not hard, but when you actually write one you may be unsure which keywords and operators to use. Table 4-6 lists display filters the author uses often. For the full list, see the Wireshark display filter reference at http://www.wireshark.org/docs/dfref/.

Table 4-6: Commonly used display filters
(Only the description column of this table survives in the source; the filter expressions themselves are missing.)
Description
RDP traffic
TCP packets with the SYN flag set
TCP packets with the RST flag set
All ARP traffic
HTTP traffic
Remote administration traffic (Telnet, FTP)
Email traffic (SMTP, POP, IMAP)

Saving filters

Once you have created capture filters and display filters like these, you will notice that there are some you use over and over. There is no need to recreate a filter every time: Wireshark can save filters. To save a capture filter you have written, follow these steps.

1. Select [Capture] > [Capture Filters] to open the [Capture Filter] dialog.
2. Click the [New] button at the left of the dialog to create a new filter.
3. Enter a name for the filter in the [Filter Name] box.
4. Enter the filter expression in the [Filter String] box.
5. Click the [Save] button to save the filter.

To save a display filter you have written, follow these steps.

1. Select [Analyze] > [Display Filters], or click the [Filter] button above the Packet List pane, to open the [Display Filter] dialog shown in Figure 4-14.

Figure 4-14: Saving a filter in the [Display Filter] dialog

2. Click the [New] button at the left of the dialog to create a new filter.
3. Enter a name for the filter in the [Filter Name] box.
4. Enter the filter expression in the [Filter String] box.
5. Click the [Save] button to save the filter.

Wireshark also ships with predefined filters, which are a good way to see what filters look like. Together with Wireshark's help pages, they serve as references when you create your own. Filters are used throughout the examples in the rest of this book.
