=== ch04.docx
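[chap]Chapter 4  Packet Capture Techniques in Wireshark

The previous chapter introduced Wireshark, so you are now ready to capture and analyze packets. This chapter covers how to work with capture files, packets, and time display formats. It also covers more advanced packet capture options and filters.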

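Working with Capture Files
Packet analysis does not always happen at the same time as packet capture. Usually you capture packets, save them, and then begin the analysis. For that reason, Wireshark can save captured packets as a capture file. It can also merge multiple capture files.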


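Saving and Exporting Capture Files
To save captured packets, choose [File] → [Save As]. The [Save File As] dialog appears, as shown in Figure 4-1. Choose where to save the captured packets and which file format to use. If you do not specify a format, the capture is saved in the .pcap file format.

Figure 4-1  Saving a capture file with the [Save File As] dialog

The [Save File As] dialog can also save only specific packets, which is very useful for reducing the size of capture files that have grown too large. You can save only the packets in a given packet-number range, only marked packets, or only the packets shown by a display filter (marking and filters are covered later in this chapter).
Wireshark can also export capture data to formats such as text, PostScript, CSV, and XML, and to the capture file formats of other packet analysis tools. To export, choose [File] → [Export] and select the format for the exported file. When saving with [Save As], you can likewise choose the format in the file type field.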

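Merging Capture Files
Some analysis requires merging multiple capture files. This is commonly done when comparing two data streams, or when combining streams of the same traffic that were captured separately.
To merge capture files, open one of the capture files you want to merge and choose [File] → [Merge] to open the [Merge with Capture File] dialog shown in Figure 4-2. Select the file to merge and how to merge it. There are three methods: [Prepend packets to existing file] (adds the packets of the selected capture file before the packets currently displayed), [Append packets to existing file] (adds them after the packets currently displayed), and [Merge packet chronologically] (adds them in chronological order according to their timestamps).

Figure 4-2  Merging two files with [Merge with Capture File]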

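Working with Packets
Once you start analyzing packets, you will face enormous numbers of them. As the count climbs into the thousands and millions, you will not cope unless you work through them efficiently. Wireshark therefore lets you search for packets that match given criteria and mark them. You can also print packets for reference.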

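Finding Packets
To find a specific packet, press Ctrl-F to open the [Find Packet] dialog shown in Figure 4-3.

Figure 4-3  Finding a specific packet in Wireshark

There are three options for finding packets.
The [Display filter] option takes a filter expression.
The [Hex value] option specifies the packet by a hexadecimal value (bytes separated by colons).
The [String] option specifies the packet by a text string.

Table 4-1 shows examples of each.

Table 4-1  Packet search examples
Search type       Examples
Display filter    not ip    ip.addr==192.168.0.2    arp
Hex value         00:ff    ff:ff    00:AB:B1:f0
String            Workstation1    UserB    domain


Other options let you choose the pane to search, the character set to use, and the search direction.
After setting the options, enter the string to search for in the text box and click [Find] to display the packet that matches. Press Ctrl-N to find the next match and Ctrl-B to find the previous one.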

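Marking Packets
Once you have found the packets that match your criteria, you can mark them. You might mark packets in order to save them separately, for example, or to make them easy to spot by their colour. Marked packets stand out in white on a black background, as in Figure 4-4. When saving captured packets to a file, you can also save only the marked packets.
To mark a packet, right-click it in the Packet List pane and choose [Mark Packet] from the pop-up menu, or click the packet and press Ctrl-M. Pressing Ctrl-M again removes the mark. You can mark as many packets as you like. When several packets are marked, Shift-Ctrl-N and Shift-Ctrl-B jump between the marked packets.

Figure 4-4  A marked packet is highlighted. In this example the first packet is marked and appears in a darker colour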


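Printing Packets
Most analysis is done on screen, but you may sometimes need to print the data. The author prints packets and sticks them on the desk so that their contents can be referred to while doing other analysis. Printing packets to PDF is also handy, particularly when writing reports.
To print captured packets, choose [File] → [Print] from the main menu to open the dialog shown in Figure 4-5.

Figure 4-5  Printing specific packets with the [Print] dialog

In the [Print] dialog you can print the selected data as text or PostScript, or send it to a file. As in the [Save File As] dialog, you can print only specific packets: a packet-number range, marked packets, or the packets shown by a display filter. You can also choose which of the three panes to print. Select the options and click [Print].

Time Display Formats and Relative Time Display
Time is an important element of packet analysis. During analysis you need to examine the timing of the communication and its trends. Wireshark recognises the importance of time and provides several options for it. This section looks at time display formats and relative time display.

Time Display Formats
Wireshark records a timestamp on each packet, based on the system time. It can show the system time at the exact moment the packet was captured, or the time relative to the first captured packet.
The time display options are set under [View] → [Time Display Format] in the main menu, as shown in Figure 4-6. Besides the display format, you can choose the time precision, such as seconds, milliseconds, or microseconds. This book changes these options frequently, so get used to them now.

Relative Time Display
Wireshark can display times relative to the time at which a particular packet was captured. This lets you examine a series of events that were triggered somewhere other than at the start of the capture file.
To display relative times, select the packet to use as the reference in the Packet List pane and choose [Edit] → [Set Time Reference] from the main menu. To turn this off, select the packet and toggle the [Edit] → [Set Time Reference] setting.
When relative time display is enabled, the time column of the reference packet shows *REF*, as in Figure 4-7.
Relative time display is meaningful only when the time display format is set to show the time elapsed since the start of the capture. Other formats will produce confusing results.

Figure 4-6  The various time display formats

Figure 4-7  The packet used as the time reference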


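Setting Capture Options
Chapter 3 covered the very basics of packet capture. As Figure 4-8 shows, the [Capture Options] dialog in Wireshark offers a considerable number of options. To open the dialog, choose [Capture] → [Interfaces] and click the [Options] button for the interface on which you want to capture packets.
The [Capture Options] dialog is packed with settings, all designed to make packet capture more convenient. The options are divided into [Capture], [Capture Files], [Stop Capture], [Display Options], and [Name Resolution]; let's look at them one by one.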

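Capture Settings
Select the network interface from the [Interface] drop-down menus under [Capture]. The left one specifies whether the interface is local or remote, and the right one lists the interfaces available for capture. The IP address of the selected interface is shown below the drop-down menus.

Figure 4-8  The [Capture Options] dialog

The three checkboxes enable or disable promiscuous mode (enabled by default), capture packets in the pcap-ng format (still experimental at the time of writing), and limit the size of each captured packet in bytes.
The buttons on the right give access to wireless and remote settings (where available). The buffer size option below them is available only on Windows systems. It sets the amount of captured packet data held in the kernel buffer before it is written to disk. Normally you leave this value unchanged unless you notice that a large number of packets are being dropped. The [Capture Filter] option sets a capture filter.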

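Capture File Settings
Under [Capture File], captured packets can be saved to a file automatically instead of being captured first and saved afterwards. This makes managing saved packets considerably easier. You can save to a single file or to a file set, and you can use a ring buffer to control the number of files created. To use this option, enter the full file path and file name in the [File] text box.
File sets are useful when capturing a large volume of packets or capturing over a long period. A file set is a group of files split according to some condition. To save as a file set, select the [Use Multiple Files] option.
Wireshark uses triggers to manage file sets according to conditions such as file size or time. To enable this, select a [Next File Every] option (the upper one is the file-size trigger, the lower one the time-based trigger) and specify the trigger value and unit. For example, you can set a trigger that creates a new file each time the captured packets reach 1MB, or each time one minute of capture has elapsed, as in Figure 4-9.

Figure 4-9  A file set created at one-minute intervals

The options can be combined. If you specify both of the triggers above, a new file is created when 1MB of data has been captured or when one minute has elapsed, whichever condition is met first.
The [Ring Buffer With] option uses a ring buffer when creating the file set. This is FIFO (what arrives first is handled first, and what arrives later waits until that is done). "Ring buffer" has several meanings as a technical term, but in Wireshark it means that once the last file has been written and more data still needs to be saved, the first file is overwritten. With this option selected you can specify the maximum number of files to create. Suppose a new file is created every hour and the ring buffer is set to 6. Once the sixth file has been created the ring buffer cycles back and, instead of creating a seventh file, overwrites the first. With this setting new data keeps being written, but the number of data files on the hard disk never grows beyond six.
The [Stop Capture After] option stops the capture once a set number of files have been created.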

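Stop Capture Settings
Under [Stop Capture], the capture stops when a given trigger is reached. As with file sets, the trigger can be a file size, a time interval, or a number of packets. These options can be used together with the multiple-file options described above.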

Display Options
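[Display Options] controls how captured packets are displayed. [Update List of Packets in Real Time] does what its name says, and can be combined with the [Automatic Scrolling in Live Capture] option. With both enabled, all captured packets are displayed, with the most recently captured packet shown first.

Note  Using [Update List of Packets in Real Time] together with [Automatic Scrolling in Live Capture] puts a heavy load on the processor even when the amount of data being captured is not large. Unless you have a reason to check packets in real time, it is better not to use these options.

The [Hide Capture Info Dialog] option hides the small window that shows the number and percentage of captured packets by protocol.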

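Name Resolution Settings
The [Name Resolution] options enable name resolution for MAC (layer 2), network (layer 3), and transport (layer 4). Name resolution in Wireshark, including its drawbacks, is covered in detail in Chapter 5.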


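Using Filters
Filters let you specify exactly which packets to analyze. A filter is an expression that defines the conditions under which packets are included or excluded. If there are packets you do not want to see, create a filter that removes them. If there are packets you particularly want to see, create a filter that shows only those.
Wireshark has two kinds of filters.

・Capture filters are used while packets are being captured, and capture only the packets that the expression says to include or exclude.
・Display filters are applied to packets that have already been captured, hiding unwanted packets and showing only the ones you need, based on the expression.

Let's look at capture filters first.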

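Capture Filters
Capture filters are used while packets are being captured. The main reason to use one is performance. If you know that certain traffic does not need to be analyzed, filtering it out with a capture filter saves the processing power that would otherwise be spent capturing those packets.
The ability to create custom capture filters is useful when dealing with large amounts of data, because analysis goes faster when only the relevant packets are shown.
One use of a capture filter is analyzing traffic on a server that provides several services. Suppose you are troubleshooting a server that provides a service on port 262. If the server provides services on many different ports, picking out just the port 262 traffic is hard work, but a filter makes it possible. The filter can be created in the [Capture Options] dialog described earlier in this chapter.

1. Open [Capture], choose [Interfaces], and click the [Options] button beside the interface you will capture on to open the [Capture Options] dialog.
2. Select the interface to capture on and choose a capture filter.
3. Enter an expression next to the [Capture Filter] button to apply a capture filter. To capture the traffic passing through port 262, enter "port 262" as in Figure 4-10 (the syntax is covered in detail in the next section).
4. Once the filter is set, click the [Start] button to begin the capture.

Figure 4-10  Creating a capture filter in the Capture Options dialog

After an adequate sample has been collected, you should see only the traffic passing through port 262, and can analyze that data efficiently.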

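Capture/BPF Syntax
Capture filters are applied by WinPcap and use the Berkeley Packet Filter (BPF) syntax. Many packet analysis tools use this syntax, because most of them rely on the libpcap/WinPcap libraries, which support BPF. Knowledge of BPF syntax is essential as you dig deeper into networks at the packet level.
A filter written in BPF syntax is called an "expression", and each expression consists of one or more "primitives". A primitive consists of one or more "qualifiers" (listed in Table 4-2) followed by an ID name or number, as shown in Figure 4-11.

Table 4-2  BPF qualifiers
Qualifier   Description                                                         Examples
Type        Identifies what the ID name or number refers to                     host, net, port
Dir         Specifies the transfer direction to or from the ID name or number   src, dst
Proto       Restricts the match to a particular protocol                        ether, ip, tcp, udp, http, ftp

Figure 4-11  A sample capture filter (diagram labels: primitive, operator, primitive; qualifier)

Given these components, the qualifier src and the ID 192.168.0.10 together form a primitive. That primitive on its own captures only traffic whose source IP address is 192.168.0.10.
Logical operators combine primitives into more advanced expressions. Three logical operators are available.
・Concatenation operator  AND (&&)
・Alternation operator  OR (||)
・Negation operator  NOT (!)

For example, the following expression captures only traffic with the source IP address 192.168.0.10 that passes through port 80.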

src 192.168.0.10 && port 80

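Hostname and Address Filters
Filters usually centre on a particular network device or group of devices. Depending on the situation, you filter on the device's MAC address, IPv4 address, or DNS hostname.
Suppose you are interested in the traffic of a host that is talking to a server on your network. On that server, use the host qualifier to create a filter that captures all traffic associated with the host's IPv4 address.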

host 172.16.16.149

On an IPv6 network, use the host qualifier in the same way to filter on the IPv6 address, as follows.

host 2001:db8:85a3::8a2e:370:7334

You can also filter by hostname.
host testserver2

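If you are concerned that the host's IP address may change, add the ether protocol qualifier and filter on the MAC address instead.
ether host 00-1a-a0-52-e2-a0

Transfer direction qualifiers are used together with filters like the ones above to capture traffic according to whether it is going to or coming from a host. For example, to capture only traffic coming from a host, add the src qualifier.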
src host 172.16.16.149

To capture only data going from the server to the host in question at 172.16.16.149, use the dst qualifier.
dst host 172.16.16.149

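When a primitive is used without a type qualifier (host, net, port), host is assumed. The host qualifier can therefore be dropped from the previous example.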
dst 172.16.16.149


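Port and Protocol Filters

Besides filtering by host, you can filter by port. Port filters can be used for services and applications that use well-known service ports. Here is a simple filter that captures only traffic passing through port 8080.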
port 8080

To capture all traffic except that passing through port 8080, use the following.
!port 8080

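Port filters can be combined with transfer direction qualifiers. For example, to capture only traffic going to a web server listening on the standard HTTP port 80, use the dst qualifier.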
dst port 80

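Protocol Filters
Protocol filters filter on a particular protocol. They are used to match application-layer protocols that cannot be defined by a port. They are also handy when, for example, you want to check only ICMP traffic.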
icmp

To see all traffic other than IPv6 traffic, use this.
!ip6

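Protocol Field Filters
One of the real strengths of BPF syntax is that you can examine any byte of a protocol header and build specific filters based on that data. The advanced filters described here let you pick out bytes at a particular position in a packet.
Suppose you want to filter on the type field of the ICMP header. The type field is at the very beginning of the packet, at offset 0. To identify the position to examine, put the byte offset in square brackets after the protocol qualifier; in this case, icmp[0]. This yields a 1-byte integer value that can be compared. For example, to get only ICMP packets that are destination unreachable (type 3) messages, use the equality operator in the filter as follows.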
icmp[0] == 3

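To examine only ICMP packets that are echo requests (type 8) or echo replies (type 0), use two primitives with the OR operator.
icmp[0] == 8 || icmp[0] == 0

These filters work well, but they filter on only 1 byte of the packet header. Fortunately, you can also specify the length of the data to return by adding the number of bytes after the offset inside the square brackets, separated by a colon.
Suppose you want a filter that captures all ICMP destination unreachable, host unreachable packets, which are identified by type 3, code 1. These are adjacent 1-byte fields at offset 0 of the packet header. The filter checks 2 bytes of data starting at offset 0 of the packet header and compares them with the hexadecimal value 0301 (type 3, code 1).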
icmp[0:2] == 0x0301

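A filter that is often used when capturing TCP packets matches those with the RST flag set. TCP is covered in detail in Chapter 6; for now, just note that the flags of a TCP packet are at offset 13. The flags field is 1 byte as a whole, but each flag is identified by a single bit within that byte, which makes it an interesting field. Because several flags can be set at once in a TCP packet, a single tcp[13] value cannot be used to filter effectively: several different values can have the RST bit set. Instead, you specify the position within the byte by appending a single ampersand (&) followed by the number that represents that position. The RST flag is the bit that represents 4 within this byte, so when that bit is set to 4 the flag is set. The filter looks like this.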
tcp[13] & 4 == 4

To see all packets with the PSH flag set, which is identified by the bit position representing 8, use that position instead.
tcp[13] & 8 == 8


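Sample Capture Filters
Whether you can write a filter that fits the situation at hand decides whether the analysis succeeds. Table 4-3 shows some of the capture filters the author uses often.

Table 4-3  Common capture filters
Filter                                            Description
tcp[13] & 32 == 32                                TCP packets with the URG flag set
tcp[13] & 16 == 16                                TCP packets with the ACK flag set
tcp[13] & 8 == 8                                  TCP packets with the PSH flag set
tcp[13] & 4 == 4                                  TCP packets with the RST flag set
tcp[13] & 2 == 2                                  TCP packets with the SYN flag set
tcp[13] & 1 == 1                                  TCP packets with the FIN flag set
tcp[13] == 18                                     TCP SYN-ACK packets
ether host 00:00:00:00:00:00 (your MAC)           Traffic to or from the MAC address
!ether host 00:00:00:00:00:00 (your MAC)          Traffic not to or from the MAC address
broadcast                                         Broadcast traffic only
icmp                                              ICMP traffic
icmp[0:2] == 0x0301                               ICMP destination unreachable, host unreachable
ip                                                IPv4 traffic only
ip6                                               IPv6 traffic only
udp                                               UDP traffic only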
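
The byte-offset primitives described above and the flag filters of Table 4-3, as an added example that is not part of the original chapter: Python functions that emulate `proto[offset:size]` on constructed TCP and ICMP headers. The function names and the ECE bit (0x40, which the page does not mention) are assumptions of this example; it shows that `tcp[13] == 18` stops matching a SYN-ACK as soon as any further flag bit is set, while the masked form still matches.

```python
import struct

# TCP flag bits in header byte 13 (values as in Table 4-3). ECE (0x40) is not
# on the page; it is added here to build the edge case.
FIN, SYN, RST, PSH, ACK, URG, ECE = 1, 2, 4, 8, 16, 32, 64


def field(header: bytes, offset: int, size: int = 1) -> int:
    """Emulate proto[offset:size]: `size` bytes at `offset`, network byte order."""
    if size not in (1, 2, 4):
        raise ValueError("BPF accessors read 1, 2 or 4 bytes")
    if offset < 0 or offset + size > len(header):
        raise IndexError("accessor reaches past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def tcp_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (ports 49152 -> 80); flags land in byte 13."""
    return struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_header(icmp_type: int, code: int) -> bytes:
    """Constructed 8-byte ICMP header: type in byte 0, code in byte 1."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def flag_set(header: bytes, bit: int) -> bool:
    """tcp[13] & bit == bit: true whatever other flags are also set."""
    return (field(header, 13) & bit) == bit


def exact_flags(header: bytes, value: int) -> bool:
    """tcp[13] == value: true only when no other flag bit is set."""
    return field(header, 13) == value


def host_unreachable(header: bytes) -> bool:
    """icmp[0:2] == 0x0301: type 3 and code 1 compared as one 16-bit value."""
    return field(header, 0, 2) == 0x0301


if __name__ == "__main__":
    for name, flags in (("SYN-ACK", SYN | ACK), ("SYN-ACK+ECE", SYN | ACK | ECE)):
        hdr = tcp_header(flags)
        print(name, field(hdr, 13), flag_set(hdr, SYN), flag_set(hdr, ACK),
              exact_flags(hdr, 18))
    print(host_unreachable(icmp_header(3, 1)), host_unreachable(icmp_header(3, 0)))
```

When a capture must not miss handshakes that carry extra flag bits, the masked filters in the table are the safer choice over the exact comparison.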


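Display Filters
A display filter is applied to an existing capture file and shows only the packets that match it. Enter the filter in the [Filter] text box above the Packet List pane.
Display filters are used more often than capture filters, because they show specific packets without changing the data in the capture file. To show the original packets of the capture file again, simply clear the filter in the text box.
A filter can temporarily remove packets that are irrelevant to the analysis (such as ARP broadcast packets). Because ARP broadcast packets may be needed for analysis later, it is more convenient to hide them temporarily with a display filter than to use a capture filter.
To hide ARP packets, go to the [Filter] text box above the Packet List pane and enter !arp; all ARP packets are removed from the Packet List pane, as in Figure 4-12. To remove the filter, click the [Clear] button.

Figure 4-12  Creating a display filter in the [Filter] text box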

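The [Filter Expression] Dialog (the Easy Way)
The [Filter Expression] dialog in Figure 4-13 helps Wireshark beginners create capture filters and display filters. To open it, click the [Capture Filter] button in [Capture Options] and then click the [Expression] button.
The left side of the dialog lists the available protocols, and for each protocol you can specify the filter criteria it offers. To create a filter, follow these steps.
1. Click the [+] next to a protocol to see the filter criteria available for it. Click the criterion you want to use.
2. Specify how the selected criterion is evaluated against the value. The method is an operator such as equal (=), greater than (>), or less than (<).
3. Specify the value to compare against to build the filter. Choose one of the values Wireshark provides or enter your own.
4. When the filter is complete, click the [OK] button. The filter you created is shown as text.

The [Filter Expression] dialog is very handy for beginners, but once you know how filters work it is better to write them by hand. Display filters are very powerful, yet their syntax is simple.

Figure 4-13  The [Filter Expression] dialog makes it easy to create filters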

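Filter Expression Syntax (the Hard Way)
Capture filters and display filters are most often used to pick out a particular protocol. When troubleshooting TCP, for example, you need nothing but TCP traffic, so filter out everything else.
Now look at the problem from another angle. Suppose that heavy use of ping during troubleshooting has generated a lot of ICMP traffic. The filter !icmp removes the ICMP traffic.
Comparison operators compare values. When troubleshooting a TCP/IP network, for example, you will need every packet that references a particular IP address. With the comparison operator "==" you can create a filter that shows only packets containing the IP address 192.168.0.1.
ip.addr==192.168.0.1

Next, suppose you want to show only packets that are 128 bytes or less in length. In that case, use the comparison operator "<=" in the filter expression.
frame.len <= 128

Table 4-4 lists the comparison operators available in Wireshark.

Table 4-4  Comparison operators that can be used in Wireshark filters
Operator    Description

Not equal to
Greater than
Less than
Greater than or equal to
Less than or equal to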

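Logical operators let you use several filters as a single expression. Once you are comfortable with them, the range of filters you can write grows dramatically. Suppose you want to show only packets containing either of two IP addresses. Using the "or" operator, write an expression like the following, which shows packets containing either IP address.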
ip.addr==192.168.0.1 or ip.addr==192.168.0.2

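Table 4-5 lists the logical operators available in Wireshark.

Table 4-5  Logical operators that can be used in Wireshark filters

Operator    Sample
Logical AND
Logical OR
Exclusive OR
Negation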

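Sample Display Filters
The concept of a filter is simple, but when actually writing one you may be unsure which keywords and operators to use. Table 4-6 shows some of the display filters the author uses frequently. For the complete list, see http://www.wireshark.org/docs/dfref/.

Table 4-6  Commonly used display filters
Clear RDP traffic
TCP packets with the SYN flag set
TCP packets with the RST flag set
Clear ARP traffic
All HTTP traffic
Clear-text management traffic (Telnet or FTP)
Clear-text email traffic (SMTP, POP, IMAP)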

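Saving Filters

As you work with filters, you will find yourself using certain ones often. There is no need to recreate them each time, because Wireshark can save filters. To save a filter, follow these steps.

1. Choose [Capture] → [Capture Filters] to open the [Capture Filter] dialog.
2. Click the [New] button on the left of the dialog to create a new filter.
3. Enter a name for the filter in the [Filter Name] box.
4. Enter the actual filter expression in the [Filter String] box.
5. After entering the filter, click the [Save] button to save it.

To save a custom display filter, follow these steps.

1. Choose [Analyze] → [Display Filters], or click the [Filter] button above the Packet List pane, to open the [Display Filter] dialog shown in Figure 4-14.

Figure 4-14  Filters can be saved in the [Display Filter] dialog

2. Click the [New] button on the left of the dialog to create a new filter.
3. Enter a name for the filter in the [Filter Name] box.
4. Enter the actual filter expression in the [Filter String] box.
5. After entering the filter, click the [Save] button to save it.

Wireshark also includes built-in filters, which are good examples of what a filter looks like. Use them, together with the Wireshark help pages, when creating your own filters. Filter examples are used throughout this book.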

