Practical Packet Analysis

Troubleshooting with Wireshark

Chris Sanders


Copyright 2007 by Chris Sanders. 
Title of English-language original: Practical Packet Analysis, ISBN 978-1-59327-149-7. 
Japanese-language edition copyright 2008 by O'Reilly Japan, Inc. All rights reserved. 
Japanese translation rights arranged with No Starch Press, Inc., San Francisco, California through 
Tuttle-Mori Agency, Inc., Tokyo


Proverbs 3:5-6 (http://www.ibs.org/bibles/japanese/pdf/ot/proverbs.pdf)


The chapters of this book are as follows.
Chapter 1: Packet Analysis and Network Basics
Chapter 2: Tapping into the Wire
Chapter 3: Introduction to Wireshark
Chapter 4: Packet Capture Techniques with Wireshark
Chapter 5: Advanced Wireshark Features
Chapter 6: Common Protocols
Chapter 7: Case Studies (Basics)
Chapter 8: Case Studies (Fighting a Slow Network)
Chapter 9: Case Studies (Security)
Chapter 10: Sniffing Wireless LANs
Chapter 11: Further Reading
Appendix: Packet Analysis of Winny and Bots
The appendix is original material written for the Japanese edition by the supervising translator. It covers troubleshooting related to Winny and bots, which the original edition does not cover.


About the Sample Files
All of the capture files used in this book are available from the book's web page (http://www.oreilly.co.jp/books/9784873113517/). To get the most out of the book, we recommend downloading the sample files and reading along with them.
The sample files were created by Laura Chappell, who is involved with the Packet Analysis Institute and Wireshark University. The sample files are listed below by chapter.

Chapter 5
filedownload.dmp
ftp-netbios3.pcap
suspectemployeechat.dmp

Translator's note: No sample packet capture files are provided for the appendix, which is original to the Japanese edition. In the case of Winny traffic the other party to the communication is a private individual, and in the case of bot traffic the captures would contain the module binaries that the bot downloads.

Chapter 6
arp.pcap
dhcp.pcap
dns.pcap
ftp.pcap
http.pcap
icmp.pcap
msnms.pcap
telnet.pcap

Chapter 7
barryscomputer.pcap
bethscomputer.pcap
destunreachable.pcap
evilprogram.pcap
ftpclientdenied.pcap
ftpserverdenied.pcap
hauntedbrowser.pcap
http-fault-post.pcap
ipfragments.pcap
slowdownload.pcap
tcp-con-lost.pcap

Chapter 8
double-vision.pcap
email-troubles.pcap
gnutella.pcap
http-client-refuse.pcap
icmp-tracert-slow.pcap
slowdownload.pcap
torrential-slowness.pcap
ftp-uploadfailed.pcap

Chapter 9
blaster.pcap
covertinfo.pcap
ftp-crack.pcap
hackersview.pcap
osfingerprinting.pcap
portscan.pcap
printerproblem.pcap
dosattack.pcap

Chapter 10
80211traffic.pcap
FailedWepAuth.pcap
SuccessfulWepAuth.pcap
Conventions Used in This Book
This book uses the following typographical conventions.
Bold: indicates important terms.
Constant Width: used for sample code, commands, variables, arguments, functions, classes, namespaces, methods, modules, values, file contents, command output, and the like.
Constant Width Bold: indicates important parts of code, and commands or text that must be typed exactly as shown.

Text accompanied by this icon is a tip, a suggestion, or a general note.

Comments and Questions
Every effort has been made to verify the contents of this book (the Japanese translation), but you may still find inaccuracies, confusing explanations, or simple typographical errors. If you notice any, please let us know so that they can be corrected in future printings. Please send comments on the translation to:
O'Reilly Japan, Inc.
Intelligent Plaza Building 1F, 26-27 Sakamachi, Shinjuku-ku, Tokyo 160-0002
TEL 03-3356-5227
FAX 03-3356-5261
E-mail japan@oreilly.co.jp

Technical questions and comments about this book should be sent by e-mail (in English) to:
info@nostarch.com
The web pages for this book carry errata, sample code, and additional information. They can be reached at the following addresses:
http://www.oreilly.co.jp/books/9784873113517/
http://www.oreilly.com/catalog/9781593271497/ (English)
http://www.nostarch.com/packet.htm (English)
http://www.chrissanders.org/PPA/ (author)
For other information about O'Reilly, see the O'Reilly web site:
http://www.oreilly.co.jp



Contents

Translator's Preface vii
Preface ix
Chapter 1: Packet Analysis and Network Basics 1
Chapter 2: Tapping into the Wire 17
Chapter 3: Introduction to Wireshark 29
Chapter 4: Packet Capture Techniques with Wireshark 41
Chapter 5: Advanced Wireshark Features 53
Chapter 6: Common Protocols 63
Chapter 7: Case Studies (Basics) 79
Chapter 8: Case Studies (Fighting a Slow Network) 101
Chapter 9: Case Studies (Security) 123
Chapter 10: Sniffing Wireless LANs 137
Chapter 11: Further Reading 155
Afterword 158
Appendix: Packet Analysis of Winny and Bots 159
Index 172

Chapter 1
Packet Analysis and Network Basics
1.1 What Is Packet Analysis?
Packet analysis, sometimes called packet sniffing or protocol analysis, means capturing and analyzing live data in order to better understand what is happening on a network. Packet analysis is usually done with a sniffer, a tool that captures the live network data passing over the wire. Packet analysis helps you understand the makeup of a network, see who is on it and which protocols are in use, identify when network usage peaks, check whether attacks or other malicious activity are taking place, and find applications that behave insecurely.
Sniffer programs come in free and commercial forms, each designed for a different purpose. Well-known packet analysis programs include tcpdump (a command-line program), OmniPeek, and Wireshark. OmniPeek and Wireshark are GUI-based sniffers.

1.2 Evaluating a Packet Sniffer
There are many kinds of packet sniffer. When deciding which one to use, consider the following points:

Supported protocols

User-friendliness

Cost

OS support

Program support

1.2.1 Supported Protocols
Packet sniffers vary in the protocols they can interpret. Most can decode common protocols such as DHCP, IP, and ARP, but some cannot decode newer protocols. When choosing a sniffer, check that it supports the protocols you will need to use.

1.2.2 User-Friendliness
Consider the sniffer's layout, ease of installation, and general workflow. If you have little experience with packet analysis, avoid advanced command-line sniffers such as tcpdump; conversely, with plenty of experience, an advanced program may serve you better.

1.2.3 Cost
The nice thing about packet sniffers is that the free ones are as good as the commercial products. You do not have to pay for a good packet sniffer.

1.2.4 Program Support
Even after mastering the basics of a sniffer, you will need support when solving new problems. When evaluating support, look for documentation from the developers and for public forums or mailing lists. A free sniffer such as Wireshark may lack formal support from its developers, but it often has a community of users to make up for it. Such communities provide forums, wikis, and blogs for discussion, and they can help you learn a great deal about the sniffer.
1.2.5 OS Support
Unfortunately, not every packet sniffer runs on every OS. Check the OSes that the sniffer you are considering supports.

1.3 How Packet Sniffers Work
The work of a packet sniffer can be divided into three steps: collection, conversion, and analysis.
1.3.1 Collection
In the first step, the packet sniffer switches the interface connected to the network being sniffed into promiscuous mode. In this mode the network card can monitor all of the network traffic flowing on its network segment.
1.3.2 Conversion
In this step the captured binary data is converted into a readable form. Many advanced command-line sniffers stop here. At this step the network data is interpreted only at a very basic level, and most of the analysis is left to the end user.
1.3.3 Analysis
In the third and last step, the captured and converted data is actually analyzed. The sniffer takes the captured network data, identifies the protocol from the start of the data, and then begins analyzing the features of that protocol.
Further analysis is done by comparing the analyzed packet with other elements of the network.

1.4 How Computers Communicate
To fully understand packet analysis, you need to understand how computers communicate with each other. This section covers the basics of network protocols: the OSI reference model, network data frames, and the hardware that supports them.
1.4.1 Network Protocols
Today's networks consist of many combinations of platforms and systems. To support communication between them, a common language called a network protocol is used. Common network protocols include TCP, IP, ARP, and DHCP. A protocol stack is a logical grouping of protocols.
Network protocols range from simple to complex depending on their functions, and different protocols can differ greatly in character. The main points of difference are the following functions:
Flow control
The receiving system generates messages that tell the sending system to speed up or slow down the data transfer.
Packet acknowledgment
The receiving system sends a message back to the sending system to tell it that the data was received.
Error detection
A code used by the receiving system to verify that the received data was not corrupted in transit.
Error correction
Retransmitting data that was corrupted during the initial transfer.
Segmentation
Dividing a data stream into pieces so that it can be transferred efficiently.
Data encryption
A function that uses encryption to protect data transferred over the network.
Data compression
A function that removes redundant information to reduce the size of data transferred over the network.
1.4.2 The OSI Reference Model
Protocols are classified by function according to an industry-standard reference model called the OSI reference model. This model was published by ISO (International Organization for Standardization) in 1983 as ISO 7498.
The OSI reference model divides the process of network communication into the following seven layers:
Application layer (Layer 7)

Presentation layer (Layer 6)

Session layer (Layer 5)

Transport layer (Layer 4)

Network layer (Layer 3)

Data link layer (Layer 2)

Physical layer (Layer 1)


Viewing network communication through the seven layers of the OSI reference model (Figure 1-1) makes it much easier to understand. The topmost layer, the application layer, represents the actual programs used to access network resources. The bottom layer is the physical layer, where the actual transfer of network data takes place. The protocols at each layer work together to package the data for transmission.

Figure 1-1: The seven layers of the OSI reference model

The OSI reference model is an industry-accepted standard, not a rule. Protocol developers do not have to follow it exactly, and it is not the only network model; some people prefer the DoD (Department of Defense) model, for example. This book explains its concepts in terms of the OSI reference model, so the DoD model is not covered.
Let's look at the function of each layer of the OSI reference model and at examples of the protocols used at each layer.
1.4.2.1 Application Layer
The application layer, the top layer of the OSI reference model, provides users with the means to access network resources. It is usually the only layer that end users see, and it provides the interface that is the starting point for every operation on the network.

1.4.2.2 Presentation Layer
The presentation layer converts received data into a form that the application layer can read. How data is encoded or decoded at this layer depends on the application-layer protocol of the sender and receiver. This layer also handles the various forms of encryption and decryption used to keep data secure.

1.4.2.3 Session Layer
The session layer manages the dialog (session) between two computers: establishing, managing, and terminating the connection between the communicating devices. It also makes clear which side is sending and which is receiving, and it ensures that communication ends cleanly rather than being cut off abruptly.

1.4.2.4 Transport Layer
The main purpose of the transport layer is to deliver data reliably to the layer above it. It provides flow control, segmentation and reassembly, and error control, so that data between two points passes through the transport layer without error. Because guaranteeing reliable transfer is so important, several layers of the OSI reference model contribute to it. The transport layer provides both connection-oriented and connectionless services. Firewalls and proxy servers operate at this layer.
1.4.2.5 Network Layer
The network layer routes data between physical networks and is one of the most complex layers of the OSI reference model. It manages the logical addresses of network hosts (for example, IP addresses). It also handles packet fragmentation and, in some protocols, error detection. Routers operate at this layer.

1.4.2.6 Data Link Layer
The data link layer provides the means of transferring data over the physical layer. Its main purposes are managing the addresses that identify physical devices and providing error checking to ensure the integrity of the data. Bridges and switches are physical devices that operate at this layer.

1.4.2.7 Physical Layer
The physical layer, the lowest layer of the OSI reference model, is the physical medium over which data is transferred on the network. It covers the physical and electrical aspects of all the hardware used: voltages, hubs, network adapters, repeaters, cables, and so on. The physical layer establishes and terminates connections, provides a means of sharing communication resources, and converts signals from digital to analog or vice versa.
Table 1-1 lists protocols commonly used at each layer of the OSI reference model.
Table 1-1: Representative protocols used at each layer of the OSI reference model
Layer: Protocols
Application layer: HTTP, SMTP, FTP, TELNET
Presentation layer: ASCII, MPEG, JPEG, MIDI
Session layer: NetBIOS, SAP, SDP, NWLink
Transport layer: TCP, UDP, SPX
Network layer: IP, ICMP, ARP, RIP, IPX
Data link layer: Ethernet, Token Ring, FDDI, AppleTalk

1.4.3 Protocol Interaction
How does data move up and down the layers of the OSI reference model? Data to be transferred begins at the application layer of the sending system. It travels down through the seven layers to the physical layer of the sending system and is sent to the receiving system. The receiving system takes the data in at the physical layer and passes it up through its layers to the application layer.
The services provided by the various protocols at each layer do not overlap: if a protocol at one layer provides a service, no protocol at another layer provides the same service. The protocols at corresponding layers on the sending and receiving computers match: if the layer-7 protocol on the sending computer encrypts the data, the layer-7 protocol on the receiving computer decrypts it. Figure 1-2 shows two communicating clients in terms of the OSI reference model. Data passes from the top layer of one client down to the physical layer, reaches the other client, and travels back up, and that is how communication takes place.

Figure 1-2: Protocols functioning at the same layer on the sending and receiving systems
Each layer of the OSI reference model can communicate only with the layers directly above and below it. For example, layer 2 exchanges data with layers 1 and 3 only.
1.4.4 Data Encapsulation
For the layers to communicate with each other, data must be encapsulated. Encapsulation means adding a header and a footer. For example, when the transport layer receives data from the session layer, it adds a header before passing the data to the next layer down.

1.4.5 Protocol Data Units
Encapsulation produces a PDU (Protocol Data Unit). A PDU consists of the transmitted data plus all of the headers and footers that have been added to it.
As data descends the layers of the OSI reference model, the PDU grows with the headers and footers added by the various protocols. When the PDU reaches the physical layer it takes its final form and is sent to the receiving computer. As the data climbs the layers of the OSI reference model on the receiving computer, the protocol headers and footers are stripped from the PDU. When the PDU reaches the top layer, only the original data remains.
The term packet is close to PDU. When this book uses the word packet, it refers to the PDU including the headers and footers added by all the layers of the OSI reference model.
1.4.6 Network Hardware
Now let's look at network hardware. This section focuses on the common network hardware: hubs, switches, and routers.

1.4.6.1 Hubs
A hub is usually a box with several RJ-45 ports, like the Netgear hub in Figure 1-3. Hubs range from small 4-port units to 48-port rack-mount units designed for enterprise use. A hub is designed to connect network devices so that they can communicate.
A hub is a repeating device that operates at the physical layer of the OSI reference model.

Figure 1-3: A typical 4-port Ethernet hub
A hub retransmits (repeats) every packet it receives to all of its ports. For example, if a computer connected to port 1 of a 4-port hub sends data to a computer connected to port 2, the hub sends the packet out ports 1, 2, 3, and 4. The clients connected to ports 3 and 4 ignore and discard the data, since it is not meant for them. The result is unnecessary network traffic.
Imagine sending an e-mail to a colleague. The subject line says "To everyone in marketing", but instead of going only to the people who work in marketing, the mail goes to every employee in the company. The people in marketing read it; everyone else, seeing it is not for them, discards it. Think of how much unnecessary communication and wasted time that causes. That is how a hub works.
Figure 1-4 shows what happens when a hub is used. Computer A sends data to computer B, but when computer A transmits, every computer connected to the hub receives the data. Only computer B actually accepts the data; the other computers discard it.
One last note about hubs: a hub operates only in half-duplex mode (it cannot send and receive at the same time). This is a difference from switches, which can operate in full-duplex mode, sending and receiving simultaneously.

Figure 1-4: Traffic flow when computer A sends data to computer B through a hub
Most of today's advanced networks use switches rather than hubs for the reasons above, but understanding how a hub works is very important for packet analysis.
Translator's note: The hubs described here are shared hubs, also called repeater hubs.
1.4.6.2 Switches
In advanced networks, the switch is the device that has replaced the hub. Like a hub, a switch is designed to relay packets, but there is a big difference. Like a hub, a switch gives devices a path for communication, but communication through a switch is far more efficient. Rather than sending data out every port, a switch sends data only to the destination computer. At first glance a switch looks very much like a hub; without the label on the case you could not tell which was which (Figure 1-5).
Larger switches can be managed through vendor-specific software or a web interface. Such switches are called managed switches and offer many features that are useful for managing a network: enabling or disabling ports, viewing port details, changing settings, and rebooting the switch remotely.
A switch has advanced features for handling the transmission of packets. So that it can communicate directly with devices, a switch manages device addresses, which means it operates at the data link layer of the OSI reference model.
A switch records the layer-2 addresses of all connected devices in a CAM table. When a packet arrives, the switch reads its layer-2 header, consults the CAM table, and decides which port to send the packet to. Because a switch sends a packet only to a specific port, network traffic is greatly reduced.
Figure 1-6 shows the flow of traffic through a switch. Computer A sends data to computer B. Although several computers are connected to the switch, the others are unaware of the communication, and computer A sends the data directly to computer B. Several conversations can take place at the same time.
Translator's note: The switches described here are managed switches, also called switching hubs.

Figure 1-5: A rack-mount 24-port Ethernet switch
1.4.6.3 Routers
A router is an advanced network device with far more capability than a hub or a switch. Routers come in many shapes, but most have indicator lights (LEDs) on the front and ports on the back. The number of ports depends on the size of the network (Figure 1-7). A router operates at layer 3 of the OSI reference model and forwards packets between two or more networks. Controlling the flow of traffic between networks is called routing.

Figure 1-6: Traffic flow when computer A sends data to computer B through a switch

Figure 1-7: A small router for a small network
The protocols that decide how to forward packets of various kinds to other networks are called routing protocols, and there are many of them. Routers usually use layer-3 addresses such as IP addresses to identify network devices.
A simple way to picture routing is as a neighborhood of streets and houses. Each street has houses, and each house has its own address (Figure 1-8). If you live on a street, you can walk freely between all the houses on it. That is much like the computers on one network segment communicating with each other by connecting to a switch. But to visit a neighbor on another street, you have to follow the road signs.
Let's try communicating in terms of streets. Suppose you have to go from 503 Vine Street to 202 Dogwood Lane in Figure 1-8. To get there, you must go by way of Oak Street. Now consider the same thing in terms of network segments. If the device 192.168.0.3 needs to communicate with the device 192.168.0.54, it must go through the router to reach the 10.100.1.1 network, and the communication passes through the router of the network segment on which the destination device is located.


Figure 1-8: Routing compared with the streets of a neighborhood
The size and number of routers on a network depend on the size and function of the network. A home or small office network may consist of a single router at the edge of the network, while a large corporate network may have routers in many places, all connected to a central large router or layer-3 switch. A layer-3 switch is a switch with router-like functions built in.
Looking at a network diagram, you can see how data flows through the various points. Figure 1-9 shows a typical routing example: two networks connected by a single router. If a computer on network A communicates with a computer on network B, the data must pass through the router.

Figure 1-9: Traffic flow when computer A sends data to computer X through a router
1.4.7 Classes of Traffic
Network traffic can be classified into three kinds: broadcast, multicast, and unicast. Each behaves differently, and that determines how network hardware handles the packets.
1.4.7.1 Broadcast
A broadcast packet is sent to every port of every hub, switch, and router on the network segment. As described in section 1.4.6.1, a hub broadcasts everything.
1.4.7.2 Multicast
Multicast is a means of sending a packet from one source to several destinations at once, using as little bandwidth and as simple a mechanism as possible. How it is optimized depends on the traffic, the destinations, and how the data is divided, and whether multicast traffic can be sent correctly depends heavily on the protocol in use. The main multicast technique is to group the receiving systems into a multicast group and assign an address to the group; this is how IP multicast works. Addressing a multicast group ensures that packets are not sent to computers that should not receive them.
1.4.7.3 Unicast
A unicast packet is sent directly from one computer to another. How unicast works depends on the protocol in use.
1.4.7.4 Broadcast Domains
Recall that a broadcast packet is sent to every device on the segment. On a large network of several hubs and switches connected over different media, a broadcast packet sent from one switch is repeated from switch to switch and reaches every other switch on the network.
The range that a broadcast packet reaches is called the broadcast domain. It is the network segment within which computers can reach each other directly without passing through a router. Figure 1-10 shows an example of two broadcast domains on a small network. A broadcast domain extends up to the router, so broadcast packets circulate only within their own broadcast domain.

Figure 1-10: A broadcast domain extends up to a router
The comparison between routing and the houses in a neighborhood applies to broadcast domains as well. Think of a broadcast domain as your own street. If you stand on your porch and shout, everyone on the street can hear you. To talk to someone on another street, you cannot shout (broadcast); you have to speak to that person directly.
What you learned in this chapter is the foundation of packet analysis. Before troubleshooting a network, you must understand what is happening in its communication. The next chapter builds on these concepts to discuss more advanced aspects of network communication.

Chapter 2
Tapping into the Wire

Now for the last step before you can begin a good packet capture: learning where on the network to use the sniffer.
Unfortunately, sniffing is not simply a matter of plugging a notebook PC into a network port and capturing packets (Figure 2-1). In practice, placing the sniffer in the right spot on the network often takes more time than the packet analysis itself.

Figure 2-1: Deciding where to place the sniffer can be difficult
Placing the sniffer is hard because the three main kinds of network device, hubs, switches, and routers, each handle communication differently, and that has to be taken into account.
The goal of this chapter is to understand how to place a sniffer on various network topologies. To use a sniffer in the right place, you need to know how to capture packets in hub, switch, and router environments. Before that, let's learn about promiscuous-mode NICs, how they work, and why they are needed for packet analysis.
2.1 Using Promiscuous Mode
To monitor packets on a network you need a NIC (Network Interface Card) that supports promiscuous mode.
When the NIC is not in promiscuous mode, it receives only the packets addressed to it and discards the rest. In promiscuous mode, the NIC captures every packet even when the destination layer-2 address is not its own. The sniffer captures all of the packets and obtains the information needed for analysis.
On almost every OS in use today, promiscuous mode cannot be used without administrator privileges. If you do not have permission to use promiscuous mode, you should not be using a sniffer.
2.2 Sniffing on a Hub-Based Network
Sniffing on a hub-based network is simple. As you have already learned, packets go out every port of a hub. So to monitor the communication of the computers connected to a hub, you need only connect a computer with a sniffer installed (from here on, the sniffer computer) to a free port on the hub. As Figure 2-2 shows, the sniffer can then see the communication of every computer connected to the hub.

Figure 2-2: On a hub-based network, everything can be sniffed
In this book, the range of computers that the sniffer can monitor is called the sniffable range.
Unfortunately, hub-based networks are rare these days. Because a hub allows only one conversation at a time, it causes delay: every computer connected through a hub competes for bandwidth with the other computers trying to communicate. When two or more computers transmit at once, a collision occurs, as shown in Figure 2-3, and the packets have to be sent again.

Figure 2-3: When two computers send packets at the same time, a collision occurs
When collisions happen, a computer may have to send the same packet three or four times, which drastically reduces network performance. That is why today's networks use switches rather than hubs.
When sniffing the communication of computers on a hub-based network, be careful about the volume of captured packets. A promiscuous-mode NIC captures every packet that passes through the hub, so the amount of data to analyze becomes enormous. Later chapters introduce techniques for analyzing packets efficiently.
2.3 Sniffing on a Switched Network
Switched networks are the most common kind today. A switch is a network device that forwards broadcast, unicast, and multicast data efficiently (see Chapter 1 for details of the three classes of traffic). A switch also allows full-duplex communication, so data can be sent and received at the same time.
However, sniffing on a switched network is not as simple as on a hub-based network. As Figure 2-4 shows, a sniffer connected to a switch can see only broadcast packets and the packets of the computer the sniffer is installed on.

Figure 2-4: On a switched network, only the port that the sniffer computer is connected to can be sniffed
There are three main ways to capture another computer's traffic on a switched network: port mirroring, ARP cache poisoning, and using a hub.
2.3.1 Port Mirroring
Port mirroring is the simplest way to capture packets through a switch. With mirroring you can capture the packets that another computer sends and receives. To use port mirroring you need command access to the switch that the target machine (the machine whose traffic you want) is connected to, the switch must support port mirroring, and it must have a free port for the sniffer computer.
To use port mirroring, you enter a command at the switch's command-line interface that tells the switch to copy (mirror) the traffic of one port to another port (Figure 2-5). For example, to capture the packets on port 3, connect the sniffer computer to port 4 and set port 3 to be mirrored to port 4. The sniffer can then see the communication of the computer on port 3.

Figure 2-5: Port mirroring extends the sniffable range
The command for port mirroring differs by switch vendor. Table 2-1 lists the commands for the major vendors.
Table 2-1: Port-mirroring commands by vendor
Vendor: Port-mirroring command
Cisco: set span <mirror source> <mirror destination>
Enterasys: set port mirroring create <mirror source> <mirror destination>
Nortel: port-mirroring mode mirror-port <mirror source> monitor-port <mirror destination>

When using port mirroring, pay attention to the throughput of the mirrored port. Some switches let you mirror several ports to one port so that the communication of several computers can be analyzed at once. But consider a 24-port switch on which the full-duplex 100 Mbps traffic of 23 ports is mirrored to a single port: up to 4,600 Mbps of packets would flow to that one port. That far exceeds the physical limit of the port, causing packet loss and network delay. To throttle the traffic, the switch discards the packets it cannot handle, or its backplane stalls. Make sure this does not happen when you capture packets.
2.3.2 Using a Hub
Another way to capture packets on a switched network is to use a hub. Connecting the computer whose packets you want to capture and the sniffer computer to the same hub places them on the same network segment.
Many people consider using a hub in this way bad practice, but when port mirroring cannot be used and you have physical access to the switch that the target computer is connected to, a hub is a perfectly good way to sniff.
To sniff a computer's communication on a switched network with a hub, you need a hub and several network cables. Take the sniffer computer to where the switch is and unplug the target machine's cable from the switch. Plug that cable into the hub and connect the sniffer computer to the hub. Then connect the hub to the switch. Now the sniffer computer and the target machine are in the same broadcast domain. The packets that the target machine sends and receives are broadcast to every computer connected to the hub, so the sniffer can capture them (Figure 2-6).

Figure 2-6: Using a hub puts the target machine and the sniffer computer in the same broadcast domain
In most cases, using a hub forces full-duplex communication down to half duplex. It is not the best method, but it is the one to use when port mirroring is not supported.
When using a hub, make sure that it really is a hub and not a switch. Some network hardware vendors sell low-end switches as hubs. If it is not a true hub, the sniffer will capture only its own packets. To check, connect two computers to the hub and see whether a third computer can capture their packets; if it can, you have a true hub.
2.3.3 ARP Cache Poisoning
Chapter 1 explained that packet addresses come in two kinds, layer 3 and layer 2. Layer-2 addresses (MAC addresses) are used in conjunction with layer-3 addresses. In this book (and in the industry), the layer-3 address is the IP address.
All network devices that use layer 3 use IP addresses. Because a switch operates at layer 2 of the OSI reference model, forwarding a packet to a computer requires translating a MAC address to an IP address or the reverse. This translation is carried out by a layer-3 protocol called ARP (Address Resolution Protocol).
When a computer wants to communicate with an IP address, it broadcasts an ARP request to learn the MAC address of the machine that has that IP address. The machine with that IP address, or a device that knows where that machine is, answers the request with a MAC address, which may be final or may belong to an intermediate device. The sending computer can then send data to that MAC address (the owner of the MAC address and the owner of the IP address may differ). Because this path information is recorded in the switch's ARP cache, a computer does not have to broadcast an ARP request every time it sends data.
ARP cache poisoning (also called ARP spoofing) is originally an attack in which packets with forged addresses are sent to computers and network devices to intercept communication or to cause a DoS (denial of service). But it can also be used as a means of capturing another computer's packets on a switched network.
With ARP cache poisoning, ARP packets containing forged MAC addresses are sent to the switch or router so that the network devices are fooled (Figure 2-7).

Figure 2-7: Intercepting the target machine's communication with ARP cache poisoning
2.3.4 Using Cain & Abel
To use ARP cache poisoning you first need to install a tool and gather the necessary information. This section uses Cain & Abel, a well-known security tool from Oxid.it (http://www.oxid.it); install it beforehand.
After installing Cain & Abel, collect the IP addresses of the sniffer computer, the target machine, and the router that the target machine is connected to.
When you start Cain & Abel, notice the tabs at the top of the window (ARP cache poisoning is only one of the program's many features). ARP cache poisoning is done from the [Sniffer] tab, which at first shows an empty table (Figure 2-8). Cain & Abel's sniffer feature (a scanning feature used for ARP spoofing, not a packet capture feature) is first used to scan the computers on the network: select the NIC connected to the network in question, enable the sniffer, and build the list of computers (Figure 2-9).

Figure 2-8: The [Sniffer] tab of Cain & Abel

Figure 2-9: Cain & Abel's network discovery tool
The table that was empty now lists the computers connected to the network with their MAC addresses, IP addresses, and vendor information. This information is used for ARP cache poisoning: on the [ARP] tab you select the target machine and the router it is connected to (Figure 2-10) and start poisoning with the yellow-and-black radiation icon on the toolbar. Cain & Abel then interposes itself between the target machine and the router. While poisoning is running, the upper table shows the computers being poisoned and the lower table shows all of the computers communicating with them.

Figure 2-10: Selecting the target machine for ARP cache poisoning
The sniffer can now analyze the communication. When the packet capture is finished, click the radiation icon again to stop ARP cache poisoning.
Use ARP cache poisoning with attention to the configuration of the network. For example, where the file server is on a 1 Gb link and the computer capturing packets is on a 100 Mb link, do not use this method at that point in the network. ARP cache poisoning there redirects a large volume of packets through the intercepting computer, which becomes a bottleneck. It is as if that computer were under a DoS attack, and network performance suffers badly.
2.4 Sniffing on a Routed Network
The methods for capturing packets on a switched network also apply to a routed network. On a network that includes routers, placing the sniffer becomes a question of which network segment to monitor.
As you have learned, a broadcast domain ends at a router. When a packet passes through a router, the sending computer cannot continue communicating until the receiving computer returns an acknowledgment packet. On a network with routers, you may need to monitor every network segment connected to the router.
Consider a router that connects several network segments (Figure 2-11). Network D communicates with network A by way of network B. Suppose a computer on network D cannot communicate with a computer on network A.
First, place the sniffer on network D. You can see the packets being sent to network A, but no acknowledgment packets are coming back from network A. Now move the sniffer to network B, and you find that the router on network B is discarding the packets. The problem, then, lies in the configuration of the router on network B; correct it and the problem is solved. This example shows why sniffers have to be placed on several segments.
Translator's note (on ARP cache poisoning, above): If you capture only a specific computer's communication selectively, the bottleneck will be much smaller.

Figure 2-11: A computer on network D cannot communicate with network A
2.5 Network Maps
In the discussion of networks so far, we have been looking at network maps. A network map (or network diagram) shows how the computers and network devices on a network are connected to each other.
The best way to decide where to place a sniffer is to have a clear network map. Network maps are very useful for troubleshooting, so keep one at hand if at all possible, and the more detailed the better. In troubleshooting, the most time is often spent simply locating where the problem is.
Chapter 3
Introduction to Wireshark

There are many sniffers for packet analysis, but this book focuses on Wireshark. This chapter covers Wireshark's history, its benefits, how to install it, and its basic use.
3.1 History of Wireshark
Wireshark has a long history. It was created by Gerald Combs, who studied computer science at the University of Missouri-Kansas City, and released under the GPL (GNU Public License) in 1988 under the name Ethereal.
Eight years after developing Ethereal, Combs left the company he had been working for to pursue a new career. Unfortunately, his former employer held the trademark rights to Ethereal, so Combs could no longer continue development under that name. In mid-2006, Combs and the Ethereal development team obtained a new trademark, Wireshark.
Wireshark has become very popular and is actively developed; about 500 people are involved in its development. The program called Ethereal is no longer developed.
3.2 Benefits of Wireshark
Wireshark has many features that are useful to anyone doing packet analysis. Let's evaluate it against the sniffer criteria described in Chapter 1.
3.2.1 Supported Protocols
Wireshark currently supports about 850 protocols, from common ones such as IP and DHCP to vendor-specific ones such as AppleTalk and BitTorrent. Because Wireshark is developed as open-source software, new protocols are added with each update. If Wireshark does not support a protocol you need, you can contribute the code for it to the Wireshark developers, although protocols that Wireshark does not support are rare.
3.2.2 User-Friendliness
Wireshark's interface is very easy to use compared with other sniffers. It is a GUI-based application with a readable layout, designed with usability in mind; for example, data is colored by protocol. Unlike complex command-line applications such as tcpdump, Wireshark is an easy tool for someone just starting out in packet analysis.
3.2.3 Cost
Wireshark is open source and is available free of charge under the GPL. Anyone can download and use it, for personal or commercial purposes.
3.2.4 Program Support
Support for software is not decided by its developers alone. Free software such as Wireshark has no formal support, and for open-source software the support comes from the user community. Fortunately, Wireshark's user community is one of the most active of any open-source project. The Wireshark web page carries online documentation, a wiki for developers, an FAQ, and instructions for subscribing to the mailing list in which the developers take part. The Wireshark developers do not leave their users unsupported.
3.2.5 OS Support
Wireshark supports most of the major operating systems, including Windows, Mac OS X, and Linux. The list of supported OSes is on the Wireshark web page.
3.3 Installing Wireshark
Installing Wireshark is remarkably simple. This section checks the system requirements and then explains how to install Wireshark on Windows and on Linux.
3.3.1 System Requirements
Before installing Wireshark, make sure that your system meets the following requirements:
A CPU of 400 MHz or faster

60 MB or more of free disk space

A NIC that supports promiscuous mode

The WinPcap packet driver (Windows only)


The WinPcap packet driver is the Windows API implementation of the Pcap packet driver. It makes it possible to capture live packet data, filter it, and switch the NIC into promiscuous mode. The WinPcap packet driver can be obtained from http://www.winpcap.org.

It can be downloaded separately, but it is also bundled with Wireshark. The bundled version has been verified to work with that release of Wireshark, so we recommend installing the bundled package rather than a separately installed one.
3.3.2 Installing on Windows
First download the latest Wireshark from the Wireshark web page (http://www.wireshark.org): click [Get It] on the web site and choose a mirror site. After downloading the package, install it with the following steps.
1. Double-click the .exe file and click the [Next] button in the dialog that appears.
2. Read the license agreement and, if you agree, click the [I Agree] button.
3. Select the components to install. Here we click [Next] without changing anything (Figure 3-1).
4. Click [Next].
5. Select the location to install Wireshark in and click the [Next] button.
6. A dialog asks whether to install WinPcap. Make sure the [Install WinPcap] checkbox is selected and click the [Install] button (Figure 3-2). Installation begins.
7. Partway through the Wireshark installation, installation of the WinPcap packet driver begins. Click the [Next] button in the dialog that appears, read the license agreement, and click the [I Agree] button.

Figure 3-1: Selecting the components to install

Figure 3-2: Installing the WinPcap packet driver
8. The WinPcap packet driver is installed. When it finishes, click the [Finish] button.
9. Wireshark is installed. When it finishes, click the [Next] button.
10. The installation-complete dialog appears; click the [Finish] button.
3.3.3 Installing on Linux
First determine the installation package. Not every Linux distribution provides a package.
3.3.3.1 RPM-based systems
To install Wireshark on an RPM-based distribution such as Red Hat, follow these steps.
1. Download the appropriate installation package from the Wireshark web site.
2. Open a console and run rpm -ivh wireshark-0.99.3.i386.rpm (replace the file name with that of the package you downloaded).
3. If dependent packages are not installed, install them and run the command in step 2 again.
3.3.3.2 DEB-based systems
To install Wireshark on a DEB-based distribution such as Debian or Ubuntu, follow these steps.
1. Download the appropriate installation package from the Wireshark web site.
2. Open a console and run apt-get install wireshark.
3.4 Wireshark Basics
Once Wireshark is installed, you can start using it right away. Now you are a sniffer operator... or are you? In fact, starting Wireshark shows you nothing of interest. To see something interesting, you need data.
Translator's note: On systems such as Fedora Core and CentOS you can also use yum. With the system connected to the Internet, open a console and run
yum install wireshark-gnome
If a GPG key error appears, run
rpm --import /usr/share/doc/fedora-release-5/RPM-GPG-KEY-fedora
to import the key (this is for Fedora Core 5; for other releases, adjust the path to match your distribution).
3.4.1 Your First Packet Capture
To analyze packets with Wireshark, you first have to capture some. You may be wondering how to capture packets when there is nothing wrong with the network. That thinking contains two mistakes. The first is that there is always something wrong on a network. If you doubt it, send an e-mail to every employee in the company and check that it reaches all of them.
The second mistake is that packet analysis is not only for problems. In practice, network administrators spend more time analyzing networks that have no problems than troubleshooting. To troubleshoot effectively, you need information about what the network looks like in its healthy state. For example, to solve a DHCP problem you must understand what normal DHCP traffic looks like. In other words, you cannot detect anomalies on a network without knowing its normal state.
That's it for the basics. Let's capture some packets!
1. Start Wireshark.
2. On the [Capture] menu, click [Interfaces]. A dialog lists the NICs available for capture together with their IP addresses (Figure 3-3); click the [Start] button next to the NIC you want to capture on.

Figure 3-3: Selecting the NIC for the packet capture
3. The capture begins and the captured packets appear in the Wireshark window, which shows a summary of each packet (Figure 3-4).
4. After enough packets have been captured, click the [Stop] button.

When the capture is stopped, the data appears in Wireshark's main window. The amount of data may look overwhelming, but once you understand the main window it is not as bad as it seems.

Figure 3-4: Packet summary display
3.4.2 The Main Window
The main window is where you will spend most of your time during packet analysis. It shows all of the captured packets, formatted for easy reading. Let's look at the main window using the packets just captured (Figure 3-5). The main window has three panes.

Figure 3-5: The main window with three panes
The three panes of the main window depend on each other. Clicking a packet in the packet list pane (top) shows the details of that packet in the packet details pane (middle), and the raw bytes of the packet can be seen in the packet bytes pane (bottom).
3.4.2.1 Packet list pane
This pane lists the packets in the capture file, showing for each packet its number, the time it was captured, its source and destination, and its protocol, among other information.
3.4.2.2 Packet details pane
This pane shows the details of the selected packet as a tree. The tree starts out collapsed; expanding it shows all of the information.
3.4.2.3 Packet bytes pane
This pane shows the raw, unformatted packet, which is the form in which the packet traveled over the wire. It is hard to read as is.

Keep the differences between the three panes in mind. The main window is used constantly in packet analysis.
3.4.3 Preferences
Wireshark can be customized in many ways. Let's look at the important settings.
The preferences screen is opened from the [Edit] menu by clicking [Preferences] (Figure 3-6).
The preferences screen is divided into five sections: [User Interface], [Capture], [Printing], [Name Resolution], and [Protocols].
3.4.3.1 [User Interface] section
Settings for how Wireshark displays data: whether window positions are remembered, the layout of the panes, the position of the scrollbars, the position of the packet list pane, the fonts used to display data, window colors, and so on.
3.4.3.2 [Capture] section
Settings for how packets are captured: the default NIC, whether promiscuous mode is used by default, whether captured packets are shown in the packet list pane in real time, and so on.

Figure 3-6: Customizing Wireshark in the preferences screen
3.4.3.3 [Printing] section
Options for printing data.
3.4.3.4 [Name Resolution] section
Whether to resolve names for MAC addresses, computers, and port numbers, and the maximum number of concurrent name-resolution requests.
3.4.3.5 [Protocols] section
Options for how protocols are displayed. Not every protocol has settings, but many protocols can be changed. Do not change these options unless you have a specific reason to.

3.4.4 Packet Coloring
When you capture packets in Wireshark, you will notice that the packets in the packet list pane are shown in various colors (Figure 3-7). The colors may seem to be chosen at random, but they are not.

Figure 3-7: Coloring by protocol makes packets easier to read

In this book, traffic refers to the packets shown in the packet list pane. For example, DNS traffic means all of the DNS packets shown in the packet list pane.
Each packet is colored by protocol: for example, DNS traffic is blue and HTTP traffic is green. Because packets are colored by protocol, you do not have to check every packet in the packet list pane one by one. In a large capture file, coloring can speed up analysis considerably.
Coloring rules are set in the [Coloring Rules] dialog, with the following steps.
1. Start Wireshark.
2. Click the [View] menu.
3. Click [Coloring Rules]; the [Coloring Rules] dialog appears (Figure 3-8). The list of coloring rules is shown, and you can change them to the colors you like.

Figure 3-8: Setting packet coloring rules in the [Coloring Rules] dialog
For example, to change the background color of HTTP traffic from the default green to lavender:
1. Start Wireshark, click [View] and then [Coloring Rules], and the [Coloring Rules] dialog appears.
2. Click the HTTP coloring rule in the list.
3. Click the [Edit] button (Figure 3-9).

Figure 3-9: The [Coloring Rules] dialog lets you set the foreground and background colors
4. Click the [Background Color] button.
5. Select a color and click the [OK] button.
6. Click the [OK] button twice to return to the main window.
7. The packets change to the color you set.

As you analyze packets with Wireshark, you will notice that some protocols appear far more often than others. Coloring makes them easy to tell apart. For example, if a DHCP server has a problem and IP addresses are no longer being assigned, and DHCP traffic is colored yellow, the main window fills with yellow. DHCP traffic is then easy to pick out and can be analyzed efficiently.
Chapter 4
Packet Capture Techniques with Wireshark
Now that you have done your first packet capture, this chapter covers the basic operations on captured packets: marking packets, saving capture files, merging capture files, printing, and changing the time display format.
4.1 Finding and Marking Packets
Once you begin analyzing packets, you face an enormous number of them. As the count climbs into the thousands and tens of thousands, it becomes impossible to analyze them all efficiently. Wireshark therefore lets you find packets by condition and mark them.
4.1.1 Finding Packets
To find a specific packet, use the [Find Packet] dialog (Figure 4-1), opened from the [Edit] menu by clicking [Find Packet], or with Ctrl-F.

Figure 4-1: Finding a specific packet in Wireshark
There are three search options: [Display filter], [Hex value], and [String]. With the [Display filter] option you enter a filter expression (filters are covered later). With [Hex value] and [String] you specify a hexadecimal or text value contained in the packet. Table 4-1 shows examples of each. The other options are [Search in] (which pane to search), [String Options] (the character set to use), and [Direction] (the search direction).
Table 4-1: Examples of packet searches
Search type: Example
Display filter: not ip, ip address==192.168.0.1, arp
Hex value: 00:ff, ff:ff, 00:AB:B1:f0
String: workstation1, userB, domain

Choose an option, enter the string to search for in the text box, and click the [Find] button; the first matching packet is shown. Press Ctrl-N for the next match and Ctrl-B for the previous one.
4.1.2 Marking Packets
Packets can be marked. Marked packets are shown with a black background and white text, as in Figure 4-2, so they stand out. When saving a capture file, you can also save only the marked packets. Marking has many uses, such as saving packets separately or making colored packets easy to find.

Figure 4-2: Comparison of marked and unmarked packets. Marked packets are shown in a different color; in this figure the first packet is marked
To mark a packet, right-click it in the packet list pane and choose [Mark Packet] from the pop-up menu, or click the packet and press Ctrl-M. Pressing Ctrl-M again unmarks it. When several packets are marked, Shift-Ctrl-N and Shift-Ctrl-B jump between the marked packets.
4.2 Saving and Exporting Capture Files
Packet analysis does not always take place at the same time as the capture. Usually you capture packets, save them, and begin the analysis later. Wireshark therefore has a feature for saving captured packets as a capture file.
4.2.1 Saving capture files
To save captured packets, click [Save As] on the [File] menu, or press Shift-Ctrl-S. The [Save file as] dialog appears (Figure 4-3), where you choose the location and file format. If no format is specified, the file is saved in .pcap format.

Figure 4-3: Saving the capture file from the [Save file as] dialog
Wireshark can save only some of the packets: a range of packet numbers, marked packets, or the packets shown by a display filter. This can make the capture file much smaller.
4.2.2 Exporting capture data
Wireshark can export capture data as text, PostScript, CSV, XML, and the capture file formats of other packet analysis tools. To export, click [File] and then [Export] and choose the format. You can also choose the format from the file-type list when saving with [Save As].
4.3 Merging Capture Files
During analysis you may need to merge several capture files. Wireshark offers two ways to do this. To merge capture files, follow these steps.
1. Open the capture file to merge into.
2. Click [File] and then [Merge]; the [Merge with Capture File] dialog opens (Figure 4-4).

Figure 4-4: Merging two files with [Merge with capture file]
3. Select the file to merge and how to merge it. There are three methods: [Prepend packets to existing file] (put the merged file's packets before the packets currently displayed), [Merge packets chronologically] (merge in timestamp order), and [Append packets to existing file] (put the merged file's packets after the packets currently displayed).
You can also merge by dragging a capture file from Explorer and dropping it onto Wireshark, which merges the files and displays them in chronological order.
4.4 Printing Packets
Analysis is mostly done on screen, but sometimes data needs to be printed. To print captured packets, click [File] and then [Print] (Figure 4-5).

Figure 4-5: Packets can be printed from the [Print] dialog
In the [Print] dialog you can print the selected data as text or PostScript, or write it to a file. As in the [Save file as] dialog, you can print only some of the packets: a range of packet numbers, marked packets, or the packets shown by a display filter. You can also choose which of the three panes to print. Select the options and click [Print].
4.5 Time Display Formats and Relative Time
Time is an important element of packet analysis. When analyzing, you often need to examine the timing of communication and its trends. Wireshark recognizes the importance of time and offers several options for it. Let's look at time display formats and relative time.
4.5.1 Time display formats
Wireshark records a timestamp from the system for every packet. It can show the system time at which a packet was captured, or the time relative to the first packet captured.
Time display options are set from the [View] menu under [Time Display Format] (Figure 4-6). Besides the format, you can choose the precision: seconds, milliseconds, microseconds, and so on. This book changes these options frequently, so remember where they are.

Figure 4-6: The time options are changed frequently
4.5.2 Relative time
Wireshark can show time relative to the time a chosen packet was captured. With this feature, when the capture file holds a data flow (a request), you can easily see how long it took for the request to complete.
To show relative time, click the reference packet in the packet list pane and choose [Edit] and then [Set Time Reference], or click the packet and press Ctrl-T. Doing the same thing again clears the reference.
When relative time is set, the time column of the reference packet shows *REF* (Figure 4-7).

Figure 4-7: The packet used as the time reference

Relative time is meaningful only when the time display format is the elapsed time since the start of the capture; with other formats it has no effect.
4.6 Capture filters and display filters
Section 4.2.1 touched on saving packets with a filter. A filter lets you display only the packets you want. Filters are expressions that tell Wireshark which packets to show and which to hide.
Wireshark has two kinds of filter: capture filters and display filters.
4.6.1 Capture filters
A capture filter is applied while packets are being captured and is enforced by WinPcap. Its syntax is shared with many other packet analysis tools. Capture filters are set in the [Capture Options] dialog and decide which traffic is captured at all.
Capture filters are particularly useful when troubleshooting a server that provides a specific service. Suppose you are troubleshooting a service that a server offers on port 262. If the server offers services on many other ports as well, picking out the port 262 traffic by hand is tedious, but a capture filter makes it easy. Create the filter as follows:
1. Open the [Capture Options] dialog (Figure 4-8) and select the NIC to capture on.
2. Type the filter into the text box next to the [Capture Filter] button, or click [Capture Filter] to open a dialog that helps you build one. Here we want only the traffic on port 262, so type "port 262" into the text box (Figure 4-8).
3. Click [Start] to begin capturing. Only the traffic on port 262 is now captured.
4.6.2 Display filters
A display filter is applied to a capture file that already exists: only the packets matching the filter are displayed. Type the filter into the text box above the packet list pane.
Display filters are used far more often than capture filters, because they let you look at specific packets without changing the data in the capture file. To see every packet in the file again, just clear the text box.
Figure 4-8: Creating a capture filter in the [Capture Options] dialog
A display filter temporarily hides packets that are irrelevant to the analysis, for example ARP broadcasts. Those ARP broadcasts may be needed later in the analysis, so it is better to hide them temporarily with a display filter than to exclude them for good with a capture filter.
To hide ARP packets:
1. Click in the [Filter] text box above the packet list pane.
2. Type !arp and press Enter (Figure 4-9). To remove the filter, clear the text box and press Enter again.
Figure 4-9: Creating a display filter in the [Filter] text box
4.6.3 The [Filter Expression] dialog
The [Filter Expression] dialog (Figure 4-10) helps Wireshark beginners build capture and display filters. To open it, choose [Analyze] > [Display Filter] from the main menu and click [Expression] in the [Display Filter] dialog.
Figure 4-10: The [Filter Expression] dialog makes building a filter easy
The left side of the dialog lists the protocols Wireshark knows and, for each protocol, the fields that can be used in a filter. To build a filter:
1. Click the [+] to the left of a protocol to show its fields, then click the field you want.
2. With the field selected, choose the relation used to test its value: equal (==), greater than (>), less than (<) and so on.
3. Specify the value: either pick one of the values Wireshark offers or type your own.
4. Click [OK]. The finished filter appears as text in the filter box.
4.6.4 Filter syntax
The [Filter Expression] dialog is convenient for beginners, but once you know the syntax it is faster to write filters by hand. Display filters are very powerful, and their syntax is simple. The syntax is Wireshark's own. Let's look at the kinds of filter expression with examples.
4.6.4.1 Filtering on a protocol
Capture and display filters are most often used to select a protocol. When troubleshooting TCP, for example, only TCP traffic is needed, so filter out everything that is not TCP.
Or consider a troubleshooting session in which ping is used heavily and the ICMP traffic gets in the way. The filter !icmp removes the ICMP traffic from the display.
4.6.4.2 Comparison operators
Comparison operators compare a field of a packet with a value. To show only the packets that carry a particular IP address, use ==: the filter ip.addr==192.168.0.1 shows only the packets containing the address 192.168.0.1.
More advanced tests are possible too, such as showing only packets of 128 bytes or less: use <= and write frame.pkt_len<=128.
The comparison operators Wireshark accepts are listed in Table 4-2.
Table 4-2: Comparison operators usable in Wireshark filters
Operator   Meaning
==         equal to
!=         not equal to
>          greater than
<          less than
>=         greater than or equal to
<=         less than or equal to
4.6.4.3 Logical operators
Logical operators combine several filters into one expression, which greatly extends what a filter can do.
For example, the previous filter showed the packets carrying one IP address. To show the packets that carry either 192.168.0.1 or 192.168.0.2, write ip.addr==192.168.0.1 or ip.addr==192.168.0.2. The logical operators are listed in Table 4-3.
Table 4-3: Logical operators usable in Wireshark filters
Operator   Meaning
and        logical AND
or         logical OR
xor        exclusive OR
not        negation
4.6.4.4 Sample filters
The idea of a filter is simple, but when you actually write one it can be hard to know which keywords and operators to use. This book cannot cover every keyword and operator; see the Wireshark website for the full list. Table 4-4 shows some sample filters. Note that the first two and the fourth use capture filter syntax, while !dns and ip.dst==... are display filter syntax; the two kinds are not interchangeable.
Table 4-4: Sample capture and display filters
Filter                                       Kind      Shows
host www.example.com                         capture   traffic to and from www.example.com
host www.example.com and not (port 80)       capture   traffic to and from www.example.com other than HTTP (port 80)
!dns                                         display   everything except DNS traffic
not broadcast and not multicast              capture   unicast traffic only
ip.dst==192.168.0.1                          display   traffic destined for 192.168.0.1
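To make the operators and sample filters of this section concrete, here is an added example that is not part of the book: a small Python evaluator for the display-filter subset used above (bare protocol names, ==, !=, <, >, <=, >=, and, or, xor, not or !, and parentheses), run over a few constructed packet records. The packet records, their field names and their values are assumptions made for the example; real display filters are evaluated by Wireshark itself, whose grammar is much larger than this.

```python
"""Added example: a minimal evaluator for the Wireshark display-filter subset
covered in section 4.6.4 (protocol names, comparisons, and/or/xor/not, parentheses).
The packet records below are constructed for the example; they are not from any
capture file mentioned in the book."""
import re

_TOKEN = re.compile(r"\s*(\(|\)|==|!=|<=|>=|<|>|!|[\w.]+)")
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("cannot tokenize %r" % expr[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent: or/xor binds loosest, then and, then not, then a comparison,
    a bare protocol name or a parenthesized expression."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "xor"):
            node = (self.take(), node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node
    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        name = self.take()
        if self.peek() in _OPS:                     # field  op  value
            op = self.take()
            return ("cmp", name, op, self.take())
        return ("proto", name)                      # bare protocol name, e.g. "arp"

def _coerce(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return str(value)

def evaluate(node, pkt):
    kind = node[0]
    if kind == "proto":
        return node[1] in pkt["protocols"]
    if kind == "cmp":
        _, field, op, literal = node
        values = pkt["fields"].get(field, [])       # ip.addr matches either address, so a field may hold a list
        values = values if isinstance(values, list) else [values]
        return any(_OPS[op](_coerce(v), _coerce(literal)) for v in values)
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return {"and": left and right, "or": left or right, "xor": left != right}[kind]

def apply_filter(expr, packets):
    """Return the numbers of the packets that the display filter keeps."""
    tree = Parser(tokenize(expr)).parse()
    return [p["no"] for p in packets if evaluate(tree, p)]

# Constructed packet list (assumption): what a packet list pane might hold
PACKETS = [
    {"no": 1, "protocols": {"eth", "arp"}, "fields": {"frame.pkt_len": 42}},
    {"no": 2, "protocols": {"eth", "ip", "tcp", "http"},
     "fields": {"frame.pkt_len": 512, "ip.addr": ["192.168.0.1", "10.0.0.5"],
                "ip.dst": "10.0.0.5", "tcp.port": [3344, 80]}},
    {"no": 3, "protocols": {"eth", "ip", "udp", "dns"},
     "fields": {"frame.pkt_len": 78, "ip.addr": ["192.168.0.2", "8.8.8.8"],
                "ip.dst": "8.8.8.8", "udp.port": [51000, 53]}},
    {"no": 4, "protocols": {"eth", "ip", "icmp"},
     "fields": {"frame.pkt_len": 98, "ip.addr": ["192.168.0.3", "192.168.0.1"],
                "ip.dst": "192.168.0.1"}},
]

if __name__ == "__main__":
    for f in ("!arp", "ip.addr==192.168.0.1", "frame.pkt_len<=128",
              "ip.addr==192.168.0.1 or ip.addr==192.168.0.2", "ip and not (icmp or dns)"):
        print("%-48s -> %s" % (f, apply_filter(f, PACKETS)))
```

The evaluator treats a value as a number when both sides look numeric and as a string otherwise, which is enough for the filters in the tables above; comparing an address with < would raise a TypeError, just as Wireshark rejects the comparison.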

4.6.5 Saving filters
As you use filters you will find some that you use again and again. There is no need to retype them every time: Wireshark can save filters.
To save a filter:
1. Choose [Analyze] > [Display Filter] from the main menu to open the [Display Filter] dialog (Figure 4-11).
Figure 4-11: Filters can be saved in the [Display Filter] dialog
2. Click [New] to create a new filter.
3. Type a name for the filter into the [Filter name] text box.
4. Type the filter itself into the [Filter string] text box.
5. Click [Save] to save the filter.
Wireshark ships with several built-in filters; look at them to see what useful filters look like. Before long you will be writing practical filters of your own.
Chapter 5
Advanced Wireshark features

Now that you have mastered the basics, let's use Wireshark's more advanced features. This chapter covers name resolution, protocol dissection, following TCP streams and the other advanced features.
5.1 Name resolution
Network data is transferred using addresses that are convenient for machines, such as 00:16:CE:6E:8B:24. Name resolution is the process of turning the addresses each protocol uses into something more recognizable: the MAC address 00:16:CE:6E:8B:24, for instance, can be turned into a name such as Marketing-2 with the help of ARP and DNS. Converting machine-friendly addresses into readable names makes it easier to tell computers apart.
Using name resolution to make a capture file more readable also saves analysis time; with DNS resolution, for example, you can identify the sending computer at a glance.
5.1.1 Wireshark's name resolution tools
Wireshark has three kinds of name resolution: MAC address, IP address and port number resolution.
5.1.1.1 MAC address resolution
Uses ARP to resolve a MAC address such as 00:09:5B:01:02:03 to an IP address such as 10.100.12.1. If a MAC address cannot be resolved to an IP address, its first three bytes are converted to the manufacturer name assigned by the IEEE, as in Netgear_01:02:03.
5.1.1.2 IP address resolution
Uses DNS to resolve an IP address such as 192.168.1.50 to a readable name such as MarketingPC1.
5.1.1.3 Port number resolution
Converts port numbers to service names; port 80, for example, becomes http.
5.1.2 Enabling name resolution
Choose [Capture] > [Options] from the main menu, or press Ctrl-K, to open the [Capture Options] dialog (Figure 5-1). Name resolution is enabled there.
Figure 5-1: Enabling name resolution in the [Capture Options] dialog
5.1.3 Drawbacks of name resolution
Name resolution sounds wonderful, but it has drawbacks:
- A name can only be resolved if a name server answers the request for it; without a reachable name server, nothing is resolved.
- Resolved names are not stored in the capture file, so resolution has to be repeated every time the file is opened. If no name server is reachable at that moment, the names cannot be resolved.
- Resolution generates DNS packets that end up in the capture file, so the file can grow.
- Resolution takes processing time. When you are opening a large capture file on a slow machine, you are better off without it.
5.2 Protocol dissection

Wireshark has a dissector for every protocol it understands; the dissector breaks the protocol into its elements so that the packet is easy to read. The ICMP dissector, for example, shows each field of the ICMP header with its value. A dissector is like a translator that presents a protocol in a form Wireshark can display: if Wireshark has a dissector for a protocol, it supports that protocol.
Wireshark applies several dissectors to each packet to decode it, choosing them according to its programmed logic.
Unfortunately that logic is not perfect, and protocols running on non-default ports are especially likely to be misidentified. In that case you can change the dissector that is used.
Open ftp-netbios3.pcap, for example. The file appears to contain NetBIOS traffic. But click a packet and look at the bytes pane and you will notice packets that are clearly not NetBIOS. Packets 5 and 8 in particular carry a user name and a password.
Looking closer, what the file contains is FTP: Figure 5-2 shows the words "FTP Server". Wireshark dissected it as NetBIOS because the FTP session runs over port 137, NetBIOS's default port.
Figure 5-2: This is FTP traffic, not NetBIOS
To fix this, tell Wireshark to use the FTP dissector:
1. Right-click a packet and choose [Decode As]. A dialog for choosing the dissector appears (Figure 5-3).
2. On the [Transport] tab, select source (137) in the drop-down and click [FTP]. Traffic on port 137 is now decoded with the FTP dissector.
3. Click [OK]. The change is applied to the whole capture file immediately; check the packet list pane to confirm that the packets are now dissected correctly.
Figure 5-3: Choosing a dissector in the [Decode As] dialog
Dissector changes are not saved with the capture file; you have to repeat them every time you open the file.
You can change the dissectors of several protocols, not just one. You may lose track of the changes while working through a capture file, but Wireshark remembers them: click [Show Current] in the [Decode As] dialog to list the changes made so far (Figure 5-4), and [Clear] to reset them.
5.3 Following TCP streams

One of the most useful Wireshark features is following a TCP stream. It reassembles packets into the form in which the application at the end user's side receives the data. Instead of examining the fragments of data exchanged between client and server, you can read the data assembled into a TCP stream, which is far easier. Suppose, for instance, that a new employee is suspected of hacking (cracking) the management server and you want to examine his instant messenger (IM) traffic. Open the sample file suspectemployeechat.dmp. It records a session of the IM client MSN Messenger; the "MSNMS" shown in the packet list pane denotes MSN Messenger traffic.
Figure 5-4: [Show Current] lists the dissector changes made so far
Looking at the packets one by one, each contains a little text. To follow the conversation you would have to read the text from every packet and piece it together. Following the TCP stream makes this much easier.
Right-click a packet and choose [Follow TCP Stream]. A window opens with the TCP stream, in which the suspicious conversation between the two people can be read (Figure 5-5).
Figure 5-5: A TCP stream reveals a suspicious exchange
The TCP stream can be saved as a text file or printed, and the data can be shown as ASCII, EBCDIC, a hex dump or a C array.
5.4 The [Protocol Hierarchy Statistics] window
When analyzing a large capture file you sometimes need to know how the protocols are distributed, for example what percentage of the captured packets is DHCP. There is no need to examine the packets one at a time.
Use the [Protocol Hierarchy Statistics] window instead. It is also useful for benchmarking a network: if ARP traffic is normally 10 percent of the total and it suddenly reaches 50 percent, you can suspect that something is wrong.
Open it with [Statistics] > [Protocol Hierarchy] from the main menu (Figure 5-6).
Figure 5-6: The [Protocol Hierarchy Statistics] window shows each protocol's share
The percentages do not always add up to 100. In a large capture, protocols that account for a tiny fraction of the packets are dropped from the count, so the packet total and the sum of the protocol shares no longer match. Even so, the window gives a reasonably accurate picture of the protocol distribution.
5.5 Endpoints
An endpoint is the sender or the receiver of a communication. A TCP/IP exchange, for instance, has two endpoints: the sender 192.168.1.5 and the receiver 192.168.0.8. At layer 2 the endpoints are MAC addresses such as 01:00:5e:00:00:16 and 01:00:5e:01:01:06. Figure 5-7 shows examples.
Figure 5-7: Network endpoints (layer 2: endpoint A 00:ff:ac:ce:0b:de communicates with endpoint B 00:ff:ac:e0:dc:0f; layer 3: endpoint A 192.168.1.25 communicates with endpoint B 192.168.1.30)
Packets can be analyzed with the focus on endpoints. Choose [Statistics] > [Endpoints] from the main menu to open the [Endpoints] dialog, which lists each endpoint's address and the packets and bytes it has sent and received (Figure 5-8). The tabs at the top of the dialog show the endpoints of each protocol, and the [Name resolution] check box turns name resolution on.
The [Endpoints] dialog can also be used to filter the packet list pane. Right-click an endpoint to get the options: create a filter that shows only the traffic involving the selected endpoint, or one that excludes it. The selected endpoint can also be colorized.
5.6 Network conversations
A network conversation takes place between two hosts (endpoints), just like a conversation between two people. A conversation between Jim and Sally might go "Hi Jim", "Hi Sally, how are you?", "Fine, thanks!"; between the computer 192.168.1.5 and the computer 192.168.0.8 it goes SYN, SYN/ACK, ACK (TCP/IP communication is covered in detail in Chapter 6).
Choose [Statistics] > [Conversations] from the main menu to open the [Conversations] dialog (Figure 5-9). It lists the two endpoints of each conversation as Address A and Address B, together with the packets and bytes each of them has sent and received.
Translator's note: Wireshark endpoints also include other things, such as USB ports, TCP and UDP port numbers, FDDI and Token Ring.
Figure 5-8: The [Endpoints] dialog lists each endpoint
Clicking one of the protocol tabs at the top of the [Conversations] dialog switches the list to the conversations of that protocol.
Figure 5-9: The [Conversations] dialog lists the communication between endpoints
Right-click a row to create a filter: only endpoint A's traffic, only the traffic sent by endpoint B, or only the traffic between endpoint A and endpoint B.
5.7 The [IO Graphs] window (sample file: filedownload.dmp)
A good way to see trends in traffic is to graph it. Wireshark's [IO Graphs] window graphs the data sent and received, which lets you check the throughput of each protocol and how the network is behaving.
Let's graph a file download from the internet. Open the sample file filedownload.dmp and choose [Statistics] > [IO Graphs] from the main menu. The IO graph appears: few bytes at first, then a sharp rise when the download starts (Figure 5-10).
Figure 5-10: The IO graph shows the trend of the traffic
The graph can be customized in many ways; the most important settings are those of the X and Y axes, where the scale and the tick interval can be changed.
Filters can be applied to the graph as well. Up to five filters (with the same syntax as display and capture filters) can be defined, each with its own color. Plotting ARP in red and DHCP in blue, for instance, makes it easy to analyze the throughput of each.
You may not yet see when to use these features, but as you use Wireshark you will. What matters is to know which windows and features exist; the following chapters use them all.
Chapter 6
Common protocols

This chapter introduces protocols that are frequently seen on the internet. With a sample capture for each protocol, you will learn how it works. The aim is the basic knowledge needed to understand a protocol and analyze its packets. Only the most important protocols are covered. Skipping this chapter would be like watching part 2 of a film without having seen part 1: the later chapters will not make sense without it.

The book does not describe the design of each protocol in detail; instead, the number of the RFC for each protocol is given. An RFC (Request for Comments) is a document that defines the specification of a TCP/IP protocol. RFCs can be found on the RFC Editor website, http://www.rfc-editor.org.
6.1 ARP

We start with ARP (Address Resolution Protocol), a simple protocol that uses only a few packets. ARP (RFC 826) translates a layer 3 address (an IP address) into a layer 2 address (a MAC address); network devices such as switches and routers use it to find out which port a computer is connected to.
What makes ARP unusual is that it serves two layers of the OSI reference model at once: the network layer and the data link layer.
When a computer wants to talk to another computer, it must first find out where that computer is. Switches and routers use ARP to find out.
Look at the sample file (Figure 6-1). The sending computer (MAC address 01:16:ce:6e:8b:24) sends a packet asking "Who is 192.168.0.1?" to the address ff:ff:ff:ff:ff:ff.
Figure 6-1: ARP uses just two packets, a request and a reply
As you learned earlier, a switch operates at layer 2 and cannot see layer 3 addresses, so how does this work? Imagine calling Mr. Smith when you don't know his first name: you call every Smith in the phone book!
ARP learns the target's layer 2 address by sending its request to the broadcast address. An ARP request sent to the layer 2 broadcast address ff:ff:ff:ff:ff:ff is delivered to every computer in the switch's broadcast domain.
The packet asks every computer whether its IP address is 192.168.0.1. Computers with a different IP address discard it; the computer with 192.168.0.1 replies with its own layer 2 address.
The second packet in Figure 6-1 is that ARP reply. It simply says "the layer 2 address of 192.168.0.1 is 00:13:46:0b:22:ba". The sender now knows the receiver's layer 2 address and can establish a session.
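The two-packet exchange just described, as an added example that is not code from the book: it builds the ARP request and reply as raw Ethernet frames with Python's struct module, parses them back, and applies the decision every host on the broadcast domain makes (reply only if the target IP is its own, otherwise discard). The MAC addresses are the ones quoted above; the sender's IP address 192.168.0.100 is an assumption, since the text does not give it.

```python
"""Added example: the ARP request/reply from Figure 6-1 built and parsed by hand.
MAC addresses come from the text; the sender's IP 192.168.0.100 is assumed."""
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826). A request goes to the
    layer 2 broadcast address; a reply goes straight back to the requester."""
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    sha, spa = body[0:hlen], body[hlen:hlen + plen]
    tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:2 * hlen + 2 * plen]
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def describe(info):
    """The one-line summary Wireshark's Info column gives an ARP packet."""
    if info["opcode"] == ARP_REQUEST:
        return "Who has %s? Tell %s" % (info["target_ip"], info["sender_ip"])
    return "%s is at %s" % (info["sender_ip"], info["sender_mac"])

def answer(frame, my_mac, my_ip):
    """What every host that receives the broadcast does: reply only if the
    target IP is its own, otherwise discard the request (return None)."""
    info = parse_arp(frame)
    if info["opcode"] != ARP_REQUEST or info["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, info["sender_mac"], info["sender_ip"])

# The request in Figure 6-1 (sender IP assumed)
REQUEST = build_arp(ARP_REQUEST, "01:16:ce:6e:8b:24", "192.168.0.100",
                    "00:00:00:00:00:00", "192.168.0.1")

if __name__ == "__main__":
    print(describe(parse_arp(REQUEST)))
    for mac, ip in (("00:aa:bb:cc:dd:ee", "192.168.0.7"), ("00:13:46:0b:22:ba", "192.168.0.1")):
        reply = answer(REQUEST, mac, ip)
        print(ip, "->", "discarded" if reply is None else describe(parse_arp(reply)))
```

Running it prints the request summary, the discard by a host with another address, and the reply from the host that owns 192.168.0.1, which is exactly what the second packet of the sample file carries.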
6.2 DHCP (dhcp.pcap)
DHCP (Dynamic Host Configuration Protocol) is another simple protocol. DHCP (RFC 2131) provides a computer with the addresses it needs, such as its own IP address and the address of an NTP server. It is a client-server protocol: the client asks a DHCP server for an IP address and the server answers. The basic operation takes four steps. In the first packet the client broadcasts a DHCPDISCOVER to the broadcast address 255.255.255.255 (Figure 6-2).
Figure 6-2: A DHCP exchange starts with a DHCPDISCOVER packet
To obtain an IP address the client must first locate a DHCP server; the DHCPDISCOVER packet searches the network for one. When a DHCP server receives it, it sends a DHCPOFFER to the client (Figure 6-3). The offer contains the IP address the server can provide, together with other network settings.
Figure 6-3: The server sends a DHCPOFFER to the client
On receiving the DHCPOFFER the client sends a DHCPREQUEST. The client has no address yet, so the DHCPREQUEST is broadcast as well. If there are several DHCP servers, this packet tells the others that the client will use the address offered by one server and that no further DHCPOFFERs are needed. When the DHCP server receives the DHCPREQUEST it sends a DHCPACK, and the assignment of the IP address is complete (Figure 6-4).
Figure 6-4: The server sends a DHCPACK and the address assignment is complete
In the packet list pane every DHCP packet carries a Transaction ID. It is assigned so that the transactions of different clients can be told apart; check it when analyzing so that you do not mix up the exchanges of different clients.
Only four DHCP message types were shown here; DHCP defines eight in all. See RFC 2131 for the details.
6.3 TCP/IP and HTTP

TCP/IP underlies most of the communication that appears in this book. It is the most widely used network protocol suite, so learn it thoroughly.
HTTP (Hypertext Transfer Protocol, RFC 2616) is the client/server protocol for transferring web pages, and it is a good example of TCP/IP in use. Searching on Google, checking the weather, checking the score of your favorite team: all of these use HTTP, one of the protocols of TCP/IP.
6.3.1 TCP/IP
TCP/IP is a suite of protocols at layers 3 and 4 of the OSI reference model; it includes TCP, IP, ARP, DHCP and ICMP among others.
TCP (Transmission Control Protocol, RFC 793) is a layer 4 protocol. It is connection-oriented and reliable and provides full-duplex communication, which is why it is so widely used. Full duplex means that a computer can send and receive data at the same time.
The features and advantages of TCP depend on the type of packet and the flags set in it; we will look at what each type does.
IP (Internet Protocol, RFC 791) is the layer 3 protocol that provides the addressing that makes communication possible. IP itself does not establish sessions; put the other way round, it is TCP, riding on IP, that provides reliable data transfer.
The capture file records a TCP/IP session from its establishment, through an HTTP data request and transfer, to the end of the session. Let's understand how TCP and IP work through this simple exchange between a client and a server.
6.3.2 Establishing a session
To start a session with another computer, the three-way handshake must succeed. The handshake is the three steps that set up a session between the sender (here the client) and the receiver (the server) (Figure 6-5).
Figure 6-5: The three steps of the three-way handshake
Let's watch a session being established. The client's IP address is 145.254.160.237 and the server's is 65.208.228.223.
6.3.2.1 The SYN packet
The handshake begins with the client sending a SYN packet to the server. The packet carries a 32-bit sequence number; the sequence numbers exchanged between client and server are what keep the communication in order.
Expand TCP in the packet details pane and you can see the TCP-specific information: the source and destination ports, the sequence number, the packet type (flags) and so on. The sequence number of this first SYN packet is 0 (Figure 6-6).
Figure 6-6: The packet details pane shows the information you need
Wireshark shows sequence numbers as "relative" numbers, so whatever the real value, the first number is always 0. This makes the sequence numbers much easier to follow.
6.3.2.2 The SYN/ACK packet
This is the server's answer. When the server receives the client's SYN it takes the sequence number from it. The packet is called a SYN/ACK; it is the second packet in the sample file.
The ACK part carries the client's sequence number plus 1 as the acknowledgment number, telling the client that the server received its SYN. The SYN part does the same thing as the client's SYN: it sends the server's own sequence number to the client.
6.3.2.3 The ACK packet
Finally the client sends an ACK packet to tell the server that it received the SYN/ACK. As in the SYN/ACK, the acknowledgment number is the other side's sequence number plus 1. Once the server receives this ACK, data transmission can begin.
6.3.3 Starting data transfer
Data is transferred using the sequence numbers agreed in the three-way handshake. Note that from now on the sequence numbers advance not by 1 but by the number of bytes of data sent. For a deeper look at TCP, see RFC 793.
6.3.4 HTTP communication
The session is established. Now let's see what is actually sent when a web page is displayed. HTTP rides on TCP.
Packet 4 is the first HTTP packet; it asks the server to send a web page to the client. Expand HTTP in the packet details pane and look at the contents of the GET request (Figure 6-7).
Figure 6-7: The packet details pane shows the details of the request
The packet contains a GET request (Request Method: GET) for the web page www.ethereal.com/download.html, along with other information such as the accepted character sets (Accept-Charset: ISO-8859-1, ...) and the referring page (Referer: http://www.ethereal.com/development.html).
After the client sends the GET request, the server begins transferring the data over TCP. Before sending the data the server sends an HTTP OK message telling the client that the request was received correctly. In Figure 6-8 (and in the sample file) packet 4 is the GET request and packet 38 is the OK response.
6.3.5 Ending a session

When the data transfer is finished, the session is closed with a procedure much like the three-way handshake, except that FIN and ACK packets are used instead of SYN and ACK packets (Figure 6-9).
When the server has finished sending data it sends a FIN/ACK packet to the client (Figure 6-10). The FIN packet is designed to end a communication gracefully.
When the client receives the FIN/ACK it returns an ACK to the server. The acknowledgment number of that ACK is the sequence number of the FIN/ACK plus 1. The server's side of the data transfer is now over. At this point the server can still receive data but can no longer send it. To close the session completely the reverse exchange is needed: the client sends a FIN/ACK to the server and the server returns an ACK.
Figure 6-8: Packet 4 is the GET request and packet 38 the OK packet
Figure 6-9: Closing a connection with the FIN/ACK handshake
Figure 6-10: The packet details pane (showing packet 40, the FIN/ACK packet)
Translator's note: "handshake" usually brings to mind the three-way handshake that establishes a session, but the exchange that ends a session is also called a handshake.
In Figure 6-11, packet 40 is the server sending its FIN/ACK to the client, packet 41 is the client's ACK, packet 42 is the client's FIN/ACK and packet 43 is the ACK that ends the session.
Figure 6-11: The steps of closing a session, seen in the packet list pane
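An added example (not code from the book) that walks the whole session described in 6.3, from the handshake through the GET and its response to the FIN/ACK close, checking the sequence and acknowledgment arithmetic at every step and producing the relative numbers Wireshark shows. The packet list is constructed: the initial sequence numbers and the data lengths are assumptions, chosen to show that the relative numbering starts at 0 on each side and that a SYN, a FIN and each byte of data all advance the sequence number.

```python
"""Added example: sequence/acknowledgment bookkeeping for the TCP session in 6.3.
The packet list is constructed; ISNs and data lengths are assumptions."""

CLIENT, SERVER = "145.254.160.237", "65.208.228.223"

def track_session(packets):
    """packets: dicts with src, dst, flags (set of 'SYN','ACK','FIN'), seq, ack, len.
    Verifies the rules from 6.3 (a SYN and a FIN each consume one sequence number,
    data consumes its length, an ACK must acknowledge exactly the peer's next byte)
    and returns the relative numbers Wireshark shows plus the final state."""
    isn, next_seq, fins, log, state = {}, {}, set(), [], "CLOSED"
    for p in packets:
        src, dst, flags = p["src"], p["dst"], p["flags"]
        seq, ack, length = p["seq"], p["ack"], p.get("len", 0)
        if "SYN" in flags:
            isn[src] = seq
            next_seq[src] = seq + 1
        else:
            if seq != next_seq.get(src):
                raise ValueError("%s sent seq %d, expected %s" % (src, seq, next_seq.get(src)))
            next_seq[src] = seq + length + (1 if "FIN" in flags else 0)
        if "ACK" in flags and ack != next_seq.get(dst):
            raise ValueError("%s acked %d, but %s's next byte is %s" % (src, ack, dst, next_seq.get(dst)))
        if "SYN" in flags:
            state = "SYN_RECEIVED" if "ACK" in flags else "SYN_SENT"
        elif "FIN" in flags:
            fins.add(src)
            state = "FIN_WAIT" if len(fins) == 1 else "LAST_ACK"
        elif "ACK" in flags and state == "SYN_RECEIVED":
            state = "ESTABLISHED"
        elif "ACK" in flags and state == "LAST_ACK":
            state = "CLOSED"
        name = "/".join(f for f in ("SYN", "FIN", "ACK") if f in flags)
        rel_seq = seq - isn[src]
        rel_ack = ack - isn[dst] if "ACK" in flags else None
        log.append((src, name, rel_seq, rel_ack, length, state))
    return {"log": log, "state": state}

def pkt(src, dst, flags, seq, ack=0, length=0):
    return {"src": src, "dst": dst, "flags": set(flags.split("/")), "seq": seq, "ack": ack, "len": length}

C_ISN, S_ISN = 1000000, 5000000   # assumed initial sequence numbers
SESSION = [
    pkt(CLIENT, SERVER, "SYN", C_ISN),                                 # 6.3.2.1
    pkt(SERVER, CLIENT, "SYN/ACK", S_ISN, C_ISN + 1),                  # 6.3.2.2: ack = client seq + 1
    pkt(CLIENT, SERVER, "ACK", C_ISN + 1, S_ISN + 1),                  # 6.3.2.3: ack = server seq + 1
    pkt(CLIENT, SERVER, "ACK", C_ISN + 1, S_ISN + 1, 479),             # GET request, 479 bytes (assumed)
    pkt(SERVER, CLIENT, "ACK", S_ISN + 1, C_ISN + 480, 1380),          # HTTP OK + data, 1380 bytes (assumed)
    pkt(CLIENT, SERVER, "ACK", C_ISN + 480, S_ISN + 1381),
    pkt(SERVER, CLIENT, "FIN/ACK", S_ISN + 1381, C_ISN + 480),         # server done sending
    pkt(CLIENT, SERVER, "ACK", C_ISN + 480, S_ISN + 1382),             # ack = FIN seq + 1
    pkt(CLIENT, SERVER, "FIN/ACK", C_ISN + 480, S_ISN + 1382),         # client closes its side
    pkt(SERVER, CLIENT, "ACK", S_ISN + 1382, C_ISN + 481),             # session closed
]

if __name__ == "__main__":
    for src, name, rs, ra, ln, st in track_session(SESSION)["log"]:
        print("%-16s %-8s Seq=%-5d Ack=%-5s Len=%-5d %s" % (src, name, rs, ra, ln, st))
```

The printed Seq and Ack columns are what the packet list pane shows with relative sequence numbers turned on; a tampered acknowledgment number (for instance an ACK that skips a byte) makes track_session raise ValueError instead of silently continuing.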
6.4 DNS

DNS (Domain Name System, RFC 1034) resolves domain names such as www.google.com or MARKETING-PC1 to IP addresses. Layer 3 of the OSI reference model identifies computers by IP address, so names have to be resolved.
DNS resolution is very simple and is usually done in two packets. The first is the query to the DNS server: "What is the IP address of www.google.com?" The second is the server's answer: "The IP address of www.google.com is XX.XX.XX.XXX."
Look at the DNS packets in the example (Figure 6-12). First 192.168.0.114 sends a query for http://www.chrissanders.org to 205.152.37.23. The second packet is the answer: the IP address of the requested domain is 208.113.140.24. With the address known, the client can now perform the TCP three-way handshake and send data.
Figure 6-12: DNS is done in two packets, a query and an answer

Capture some packets yourself and you will notice a great many DNS packets. A single web page pulls in information from many other sites, each of which needs a name resolved. Write a filter that shows only DNS traffic and see how many DNS packets are flowing.
6.5 FTP

FTP (File Transfer Protocol, RFC 959) is a layer 7 protocol for transferring data between a client and a server; it uses ports 20 and 21. FTP is a client-server protocol, so the communication goes back and forth between the two. It runs over TCP, so the session starts with a three-way handshake (Figure 6-13).
Figure 6-13: This session too starts with a three-way handshake
When the handshake is complete, the server sends a welcome message to the client. In it the server identifies itself as an FTP server and asks the client to log in (Figure 6-14).
Figure 6-14: The start of the FTP session (packet 4)
The client then sends a user name (csanders) and a password (echo) to the server, and the server acknowledges them (Figure 6-15).
Figure 6-15: Sending the user name and password to the server
For FTP the [Info] column of the packet list pane shows enough to follow the session. For more detail, expand FTP in the packet details pane.
The session is not encrypted, so packet 7 in the sample file records the password in the clear (Figure 6-16).
Figure 6-16: The password of user csanders
The client controls the FTP server with commands: list a directory, change directory, delete a file and so on. See RFC 959 for the full list. Let's look at the FTP commands starting at packet 15 of the sample file (Figure 6-17).
Figure 6-17: A CWD command is executed in packet 15
6.5.1 The CWD command
CWD changes the current directory; it is executed whenever the client moves to another directory.
The sample file contains a CWD to "/", the server's root directory. Right after logging in, the client executes CWD to move to the root directory and the server tells the client that the current directory is now the root.
6.5.2 The SIZE command
Next is SIZE, which returns the size of a file. In packet 25 the client uses SIZE to ask for the size of the file Music.mp3 (Figure 6-18).
Figure 6-18: A SIZE command sent to the server
In packet 26 the server answers that the file is 4,980,924 bytes (Figure 6-19).
Figure 6-19: The result of the SIZE command
6.5.3 The RETR command
RETR (retrieve) downloads a file from the server (Figure 6-20). In packet 32 the client sends RETR to download Music.mp3. When the server receives the command it starts sending the data to the client.
Figure 6-20: RETR downloads a file from the server
The packets labeled FTP-DATA are the ones carrying the file being downloaded or uploaded.
6.6 TELNET (telnet.pcap)
TELNET (RFC 854) is a protocol for operating a computer remotely. Because it communicates in clear text it has security problems. It is used to manage servers, switches, routers and other network devices.
The sample file records a client (192.168.0.2) connecting to a server (192.168.0.1) over TELNET. All data goes in the clear, so nothing in the session is protected; important data should never be sent over TELNET.

Use SSH instead of TELNET.
What is exchanged between client and server? The first packets in the sample file are TELNET-specific negotiation, which tells you this is TELNET traffic (Figure 6-21).
Figure 6-21: A TELNET packet (packet 9)
A TELNET session uses options that specify things like the terminal type and the terminal mode. Client and server have to agree on them before communication starts, and these options make up roughly the first 30 packets of the sample file.
The interesting part starts at packet 27, which shows that the server is running OpenBSD. In packet 29 the server shows the client a login prompt, and in packet 31 the client sends the user name "fake". In packet 36 the server asks the client for a password, and in packet 38 the client sends the password "user" (Figure 6-22). This is why TELNET is dangerous: this user name and password may be the ones used to manage an important server, and anything sent in the clear can be read by anyone who knows how to use a sniffer.
Figure 6-22: A password sent over TELNET is visible to anyone
In the rest of the sample file the client uses the server's shell to ping a website. The packet details pane shows all of the data exchanged over TELNET.
6.7 MSN Messenger Service (msnms.pcap)
Sometimes you have to analyze an instant messaging conversation. In Chapter 5 we saw an employee using an instant messenger to discuss breaking into (cracking) a computer with a friend. There are many instant messengers; they look alike but each uses its own protocol. Here we use a sample capture of the MSN Messenger Service (MSNMS) to follow an employee's conversation.
Translator's note: in general, employees use the company's computers and network to do their work, so monitoring (intercepting) their communications is not automatically unlawful. Careless monitoring, however, can amount to an invasion of privacy or harassment. Monitoring with the approval of the responsible person, on grounds such as the work rules, network management and security, or the protection of important information, is possible, but you should obtain that consent beforehand.
Some companies have a policy that forbids instant messaging; knowing the MSNMS protocol lets you enforce it.
The sample file begins with a TCP three-way handshake (Figure 6-23).
Figure 6-23: The session starts with a three-way handshake
After the handshake, 192.168.0.114 sends an MSNMS packet to a server outside the local network (Figure 6-24).
Figure 6-24: A computer on the local network talks to a server on the internet
The first MSNMS packet begins the communication with Microsoft's server. As the packet details pane shows, it carries a USR command, and the user starting the chat is the one with the e-mail address tesla_brian@hotmail.com (Figure 6-25).
Figure 6-25: The packet details pane of packet 5 shows that the user tesla_brian@hotmail.com is starting a chat
The next packet is a CAL packet, sent to the server to name the person to chat with (Figure 6-26).
Figure 6-26: A CAL packet starts a chat with another user
Packet 6 sends the e-mail address of the chat partner (Figure 6-27).
Figure 6-27: The CAL packet names the partner's e-mail address
In packet 8 the server tells the client that it received the CAL packet (Figure 6-28).
Figure 6-28: Packet 8 acknowledges packet 7
Packet 9 sets up the chat. It is called a JOI packet and tells the client that the other user (here tesla_thomas@hotmail.com) has joined the chat (Figure 6-29).
Figure 6-29: The JOI packet signals that the other user can now chat
The rest of the sample file is MSG packets: the chat messages exchanged between Brian and Thomas.
The first question that comes to mind is probably "Can I actually read the chat?!" Frighteningly, the answer is yes. Right-click any MSG packet and choose [Follow TCP Stream] (the feature from Chapter 5), and the conversation between Brian and Thomas is laid out in full (Figure 6-30). Be careful what you say over instant messaging from now on.
6.8 ICMP (icmp.pcap)
ICMP (Internet Control Message Protocol, RFC 792) is part of IP. It is often called a utility protocol and is extremely useful for troubleshooting. The ping command uses ICMP.
Let's see what ICMP traffic looks like. The sample file records eight packets: pings sent to two hosts. Look at the first packet (Figure 6-31).
Figure 6-30: Now you can see who is chatting and what they are saying
Figure 6-31: The first ping packet
Expand ICMP in the packet details pane to see the ICMP information. The first packet has type 8, an Echo request. Every ICMP packet carries a numeric type, which tells the receiving computer how to process the packet. See RFC 792 for the list of ICMP types.
Common sense says that an Echo request should be answered with an Echo reply, and that is what the sample shows: packet 2 is an ICMP packet of type 0, an Echo reply.
The Windows ping command sends four Echo requests, and the sample file in Figure 6-32 shows exactly that. For the first ping target, 192.168.0.1, four requests are sent and four replies come back. The same four-packet exchange follows for 72.14.207.99 (www.google.com).
Figure 6-32: Request, reply, request, reply ...
6.9 Summary
The goal of this chapter was to learn how common protocols look in Wireshark. Only the basics of each protocol were covered; read the RFCs for the details. The following chapters apply what you learned here to a range of scenarios.
Chapter 7
Case studies (basics)

Finally we reach the fun part: analyzing packets from real network problems.
This chapter starts with simple examples of packet analysis so that you can see what is really happening on the network. The sample captures show problems you will actually run into.
7.1 A lost TCP connection

The most common network problem is communication that simply stops. Setting aside why it happens, let's see what a lost connection looks like at the packet level. Once you know, you can tell this failure apart from others when troubleshooting.
Open the sample file tcp-con-lost.pcap (Figure 7-1). Between 10.3.71.7 and 10.3.30.1, four ordinary ACK packets are exchanged.
Figure 7-1: At first, ordinary ACK packets are exchanged
From packet 5 on, the data is retransmitted (Figure 7-2).
Figure 7-2: Retransmissions show that the communication is failing
TCP is designed to retransmit data when the receiver does not respond within a waiting time. After a retransmission it waits twice as long as before, and if there is still no response it sends the data once more. Figure 7-3 shows how TCP retransmission works.
Figure 7-3: Repeated retransmissions suggest that the communication has broken down
Windows makes five retransmission attempts over 9.6 seconds (Figure 7-3). When the fifth attempt fails, the communication ends and the data is lost. If you set the time display format to the time relative to the start of the capture ([View] > [Time Display Format] > [Seconds Since Beginning of Capture]), you can see the interval before each retransmission doubling (Figure 7-4).
Figure 7-4: Windows makes five retransmission attempts
Look closely at Figure 7-4. The acknowledgment number of packet 4 (Ack=5840) matches the sequence number of packet 5, the first retransmitted packet (Seq=5840).
As you learned in Chapter 6, TCP keeps communication in order with sequence and acknowledgment numbers. The retransmitted packet's sequence number equals packet 4's acknowledgment number, which means the packet sent after packet 4 was lost. Knowing where the retransmissions start is a clue to what caused the failure.
7.2 Unreachable destinations and ICMP codes
The tool most people use to check network connectivity is the ping command. Send a ping to a working destination and it replies. If the destination is down, either nothing comes back or a Destination unreachable message does. Capturing the ICMP packets with a sniffer gives more information than the ping command prints. Let's look more closely at ICMP error messages.
7.2.1 Destination unreachable (destunreachable.pcap)
Open destunreachable.pcap. The first packet is an Echo request (ICMP type 8) from 10.2.10.2 to 10.4.88.8 (Figure 7-5).
Figure 7-5: 10.2.10.2 sends an Echo request to 10.4.88.8
Expand ICMP in the packet details pane to see the details. If the Echo request reached its destination, an Echo reply (ICMP type 0) would come back.
Look at packet 2 in Figure 7-6: what came back is not type 0 but type 3. The Echo request did not reach its destination.
Figure 7-6: Type 3 comes back instead of type 0

The type alone does not say much, but ICMP also returns a code: code 1 (host unreachable), for example, means the destination computer could not be reached. Each type has its own codes. Note also that packet 2 was not sent by the computer 10.2.10.2 was trying to reach, which again shows that the Echo request never got there.
Code 1 means the Echo request passed through a router or switch but could not be delivered to the destination. When you see code 1, look at the ARP broadcast the router or switch sends: if no reply comes back to that ARP broadcast, the destination cannot be found, and type 3 code 1 is returned to the sender.
7.2.2 Port unreachable
One of the most common troubleshooting patterns is checking whether a service is accepting connections on a given port: whether you can connect to port 21 of an FTP server, for instance. When port 21 cannot be reached for some reason, ICMP type 3 code 3, "port unreachable", comes back.
ICMP comes up constantly in network administration, so learn the basic types and codes. The author keeps a small quick-reference card within reach.
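As an added example (not from the book), the following Python builds the datagrams discussed in 7.2 and 6.8 (an Echo request, the Destination unreachable messages it can provoke, and the Time exceeded message that traceroute relies on) and decodes them the way the packet details pane does: type, code, and, for error messages, the header of the original datagram that RFC 792 requires them to quote, which is how you know which of your packets the error refers to. The addresses 10.2.10.2 and 10.4.88.8 come from the text; the router address 10.2.10.1, the IP ID and the payload bytes are assumptions.

```python
"""Added example: build and decode the ICMP messages discussed in 7.2 and 6.8.
Addresses 10.2.10.2 / 10.4.88.8 are from the text; 10.2.10.1 (a router) is assumed."""
import struct

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 8: "Echo request", 11: "Time exceeded"}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed", 13: "communication administratively prohibited"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def checksum(data):
    """RFC 1071 one's-complement sum; verifying a header with its checksum in place gives 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, payload, ttl=64, ident=0x1234, proto=1):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp(type_, code, rest=0, payload=b""):
    hdr = struct.pack("!BBHI", type_, code, 0, rest)
    return hdr[:2] + struct.pack("!H", checksum(hdr + payload)) + hdr[4:] + payload

def echo_request(src, dst, ident, seq, data=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """Type 8: the ping. The 32-byte data is what a Windows ping sends by default."""
    return ipv4(src, dst, icmp(8, 0, (ident << 16) | seq, data))

def icmp_error(reporter, original, type_, code):
    """Types 3 and 11 are sent by whoever gave up on the datagram (a router, or the
    destination host itself) back to the original sender, quoting the original
    IP header plus 8 bytes of its payload so the sender can tell which packet failed."""
    return ipv4(reporter, ip_str(original[12:16]), icmp(type_, code, 0, original[:28]))

def decode(datagram):
    """What the packet details pane shows for an ICMP datagram."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != 1:
        raise ValueError("not ICMP")
    body = datagram[ihl:]
    if checksum(body) != 0:
        raise ValueError("bad ICMP checksum")
    t, c = body[0], body[1]
    info = {"src": ip_str(datagram[12:16]), "dst": ip_str(datagram[16:20]),
            "type": t, "code": c, "type_name": ICMP_TYPES.get(t, "type %d" % t)}
    if t in (0, 8):
        info["ident"], info["seq"] = struct.unpack("!HH", body[4:8])
    elif t in (3, 11):
        info["code_name"] = ICMP_CODES[t].get(c, "code %d" % c)
        quoted = body[8:]                                   # the datagram that failed
        info["original"] = (ip_str(quoted[12:16]), ip_str(quoted[16:20]))
    return info

PING = echo_request("10.2.10.2", "10.4.88.8", ident=1, seq=1)
HOST_UNREACHABLE = icmp_error("10.2.10.1", PING, 3, 1)     # a router could not find the host (7.2.1)
PORT_UNREACHABLE = icmp_error("10.4.88.8", PING, 3, 3)     # host reached, nothing listening (7.2.2)
TIME_EXCEEDED = icmp_error("10.2.10.1", PING, 11, 0)       # TTL ran out at this router

if __name__ == "__main__":
    for d in (PING, HOST_UNREACHABLE, PORT_UNREACHABLE, TIME_EXCEEDED):
        print(decode(d))
```

The decoded source address of an error message is the device that gave up, not the destination you pinged, which is the observation made about packet 2 above; the quoted original header is what lets you match the error to the Echo request that caused it when several pings are in flight.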
7.3 IP fragmentation (ipfragments.pcap)
IP carries data across the network. The amount of data that can cross the wire at once is limited, so IP has a feature called fragmentation. With fragmentation, large data can be sent in pieces and reassembled into the original data at the receiving end.
This section looks at an example of data split by IP fragmentation.
The sample file records 24 packets of a ping exchange. As shown earlier, a ping exchange normally fits in 8 packets, so why 24? In this file each Echo request is answered by three Echo reply packets, so three times the usual number of packets are exchanged (Figure 7-7).
Figure 7-7: Here each Echo request gets three Echo reply packets
When the ping data is larger than the default, it is split up and sent like this. The default data size of a Windows ping is 32 bytes; in the sample file it is 3,072 bytes. Ethernet can carry at most 1,500 bytes in one packet, so IP has to fragment the packet.
7.3.1 Is the packet fragmented?
How does the receiving computer know that a packet is fragmented? The packet details pane shows it at once. Try the following with ipfragments.pcap:
1. Select packet 1 and expand IP in the packet details pane.
2. Expand the [Flags] item. It splits into three entries, as in Figure 7-8. Look at More fragments: its value is 1, meaning this packet is fragmented and more fragments follow.
Figure 7-8: A More fragments flag of 1 means more fragmented packets follow
3. Look at packet 2 the same way. More fragments is 1 here as well.
4. Look at More fragments in packet 3 (Figure 7-9). Unlike packets 1 and 2, its value is 0, which means all of the data has now been sent. More fragments is always either 1 or 0.
Figure 7-9: A More fragments flag of 0 means the data transfer is complete
7.3.2 Reassembling in the right order
The next question is how the fragments are put back together in the right order. When IP fragments a packet it provides an offset value for this purpose.
The offset is shown in the packet details pane. Expand IP in packet 1 and you will find that the offset (Fragment offset) is 0, meaning this is the first of the fragments.
In packet 2 the offset jumps to 1480 (Figure 7-10). The value depends on the amount of data in the previous packet: the previous packet's data size added to the previous packet's offset gives this packet's offset. Packet 2's offset is 1480 because the previous packet carried 1,480 bytes of data and had offset 0.
Figure 7-10: Packet 2's offset depends on the size of the previous packet's data
Packet 3's offset is 2960: the 1,480 bytes of data in packet 2 added to its offset of 1480 (Figure 7-11).
Figure 7-11: Packets fragmented by IP
Look at the offset values of the other fragmented packets in the sample file as well. In a capture where the fragments arrive out of order, the offset is what lets you sort them out.
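The arithmetic of 7.3, as an added example that is not from the book: the Python below fragments the 3,080-byte IP payload of a 3,072-byte ping (8-byte ICMP header plus data) for a 1,500-byte Ethernet MTU, producing the three fragments with offsets 0, 1480 and 2960 and More fragments flags 1, 1, 0 described above, then reassembles them from out-of-order arrival and refuses to hand up a datagram with a missing fragment. The payload bytes and the IP ID are constructed; the offset is kept in bytes, as Wireshark displays it, and the on-wire field (offset divided by 8) is shown alongside.

```python
"""Added example: IP fragmentation and reassembly of the 3,072-byte ping in 7.3.
The payload and IP ID are constructed; offsets are in bytes, as Wireshark shows them."""

ETHERNET_MTU = 1500
IP_HEADER_LEN = 20

def fragment(payload, ident, mtu=ETHERNET_MTU):
    """Split one IP payload into fragments. Every fragment but the last carries a
    multiple of 8 bytes, because the on-wire offset field counts 8-byte units."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8            # 1480 bytes on Ethernet
    fragments, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        fragments.append({"id": ident, "offset": offset, "wire_offset": offset // 8,
                          "more_fragments": int(more), "data": chunk})
        offset += len(chunk)
    return fragments

def reassemble(fragments):
    """Group fragments by IP ID, sort them by offset and rebuild complete datagrams.
    Returns {id: payload}; a datagram with a missing fragment is left out."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f["id"], []).append(f)
    datagrams = {}
    for ident, parts in by_id.items():
        parts = sorted(parts, key=lambda f: f["offset"])     # arrival order does not matter
        if parts[0]["offset"] != 0 or parts[-1]["more_fragments"]:
            continue                                         # first or last fragment missing
        buf, expected = bytearray(), 0
        for f in parts:
            if f["offset"] != expected:
                break                                        # hole in the middle
            buf += f["data"]
            expected += len(f["data"])
        else:
            datagrams[ident] = bytes(buf)
    return datagrams

# ping -l 3072: 8-byte ICMP Echo header followed by 3,072 data bytes (constructed)
ICMP_ECHO = bytes(8) + bytes(range(256)) * 12

if __name__ == "__main__":
    for f in fragment(ICMP_ECHO, ident=0x1234):
        print("offset=%4d (wire %3d) more_fragments=%d data=%4d bytes"
              % (f["offset"], f["wire_offset"], f["more_fragments"], len(f["data"])))
```

The third fragment carries only the 120 bytes left over, which is why it is so much smaller than the first two in the sample file.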
7.4 No connectivity

From here on, let's use Wireshark to analyze real network problems. This scenario involves two users, Barry and Beth, who sit next to each other in the office. The budget was approved and the IT department bought both of them new computers; you have to get the two machines working properly. You unpack them, plug everything in, configure the settings and start testing. Then you hit a problem: Barry's computer connects to the network without trouble, but Beth's cannot reach the internet. You now have to find out why Beth's computer cannot reach the internet and fix it.
7.4.1 What we know

The first step in troubleshooting is to list what you already know about the problem. Here you know that Barry and Beth are using brand-new computers, that the IP addresses were set by hand, and that both machines answer Echo requests from other computers on the same network segment. Finally, you know that the two computers were configured identically, because you configured them yourself.
7.4.2 Starting the analysis

With the known facts listed, think about how to investigate what you don't know: what kind of traffic to capture and where to place the sniffer. Since the problem is that the internet cannot be reached, the logical thing is to capture the packets sent when Beth's computer tries to connect to the internet. But you don't know much about the network the two computers are on, so capture Barry's computer too. That gives two capture files, one from a machine that can connect and one from a machine that cannot, and comparing them should make the problem stand out. This is called baselining. Install Wireshark on both computers.
Translator's note: baselining means recording the normal state in detail as a baseline and then concentrating on where the problem case differs from it.
7.4.3 Analysis
Start with the capture from Barry's computer (barryscomputer.pcap), the one that can reach the internet. It contains HTTP traffic.
As Figure 7-12 shows, the first thing is an ARP broadcast asking for the layer 2 address of the default gateway (192.168.0.10). When Barry's computer receives the ARP reply it starts a three-way handshake with the web server, and the server then sends data.
Figure 7-12: Barry's computer performs a three-way handshake and exchanges data over HTTP
Now that you know what normal HTTP traffic looks like on this network, look at Beth's capture (bethscomputer.pcap). Something is clearly going on. As Figure 7-13 shows, the first packet is an ARP request, as in barryscomputer.pcap, but this ARP request asks for the layer 2 address of 192.168.0.11, not 192.168.0.10.
Figure 7-13: Beth's computer asks for the layer 2 address of a different IP address
After the ARP request comes NetBIOS traffic (Figure 7-14). The NetBIOS traffic proves that something is not working.
Figure 7-14: NetBIOS traffic appears
NetBIOS is an old protocol that is mostly used when TCP/IP is not working. Seeing NetBIOS traffic means that Beth's computer could not reach the internet over TCP/IP and tried (and failed) to communicate over NetBIOS. When NetBIOS traffic shows up in a capture, suspect a problem with the network.
What differs from Barry's capture? The IP address whose layer 2 address is requested in the ARP packet. Barry's computer asks for the layer 2 address of 192.168.0.10, the default gateway, while Beth's asks for the layer 2 address of 192.168.0.11 and gets no answer (Figure 7-15). It is asking for the wrong default gateway address.
Figure 7-15: The IP addresses requested by ARP differ (Barry's computer above, Beth's computer below)
Checking the TCP/IP settings reveals a typo. The default gateway on Barry's computer is 192.168.0.10, and on Beth's it is 192.168.0.11. 192.168.0.11 is the wrong address.
7.4.4 Summary
Many of the problems you run into will turn out to be misconfigurations. When that is a possibility, compare the capture with one from a properly working computer. In this scenario, comparing against normal traffic showed exactly which packet was wrong. Once the cause is found, the fix is easy.
7.5 The ghost in Internet Explorer (hauntedbrowser.pcap)
This scenario begins with a call to the help desk from Chad, one of the users of the network you manage. According to Chad, his computer has recently become haunted. His browser's home page changes by itself to a weather site he has never seen. Even after he changes the setting by hand, it is back to the weather site after a reboot. You now have to find out what is going on and exorcise Chad's computer.
7.5.1 What we know

Chad has been with the company for a long time, but you know he has no technical knowledge; to him a computer is little more than a mystery. His computer was built two years ago and runs Windows XP with Internet Explorer 6 as the browser.
7.5.2 Starting the analysis

The problem occurs only on Chad's computer, so capturing the packets sent and received by his computer is enough. Since the home page setting reverts whenever the computer is rebooted, capture the packets from your own computer while his reboots.
In this scenario Wireshark cannot be installed on Chad's computer, so use a hub to capture the packets (if you have forgotten how, see "2.3.2 Using a hub" in Chapter 2). Capture from the moment Chad's computer is switched on until it has finished booting. No user action is needed.
7.5.3 Analysis
Even though the user never touched the computer, the sample file contains a surprising number of TCP and HTTP packets (Figure 7-16). A normal boot produces almost none of these.
Figure 7-16: Many packets although the user is not doing anything, which means something is wrong
Looking at the packets brings you to a surprising conclusion. First, almost all of the GET requests are sent from the IP address of Chad's computer. Next, packet 5 (Figure 7-17) shows a GET request sent to a web server to download data.
Figure 7-17: A closer look at packet 5 shows an attempt to download data from the internet
So something the user did not intend is happening when the computer boots. Looking further down the packet list pane you find the decisive clue: packets 11 and 12 resolve the domain name weatherbug.com (Figure 7-18).
Figure 7-18: The packets resolving weatherbug.com are the clincher
This is the culprit that changes Chad's home page to a weather site every time the computer boots. Digging further, you find that the WeatherBug desktop program is running in the background and is configured to download and display fresh weather information at every reboot. Removing the program solves the problem.
7.5.4 Summary
Problems like this one are very often caused by software rather than by the network. In this scenario a weather-tracking program installed on Chad's computer changed the browser's home page, which made Chad think his computer was haunted. Capturing packets with Wireshark revealed the program working in the background without anyone knowing.
Looking at the packet level makes troubleshooting a great deal easier.
7.6 Inbound FTP transfers

This scenario is set just after you have built an FTP server. Clients inside and outside the network will connect to it to download and upload data. You installed the FTP server software and created user names and passwords for the employees. For some reason, however, the FTP client software cannot reach the FTP server.
7.6.1 What we know

The server was built on Windows Server 2003 with the latest updates and service pack applied. You have confirmed that the FTP service is running. You also know that the clients use the correct IP address and credentials when connecting to the FTP server.
7.6.2 Starting the analysis

FTP is a client-server service, so capture the packets on both the client and the server. On the client, capture while the client software tries to connect to the FTP server; on the server, capture while the client software is connecting. Comparing the two shows what reached the client and what reached the server. Install Wireshark on both and capture.
7.6.3 Analysis

First check whether the client manages to start the communication. Open the sample file ftpclientdenied.pcap (Figure 7-19). The client tries to start a three-way handshake with the FTP server at 192.168.0.182, but the server does not respond. The client sends the SYN packet twice more, still trying to establish the session.
Figure 7-19: The client sends a SYN, gets no answer from the server, and sends the SYN twice more
The client keeps trying for about nine seconds and then gives up. Since the client starts the three-way handshake correctly, the failure is not the client's fault.
Now look at ftpserverdenied.pcap. The two sample files look almost the same; only the source port numbers (the client's sending ports) differ, because the captures were taken at different times (Figure 7-20). Note that these packets were captured at the server: the client's packets do arrive at the server.
In other words, the communication is not being lost to a network failure on the way; it reaches the server, and the server does not answer. That alone does not identify the cause, but it narrows the problem down, and checking the possible causes one by one is now far more efficient.
Figure 7-20: The client's and the server's capture files are almost identical (client capture above, server capture below)
There are three main reasons a server might reject packets:
- The service is not running. You have confirmed that the FTP service is running, so this is not the reason.
- The server is overloaded. When traffic exceeds the server's capacity, the server can become unreachable. This server was just built and is hardly used, so this is not the reason either.
- The packets are deliberately blocked. What could block them? Investigating, you find that the Windows Firewall is blocking the traffic on the FTP port.
7.6.4 Summary
Packet analysis does not always find the cause of a failure. In this scenario no captured packet shows that the firewall is the cause. But packet analysis did show that the problem lies with the server.
Especially when a failure affects many people and must be fixed quickly, using packet analysis to determine which computer the problem is on saves a lot of time.
7.7 It's not our problem! (http-fault-post.pcap)
Some users are hopeless. Everyone who works in IT has met one. Erin is exactly this type: the moment something goes wrong on the network, she lets you know.
In this scenario Erin is trying to order a product online. When she submits the order form, the site returns an HTTP 403 (Forbidden) error. Usually the cause is the website itself, but Erin wants the product so badly that she insists the error is on your side. You have to prove to her that it is the website's error.
7.7.1 What we know

Erin often cannot submit a web form on this particular site, but she can submit forms on other sites without trouble. There is nothing unusual in the source of the form on this site.
7.7.2 Starting the analysis

Install Wireshark on Erin's computer and capture the packets; this part is easy. Start a capture, then have Erin fill in the form and submit it.
7.7.3 Analysis

http-fault-post.pcap starts with a three-way handshake between Erin's computer, 24.4.97.251, and the web server, 216.23.168.114 (Figure 7-21).
Figure 7-21: So far so good: Erin's computer starts a normal three-way handshake with the web server
HTTP communication between client and server follows. In the [Info] column of the packet list you soon find the decisive HTTP 403 message (Figure 7-22): packet 9 carries the 403 error. Right-click the packet and choose [Follow TCP Stream] to view the HTTP exchange (Figure 7-23).
Figure 7-22: The HTTP 403 message is the clue
Figure 7-23: The TCP stream shows the 403 error message that is the source of the trouble
The TCP stream shows that the client sent its data to the server. Although the server should have replied that it received the form, it returned a 403 error instead. So the problem is not on your network but on the web server.
7.7.4 Summary
Packet analysis is not only for finding the cause of a failure; it is also for proving, when a user like Erin is on your back, that the problem is not yours.
In this scenario, showing Erin the TCP stream and explaining what it means should silence her complaints about IT.
7.8 An evil program (evilprogram.pcap)
This scenario resembles Chad's, but the symptoms are worse. Mandy, a user on your network, says something strange is happening in her browser. At one point the browser's home page was changed to a security website, and pop-ups appear on the computer.
Anyone who has repaired computers will recognize this as spyware. Rather than just running a spyware removal tool, though, let's trace how far the spyware has affected Mandy's computer.
7.8.1 What we know

This problem needs investigating. You know that Mandy's computer is slow and that her browser has been hijacked. Antivirus software is running on the computer, so a virus is not a worry.
7.8.2 Starting the analysis

The best way to troubleshoot a spyware problem is to capture the packets sent when the computer boots, because most spyware contacts a website on every boot to check for updates and the like.
Start capturing as the computer boots and continue for about a minute after it has come up. Here the best way to capture is a hub or ARP cache poisoning. Other traffic is flowing on the network, so use a capture filter that captures only the traffic of Mandy's computer.
7.8.3 Analysis
The capture file is fairly large, so start at the top. The first two packets are the TCP/IP initialization commonly seen when a computer boots (Figure 7-24).
Figure 7-24: In the first two packets Mandy's computer obtains an IP address and checks that it is not already in use on the network
The first packet asks the DHCP server to assign an IP address. A reply from the DHCP server should follow, but because the reply is a broadcast, the capture filter kept it out of the capture.
The second packet is a Gratuitous ARP. It is a broadcast ARP packet that checks whether another computer on the network is using the same IP address. If a reply comes back to the Gratuitous ARP request, the address is already in use. No reply comes back in this capture, so there is no problem.
Packet 3 is the interesting one. It follows immediately after the Gratuitous ARP, so TCP/IP is not yet fully initialized at this point (Figure 7-25). In packet 3 a computer outside the network tries to connect to port 5554 on Mandy's computer.
Figure 7-25: Mandy's computer is not ready to receive packets 3 and 5
Her computer is not ready to accept connections yet, and normally no other computer would try to talk to it at this point. Mandy's computer discards the packet. Packet 5 is similar, except that the destination port has changed to 9898 (Figure 7-26). Very strange.
Figure 7-26: Another attempt to reach Mandy's computer
Her computer is still not ready, so this packet is discarded too.
Once Mandy's computer is able to communicate it starts receiving these packets (packet 10). Mandy has not started any service that would accept the three-way handshake, so her computer returns an RST packet to end the exchange (Figure 7-27).
The same thing is repeated many times, and Mandy's computer keeps refusing the connections.
Figure 7-27: Mandy's computer can now communicate, but it refuses the connection with an RST packet
7.8.3.1 Filtering out unnecessary packets
Packet 68 is the first normal communication (Figure 7-28): Mandy's computer starts checking for antivirus updates.
Figure 7-28: Packets for the antivirus software update
These packets are legitimate, so filter out the McAfee IP address to leave only the suspicious packets (Figure 7-29).
Figure 7-29: Filter out the legitimate traffic so you can concentrate on the suspicious packets

Remember the filter syntax? To hide the traffic with the McAfee server, write !ip.addr==216.49.88.118.
7.8.3.2 Attempts to reach the internet
With the filter applied, look at packet 147 (Figure 7-30).
Figure 7-30: Packet 147 is a Messenger packet and deserves a closer look
This Messenger packet was sent from the internet. The bytes pane shows what message it carries (Figure 7-31). Fortunately the Messenger service is disabled on your network, so Mandy never sees the message. The evidence is that right after this packet her computer returns an ICMP port unreachable (Figure 7-32).
Figure 7-31: The data of packet 147
Figure 7-32: The Messenger service is disabled, so the computer never receives the message
Packet 210 is where the trouble starts (Figure 7-33).
Figure 7-33: This time the communication is accepted
As before, a remote computer tries a three-way handshake, this time to port 1025 on Mandy's computer. And this time her computer accepts it: something on her computer is offering a service on port 1025. That is a problem!
7.8.3.3 Details of the trouble
For a while the same things repeat: attempts to talk to various ports on Mandy's computer, most of which fail. There is nothing of particular note until packet 357 (Figure 7-34).
Figure 7-34: Packet 357 is a DCERPC packet from outside the network
Packet 357 is DCERPC, an RPC (Remote Procedure Call) packet. RPC is a protocol for running programs on a remote computer, and this packet is trying to run a program from outside the network. Anyone would find that worrying.
Now follow the communication between Mandy's computer and the remote computer. Look at packet 381: it is a DNS packet resolving the domain name updates.virtumonde.com (Figure 7-35).
Figure 7-35: Here Mandy's computer tries to resolve the remote computer's name with DNS
To find out what kind of site this is, search the internet. A search for virtumonde turns up plenty of information about spyware-hosting servers.
Look at the traffic between Mandy's computer and the virtumonde server. Choose [Statistics] > [Conversations] from the main menu, open the [Conversations] dialog and show the TCP tab. Filter the list so that only the conversation between Mandy's computer, 24.6.125.19, and the virtumonde server, 208.48.15.13, is displayed (Figure 7-36). Far fewer packets are shown and the traffic is much easier to read.
Figure 7-36: Showing only the conversation between two endpoints with the [Conversations] dialog
Translator's note: on the TCP tab of the [Conversations] dialog, click [Address B] to sort, and look for the conversation with [Address B] 208.48.15.13 and [Address A] 24.6.125.19. Right-click it, choose [Apply as Filter] > [Selected] and click [A<->B] to filter on it. See also the translator's note on filtering in the [Conversations] dialog in section 8.7.3.
Following the packets further, packet 386 shows her computer downloading a file named bkinst.exe from virtumonde (Figure 7-37).
Figure 7-37: Mandy's computer tries to download a file from the virtumonde server
A search for this file on the internet shows that it is an executable responsible for spyware, browser hijacking and the like. It has been installed on Mandy's computer, which explains her symptoms.
7.8.4 Summary
In this scenario you found that a program running in the background on Mandy's computer uses RPC to download spyware. You also learned something more.
The analysis was done to understand what is actually happening on the network. What happened to Mandy's computer can happen to anyone's. Now that you know which ports and services the spyware uses, you can block it at the firewall.
Spyware is not easy to remove, but with this configuration the time spent removing it is greatly reduced.
7.9 Conclusion
The scenarios in this chapter were very simple, but they are important practice for applying packet analysis with Wireshark to everyday network troubleshooting. The rest of the book keeps this form; from here on, the scenarios deal with real packet analysis problems.
Chapter 8
Case studies (fighting a slow network)
Network administrators fight a slow network every day. The biggest complaint from the people who use the network is that it is slow. Yet a slow network is not something that can be fixed just like that.
Before tackling network slowness you have to confirm that the network really is slow. This chapter presents several scenarios in which users complain that the network is slow.
8.1 Anatomy of a slow download (slowdownload.pcap)
Let's look at the cause of a slow download at the packet level.
Scrolling through the sample file you see HTTP and TCP traffic and can tell that a file is being downloaded (Figure 8-1). As you learned in Chapter 6, in an HTTP session HTTP requests the data from the web server and TCP carries the requested data.
Figure 8-1: A filter for HTTP and TCP traffic
To find the abnormal traffic that is slowing the download, use the [Expert Infos] window. Choose [Analyze] > [Expert Infos] from the main menu (Figure 8-2).
Figure 8-2: The [Expert Infos] window shows four kinds of message: Error, Warning, Note and Chat
By default the [Expert Infos] window shows all four kinds: Error, Warning, Note and Chat. Chat is not relevant here, so change the default by selecting [Error+Warn+Note] in the drop-down under [Severity filter]. The window then looks like Figure 8-3.
Note the large number of packets changing the TCP window size. Transfer speed depends on the TCP window size. As the client downloads data it sends [Window update] packets whenever the rate at which it can receive data rises or falls; they tell the server to send more data at a time, or less. Think of drinking from a tap: open it too far and the water overflows your cupped hands, so you turn it down; turn it down too far and you cannot get enough to drink, so you open it again.
Next come the first packets where the problem shows itself. As soon as the download begins, [TCP Previous segment lost] packets start appearing (Figure 8-4).
Translator's note: the Window update here has nothing to do with Windows OS patches (for Windows 2000, XP, 2003 Server, Vista and so on); it is a packet announcing an updated window size. The TCP window size is the size of the buffer used when exchanging data, and data is lost if it is not adjusted properly.
Figure 8-3: With Chat hidden, the [Expert Infos] window summarizes the slow download
Figure 8-4: A [TCP Previous segment lost] packet
This packet means that a packet was suddenly lost during the transfer. The client responds with a Duplicate ACK packet to the server, asking it to resend the packet it did not receive, and keeps sending Duplicate ACKs until the data arrives. The retransmission of the lost packet appears in the [Expert Infos] window as [TCP Retransmission] (Figure 8-5).
Figure 8-5: The lost packet is retransmitted promptly
At the start of the download there are only one or two Duplicate ACKs, but they increase as the download proceeds. Look at the rest of the sample file and you will find it full of [TCP Previous Segment Lost] packets and Duplicate ACKs. That is what is slowing the download.
Wireshark also has a convenient TCP stream graph (Figure 8-6). Click a packet belonging to the stream (packet 1023 in the figure), choose [Statistics] > [TCP Stream Graph] from the main menu and then [Round Trip Time Graph]. The TCP stream graph makes it easy to check the throughput of the data.
The graph is a little hard to read, but it is convenient for checking the RTT (Round Trip Time) of a communication. Early in this transfer, for instance, the RTT exceeds one second. For a file download the RTT should be below 0.1 second; ideally it is about 0.04 second (40 milliseconds). The graph alone shows that something is wrong.
8.2 A routing problem (icmp-tracert-slow.pcap)
The first thing to do about a slow network is to find the cause. This scenario begins when the help desk takes a call from Owen, who complains that the internet connection is slow.
8.2.1 What we know
Almost nothing is known beyond the simple complaint: whichever website he goes to, the internet connection feels slow. Asking around, you find that every computer on the same network as Owen's has the same problem.
8.2.2 Starting the analysis
Owen was the first to report the problem, so it is natural to investigate on his computer: install Wireshark there and capture packets. But other computers have the same problem, so it is clear that Owen's computer itself is not at fault. Capturing the packets while his computer accesses the internet would therefore tell you little. Let's analyze with ICMP traceroute instead.
traceroute is an ICMP-based (on Unix, UDP-based) diagnostic utility that sends packets to every router on the path to a destination. traceroute on its own gives some information about the slowness (Figure 8-7), but to see in detail where the bottleneck is, capture packets with Wireshark while traceroute runs.
Figure 8-7 is the output of traceroute (tracert on Windows). Each line shows the time taken to reach one of the routers on the path to the destination.
Figure 8-7: Typical traceroute output
8.2.3 Analysis
Looking at the sample file (icmp-tracert-slow.pcap), the first packet is an Echo request sent by Owen's computer (Figure 8-8). There is one important difference from an ordinary ping. Expand IP in the packet details pane:
Figure 8-8: An Echo request sent by Owen's computer
The TTL (Time To Live, the lifetime of the packet) is set to 1 (Figure 8-9). The TTL is the number of routers a packet may pass through on its way to the destination. With a TTL of 1, the packet's TTL expires at the first router on the way, and that router returns an ICMP Time Exceeded packet.
Figure 8-9: The TTL of this packet is 1
When traceroute receives the Time Exceeded packet it sends the same packet again with the TTL set to 2, so that it expires at the second router. It keeps doing this until a packet reaches the destination (Figure 8-10).
Figure 8-10: The routers on the path to the destination and the TTL values (the sender, each router in turn, then the destination; probes with TTL 1, TTL 2, TTL 3 ...)
Knowing about the TTL, look at the sample file again. The first traceroute packet has a TTL of 1, so a Time Exceeded packet should come back right away, but it does not. Owen's computer receives no answer and resends the request after about three seconds (see the Time column in Figure 8-11).
Figure 8-11: Owen's computer gets no answer to its first request and sends it again after three seconds
There is no answer to the second request either, and after another three seconds a third request is sent, which also fails (Figure 8-12). At that point traceroute gives up on getting an answer from the first router and sends a packet with a TTL of 2 (packet 4).
Figure 8-12: No answer, so the request is sent yet again
This packet reaches the second router, and Owen's computer receives a Time Exceeded packet, ICMP type 11 code 0 (Figure 8-13).
Figure 8-13: A Time Exceeded packet is received
From here on the pattern repeats until the destination is reached: send a packet with a larger TTL, receive a Time Exceeded packet.
What does the traceroute analysis tell you? The first router, the one that never returns a Time Exceeded packet, has a problem. Routers are complex devices, so this analysis cannot say what is wrong with it. The important thing is that the analysis tells you where the problem is.
8.2.4 Summary
With Wireshark the cause was found quickly, which greatly cuts the time spent troubleshooting. Wireshark cannot tell you what is wrong with the router, but it does tell you that the router needs attention.
This scenario also added to your knowledge of ICMP and showed how traceroute works. traceroute has many other options; look them up on the internet.
8.3 Double vision (double vision.pcap)

You have set up a new computer for Jeff. Normally a new computer communicates faster than the old one, but after a while Jeff reports that at peak network usage his network becomes slow and network services stop being usable.

8.3.1 What we know

Jeff's computer is new and has the latest features, and it is working. Nobody else has reported slowness, at peak times or otherwise. Most of Jeff's work depends on the network, so he uses it heavily, and he runs several network applications at once: a browser, a mail client and more. Your network has plenty of bandwidth and has never shown this kind of problem before.

Translator's note: Capturing and analyzing packets does not reveal everything. Packet analysis is one part of an investigation, not a silver bullet; decide beforehand what it can and cannot answer, and analyze with that in mind.

8.3.2 Starting the capture

The problem occurs only on Jeff's computer, so install Wireshark there. Capture while network usage is at its peak; ask Jeff to do his routine work and capture in the meantime.

8.3.3 Analysis

Open the sample file and the reason for this scenario's title is obvious: every packet is sent twice (Figure 8-14). That is not normal.

Figure 8-14: Your eyes are fine; the packets really are being sent twice

For convenience the sample file holds only 8 packets; that is enough to see the problem. All of Jeff's traffic is duplicated.

Duplicate packets usually have one of two causes: a routing error or a port-mirroring misconfiguration. Before going further, confirm that the pairs really are the same packet. If the IP header ID fields are identical, they are the same packet. In the Packet Details pane expand the IP section and look at Identification. Packets 1 and 2 both have ID 0xc509 (Figure 8-15).

Figure 8-15: The first two packets have the same ID

The same is true of packets 3 and 4: both have ID 0xaca7 (Figure 8-16).

Figure 8-16: Packets 3 and 4 also share an ID

Now that we know the packets are duplicates, decide between routing and port mirroring by comparing TTL values. If the TTLs differ, it is a routing problem; if they are the same, it is port mirroring.

As Figure 8-17 shows, packet 1 has a TTL of 47 and packet 2 has a TTL of 46. So this is a routing problem: the second copy passed through one more router, which decremented the TTL by one.

Packet 1:
Packet 2:
Figure 8-17: Different TTLs point to a routing problem

Because the problem occurs only on Jeff's computer, the thing to investigate is his computer, not the network's routers. Looking further, his computer turns out to have a misconfigured subnet mask.

8.3.4 Summary

A wrong subnet mask causes all sorts of problems, up to a computer that cannot communicate at all. In this case every packet Jeff's computer sent was being sent twice, so the traffic it had to handle doubled, and at peak network usage the computer slowed to a crawl.
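The two checks made above, confirming duplicates by IP Identification and then separating a routing problem from a mirroring artefact by TTL, as an added example that is not part of the book. The packet summaries are constructed; the IDs 0xc509 and 0xaca7 and the TTLs 47 and 46 are the values from Figures 8-15 to 8-17, and the mirrored set is a second constructed case that shows the other outcome.

```python
from collections import defaultdict

def duplicate_groups(packets):
    """Group packets that are the same IP datagram: same source, destination
    and Identification. A TCP retransmission gets a fresh ID and stays apart."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}

def classify_group(copies):
    """Same TTL on every copy: the same frame was seen twice (port mirroring
    or a tap/SPAN misconfiguration). Different TTLs: the copies took different
    paths, a routing problem; report how many extra hops the slow copy took."""
    ttls = sorted(p["ttl"] for p in copies)
    if len(set(ttls)) == 1:
        return {"verdict": "port-mirroring", "extra_hops": 0}
    return {"verdict": "routing", "extra_hops": ttls[-1] - ttls[0]}

def triage(packets):
    """Summarise a capture: how much of it is duplicated and of what kind."""
    dups = duplicate_groups(packets)
    verdicts = {k: classify_group(v) for k, v in dups.items()}
    kinds = {v["verdict"] for v in verdicts.values()}
    return {
        "packets": len(packets),
        "duplicated": sum(len(v) for v in dups.values()),
        "groups": {hex(k[2]): v for k, v in verdicts.items()},
        "verdict": kinds.pop() if len(kinds) == 1 else ("none" if not kinds else "mixed"),
    }

# Constructed from the figures: two pairs sharing an IP ID, TTL 47 then 46.
JEFF = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "ip_id": 0xC509, "ttl": 47},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "ip_id": 0xC509, "ttl": 46},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "ip_id": 0xACA7, "ttl": 47},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "ip_id": 0xACA7, "ttl": 46},
]
# Constructed: the same frame delivered twice by a mirror port, TTL unchanged,
# plus one packet that is not duplicated at all.
MIRRORED = [
    {"src": "10.0.0.9", "dst": "198.51.100.7", "ip_id": 0x1111, "ttl": 128},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "ip_id": 0x1111, "ttl": 128},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "ip_id": 0x1112, "ttl": 128},
]

if __name__ == "__main__":
    print(triage(JEFF))
    print(triage(MIRRORED))
```

Grouping on the (source, destination, ID) triple rather than on ID alone matters on a busy capture, where unrelated hosts reuse the same 16-bit ID values constantly.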
8.4 Is the server refusing? (http client refuse.pcap)

A user complains that his Internet connection is unreliable. Eric can reach Novell's website but cannot download the software he needs. When he goes to the site, the browser hangs while loading the page. That has to be a network problem, right?

8.4.1 What we know

Looking at the network as a whole, nobody else has the problem; it is specific to Eric's computer. His computer runs Windows with the latest service pack and patches applied. Asking further, the problem occurs only at that one place on the Novell website.

8.4.2 Starting the capture

Since only Eric's computer is affected, install Wireshark there and capture. Visit the page where the problem occurs and see what happens.

8.4.3 Analysis

Open http-client-refuse.pcap and you will see HTTP traffic (Figure 8-18). The three-way handshake completes normally, and the HTTP requests also look normal, except for packets 28 and 29. That is where the trouble is.

Figure 8-18: Ordinary HTTP traffic has been captured

Look at the Time column. From packet 28 onward, packets take much longer to send: about 9 seconds pass between packets 27 and 28.

In network terms, 9 seconds without a packet from the client can only mean the user is doing nothing, for example not submitting a form. After those 9 seconds the server can send the client no more data and tries to close the connection with an RST packet (Figure 8-19).

Figure 8-19: Packet 28 is where things go wrong

Why did the server end the conversation with the client? You could go through the packets one by one, but that is tedious and painful. There is an easier way.

For HTTP, Follow TCP Stream usually makes the cause easy to see. Open the TCP stream and two colors of text appear: red is the client's side of the conversation, blue is the server's.

Is there anything in this traffic besides ordinary HTML? In the second section of the traffic, the Novell server requests a Flash applet (Figure 8-20). That is the cause. The web page Eric is trying to view clearly requests Flash, and a pop-up blocker is blocking it; hence the problem.

Figure 8-20: The Flash request is the cause

8.4.4 Summary

Flash tries to open a new window, and Internet Explorer blocks it. The browser gives no useful message about the problem (only a timeout message), but with the ideas of Wireshark and packet analysis, and a little patience and resourcefulness, you can pin the problem down precisely.
8.5 BitTorrent slowness (torrential slowness.pcap)

A user on your network calls the help desk and complains that the network is slow. His computer cannot reach the Internet, and network applications are sluggish, so his work is suffering. What is going on?

8.5.1 What we know

Asking other users, the problem is widespread. Everyone reports that Internet access is so slow as to be almost unusable. The border router is under heavy load and passing a large amount of traffic.

Note: The border router is the router that connects your internal network to the outside network (the Internet).

8.5.2 Starting the capture

The border router handles all traffic between the internal network and the Internet, and it is the device under strain, so it is the obvious place to look.

8.5.3 Analysis

Wireshark cannot be installed on the router, so use port mirroring.

The packets in torrential-slowness.pcap show that a large amount of traffic is flowing (Figure 8-21).

Figure 8-21: A large amount of traffic has been recorded

Translator's note (on 8.4.4): On Internet Explorer 6 and later, with Windows XP SP2 and later, the pop-up blocker is a built-in browser feature and so applies to every machine. On older operating systems, or where other security software is in use, pop-ups may be blocked by that security software rather than by the browser. The scenario makes sense if you assume such software is installed only on Eric's machine.

One computer inside the network (192.168.0.193) appears again and again in the sample file, receiving a great deal of data from the outside. Strangely, the PSH flag is set. When this flag is set, the receive buffer is bypassed and the data is pushed straight up to the application, that is, delivered immediately. Unusual.

Translator's note: That is what the RFC says; whether the data really is handed to the application immediately depends on the implementation, and the flag is often meaningless in practice.

Also strange is that most of these conversations have already completed the three-way handshake and data is streaming steadily to the client. Open the Conversations dialog to see how many conversations are taking place (Figure 8-22).

Figure 8-22: 26 conversations within 1 second!

The simplest way to investigate would be to go and look at the 192.168.0.193 computer itself, but since the point here is to see how far packet analysis alone can go, keep looking for the cause in the packets.

The first thing to try is finding out who the packets' destinations are, using WHOIS or similar. Unfortunately the destination IP addresses are not one or two hosts but are scattered across the world.

To get more detail, check whether the TCP stream holds anything useful. Here the stream is only a run of meaningless characters, and nothing can be learned from it (Figure 8-23). When you can read nothing from the TCP stream, what next?

Figure 8-23: The TCP stream is unreadable

Short of inspecting the suspect computer, the simplest method left is to go through the packets one by one, looking for anything important.

Scrolling through the sample file, packet 44 should catch your eye (Figure 8-24). According to its Info column, this packet is talking to a remote BitTorrent server. BitTorrent is a P2P file transfer service.

Figure 8-24: Going packet by packet reveals a BitTorrent conversation

8.5.4 Summary

In this scenario a computer with BitTorrent installed was downloading a large file, communicating with many peers at once and exhausting the network's bandwidth.

Packet analysis does not always require advanced features. Sometimes simply stepping through the packets one at a time finds the problem, as this scenario shows.
8.6 Spam pouring into the mail server (email troubles.pcap)

From an employee's point of view, the most important use of the Internet is email. This scenario shows how to handle a problem with sending and receiving mail.

Users on your network complain that mail takes a very long time to arrive. They cannot send mail to other domains, and even mail within the organization takes far too long. Find out why.

8.6.1 What we know

All the organization's mail goes through one mail server. Checking further, the problem affects every mail client on your network. Mail within the organization normally arrives instantly; now it takes 10 to 15 minutes. Receiving mail from outside takes just as long.

8.6.2 Starting the capture

There is only one server handling mail, so install Wireshark on it. The problem is happening all the time, so a short capture will do.

8.6.3 Analysis

Open email-troubles.pcap and you will see the packets captured on the mail server, that is, the mail packets. A huge number of POP (Post Office Protocol) packets are pouring into the server (Figure 8-25). The mail server is probably struggling to keep up.

Figure 8-25: The sample file contains a large number of POP packets

To see how fast the POP packets are arriving, change the time display format to Seconds Since Beginning of Capture and look at the last packet. Every packet in the sample file was captured within 2 seconds (Figure 8-26).

Figure 8-26: Changing the time display shows how many packets arrived in how little time

Now look at what each conversation is carrying. The nice thing about POP packets is that Follow TCP Stream shows you the mail itself. For example, following the stream of packet 1 shows a mail with an attached file named document_9446.pif (Figure 8-27).

Figure 8-27: Detail of the first packet's stream

Follow the other TCP streams and they too carry PIF attachments. Suspicious.

PIF (Program Information File) is not something normally attached to mail, and on top of that the files are large. Across the whole sample file, mail with PIF attachments arrives in bursts.

This is spam (probably carrying viruses or worms) flooding the mail server, which is why sending and receiving mail has become slow.

8.6.4 Summary

The mail server is overloaded by spam carrying malicious attachments. Monitor a mail server's performance and you will see this happen often: the larger an organization grows, the more spam it receives. Asking the network's users for patience and introducing a spam filter is the answer to this scenario.
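The attachment check made above with Follow TCP Stream, as an added example that is not part of the book: it splits the server side of a POP3 session into retrieved messages and pulls the attachment names out of their MIME headers. The transcript is constructed; only the attachment name document_9446.pif comes from the text, and the list of extensions treated as dangerous is this example's own.

```python
import re

DANGEROUS_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}
RETR_RE = re.compile(r"^\+OK (\d+) octets\r\n(.*?)\r\n\.\r\n", re.S | re.M)
NAME_RE = re.compile(r'(?:filename|name)="?([^";\r\n]+)"?', re.I)
FROM_RE = re.compile(r"^From:\s*(.+?)\r?$", re.M)

def messages(server_stream: str):
    """Each '+OK <n> octets' reply up to the lone '.' terminator is one
    retrieved message; returns [(size, message_text)]."""
    return [(int(m.group(1)), m.group(2)) for m in RETR_RE.finditer(server_stream)]

def attachments(message: str):
    """Attachment names from Content-Disposition/Content-Type headers,
    de-duplicated in order of appearance (both headers usually name the file)."""
    seen, names = set(), []
    for m in NAME_RE.finditer(message):
        name = m.group(1).strip()
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names

def scan(server_stream: str):
    """One report per message: sender, size, attachments, and which attachment
    names end in an extension that should never arrive by mail."""
    report = []
    for size, body in messages(server_stream):
        names = attachments(body)
        sender = FROM_RE.search(body)
        report.append({
            "from": sender.group(1) if sender else "",
            "octets": size,
            "attachments": names,
            "suspicious": [n for n in names
                           if "." in n and "." + n.rsplit(".", 1)[1].lower() in DANGEROUS_EXT],
        })
    return report

def spam_burst(report, min_suspicious=2):
    """True when several messages in one session carry dangerous attachments,
    the pattern email-troubles.pcap shows."""
    return sum(1 for r in report if r["suspicious"]) >= min_suspicious

# Constructed server-side POP3 transcript: two spam messages and one clean one.
SAMPLE = (
    "+OK POP3 ready\r\n+OK 3 messages\r\n"
    "+OK 7340 octets\r\nFrom: mailer@example.net\r\nSubject: document\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n--b1\r\n"
    "Content-Type: application/octet-stream; name=\"document_9446.pif\"\r\n"
    "Content-Disposition: attachment; filename=\"document_9446.pif\"\r\n\r\nTVqQAAMAAAAE\r\n--b1--\r\n.\r\n"
    "+OK 812 octets\r\nFrom: alice@example.org\r\nSubject: lunch\r\n\r\nStill on for noon?\r\n.\r\n"
    "+OK 9120 octets\r\nFrom: news@example.net\r\nSubject: your document\r\n"
    "Content-Disposition: attachment; filename=\"readme_2211.scr\"\r\n\r\nTVqQAAMAAAAE\r\n.\r\n"
)

if __name__ == "__main__":
    for entry in scan(SAMPLE):
        print(entry)
    print("spam burst:", spam_burst(scan(SAMPLE)))
```

Run over a stream saved from Follow TCP Stream (server direction only), this gives the per-message list that the text builds by hand, one stream at a time.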
8.7 Gnutella trouble (gnutella.pcap)

This scenario resembles the BitTorrent one. Tina, a user on your network, says that when she is connected to the network she can get nothing done: her computer has become that slow.

8.7.1 What we know

The same things as in the BitTorrent scenario apply. The problem affects other users too. When users connect to the Internet or use network applications, everything is slow. The border router is under heavy load, passing a large amount of data.

Translator's note (on 8.6.3): A PIF is a Windows file holding the settings needed to run an MS-DOS program.

8.7.2 Starting the capture

As in the BitTorrent scenario, every computer has the problem. But Tina's computer is not just slow on the network; the computer itself is slow. Because her computer shows a symptom the others do not, this analysis starts from her computer. Her computer is now so slow that installing Wireshark on it is not practical, and it might not even be able to capture packets properly. So use port mirroring.

8.7.3 Analysis

The sample file (gnutella.pcap) is short and looks a lot like the BitTorrent capture. As Figure 8-28 shows, Tina's computer, IP address 10.1.4.176, is trying to communicate with a variety of computers on the outside network. Most of its SYN packets either get no answer or get an RST packet back.

Figure 8-28: Most of the conversations end in failure

These failures are interesting, but before going further get a sense of scale: how much traffic is there in total? Open the Conversations dialog and look at how many IP and TCP conversations there are (Figure 8-29).

The Conversations dialog shows 81 IP conversations and 243 TCP conversations (top of Figure 8-29). For a server that would be nothing remarkable, but Tina's computer is a personal workstation, and that many conversations in such a short time is not normal.

Figure 8-29: The Conversations dialog shows how much traffic there is

Looking at the TCP conversations, all of them are with remote hosts, and judging from the packet counts most of them fail.

To get real information out of these conversations, find the ones that succeed. Select the TCP tab of the Conversations dialog (Figure 8-30) and click the Packets column header to sort the conversations by packet count (Figure 8-31).

Sorted by size, the TCP tab shows Tina's computer talking to many hosts, 65.34.1.56 among them. Start with the largest conversation, the one with 65.34.1.56, and look at it in detail.

Right-click that conversation, choose Apply as Filter, then Selected, then A<->B. Now only that conversation's packets are displayed (Figure 8-32).

Figure 8-31: Conversations sorted by packet count
Figure 8-32: Only the related packets are shown

The packets in Figure 8-32 give us what we need to pin down the cause. Packets 431, 433 and 434 are Gnutella packets. Gnutella is a file-sharing service. Click one and look at the details (Figure 8-33).

Figure 8-33: The Gnutella packets carry interesting information

The Packet Details pane for packet 431 has nothing very useful; it shows only that a file is being downloaded from or uploaded to the Gnutella network. The Packet Bytes pane, on the other hand, holds the real information (Figure 8-34).

Figure 8-34: The Packet Bytes pane shows what is being downloaded

The Gnutella packet contains a GET command downloading a file whose name includes "sorority sex kitten". Questionable traffic.

Even without filtering there is another piece of evidence that this is Gnutella traffic. Look at the conversations: every one of them uses port 6346 (Figure 8-35).

Figure 8-35: The port number alone tells you what kind of traffic to look for

The port number table at http://www.iana.org tells you which service a port belongs to.

8.7.4 Summary

Gnutella is used to download and distribute all sorts of files. It is a handy service, but unfortunately it is widely used to share pornography, pirated software, media and the like.

In this scenario Tina, or someone using her computer, had installed a Gnutella client and was downloading pornographic images.
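The per-host reading of the Conversations dialog used in both the BitTorrent (8.5) and Gnutella (8.7) cases, as one added example that is not part of the book: from packet summaries it computes how many conversations a host starts per second, how many never get past SYN (answered by RST or not at all), and which peer port dominates. The records are constructed; the host 10.1.4.176, the peer 65.34.1.56 and port 6346 are from the text, and the thresholds you would apply to the numbers are yours.

```python
from collections import Counter

def conversations(packets, host):
    """Index every TCP conversation the host takes part in by
    (peer_ip, peer_port, host_port) and note which flags were seen."""
    convs = {}
    for p in packets:
        if p["src"] == host:
            key, outbound = (p["dst"], p["dport"], p["sport"]), True
        elif p["dst"] == host:
            key, outbound = (p["src"], p["sport"], p["dport"]), False
        else:
            continue
        c = convs.setdefault(key, {"first": p["t"], "syn": False, "synack": False,
                                   "rst_from_peer": False, "bytes_in": 0})
        f = p["flags"]
        if outbound and "S" in f and "A" not in f:
            c["syn"] = True
        if not outbound and "S" in f and "A" in f:
            c["synack"] = True
        if not outbound and "R" in f:
            c["rst_from_peer"] = True
        if not outbound:
            c["bytes_in"] += p.get("len", 0)
    return convs

def host_report(packets, host):
    """The numbers the Conversations dialog gives you, plus a failure count."""
    convs = conversations(packets, host)
    per_second = Counter(int(c["first"]) for c in convs.values())
    ports = Counter(key[1] for key in convs)
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    return {
        "conversations": len(convs),
        "peak_per_second": max(per_second.values()) if per_second else 0,
        "failed": sum(1 for c in convs.values() if c["syn"] and not c["synack"]),
        "refused": sum(1 for c in convs.values() if c["rst_from_peer"]),
        "top_peer_port": top_port,
        "top_port_share": round(top_count / len(convs), 2) if convs else 0.0,
        "bytes_in": sum(c["bytes_in"] for c in convs.values()),
    }

def build_sample():
    """Constructed capture: Tina's host opens 30 conversations to 30 peers on
    port 6346 within one second; 27 are refused with RST, 3 complete and
    transfer data. A second host makes one ordinary web connection."""
    pk = []
    for i in range(30):
        peer, t, port = f"65.34.1.{i + 1}", 10.0 + i / 40, 40000 + i
        pk.append({"t": t, "src": "10.1.4.176", "sport": port, "dst": peer, "dport": 6346, "flags": "S"})
        if i < 27:
            pk.append({"t": t + 0.05, "src": peer, "sport": 6346, "dst": "10.1.4.176", "dport": port, "flags": "RA"})
        else:
            pk.append({"t": t + 0.05, "src": peer, "sport": 6346, "dst": "10.1.4.176", "dport": port, "flags": "SA"})
            pk.append({"t": t + 0.10, "src": peer, "sport": 6346, "dst": "10.1.4.176", "dport": port,
                       "flags": "PA", "len": 1460})
    pk.append({"t": 10.2, "src": "10.1.4.20", "sport": 50000, "dst": "203.0.113.8", "dport": 80, "flags": "S"})
    pk.append({"t": 10.3, "src": "203.0.113.8", "sport": 80, "dst": "10.1.4.20", "dport": 50000, "flags": "SA"})
    return pk

if __name__ == "__main__":
    sample = build_sample()
    print(host_report(sample, "10.1.4.176"))
    print(host_report(sample, "10.1.4.20"))
```

A workstation with dozens of new conversations per second, most of them refused, all on one non-standard port, is the BitTorrent/Gnutella signature the two chapters reach by hand; a single port carrying 100% of the conversations is what makes the IANA port lookup worth doing.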
8.8 Final thoughts

Having read these scenarios, you will have noticed that most of the problems were not network faults at all. Complaints that the network is slow are common, but often the network is not slow; the problem is in a particular computer or application.
9
Case studies (security)

This chapter presents network-security scenarios and analyzes them with Wireshark. Learn to recognize the signs of personal-information leaks, hackers and other threats at the packet level.

9.1 OS fingerprinting (osfingerprinting.pcap)

OS (operating system) fingerprinting means gathering information specific to the operating system running on a remote computer. A hacker collects fingerprints to learn which OS is running and then attacks it more effectively. Fingerprinting is done by sending various commands to the target computer; the messages the remote computer sends back identify the OS. The attacker then exploits vulnerabilities specific to that OS.

Open osfingerprinting.pcap and you will see ICMP traffic (Figure 9-1). The Echo request and Echo reply packets are unremarkable. But Timestamp request, Timestamp reply, Address mask request and Information request are not normally used.

Figure 9-1: ICMP traffic that does not normally appear

When you see these ICMP packets, consider them an attempt at OS fingerprinting using ICMP. The attacker uses the responses to these requests to guess which OS is running.

ICMP types 13, 15 and 17 are packets you would not normally expect to see, so build a filter that shows only them: icmp.type==13 || icmp.type==15 || icmp.type==17.
9.2 Port scan (portscan.pcap)

An attacker uses port scanning to learn important facts about a network. With port-scanning software the attacker tries to connect to a target's ports in turn and finds which ones accept connections. An open port is like a secret tunnel through a castle wall: once the attacker knows it exists, he can use it to get in. Figure 9-2 shows part of portscan.pcap, a capture of a port scan in progress.

Look at Figure 9-2. It shows packets exchanged between a local computer (10.100.25.14) and a remote computer (10.100.18.12). Look closely at the packets: what is going on?

Figure 9-2: A port scan tries to connect to many different ports

The sample file records the remote computer sending packets to a variety of the local computer's ports (port 21, port 1028 and so on).

More important, the scan is aimed at ports that are easy to attack: TELNET, microsoft-ds, FTP, SMTP and the like. When a remote computer sends packets to those ports, it is quite possibly running a port scan.
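The two reconnaissance patterns of 9.1 and 9.2, recognised automatically from packet summaries, as an added example that is not part of the book. A source probing many distinct ports on one target is reported as a port scan, with the sensitive services the scan touched; a source sending ICMP types 13, 15 or 17 (the filter from 9.1) is reported as a fingerprinting attempt. The records are constructed; the addresses 10.100.18.12 and 10.100.25.14 and ports 21 and 1028 are from the text, and the port threshold is this example's own.

```python
from collections import defaultdict

ICMP_FINGERPRINT = {13: "Timestamp request", 15: "Information request",
                    17: "Address mask request"}
SENSITIVE_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 445: "microsoft-ds"}

def port_scans(packets, min_ports=10):
    """Map (src, dst) -> distinct destination ports for TCP/UDP traffic and
    report the pairs that exceed min_ports, noting sensitive services hit."""
    touched = defaultdict(set)
    for p in packets:
        if p["proto"] in ("tcp", "udp"):
            touched[(p["src"], p["dst"])].add(p["dport"])
    report = []
    for (src, dst), ports in touched.items():
        if len(ports) >= min_ports:
            report.append({
                "scanner": src, "target": dst, "ports": len(ports),
                "sensitive": sorted(SENSITIVE_PORTS[q] for q in ports if q in SENSITIVE_PORTS),
            })
    return report

def fingerprint_probes(packets):
    """Sources sending the ICMP request types normal hosts never send;
    the code equivalent of icmp.type==13 || icmp.type==15 || icmp.type==17."""
    probes = defaultdict(set)
    for p in packets:
        if p["proto"] == "icmp" and p["type"] in ICMP_FINGERPRINT:
            probes[p["src"]].add(ICMP_FINGERPRINT[p["type"]])
    return {src: sorted(kinds) for src, kinds in probes.items()}

def build_sample():
    """Constructed: 10.100.18.12 sweeps 20 ports on 10.100.25.14 and sends the
    three unusual ICMP requests plus a normal ping; 10.100.25.14 answers the
    ping and makes one web connection of its own."""
    pk = []
    for port in [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1025, 1026,
                 1027, 1028, 3306, 3389, 5900, 8080, 8443, 10000]:
        pk.append({"src": "10.100.18.12", "dst": "10.100.25.14", "proto": "tcp", "dport": port})
    for t in (13, 15, 17, 8):
        pk.append({"src": "10.100.18.12", "dst": "10.100.25.14", "proto": "icmp", "type": t})
    pk.append({"src": "10.100.25.14", "dst": "10.100.18.12", "proto": "icmp", "type": 0})
    pk.append({"src": "10.100.25.14", "dst": "10.100.16.1", "proto": "tcp", "dport": 80})
    return pk

if __name__ == "__main__":
    sample = build_sample()
    print(port_scans(sample))
    print(fingerprint_probes(sample))
```

Counting distinct ports per (source, target) pair rather than raw packets is what separates a scan from a busy but legitimate client, which reuses a handful of ports many times.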
9.3 Printer trouble (printerproblem.pcap)

Anyone who has worked in an office knows that a printer on the network can be a nuisance. Paper, ink, maintenance: even a cheap printer's total cost soars. This scenario is about a printer on your network that has suddenly started printing pages nobody asked for. The aim is to find the source of the print jobs.

9.3.1 What we know

The printer is a small model attached through a server. No special rights are needed to print to it, and it has no logging feature. It is now printing garbage: its queue has filled up and it has begun spitting out page after page.

9.3.2 Starting the capture

Because the printer is attached through the server, the server's traffic is the place to look. A large number of packets is likely, so install Wireshark on the server. The problem happens frequently, so the capture need not run long.

9.3.3 Analysis

The sample file printerproblem.pcap is good for learning what printer traffic looks like. As Figure 9-3 shows, the server (10.100.16.15) is passing SPOOLSS packets from the client 10.100.17.47 through to the printer. You might think someone is simply printing a document, but what is being printed?

Figure 9-3: SPOOLSS packets pouring toward the printer

To see exactly what is going on, follow the TCP stream. The data being sent is Microsoft Word text, and the user is csanders (Figure 9-4).

Figure 9-4: Follow the TCP stream and the clue appears

9.3.4 Summary

Before stopping the SPOOLSS packets, Wireshark lets you find where the print jobs come from. The 10.100.17.47 computer has probably been compromised in some way.

Translator's note (on 9.3): Some printers run Windows as their operating system, and if such a printer is not patched it can of course be infected by a virus. Printers are usually trusted more than other computers, but the possibility of a printer itself being attacked must be considered.

9.4 FTP server intrusion (ftp crack.pcap)

FTP is the most common way to transfer large amounts of data. In this scenario your network's FTP server holds all the source code for the software you release. Recently the engineer who administers the server noticed an enormous amount of traffic to it over several hours. Unfortunately the FTP server has no logging feature, so the only way to investigate is to capture packets. Find the traffic hitting the server and determine where it comes from.

9.4.1 What we know

The FTP server is very old and has no logging. Most of the developers have accounts on it and can access every file. The server is reachable from outside so that developers can work from home.

Translator's note (on 9.4): An FTP server this old is dangerous in itself and should be retired. When that is not possible, or when there is no logging and you cannot get performance data or logs from the server any other way, capturing packets is the only option. If capturing everything with Wireshark would produce too much data, you can record only headers and other partial information with tcpdump. See the tcpdump manual page (man tcpdump) and http://www.tcpdump.org for details.

9.4.2 Starting the capture

The server is live on your network, so installing Wireshark on it seems easiest. But this server is receiving a flood of traffic, and a capture running on it might not keep up; packets could be lost. Use port mirroring instead.

9.4.3 Analysis

Open ftp-crack.pcap and what is happening should be clear at once. Recall FTP authentication from Chapter 6.

After the three-way handshake the login sequence runs, and once it succeeds the user can work with the server. In this sample the user name and password are presented and, as packet 4 shows, authentication fails immediately (Figure 9-5).

Figure 9-5: Packet 4, the first authentication failure

Your first thought might be that the user mistyped the password, but keep going: as Figure 9-6 shows, authentication fails again and again.

Figure 9-6: Authentication fails repeatedly

The client repeatedly attempting to authenticate is a computer on your own network (10.234.125.254), and the attempts use the administrator account (admin). Figure 9-7 shows the details of packet 10.

Figure 9-7: Packet 10 shows a login attempt with the administrator account

To show only the FTP login attempts, use this display filter:

ftp.request.command == "USER" || ftp.request.command == "PASS"

Figure 9-8 shows the packets left after applying the filter.

Figure 9-8: Enter the filter in the Display Filter dialog to show only the authentication packets

Look at the Info column: the attacker is trying passwords in alphabetical order. That is evidence of a dictionary attack, in which passwords are guessed from a word list prepared by the attacker or generated by a machine. Stepping through the packets you will see user names and passwords entered at a rate no human could manage. A cracking tool is almost certainly in use. That is why the server has been so busy.

Translator's note (on 9.4.3): Network password attacks are broadly divided into dictionary attacks and brute-force attacks. Because a machine attempting logins at high speed can also lock the account, this kind of attack can double as a denial of service. If you read the situation as "someone is guessing passwords mechanically at high speed", the exact classification does not matter much for this scenario.

9.4.4 Summary

In short, an attacker has installed a cracking tool on a computer in your network and is trying to break the FTP server's authentication. The job is not over yet. You must find out whether the owner of the computer attacking the FTP server is doing it deliberately, or whether that computer was broken into earlier and is being used for the attack without the owner's knowledge.
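What the USER/PASS display filter of 9.4.3 shows, evaluated automatically over a captured FTP control channel, as an added example that is not part of the book. Each record is (time, direction, text); PASS commands are paired with the preceding USER and with the server's 230 or 530 reply (RFC 959). The transcript is constructed, with the client 10.234.125.254 and the user name admin taken from the text; the rate and alphabetical-ordering checks are this example's own heuristics.

```python
def parse_attempts(lines):
    """Pair each PASS with the preceding USER and the server's reply code.
    FTP replies: 230 = logged in, 530 = not logged in."""
    attempts, user, pending = [], None, None
    for t, direction, text in lines:
        cmd, _, arg = text.partition(" ")
        if direction == "C" and cmd == "USER":
            user = arg
        elif direction == "C" and cmd == "PASS":
            pending = {"t": t, "user": user, "password": arg}
        elif direction == "S" and pending and text[:3] in ("230", "530"):
            pending["ok"] = text.startswith("230")
            attempts.append(pending)
            pending = None
    return attempts

def assess(attempts, max_human_rate=1.0):
    """Summarise the login attempts: failures, the fastest observed rate in
    attempts per second, and whether the guesses arrive in sorted order
    (a word list being walked from A to Z)."""
    fails = [a for a in attempts if not a["ok"]]
    pw = [a["password"] for a in attempts]
    times = [a["t"] for a in attempts]
    rate = 0.0
    if len(times) > 1:
        gaps = [b - a for a, b in zip(times, times[1:])]
        rate = round(1.0 / min(gaps), 2) if min(gaps) > 0 else float("inf")
    return {
        "attempts": len(attempts),
        "failed": len(fails),
        "users": sorted({a["user"] for a in attempts}),
        "peak_rate": rate,
        "alphabetical": len(pw) > 2 and pw == sorted(pw),
        "automated": rate > max_human_rate,
    }

def build_sample(client="10.234.125.254"):
    """Constructed control-channel transcript: the client tries admin with
    words from a list, five guesses per second, all refused."""
    words = ["aardvark", "abacus", "abandon", "abbey", "abbot", "abdomen", "abide", "able"]
    lines = [(0.00, "S", "220 ftp server ready, client %s" % client)]
    for i, w in enumerate(words):
        t = 0.1 + i * 0.2
        lines += [(t, "C", "USER admin"), (t + 0.02, "S", "331 Password required for admin"),
                  (t + 0.05, "C", "PASS " + w), (t + 0.08, "S", "530 Login incorrect")]
    return lines

if __name__ == "__main__":
    print(assess(parse_attempts(build_sample())))
```

Pairing PASS with the reply code, rather than counting PASS commands alone, is what tells a cracking run (all 530) from a user who mistyped once and then got in (one 530, then 230).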
9.5 Blaster worm (blaster.pcap)

Viruses and worms spreading across the Internet are a serious threat to system administrators and end users alike. In this scenario Eddie's computer has caught a virus. When he turns the computer on, a message appears saying it will shut down in 60 seconds, and 60 seconds later it really does. This happens every time the computer starts, so he cannot use it for more than 60 seconds.

9.5.1 What we know

Your company uses antivirus software, but it is not centrally managed; each user looks after it individually.

9.5.2 Starting the capture

Installing a sniffer on a computer that may be infected with a virus or worm is a bad idea. Malicious code might interfere with the sniffer and stop it capturing packets correctly. So use port mirroring again, and capture from the moment the computer starts until the 60-second shutdown.

9.5.3 Analysis

blaster.pcap contains TCP packets: the presumably infected computer is sending packets to another computer using ports 1793 and 4444 (Figure 9-9). These packets were captured only from Eddie's computer, the one with the "60-second timer". Strange.

Figure 9-9: Why is only Eddie's computer sending these packets?

A good way to recognize viruses and worms is to look at the packet bytes. Open the Packet Bytes pane. The first packet contains nothing unusual (Figure 9-10).

Figure 9-10: Nothing out of the ordinary in the first packet

The second packet, however, contains the directory C:\WINNT\System32 (Figure 9-11). In Windows 2000 that is one of the most important directories, holding the core system files. Nobody accesses it from another computer in the normal course of things.

Figure 9-11: Something is trying to reach the system files in C:\WINNT\System32

The third packet contains nothing, but the fourth does (Figure 9-12).

Figure 9-12: The fourth packet contains "msblast.exe"

The Packet Bytes pane of the fourth packet contains the file name "msblast.exe". Anyone who worked in IT in 2003 will know what that is. If you have never heard of msblast.exe, look it up with Google: the file is the body of the Blaster worm, and it is the cause of the trouble.

9.5.4 Summary

In this scenario the computer's antivirus software was not working properly, and the computer was infected with the Blaster worm.

If you suspect a virus or worm, searching the Internet for the symptoms tells you what you are dealing with. Once you know, look up how to remove it.
9.6 Hidden communication (covertinfo.pcap)

In this scenario you are a company's network security administrator. You have received a tip from an employee that two staff members are consulting each other about leaking company secrets. You must monitor their computers and find out what they are planning.

9.6.1 What we know

The suspicion in this scenario is only that: suspicion. The two employees know computers very well, so until you confirm that something is actually going on, proceed with great care.

9.6.2 Starting the capture

You cannot install Wireshark on the two employees' computers without them noticing, so use port mirroring, and set it up for each computer.

9.6.3 Analysis

The two employees exchange a large number of packets over the course of a day. Most of them are ordinary, so start by singling out suspicious traffic. Create a display filter that shows MSRPC (DCERPC), NetBIOS, ICMP and the like, traffic you would not expect in everyday office work. The packets left after applying the filter are recorded in covertinfo.pcap (Figure 9-13).

Translator's note (on 9.5): blaster.pcap does not contain the Blaster worm itself (shipping it would be too dangerous), but when you want to check whether captured data carries executable content such as blaster.exe, use the Packet Bytes pane or Follow TCP Stream to look through the data for the strings "MZ" (or "MZP") and "This program must be run under Win32". These mark executable program (.exe) files for Windows NT, 2000, XP, Server 2003 and so on. If a conversation carries an .exe file, you can treat that conversation as suspect.

Figure 9-13: ICMP? Why are these two pinging each other?

The packets look like ordinary ICMP packets, but the source and destination are the two employees' computers. Why would they be pinging each other?

Look at the Packet Bytes pane. Something interesting appears (Figure 9-14).

Figure 9-14: This is no ordinary ping

This ping is clearly not an ordinary one. The data portion is carrying confidential information!

9.6.4 Summary

The technique used in this scenario is called Loki. It allows data to be sent and received by embedding it in ICMP packets. The two employees were using ICMP as a covert channel.

Using a hidden channel to communicate is not a new technique, but it is still widely used. Illicit data may be hidden in TCP headers or in ARP packets. Always pay attention to the Packet Bytes pane; it may be the only way to discover secret data carried in a packet.
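The Packet Bytes check of 9.6 applied automatically, as an added example that is not part of the book. It compares an Echo request's data field against the payloads ordinary ping tools send and reports anything else as a possible covert channel, extracting the readable text. The expected patterns are this example's assumptions: the 32-byte alphabet that Windows ping sends, and the iputils layout of an 8-byte timestamp followed by the bytes 0x10, 0x11, ... The "secret" payload and the raw ICMP messages are constructed.

```python
import string

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def looks_like_unix_ping(data: bytes) -> bool:
    """iputils ping: 8-byte timeval, then 0x10, 0x11, 0x12, ... (assumed)."""
    if len(data) < 16:
        return False
    return data[8:] == bytes((0x10 + i) & 0xFF for i in range(len(data) - 8))

def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)

def echo_payload_verdict(data: bytes):
    """Classify an ICMP Echo data field; text is returned only when the
    payload is almost entirely printable, i.e. likely a message, not padding."""
    if data == WINDOWS_PING:
        return {"verdict": "windows-ping", "text": ""}
    if looks_like_unix_ping(data):
        return {"verdict": "unix-ping", "text": ""}
    ratio = printable_ratio(data)
    text = data.decode("ascii", "replace") if ratio > 0.9 else ""
    return {"verdict": "anomalous", "printable": round(ratio, 2), "text": text}

def parse_echo(pkt: bytes):
    """(type, code, identifier, sequence, data) from a raw ICMP message."""
    return (pkt[0], pkt[1], int.from_bytes(pkt[4:6], "big"),
            int.from_bytes(pkt[6:8], "big"), pkt[8:])

def scan(packets):
    """Verdict for every Echo request (type 8) in a list of raw ICMP messages."""
    out = []
    for pkt in packets:
        typ, code, ident, seq, data = parse_echo(pkt)
        if typ == 8:
            out.append((ident, seq, echo_payload_verdict(data)))
    return out

# Constructed ICMP messages: a Windows ping, a Unix ping, and a Loki-style
# message hidden in the data field (checksums are left at zero here).
UNIX_PAYLOAD = bytes(8) + bytes(range(0x10, 0x10 + 48))
SECRET = b"Q3 numbers: revenue 14.2M, margin 31%. Send via the usual drop."
SAMPLE = [
    b"\x08\x00\x00\x00\x00\x01\x00\x01" + WINDOWS_PING,
    b"\x08\x00\x00\x00\x12\x34\x00\x07" + UNIX_PAYLOAD,
    b"\x08\x00\x00\x00\xbe\xef\x00\x02" + SECRET,
    b"\x00\x00\x00\x00\x00\x01\x00\x01" + WINDOWS_PING,   # an Echo reply, ignored
]

if __name__ == "__main__":
    for ident, seq, verdict in scan(SAMPLE):
        print(hex(ident), seq, verdict)
```

Loki and its descendants can also carry binary or encrypted data, which fails the printable check; the verdict "anomalous" with a low printable ratio still flags such a payload, because it matches neither tool's fixed pattern.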
9.7 A hacker's view (hackersview.pcap)

This book is written from the network administrator's point of view. But what happens when someone with packet-analysis knowledge tries to break into a network? In this scenario you play a hacker who wants to get at confidential information on his own company's network.

9.7.1 What we know

You are an employee of the company, and your access to network resources is limited. The network is switched Ethernet with several switches and routers. The computers on it run various versions of Windows, and users have restricted privileges.

9.7.2 Starting the capture

To gain administrator-level access to the network you want the network administrator's password. Or you could simply wreck the network. Let us decide to break into the router and do some damage there. The administrator manages the network remotely, so by watching the traffic between the administrator and the router you can steal the password.

Conveniently, the administrator's computer and the router are on the same subnet as you. Use Cain & Abel to perform ARP cache poisoning, as learned in Chapter 2, and insert yourself between the administrator's computer, 10.100.18.5, and the router, 10.100.16.1.

9.7.3 Analysis

After a while you catch the administrator communicating with the router over TELNET. Figure 9-15 shows only the TELNET traffic relevant to this scenario.

Figure 9-15: Found what we were looking for

In Chapter 6 you learned that TELNET sends and receives data in plaintext. TELNET is still used to manage switches, servers and routers remotely. Although this network could use SSH for secure communication, the administrator apparently could not be bothered. Because everything is in plaintext, the login is easy to find.

TELNET is the most sequential protocol we have seen, so the easiest way to follow the login is to step through the TELNET packets one at a time. Look at packet 8: this is where authentication begins (Figure 9-16).

Figure 9-16: The server asks for a user name to start authentication

In the Telnet section of the Packet Details pane you can see the server asking for a user name. You would expect the client to return the user name in the next packet, but it is not that simple.

As Figure 9-17 shows, packet 10 contains "a". That is not a user name.

Figure 9-17: The packet contains the first piece of the puzzle, "a"

In packet 13 the client passes "d" to the server (Figure 9-18). The administrator's reply is sent one character at a time, continuing until the word "admin" is complete. A familiar user name, no? Probably the router's default, never changed.

Figure 9-18: One character per packet; this one carries "d"

In packet 24 the server asks for the password (Figure 9-19).

Figure 9-19: The server asks for the password

And again the password is sent one character at a time (Figure 9-20).

Figure 9-20: The first character of the password, "b"

Keep sniffing until you have the whole password (barrymanilow). You now have not only the router's password but also a sample of the network administrator's excellent taste in music!

9.7.4 Summary

Now you can do anything you like to the network: delete subnets configured on the router, change helper addresses, and cause the network administrator all kinds of headaches.

The point of this scenario is not how to torment the administrator; it is how someone with packet-analysis knowledge can mount an attack. With Wireshark and Cain & Abel, someone can bring the network's functions to a halt.
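Reassembling the one-keystroke-per-packet TELNET login of 9.7.3, as an added example that is not part of the book. Each record is (direction, payload) in capture order; IAC option negotiation is stripped, the server's prompts are recognised, and the client bytes that follow each prompt are joined until the carriage return. The conversation is constructed; the user name admin and the password barrymanilow are the ones given in the text.

```python
IAC = 0xFF

def strip_iac(payload: bytes) -> bytes:
    """Drop TELNET negotiation: IAC DO/DONT/WILL/WONT <opt> (3 bytes) and
    IAC <cmd> (2 bytes); IAC IAC is a literal 0xFF byte."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(payload) and payload[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif i + 1 < len(payload) and payload[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
        else:
            i += 2
    return bytes(out)

def reassemble_login(records):
    """Return {"username": ..., "password": ...} by collecting client bytes
    typed after the server's Username/Password prompts. Only client-direction
    bytes are collected, so it works whether or not the server echoes."""
    fields, current, buf = {}, None, bytearray()
    for direction, payload in records:
        data = strip_iac(payload)
        if direction == "S":
            low = data.lower()
            if b"username" in low or b"login" in low:
                current, buf = "username", bytearray()
            elif b"password" in low:
                current, buf = "password", bytearray()
        elif direction == "C" and current:
            for b in data:
                if b in (0x0D, 0x0A):                  # Enter: field complete
                    if buf:
                        fields[current] = buf.decode("ascii", "replace")
                    current, buf = None, bytearray()
                    break
                if b in (0x7F, 0x08):                  # backspace: a corrected typo
                    if buf:
                        buf.pop()
                else:
                    buf.append(b)
    return fields

def build_sample():
    """Constructed capture of the admin login, one character per packet, with
    option negotiation at the start and a corrected typo in the password."""
    rec = [("S", b"\xff\xfd\x18\xff\xfb\x01"), ("C", b"\xff\xfb\x18\xff\xfd\x01"),
           ("S", b"\r\nUser Access Verification\r\n\r\nUsername: ")]
    for ch in b"admin":
        rec += [("C", bytes([ch])), ("S", bytes([ch]))]      # the server echoes the name
    rec += [("C", b"\r\x00"), ("S", b"\r\nPassword: ")]
    for ch in b"barrymanilox\x7fw":                         # typo, backspace, fix
        rec.append(("C", bytes([ch])))                       # no echo for the password
    rec += [("C", b"\r\x00"), ("S", b"\r\nrouter>")]
    return rec

if __name__ == "__main__":
    print(reassemble_login(build_sample()))
```

Follow TCP Stream shows the same characters, but interleaved with the server's echoes and escape sequences; collecting only the client direction after each prompt is what turns 30-odd packets into the two strings the attacker actually wants.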
10
Wireless LAN sniffing

The world of wireless LANs is very different from that of traditional wired LANs. In a wireless LAN you have to think about radio waves, standards and security settings of a kind wired LANs do not have, and to get good results the sniffing method has to change accordingly.

This chapter covers sniffing wireless LANs on Windows and on Unix systems, with real samples that show how wireless sniffing differs.

10.1 Sniffing one channel at a time

The first thing to bear in mind about wireless sniffing is that you can sniff only one channel at a time. Wireless LANs in the United States use one of 11 channels, so to capture packets you first have to work out which channel is in use (Figure 10-1).

Figure 10-1: You can only sniff one channel at a time, so this may get tedious (11 channels)

Switch to channel 1 and check whether it is in use. Until data is captured, keep switching channel and restarting the capture. Changing channels is no technical feat, but it is effective.

10.2 Wireless LAN interference

Unfortunately, wireless LANs do not always communicate reliably. Data is sent over the air, and the signal is often disturbed. A wireless LAN has mechanisms for dealing with interference, but they do not always work. Before capturing wireless packets, check that nothing that reflects radio waves, draws a lot of power or emits radio noise is nearby: microwave ovens, cordless phones on 2.4 GHz, walls, and so on.

Also stay as close as possible to the computer you want to capture from. If you are on a different floor from that computer you will probably not capture its packets at all.

10.3 Wireless card modes

Before capturing wireless packets, learn about the modes a wireless card can be in. Most wireless cards are in ad hoc or infrastructure mode, but there are also master mode and monitor mode. Figure 10-2 shows each mode.

Infrastructure mode (managed mode)
In infrastructure mode the client connects directly to a wireless access point (WAP). The access point controls all communication in this mode.

Ad hoc mode
Ad hoc mode is used when clients communicate directly with one another. The two communicating clients share control of the communication; there is no access point.

Master mode
High-end wireless cards support master mode, in which the client itself plays the role of an access point.

Note: In Linux, the iwconfig command used to configure wireless LANs displays infrastructure mode as "Managed mode". iwconfig is described later in this chapter.

Figure 10-2: Wireless card modes

Monitor mode
This is the most important mode. A card in monitor mode neither sends nor receives data; it only listens to the packets flying around. To capture wireless packets with Wireshark, the wireless card on the capturing computer must support monitor mode. When buying a wireless card for packet capture, make sure it supports monitor mode (also called RFMON mode).

Translator's note: Even without monitor mode, if you turn off Wireshark's "Capture packets in promiscuous mode" option you can capture the traffic of the wireless LAN you are associated with (wireless-specific packets, such as those carrying WEP keys, cannot be captured that way).
10.4 Wireless sniffing on Windows

Even with a card that supports monitor mode, Windows cannot use that mode; a separate driver is needed.

10.4.1 Configuring AirPcap

AirPcap (CACE Technologies, http://www.cacetech.com) was designed for wireless packet analysis on Windows. It is a USB device built for capturing wireless packets (Figure 10-3). AirPcap uses the WinPcap driver introduced in Chapter 3 and comes with its own configuration program.

Figure 10-3: AirPcap is compact enough to carry around with a laptop

Configuration is simple because there are few options. The AirPcap Control Panel provides the following settings (Figure 10-4).

Figure 10-4: The AirPcap configuration program

Interface
Selects the device to capture with. Several AirPcap devices can be used to sniff multiple channels at once.

Blink Led
Blinks the AirPcap's LED, so that you can tell which device is which when using several.

Channel
Selects the channel AirPcap captures on.

Include 802.11 FCS in Frames
Some operating systems strip the checksum, the last 4 bytes of each wireless packet, by default. This checksum is the FCS (Frame Check Sequence) and guarantees that the data was not corrupted in transit. Unless you have a reason not to, check this box so that the FCS is not removed.

Capture Type
Two options, 802.11 Only and 802.11+Radio. 802.11 Only captures only the standard 802.11 packet headers. 802.11+Radio also captures the radiotap header, which carries the data rate, frequency, signal strength and noise level. To get all the information you can, select 802.11+Radio.

FCS Filter
Even with Include 802.11 FCS in Frames unchecked, enabling this option filters out packets whose FCS check shows they were corrupted. Select Valid Frames to show only packets whose FCS check indicates they were received intact.

WEP Configuration
Here you enter the WEP keys of the network you are sniffing so that WEP-encrypted data can be decrypted.

10.4.2 Capturing packets with AirPcap

After installing and configuring AirPcap, capture packets as follows.

1. In Wireshark's main menu, choose Capture, then Options.

2. In Interface, select AirPcap (Figure 10-5).

Figure 10-5: Select the AirPcap device as the capture interface

Everything except the Wireless Settings button will look familiar. Clicking Wireless Settings shows the same options as the AirPcap Control Panel (Figure 10-6). Wireshark is fully integrated with AirPcap, so anything configurable in AirPcap can be configured from Wireshark as well.

Figure 10-6: The Advanced Wireless Settings dialog exposes the AirPcap settings

3. Once everything is set, press Start to begin capturing.
10.5 Wireless sniffing on Linux

Sniffing on Linux requires putting the wireless card into monitor mode. Unfortunately the procedure differs from card to card, so it cannot be given in full here; look up your own card on the web.

The most common way to switch a wireless card to monitor mode on Linux is the built-in iwconfig command, which configures wireless cards. Running iwconfig in a console produces output like this:

$ iwconfig
eth0      no wireless extensions.
lo        no wireless extensions.
eth1      IEEE 802.11g  ESSID:"Tesla Wireless Network"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:02:2D:8B:70:2E
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   Sensitivity=8/0
          Retry limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=75/100  Signal level=-71 dBm  Noise level=-86 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:2

The output shows that eth1, the interface for which 802.11g wireless information is displayed, is the wireless interface. eth0 and lo are not wireless.

Look at the line below the one beginning with eth1. Along with the card's other settings, iwconfig reports that the mode is Managed. That has to change.

Changing eth1 to monitor mode requires root, so switch user with su:

$ su
Password: <root's password>

As root you can run the commands that configure the wireless card. To put eth1 in monitor mode:

# iwconfig eth1 mode monitor

After changing the mode, bring the interface up so that the new setting takes effect. iwconfig has no up command; use ifconfig:

# ifconfig eth1 up

iwconfig can also switch channels. To set eth1 to channel 3:

# iwconfig eth1 channel 3

You can change channels while a capture is running, so change them as needed. A small script makes this easy.

Once configured, start Wireshark and begin capturing.
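The steps above automated, as an added example that is not part of the book: it reads iwconfig's output to find the wireless interface and its mode, then builds the command lines that put the card in monitor mode, bring it up and hop through the channels while a capture runs. The sample output is the one printed above, embedded here as a string; commands are returned as argument lists so they can be reviewed before being executed with subprocess.

```python
import re
import subprocess

SAMPLE_IWCONFIG = """\
eth0      no wireless extensions.
lo        no wireless extensions.
eth1      IEEE 802.11g  ESSID:"Tesla Wireless Network"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:02:2D:8B:70:2E
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   Sensitivity=8/0
          Retry limit:7   RTS thr:off   Fragment thr:off
"""

def wireless_interfaces(output: str):
    """Parse iwconfig output into {iface: {standard, essid, mode, freq_ghz}}.
    An interface line starts in column 0; its detail lines are indented."""
    result, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            m = re.search(r"IEEE (802\.11\w*)", rest)
            if m:
                essid = re.search(r'ESSID:"([^"]*)"', rest)
                current = result[name] = {"standard": m.group(1),
                                          "essid": essid.group(1) if essid else None,
                                          "mode": None, "freq_ghz": None}
            else:
                current = None            # "no wireless extensions"
        elif current is not None:
            mode = re.search(r"Mode:(\w+)", line)
            freq = re.search(r"Frequency:([\d.]+) GHz", line)
            if mode:
                current["mode"] = mode.group(1)
            if freq:
                current["freq_ghz"] = float(freq.group(1))
    return result

def monitor_mode_commands(iface: str):
    """iwconfig has no 'up' verb; the interface is brought up with ifconfig."""
    return [["iwconfig", iface, "mode", "monitor"], ["ifconfig", iface, "up"]]

def channel_hop_plan(iface: str, channels=range(1, 12)):
    """One iwconfig call per channel, in order; 11 channels in the US band."""
    return [["iwconfig", iface, "channel", str(ch)] for ch in channels]

def run_plan(commands, dry_run=True, runner=subprocess.run):
    """Execute the plan (or only list it when dry_run); returns the command lines."""
    executed = []
    for argv in commands:
        if not dry_run:
            runner(argv, check=True)
        executed.append(" ".join(argv))
    return executed

if __name__ == "__main__":
    cards = wireless_interfaces(SAMPLE_IWCONFIG)
    for name, info in cards.items():
        if info["mode"] != "Monitor":
            print(run_plan(monitor_mode_commands(name)))
            print(run_plan(channel_hop_plan(name, [1, 6, 11])))
```

Run with dry_run=False as root between channel changes with a sleep of a few seconds, this is the channel-hopping script the text suggests; parsing the current mode first avoids resetting a card that is already in monitor mode and capturing.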
10.6 802.11 packets (80211traffic.pcap)

The difference between wireless and wired LAN packets is the 802.11 header. This header carries information about the medium used to transfer the data (Figure 10-7).

Figure 10-7: The 802.11 header carries wireless-specific information

Open 80211traffic.pcap and look at a packet closely. Of the many fields, these deserve attention.

Type/Subtype
Specifies the type and subtype of the 802.11 packet. The types are Management, Data and Control, and each type has subtypes. The Management type, for example, has subtypes such as Beacon frame, Authentication request and Disassociation notice.

Destination address, Source address, BSS Id
Hold the destination and source addresses and the BSSID.

Fragment number, Sequence number
These numbers exist so that wireless packets can be reassembled correctly.

10.6.1 802.11 flags

802.11 packets carry flags holding wireless-specific information (Figure 10-8). The flags are:

Figure 10-8: The flags hold wireless-specific information

DS status
Set by the Distribution System (DS) bits, which tell where the packet is headed. With From DS 1 and To DS 0, the packet is going from the access point to a client; with the values reversed, from a client to the access point. When both are 0 the packet is usually a broadcast from the access point.

More Fragments
Whether further fragments of this packet follow.

Retry
Whether the packet is the original transmission (0) or a retransmission (1).

PWR MGT
Whether the client is in power-saving mode.

More Data
A flag by which the access point tells a client that more packets are buffered and waiting to be sent to it.

Protected flag
Whether the packet's data is encrypted.

Order flag
Tells the client whether the packets must be kept in order. The client uses it to decide whether it may reorder packets to improve throughput.

10.6.2 Beacon frames

The beacon frame is one of the most useful packets in wireless communication. The access point broadcasts beacon frames so that clients able to connect to it learn the parameters they need in order to connect. In other words, the packet is full of useful information (Figure 10-9).

Figure 10-9: A beacon frame carries everything you want to know about the access point

A beacon frame contains the following.

SSID parameter set
The SSID, the wireless LAN segment name the access point broadcasts.

Supported Rates
The data rates the access point supports, and whether the protocol is 802.11b or 802.11g.

DS Parameter set
The channel the access point is broadcasting on.

Extended Supported Rates
A list of further rates the access point supports.

Vendor-specific
Vendor-specific information about the access point: the chipset maker, tag number and tag length (the chipset maker and the access point maker may differ).
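The fields of 10.6 to 10.6.2 parsed from raw frame bytes, as an added example that is not part of the book: the Frame Control type/subtype and flags, the three addresses and sequence control, and for a beacon the SSID, supported rates and DS-parameter channel. The type_subtype value computed here is the one Wireshark's wlan.fc.type_subtype filter matches (type << 4 | subtype), so the numbers agree with Table 10-1 in 10.8.2. The two frames are constructed; the BSSID is the access point address from the iwconfig output in 10.5 and the SSID and channel are illustrative.

```python
import struct

TYPES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication", 13: "Action"}
FLAG_BITS = [("to_ds", 0x01), ("from_ds", 0x02), ("more_fragments", 0x04),
             ("retry", 0x08), ("pwr_mgt", 0x10), ("more_data", 0x20),
             ("protected", 0x40), ("order", 0x80)]

def parse_frame_control(fc: bytes):
    """First byte: version(2) type(2) subtype(4); second byte: the flags."""
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    info = {"type": TYPES.get(ftype, "Reserved"), "type_num": ftype,
            "subtype_num": subtype, "type_subtype": (ftype << 4) | subtype,
            "flags": {name: bool(b1 & bit) for name, bit in FLAG_BITS}}
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, "Reserved")
    return info

def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)

def parse_beacon_body(body: bytes):
    """Fixed fields (timestamp, interval, capability), then tagged elements:
    0 SSID, 1 Supported Rates, 3 DS Parameter set, 50 Extended Rates, 221 Vendor."""
    out = {"interval_tu": struct.unpack("<H", body[8:10])[0], "rates_mbps": [], "vendor_ies": 0}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if tag == 0:
            out["ssid"] = data.decode("utf-8", "replace")
        elif tag in (1, 50):
            out["rates_mbps"] += [(r & 0x7F) / 2 for r in data]   # MSB marks a basic rate
        elif tag == 3 and length == 1:
            out["channel"] = data[0]
        elif tag == 221:
            out["vendor_ies"] += 1
        pos += 2 + length
    return out

def parse_frame(frame: bytes):
    """Generic MAC header: FC, duration, addr1..3, sequence control, then body."""
    hdr = parse_frame_control(frame[0:2])
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    hdr.update({"addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
                "addr3_bssid": mac(frame[16:22]),
                "fragment": seq_ctrl & 0xF, "sequence": seq_ctrl >> 4})
    if hdr["type_num"] == 0 and hdr["subtype_num"] == 8:
        hdr["beacon"] = parse_beacon_body(frame[24:])
    return hdr

def build_beacon(ssid: str, channel: int, bssid: bytes) -> bytes:
    """Constructed beacon: FC 0x80 0x00 (type 0, subtype 8), broadcast addr1."""
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0x0B50)
    body = bytes(8) + struct.pack("<HH", 100, 0x0411)
    body += bytes([0, len(ssid)]) + ssid.encode()
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])            # 1, 2, 5.5, 11 Mbps, all basic
    body += bytes([3, 1, channel])
    body += bytes([50, 2, 0x30, 0x6C])                        # 24, 54 Mbps
    body += bytes([221, 3, 0x00, 0x50, 0xF2])
    return hdr + body

BSSID = bytes.fromhex("00022d8b702e")
BEACON = build_beacon("Tesla Wireless Network", 3, BSSID)
# Constructed encrypted data frame from a client to the AP: type 2, To DS + Protected.
DATA_FRAME = (bytes([0x08, 0x41]) + b"\x00\x00" + BSSID + bytes.fromhex("001122334455")
              + BSSID + struct.pack("<H", 0x1234) + b"\x00" * 8)

if __name__ == "__main__":
    print(parse_frame(BEACON))
    print(parse_frame(DATA_FRAME))
```

The same flag bits drive the filters in 10.8.3: the Protected flag read here is what wlan.fc.protected tests, and a frame with type_num 2 and subtype_num 4 is the NULL data frame (type_subtype 36) that the data-only filter excludes.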
10.7 Wireless-specific columns

The Packet List pane in Wireshark normally has 6 columns, but for wireless packets two more very useful columns can be shown: RSSI and TX Rate. RSSI (Received Signal Strength Indication) is the strength of the RF (radio frequency) signal, and TX Rate is the data rate of the captured packet (Figure 10-10). This information is a great help when troubleshooting a wireless LAN. When a wireless client complains that its signal is weak, these columns let you confirm whether that is really so.

Figure 10-10: Two columns make a big difference to the ease of analysis

To show these columns in the Packet List pane:

1. From the main menu, choose Edit, then Preferences.

2. Select Columns and click New.

3. Enter RSSI in the Title text box and choose IEEE 802.11 RSSI from the Format drop-down.

4. Repeat for TX Rate, choosing IEEE 802.11 TX Rate from the Format drop-down. Figure 10-11 shows the window after these steps.

Figure 10-11: Adding wireless-specific columns to the Packet List pane

5. Click Apply to add the new columns.

6. Click OK to save the change.
10.8 Wireless-specific filters

Chapter 4 discussed how useful filters are. On a wired LAN each device has its own cable, so a filter that captures only the packets you want is easy to write. On a wireless LAN, however, all the traffic generated by every client shares a channel, and capturing one channel records the traffic of many different clients. This section covers filters that narrow a capture to the packets you want.

10.8.1 Filtering by BSSID

Each access point has a unique name called the BSSID (Basic Service Set Identifier). The management packets and data frames an access point sends carry that name (see "10.6 802.11 packets").

If you know the BSSID of the wireless LAN you are analyzing, you need only select the packets sent by that access point. In Wireshark the Info column of the Packet List pane shows which access point a packet came from, so finding the packets you want is easy.

Pick a packet sent by the access point you are interested in and read the BSSID from its 802.11 header (Figure 10-9).

Using the BSSID MAC address shown in the Packet Details pane, build the filter wlan.bssid eq 00:11:22:33:44:55. Now only packets to and from that access point are shown.

10.8.2 Filtering by wireless type

At the start of this chapter we saw that wireless packets have several types. You will often need to filter by type and subtype. Table 10-1 lists the filters for each.

Table 10-1: Filters for wireless types and subtypes

Type/Subtype                              Filter expression
Management frame                          wlan.fc.type eq 0
Control frame                             wlan.fc.type eq 1
Data frame                                wlan.fc.type eq 2
Association request                       wlan.fc.type_subtype eq 0
Association response                      wlan.fc.type_subtype eq 1
Reassociation request                     wlan.fc.type_subtype eq 2
Reassociation response                    wlan.fc.type_subtype eq 3
Probe request                             wlan.fc.type_subtype eq 4
Probe response                            wlan.fc.type_subtype eq 5
Beacon                                    wlan.fc.type_subtype eq 8
Disassociate                              wlan.fc.type_subtype eq 10
Authentication                            wlan.fc.type_subtype eq 11
Deauthentication                          wlan.fc.type_subtype eq 12
Action frames                             wlan.fc.type_subtype eq 13
Block ACK requests                        wlan.fc.type_subtype eq 24
Block ACK                                 wlan.fc.type_subtype eq 25
PS-Poll (Power save poll)                 wlan.fc.type_subtype eq 26
RTS (Request to send)                     wlan.fc.type_subtype eq 27
CTS (Clear to send)                       wlan.fc.type_subtype eq 28
ACK                                       wlan.fc.type_subtype eq 29
CF-End (Contention free period end)       wlan.fc.type_subtype eq 30
NULL data                                 wlan.fc.type_subtype eq 36
QoS data                                  wlan.fc.type_subtype eq 40
Null QoS data                             wlan.fc.type_subtype eq 44

10.8.3 Filtering by wireless data type

Wireless Management packets matter a great deal when analyzing packet types, but there are times when you are interested only in the data being carried: when you want to find a client that has gained unauthorized access to the wireless LAN, for example, or to check whether confidential information is leaking out. In those cases you need to filter for data packets.

To show only the data packets in a capture file, use the filter wlan.fc.type eq 2 (in Table 10-1, type 2 covers everything related to data frames).

One downside of this filter is that it also shows NULL data packets. NULL data packets are used to warn the network when the access point and a client are about to change channel. If you do not need them, refine the filter by excluding the NULL data subtype:

(wlan.fc.type eq 2) and !(wlan.fc.type_subtype eq 36)

Distinguishing encrypted from unencrypted data is a good way to check that a misconfigured access point is not transmitting confidential data in the clear. The Protected flag described in "10.6.1 802.11 flags" tells whether a packet is encrypted, so filter on it.

When the Protected flag is 0 the packet is unencrypted; when it is 1 it is encrypted with WEP, WPA, TKIP or similar. The following filter shows only unencrypted packets:

wlan.fc.protected eq 0

Likewise, this filter shows only encrypted packets:

wlan.fc.protected eq 1

Writing filters for wireless LANs is otherwise no different. For sample capture filters, see the Wireshark Wiki at http://wiki.wireshark.org.
10.9 Unable to connect to the wireless LAN

Now let us look at an actual wireless packet-analysis scenario. Justin has configured his laptop to use the office wireless LAN. Unfortunately it does not work.

10.9.1 What we know

The wireless LAN Justin is trying to join uses channel 1 and requires WEP authentication. He was told how to configure the wireless client and has done so, but still cannot connect.

10.9.2 Starting the capture

Think about this capture the same way as a wired one. Justin is failing to connect to the wireless LAN, so capture while the connection is being attempted. Set AirPcap to channel 1.

10.9.3 Analysis

Before looking at the failing packets, look at how a successful wireless authentication and connection proceeds. Open SuccessfulWepAuth.pcap; it records the sequence up to a successful authentication.

The wireless LAN Justin is joining is encrypted with a WEP key. A WEP (Wired Equivalent Privacy) key is a hexadecimal or text code that acts like a password for encrypting communication between the access point and the client. To connect, the client must first prove to the access point that it holds the correct WEP key by answering a challenge. The challenge begins at packet 4 of the sample file (Figure 10-12).

Figure 10-12: The access point sends a challenge to the client

The access point sends the challenge in response to the connection attempt. The challenge is encrypted text, which the client must decrypt with the WEP key and return to the access point.

In packet 6 the client returns the challenge (Figure 10-13). In packet 8 the access point tells the client that authentication succeeded (Figure 10-14). Once authenticated, the client sends an association request, receives the confirmation, and is connected to the wireless LAN (Figure 10-15).

Figure 10-13: The client returns the decrypted challenge to the access point
Figure 10-14: The access point tells the client that authentication succeeded
Figure 10-15: After authentication, a simple association request and response complete the connection

Now that you know how a connection to the access point normally goes, look at the sample file of Justin's failed attempt (FailedWepAuth.pcap). In packet 3 the access point sends a challenge to Justin's computer (Figure 10-16), so at least the access point and the client can exchange packets. In packet 5 the client returns the challenge to the access point (Figure 10-17). This is where the access point should answer that authentication succeeded, but instead it answers that authentication failed (Figure 10-18). Look closely at the message from the access point: it says what went wrong. The sequence number is the deciding clue. It shows that Justin's computer returned the wrong challenge, in other words that the WEP key used to decrypt the challenge was wrong.

Figure 10-16: The access point sends the challenge to Justin's computer
Figure 10-17: Justin's computer returns the challenge to the access point
Figure 10-18: Apparently authentication failed

10.9.4 Summary

What makes wireless troubleshooting frustrating is that client software gives almost no message about the problem; the client simply fails to connect. With the wireless packet-analysis techniques in this chapter you can troubleshoot efficiently.
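The shared-key authentication exchange of 10.9.3 read from the bodies of 802.11 Authentication frames, as an added example that is not part of the book. The body holds the algorithm (0 open system, 1 shared key), a transaction sequence number (1 to 4) and a status code, plus a Challenge Text element (tag 16) in steps 2 and 3. The two exchanges are constructed: one succeeds, one is rejected at step 4 as in FailedWepAuth.pcap. Status 15 is the 802.11 "challenge failure" code; any non-zero status is treated as a failure.

```python
import struct

ALGORITHMS = {0: "Open System", 1: "Shared Key"}
STATUS = {0: "Successful", 15: "Challenge failure"}

def auth_body(algorithm: int, seq: int, status: int, challenge: bytes = b"") -> bytes:
    """Build an Authentication frame body (little-endian fixed fields)."""
    body = struct.pack("<HHH", algorithm, seq, status)
    if challenge:
        body += bytes([16, len(challenge)]) + challenge
    return body

def parse_auth_body(body: bytes):
    algorithm, seq, status = struct.unpack("<HHH", body[:6])
    info = {"algorithm": ALGORITHMS.get(algorithm, algorithm), "seq": seq,
            "status": status, "status_text": STATUS.get(status, "Failure (%d)" % status),
            "challenge": None}
    pos = 6
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 16:
            info["challenge"] = body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return info

def auth_outcome(frames):
    """frames: list of (direction, protected_flag, body) in capture order,
    direction "AP" or "STA". Returns the verdict for the whole exchange."""
    steps = [(d, p, parse_auth_body(b)) for d, p, b in frames]
    seqs = [s["seq"] for _, _, s in steps]
    result = {"algorithm": steps[0][2]["algorithm"] if steps else None,
              "steps": len(steps), "last_seq": seqs[-1] if seqs else 0,
              "status": steps[-1][2]["status_text"] if steps else None}
    if seqs != list(range(1, len(seqs) + 1)):
        result["verdict"] = "malformed: sequence numbers out of order"
        return result
    if result["algorithm"] == "Open System":
        result["verdict"] = "open system: no challenge, done at step 2"
        return result
    if len(seqs) < 4:
        result["verdict"] = "incomplete: client or AP stopped responding"
        return result
    if not steps[2][1]:          # step 3 must carry the challenge back under WEP
        result["verdict"] = "step 3 not encrypted: client is not using WEP"
        return result
    ok = steps[3][2]["status"] == 0
    result["verdict"] = "authenticated" if ok else "rejected: wrong WEP key or corrupted challenge"
    return result

CHALLENGE = bytes(range(128))                # constructed; real ones are random
SUCCESS = [
    ("STA", False, auth_body(1, 1, 0)),
    ("AP", False, auth_body(1, 2, 0, CHALLENGE)),
    ("STA", True, auth_body(1, 3, 0, CHALLENGE)),   # WEP-encrypted on the air
    ("AP", False, auth_body(1, 4, 0)),
]
FAILED = SUCCESS[:3] + [("AP", False, auth_body(1, 4, 15))]

if __name__ == "__main__":
    print(auth_outcome(SUCCESS))
    print(auth_outcome(FAILED))
```

Because the access point never says which key was wrong, the most the capture can show is step 4's status code after a correctly formed step 3; that is exactly the point at which FailedWepAuth.pcap diverges from the successful trace.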
10.10 Final thoughts

Wireless LANs are becoming important infrastructure for companies. As you move to wireless, you need to be able to troubleshoot it as well as you do wired LANs. The techniques and ideas in this chapter will help you understand the finer points of troubleshooting with wireless packet analysis.
11
Resources

Even when you do packet analysis with Wireshark, the following tools and websites are useful.

Cain & Abel
Cain & Abel (http://www.oxid.it) is the ARP cache poisoning tool introduced in Chapter 2. Beyond ARP cache poisoning it has many other features: a password sniffer, password cracking, VoIP recording, and extraction of all sorts of information from the network.

PingPlotter
This program extends ICMP ping. To make connectivity easy to analyze, it outputs ping results as text and graphs. It is useful for long-term analysis. PingPlotter can be downloaded from http://www.pingplotter.com/download.html.

Superscan 4
Superscan 4 is a simple network scanner whose scanning speed is remarkable. When you need information about a network quickly, Superscan is the choice. It helps in many ways when gathering information about hosts and networks. Superscan can be downloaded from http://www.foundstone.com/resources/proddesc/superscan.htm.

RUMINT
RUMINT is a free visualization tool for captured packet data. Its detailed graphing and visualization options make captured packets easier to understand. See http://www.rumint.org.

Engage Packet Builder
Engage Packet Builder from Engage Security (http://www.engagesecurity.com/products/engagepacketbuilder) lets you build and send customized packets (Figure 11-1). Use it when you need custom packets to test firewalls or intrusion detection systems, to find devices vulnerable to flood attacks, or simply for teaching. Engage Packet Builder offers many options for generating packets and can also be driven by scripts.

Figure 11-1: Engage Packet Builder

Translator's note: hping3 (http://wiki.hping.org) is a similar tool.

IANA
IANA (Internet Assigned Numbers Authority) manages IP addresses and protocol numbers. The IANA website (http://www.iana.org) holds valuable reference material: the port number list, top-level domain information, a list of sites that serve RFCs, and more.

Wireshark Wiki and mailing list
Wireshark (http://www.wireshark.org) is a community-based project, so go to the Wireshark Wiki and the mailing list for support.

Wireshark University
Wireshark University (http://www.wiresharktraining.com) was founded in March 2007 by leading figures in the Wireshark and packet-analysis community: Gerald Combs (creator of Wireshark), Laura Chappell (protocol analyst at the Packet Analysis Institute), John Bruno (co-founder of CACE Technologies) and Loris Degioanni (creator of WinPcap). It is the first training site dedicated to Wireshark, offering self-paced video training and a Wireshark certification program.

Afterword

I hope you have learned everything this book has to offer.

Packet analysis is never cut and dried; it is as much art as science. The network is the patient and you are the doctor. Just as a doctor needs knowledge of the science behind the patient's illness, a network administrator needs knowledge of the network, its architecture and the protocols that drive it. But however well you know the theory, you cannot get the best results without practical experience, just as you would not entrust a serious illness to a doctor who has none.

The main purpose of this book was to introduce the tools and ideas you need to learn packet analysis for network administration. The more experience you gain, the more complex the network problems you can solve efficiently. Try analyzing packet-level traffic with Wireshark on as many networks as you can (with permission). It is the only way to learn what checking a network really involves and how to see exactly what is happening on it. That is "practical packet analysis".
Appendix
Winny and bot packets

This appendix is not in the original edition. It covers a topic that Japanese network administrators in particular care about: troubleshooting Winny and bots. Unlike the scenarios in the second half of the book, no sample capture files are provided here, because Winny traffic involves a third party at the other end, and bot traffic contains the bot itself or modules the bot has downloaded. The bot traffic was captured with the cooperation of the Honeypot Working Group of the Japan Network Security Association (JNSA), which the translator leads. Thanks to the group's members for their help.

A.1 Example 1: Reading Winny packets

For any company or organization, files leaking through P2P file-sharing networks such as Winny is a headache. In P2P (peer-to-peer) communication there is no single server: each computer on the network communicates on its own, which makes the traffic hard to control with a firewall. Hard to control also means hard to catch.

Here we look at what Winny's traffic actually looks like and how to detect and analyze it.

A network carries an enormous amount of communication. Routing traffic, broadcasts from applications (the traffic by which programs announce themselves), and much more: monitor a real network and you will be surprised how much more there is than you expected.

To pick a specific conversation out of all that with packet capture, you first have to narrow down where to look.

A.1.1 Characteristics of P2P communication

Winny's traffic is not special in itself, but because it is P2P it shows one clear feature: it talks to an unspecified number of peers. Imagine a machine on your LAN communicating with dozens or hundreds of other machines; it is very likely doing P2P. And because Winny lets the user pick the port number freely, many unspecified peers on a port that is not a normal service port is the strongest tell.

Depending on how your network is built and how traffic is structured, that suspicion can become near certainty. For example, on a network where all traffic to the outside must pass through a DMZ (demilitarized zone), a host that talks directly to the Internet stands out at once. From the administrator's side, the fewer uncertain elements such as direct outbound connections there are, the easier anomalies are to spot.

Winny has a feature called Port0 for the case where a firewall blocks inbound connections. This is a nuisance, because it narrows the set of peers the host talks to (Figure A-1).

Figure A-1: Winny Port0 communication. Node A, which cannot accept connections from outside because of a firewall, uses Port0 to connect only to the upstream node B, and node B acts as a proxy server for it

Each Winny node (a computer running Winny, or Winny itself) is both client and server, so a firewall that blocks access from outside the LAN obstructs the server role. The solution was to have the node open a connection outward from inside the LAN and let the remote node take over the server role by proxy. Port0 thus replaces the server role: instead of talking to many peers as a server, the node talks only to specific peers through a proxy.

Still, Port0 is a feature for acting as a Winny "server"; a node used purely for downloading still talks to many unspecified peers.

On a network where talking to many unspecified peers is rare, this alone is strong evidence, but where other P2P software (such as Skype) is also in use it is not decisive. Then you need a tell from the packets themselves. Even so, it is best to narrow the search with the characteristics above before trying to confirm with captured packets.

A.1.2 Analyzing a Winny conversation

What does Winny traffic actually look like? Figure A-2 shows a Winny conversation.

First the TCP session is established (three-way handshake: SYN, SYN/ACK, ACK), and the data exchange begins with a PSH ACK. The content of that PSH ACK packet is the Winny protocol.

Figure A-2: Captured Winny packets. Note that the data length is 11 bytes

In Winny's case the characteristic is in this first packet. The Packet List pane shows the data length at the right edge (Len=11); the first packet at the start of a Winny conversation is always 11 bytes. Winny starts a conversation by exchanging these 11-byte packets, but the content is encrypted and cannot be read as is. Follow TCP Stream shows only gibberish (Figure A-3).

Figure A-3: Follow TCP Stream in ASCII mode. For Winny traffic, ASCII mode shows nothing useful

However, Winny uses its own encryption scheme, and catching it is relatively easy. Winny encrypts with RC4, a stream cipher. Encrypted communication normally requires some prior exchange of keys known only to the two parties, but Winny sends the key in this first packet. So if you can capture the first packet, the rest of the conversation can be decrypted. The designer presumably did this for performance: Winny maintains many sessions, and a careful key exchange for each one would hurt performance. Put the other way round, Winny's communication is not "secure" by design, for the sake of speed.

Of the 11 bytes, the first 2 are dummy values, the next 4 are the key for the encrypted communication, and the remaining 5 hold the information and the command (Figure A-4).

Because the bytes are encrypted, the first packet's appearance differs each time. Use Follow TCP Stream again, but this time choose Hex Dump to see the data in hexadecimal.

Look at the first two lines of the dump. The data is 11 bytes long and its content varies from packet to packet. The bytes differ because they are encrypted, but the information inside is the same. Specifically, the decrypted content is "01 00 00 00 61", the information Winny uses to confirm the peer's version. So if you decrypt the last 5 bytes with the key contained in the packet and get "01 00 00 00 61", you can conclude that the conversation is Winny.

Incidentally, in that data the 01 is the command length (1 byte), and 0x61 is 97 in decimal, which is the command.

Even without decrypting, if a computer somewhere on your LAN is exchanging 11-byte packets with many unspecified peers on an unusual port, calling it Winny is a reasonable call, though the certainty is not quite 100%: RC4 is a byte-oriented stream cipher, so all 11 bytes differ every time, and some other program could coincidentally send 11-byte packets. The probability is low, but not zero.

Figure A-4: The structure of Winny's first packet. Viewed with Follow TCP Stream in Hex Dump mode the data is easier to read. Because of the encryption it is important to look at the bytes as they are, not converted to ASCII or EBCDIC

Once you have that much evidence, seize the PC doing the talking and check whether Winny is installed.
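The first-packet check described above, coded up as an added example that is not part of the appendix. It assumes, as the text states, an 11-byte payload of 2 dummy bytes, a 4-byte RC4 key and 5 encrypted bytes that decrypt to 01 00 00 00 61. Whether the real client keys RC4 with those 4 bytes exactly as done here is this example's assumption; the sample payloads are constructed by encrypting with the same routine, so the test is self-consistent rather than a validation against real Winny traffic.

```python
import os

EXPECTED_PLAIN = bytes.fromhex("0100000061")

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then the keystream generator XORed over
    the data. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_first_packet(payload: bytes):
    """Parse the 11-byte layout; None if the length does not fit."""
    if len(payload) != 11:
        return None
    key, enc = payload[2:6], payload[6:11]
    plain = rc4(key, enc)
    return {"dummy": payload[:2], "key": key, "plain": plain,
            "command_len": plain[0], "command": plain[4],
            "is_winny": plain == EXPECTED_PLAIN}

def make_first_packet(key: bytes = b"") -> bytes:
    """Construct a payload laid out as the text describes (for the sample only)."""
    key = key or os.urandom(4)
    return os.urandom(2) + key + rc4(key, EXPECTED_PLAIN)

def suspect_winny(flows):
    """flows: [(src, dst, dport, first_payload)]. Reports each source whose
    first packets decode as Winny, with its number of distinct peers, since
    many unspecified peers is the other tell from A.1.1."""
    peers = {}
    for src, dst, dport, payload in flows:
        d = decode_first_packet(payload)
        if d and d["is_winny"]:
            peers.setdefault(src, set()).add((dst, dport))
    return {src: len(p) for src, p in peers.items()}

if __name__ == "__main__":
    pkt = make_first_packet(bytes.fromhex("deadbeef"))
    print(pkt.hex(), decode_first_packet(pkt))
```

Applied to the first data segment of every new TCP conversation on a capture, decode_first_packet gives the per-flow yes/no the text derives in the Hex Dump view, and suspect_winny adds the peer count that separates a single odd packet from a node on the network.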
A.1.3 Summary

Capturing and analyzing conversations one by one, and learning how to think about them, is the purpose of this book, but in a real investigation you need some clue, hint or piece of evidence before you can extract a specific conversation from the large volume flowing over the network. Without one, narrowing down becomes the crucial step.

If you have organized your network so that, for instance, LAN machines cannot talk directly to the Internet, Winny users (careless or deliberate) are easy to single out, because with a firewall in between the Winny user has nowhere to hide (Figure A-5).

Figure A-5: Whatever its settings, Winny must "talk directly" to a number of nodes. If the firewall does not allow, or at least logs, direct outbound connections, Winny can be found at the firewall

Narrowing down properly amounts to understanding your network properly. Captured packet data helps a great deal there.
A.2 Example 2: Tracking viruses, worms and bots

A.2.1 How viruses and worms have changed

Virus protection is no longer the safe bet it once was. Antivirus software and a firewall used to be enough to avoid infection, but malware that slips past antivirus scanners is now appearing in quantity. On the attackers' side "business" has become the norm: virus construction kits and even support services are available, so people without special knowledge can build viruses that evade detection.

Moreover, bots and viruses built for such purposes do not announce themselves by showing off the way the viruses of old did. They sit quietly, steal information, and become part of an attacker's botnet sending spam. With fast modern computers, a change in workload like this (CPU load a little heavier than it should be, at a moment when nothing should be running) is hard to notice, which makes detection by symptoms very difficult.

For this reason, capturing traffic and examining it has become increasingly important. Put the other way round, a virus that does not communicate is not much of a threat.

A.2.2 Bot characteristics

A bot is a program that, once inside a computer, joins a network and becomes the attacker's servant. Most bots use client-server communication, but bots that communicate P2P, like Winny, have also appeared.

Their purpose is to use the computer, so they must receive commands and send data out. As with Winny, organizing your network so that direct outbound connections are "abnormal" makes them easier to find, and then you can isolate and capture the traffic.

The word "bot" comes from IRC (Internet Relay Chat), where it originally meant a program that acted on someone's behalf. As the name implies, most bots still communicate over the IRC protocol. Detecting a simple bot is a matter of looking for IRC communication, that is, traffic aimed at IRC's port 6667, but changing the port is no great feat for an attacker, and relying on the port to detect or catch bots is risky.

Bots have one more characteristic: when used as spam senders they communicate in an obvious way with a known protocol. Beyond direct outbound connections, a host sending large volumes of SMTP from a place that has no business doing so can be flagged as "abnormal" without looking at the content.

Communication by software other than mail often shows up as attack-style access. The classic bot tries to spread by attacking other machines in order to grow the botnet; worm-type bots spread through Microsoft network file sharing and by attacking network vulnerabilities.

One point to note is that, unlike in the past, they no longer attack all at once. Classic worms such as SQL Slammer took down whole networks in hours: it attacked SQL Server with a single UDP packet, hitting unprotected machines and machines whose firewalls let that packet through, and everything went down. The damage was severe at the time, but a single large wave is all it was.

Today's attackers' goals have shifted entirely to business: they stay quiet and put the compromised machines to profitable use. With that shift, worm-type bots have become "quieter". Unlike the old all-at-once attacks, which reused the same vulnerability and proof-of-concept code over and over, they attack slowly and discreetly, spreading their attacks out in time and space.

When attacking with explicit attack traffic they scatter their packets widely, seeking vulnerable machines in bulk, but when spreading through file sharing they use Microsoft network broadcasts within the local segment to find targets.

At the same time, attack techniques that do not go through the network at all, such as installing malware from a visited website, have become common. The risk of being noticed by a network administrator or other observer when sending large volumes of packets over a network is now well understood.

The last point to remember is that catching a worm-type bot by capturing its spreading traffic is becoming harder and harder. On a network where many machines are poorly configured and a great deal of junk traffic flies around (capture some packets and you will find far more than you expected), their traffic hides in the noise.

Do not despair, though: the job is to capture the traffic of a traditional "network attack", and to narrow in on communication that should not exist at all on your site.
A.2.3 Analyzing "abnormal" communication

Once you have captured a network attack or an impossible communication, the analysis begins.

First consider communication whose content you do not know. Whether it counts as an attack is easy to check with the free IDS (Intrusion Detection System) Snort (http://www.snort.gr.jp).

When saving captured data in Wireshark, save it in pcap format unless you have a reason not to. pcap is the de facto standard format for packet capture data, and almost every OS and tool can read it. Feed the saved pcap file to Snort with its -r option and Snort reports whether the data matches a network attack.

Translator's note: Snort's installation method changes often with the project's policy, so it is not covered here; check the Internet for current instructions. It can be installed from rpm packages or from source on any Linux, and on Windows too. Rules can be obtained by registering on the development site, or you can use the community Bleeding Edge rule set (http://www.bleedingthreats.net).

Another approach is to scan the captured data with antivirus software. Running the capture file through antivirus software will detect viruses, worms and bots contained in the communication. Online scanners let you check with several vendors' products as well.

Files contained in the captured data can also be saved as files. Extract them as follows.

1. First identify the conversation that contains the file data. Follow TCP Stream makes this easy (Figure A-6).

Figure A-6: Choosing Save As with Raw saves only the data of the selected direction

2. Save the stream data in Raw format (Save As). Here it is saved as ccc.exe.

3. Open the file in a binary editor; here the Stirling editor (http://www.vector.co.jp/soft/win95/util/se079072.html) is used. Windows executables generally begin with the characters "MZ" or "MZP".

4. Delete everything before the MZ in the saved stream data (Figure A-7). Save under a different name or overwrite.

5. The file is now an executable. Inspecting it with pedump confirms that it is an executable file (Figure A-8). With the file recovered, check it with antivirus software.

Figure A-7: Open the saved file in a binary editor and delete everything before MZ or MZP to recover the file
Figure A-8: A tool such as pedump shows the file's contents. A debugger can be used too, but handle the file carefully so that it does not run

When the communication is not an attack, for example a spam bot sending mail, analysis is easy: SMTP is used as is, so the captured data shows what is happening (Figure A-9).

Figure A-9: The bot is sending large volumes of mail. The headers show that it is faking the sender
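Steps 3 to 5 of the recovery procedure above, and the "MZ"/"MZP" check from the translator's note on 9.5, done in code instead of a binary editor, as an added example that is not part of the appendix. It scans a raw TCP stream for a DOS header whose e_lfanew field points at a PE signature and carves the file from that offset; matching "MZ" alone is not enough, because those two bytes also occur by chance in ordinary data. The stream is constructed: HTTP-style junk, then a minimal DOS/PE header skeleton. It is not a real executable and does nothing if run.

```python
import struct

DOS_STUB_TEXT = b"This program must be run under Win32"

def find_pe_offsets(stream: bytes):
    """Every offset where 'MZ' begins a header whose e_lfanew (at 0x3C)
    points at 'PE\\0\\0' inside the stream."""
    hits, pos = [], stream.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and stream[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = stream.find(b"MZ", pos + 1)
    return hits

def carve(stream: bytes):
    """(file_bytes, info) for the first PE in the stream, or (None, None)."""
    offsets = find_pe_offsets(stream)
    if not offsets:
        return None, None
    start = offsets[0]
    pe = stream[start:]
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, sections = struct.unpack_from("<HH", pe, e_lfanew + 4)   # COFF header
    info = {"offset": start, "delphi_stub": pe[:3] == b"MZP",
            "win32_stub_text": DOS_STUB_TEXT in pe[:e_lfanew],
            "machine": hex(machine), "sections": sections}
    return pe, info

def build_fake_pe(delphi: bool = False) -> bytes:
    """Constructed header skeleton: 64-byte DOS header, stub text, PE signature
    and the start of a COFF header (machine 0x14c = i386, 3 sections)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZP" if delphi else b"MZ\x90")
    dos += bytes(0x3C - len(dos))
    dos += struct.pack("<I", e_lfanew)
    stub = DOS_STUB_TEXT
    stub += bytes(e_lfanew - len(dos) - len(stub))
    coff = b"PE\x00\x00" + struct.pack("<HH", 0x14C, 3) + bytes(16)
    return bytes(dos) + stub + coff + bytes(64)

# Constructed stream: an HTTP response header and a stray "MZ" in text,
# followed by the executable bytes.
JUNK = (b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
        + b"MZ is not a header here")
STREAM = JUNK + build_fake_pe()

if __name__ == "__main__":
    data, info = carve(STREAM)
    print(info, data[:2] if data else None)
```

The e_lfanew check is what lets this run unattended over every saved stream: the stray "MZ" in the junk is rejected because the 4 bytes at its offset 0x3C do not point at a PE signature, which is the same judgement the text asks you to make by eye in the hex editor.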
The other possibility is command traffic controlling the resident software. Such traffic is increasingly encrypted these days and is hard to catch. A sample of a captured command session follows (Figure A-10).
USER qwtemi qwtemi qwtemi :cajomaqonncvizrk NICK yJxGcfaF :hub.61171.com 001 yJxGcfaF :education, yJxGcfaF!qwtemi@221.186.11.201 :hub.61171.com 005 yJxGcfaF MAP KNOCK SAFELIST HCN MAXCHANNELS=80 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server :hub.61171.com 005 yJxGcfaF WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)?&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=education CASEMAPPING=ascii EXTBAN=?,cqr :are supported by this server :yJxGcfaF MODE yJxGcfaF :+iRp MODE yJxGcfaF +xi JOIN #kok2 :yJxGcfaF!qwtemi@221.186.11.201 JOIN :#kok2 

} A-10 IRCƂ悭R}ȟnpāA߂𑗂荞łĂ
:hub.61171.com 332 yJxGcfaF #kok2 :=g6k2YvupQhmuiBzj96h3Sv0EiUOAdAq319YVtR6Yb+gQ22cPu5wCW3tIcZr3qRu5D+4CHy/rGzAg VdOiG5kqfffb3y3jKcaU+1fbnyw2t5tIufofp0mD :hub.61171.com 333 yJxGcfaF #kok2 ift 1193051781 :hub.61171.com 353 yJxGcfaF @ #kok2 :yJxGcfaF :hub.61171.com 366 yJxGcfaF #kok2 :End of /NAMES list. MODE #kok2 +smntu :hub.61171.com 482 yJxGcfaF #kok2 :You're not channel operator JOIN #rs r.. JOIN #proxx r.. JOIN #63 r.. :hub.61171.com 474 yJxGcfaF #rs :Cannot join channel (+b) :yJxGcfaF!qwtemi@221.186.11.201 JOIN :#proxx :hub.61171.com 332 yJxGcfaF #proxx :=/LGFKEHLG5i6a8nifpUj5z/V4flkxP16V/BsuK2jyGND6I7ipLw0HfOGDZDhenz/dkdRDKh :hub.61171.com 333 yJxGcfaF #proxx ift 1193052077 :hub.61171.com 353 yJxGcfaF @ #proxx :yJxGcfaF :hub.61171.com 366 yJxGcfaF #proxx :End of /NAMES list. :yJxGcfaF!qwtemi@221.186.11.201 JOIN :#63 :hub.61171.com 332 yJxGcfaF #63 :=pXy848G/P7i+vQlSbo1zV2l3521k5OWy93AMuFWjmK8dWJrNnpDN5H2SxbCt1jTP9uGXHOh :hub.61171.com 333 yJxGcfaF #63 seller 1191623349 :hub.61171.com 353 yJxGcfaF @ #63 :yJxGcfaF :hub.61171.com 366 yJxGcfaF #63 :End of /NAMES list. MODE #proxx +smntu 
A.2 2FECXA[A{bg̒ǐ 
:hub.61171.com 482 yJxGcfaF #proxx :You're not channel operator 
MODE #63 +smntu 
:hub.61171.com 482 yJxGcfaF #63 :You're not channel operator 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
PRIVMSG #kok2 :-.04.dcom2....04.c..-1. Raw transfer to 221.186.132.45 
complete. 
:hub.61171.com 404 yJxGcfaF #kok2 :You need voice (+v) (#kok2) 
:EH!Y@hoo.net PRIVMSG #kok2 :* ipscan s.s.s.s dcom2 -s 
PRIVMSG #kok2 :-.04.dcom2....04.c..-2. Raw transfer to 74.205.233.170 
complete. 
:hub.61171.com 404 yJxGcfaF #kok2 :You need voice (+v) (#kok2) 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
PRIVMSG #kok2 :-.04.dcom2....04.c..-3. Raw transfer to 221.187.30.120 
complete. 
:hub.61171.com 404 yJxGcfaF #kok2 :You need voice (+v) (#kok2) 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
PING :hub.61171.com 
PONG :hub.61171.com 
:EH!Y@hoo.net PRIVMSG #kok2 :* ipscan s.s.s.s dcom2 -s 
PING :hub.61171.com 
PONG :hub.61171.com 
PRIVMSG #kok2 :-.04.dcom2....04.c..-4. Raw transfer to 221.187.250.118 complete. 
:hub.61171.com 404 yJxGcfaF #kok2 :You need voice (+v) (#kok2)
AɒgǂނƂłf͂قڔł傤AÍĂ悤ŒgȂƂĂAʐMOƒڍsĂA͎݂Ă鎞_Łu_vłƂłB 
L
!= (not equal)  50
< (less than)  50
<= (less than or equal)  50
== (equal)  50
> (greater than)  50
>= (greater than or equal)  50
3-way handshake  66, 161 
802.11  141
  802.11 packets  144
  802.11 flags  145 
A
ACK packet  67, 161
AirPcap  140
and (logical AND)  50
AppleTalk  7
ARP (Address Resolution Protocol)  7, 23, 63
ARP cache poisoning  23, 133
ARP spoofing  23
ARP packet  95
ASCII  7 
B 
BitTorrent  113
Blaster worm  129
Bleeding Edge ruleset  166
BSSID (Basic Service Set Identifier)  148
  filtering by BSSID  148 
C 
CACE Technologies  140 
Cain & Abel  133, 155
  using Cain & Abel  24
CAL packet  75
CAM table  11
[Capture] section  36
[Coloring Rules] dialog  38
[Conversations] dialog  59, 98, 114, 118
CWD command  72 
D
Destination unreachable (destination unreachable notification)  81
DHCP (Dynamic Host Configuration Protocol)  64
DHCPACK packet  65
DHCPDISCOVER packet  64
DHCPOFFER packet  65
DHCPREQUEST packet  65
[Display Filter] dialog  51, 128
DNS (Domain Name System)  70
DoS attack (Denial of Service attack)  23
Duplicate ACK packet  103 
E 
Engage Packet Builder  155
Ethereal  29
Ethernet  7
[Expert Infos] window  102 
F 
FDDI  7
[Filter Expression] dialog  48
FIN packet  68
FIN/ACK packet  68
mFollow TCP Streamn Forbidden FTPiFile Transfer ProtFTPT[o `Ƃ̒ʐM `ւ̐N  ocolj  57, 93 927, 717189126  
G 
Gnutella  117
Gratuitous ARP  95 
H 
HTTP (Hypertext Transfer Protocol)  7, 65
  HTTP communication  68, 86, 93
HTTP 403  92 
I 

IANA (Internet Assigned Number Authority)  156
ICMP (Internet Control Message Protocol)  7, 76
ICMP Time Exceeded packet  107
ICMP code  81
IDS (Intrusion Detection System)  166
IM (Instant Messenger)  56
Internet Explorer  87, 113
mIO GraphsnEBhE 61
IPiInternet Protocolj 7, 66
IPAhX 23
  IP address name resolution  54
IP fragmentation  82
IPX  7
iwconfig command  143 
J 
JPEG 7 
M
MAC address  23
  MAC address name resolution  53
MIDI  7
MPEG  7
MSG packet  76
MSN Messenger  56
MSNMS (MSN Messenger Service)  57, 74 
N 
mName ResolutionnZNV  37  
NetBIOS  7, 55 
`̃gtBbN  86 
NICiNetwork Interface CardFlbg[N 
C^[tF[XJ[hj  18 
notiےj  50  
NWLink  7  
O 
ori_aj  50 
OS̃tBK[vg  123 
OSIQƃf  5  
Oxid.it  24  
P 
P2PiPeer To PeerFsAc[sAj  159 
P2PʐMWinny  160 
PDUiProtocol Data UnitFvgRf[^ 
jbgj  8 
PIFiProgram Information Filej  117  
ping  132 
pingR}h  77 
pingpPbg  81  
PingPlotter  155 
POPiPost Office Protocolj  116 
mPrintingnZNV  37 
mProtocol Hierarchy StatisticsnEBhE  58 
mProtocolsnZNV  37  
R 
RETRR}h  72 
RFCiRequest For Commentsj  63  
RFC 791  66  
RFC 792  76  
RFC 793  66  
RFC 854  73  
RFC 959  71  
RFC 1034  70  
RFC 2131  65  
RFC 2616  65  
RIP  7 
RJ-45|[g  9 
RTTiRound Trip TimeFxԁj  104  
RUMINT  155 

S 
SAP  7
SDP  7
SIZE command  72
SMTP  7
Snort  166
SPOOLSS packet  125
SPX  7
Superscan 4  155
SYN packet  66, 161
SYN/ACK packet  67, 161 
T
TCP (Transmission Control Protocol)  7, 66
  TCP communication failure  79
[TCP Stream Graph]  104
TCP stream display  56
TCP/IP  66
tcpdump  2, 127
TELNET  7, 73, 133
Token Ring  7
traceroute  105
Transaction ID  65
TTL (Time To Live)  106 
U 
UDP  7
[User Interface] section  36 
W 
Winny  159
  Winny packets  159
Winny traffic analysis  161
Winny packet  159
WinPcap packet driver  31
Wireshark  29
  packet capture with Wireshark  41
  Wireshark installation  30
  Wireshark basics  33
  Wireshark settings  36
  Wireshark name resolution tool  53
  Wireshark history  29
  supported protocols  29
  packet coloring  37
Wireshark University  157
Wireshark Wiki and mailing list  156 
X
xorirI_aj 50
s
k 4擞Bs\ʒmiDestination unreachablej 81AhzbN[h 138AvP[VwiC7j 5, 6uʐMv̉ 166茟o 4Í 4ȉi<=j 50ȏi>=j 50 125pPbǵ` 45CX^gbZW[iInstant MessagerFIMj 56CtXgN`[h 138ECX̒ǐ 164G[ 4Gh|Cg 58mF 4xԁiRound Trip TimeFRTTj 104
s
 3WinnyʐḾ` 161uʐMv́` 166Q́` 85lbg[Ń` 34Bꂽ 131JvZ 8Lv`f[^̃GNX|[g 43Lv`t@C 36`̃GNX|[g 43`̕ۑ 43`̃}[W 44Lv`tB^ 47NbLOc[ 128Ot 61, 104 41
s
T[rXs\UiDenial of Service attackFDoSUj 23ŏ̃pPbgLv` 34Tulbg}XN 110 
VFA[hnu 9Ԃ̕\tH[}bg 45U 128W 3Ȃi<j 50NmVXeiIntrusion Detection SystemFIDSj 166XCb` 10`ō\ꂽlbg[Nł̃XjbtBO 20XCb`Onu 10Xjbt@ 1`zu 17XjbtBO 3XCb`ō\ꂽlbg[Nł́` 20nuō\ꂽlbg[Nł́` 18LAŃ` 137[^ō\ꂽlbg[Nł́` 27XpCEFA 94Ԓ߁iICMP Time ExceededjpPbg 107ZbVwiC5j 5, 6ZbV 64`̊m 66, 161`̏I 68ڑs\ 85Sd[h 10, 22Ύԕ\ 46
s
Ȃi>j 50\IȃvgR 7_E[h̒x 101ʐMQ 79fBXvCtB^ 47, 128f[^
`̈k 4
`̈Í 4
`̃JvZ 8f[^M̊Jn 67f[^NwiC2j 5, 7͂ȂICMPR[h 81͂ȂpPbg 81gtBbN̕ 14gX|[gwiC4j 5, 6
ȍs
O 53lbg[NC^[tF[XJ[h
iNetwork Interface CardFNICj 18lbg[N} 28lbg[NZOg 12lbg[NwiC3j 5, 7lbg[Nn[hEFA 9lbg[NvgR 4
͍s
rI_aixorj 50pPbg 9`̐F 37`̈ 45`̉mF 4`̌ 41`̃}[LO 42
802.11́` 144͂Ȃ` 81pPbg̐ԁiTime To LiveFTTLj 106pPbg 1, 33, 79Winný` 159{bǵ` 159pPbgLv` 34`̃eNjbN 41pPbgXjbt@̕] 2nbJ[̎_ 132nu 9`ō\ꂽlbg[Nł̃XjbtBO 18d[h 10, 22sAc[sAiPeer To PeerFP2Pj 159r[Rt[ 146rZq 50ےinotj 50i==j 50Ȃi !=j 50tB^ 47, 128`̃Tv 51`̕ۑ 51` 49LANĹ` 148tB^O 49, 98BSSIDŁ` 148tBK[vg 123wiC1j 5, 7
tO 66, 83, 114, 145v^ 125u[gtH[XU 128v[e[VwiC6j 5, 6t[ 4u[hLXg 14u[hLXghC 14vgR 7`̑ݍp 7`̕ 55`tB^O 49
vgRX^bN 4vgRf[^jbgiProtocol Data UnitFPDUj 8v~XLX[h 3
`̎gp 18 4x[XCjO 85ϊ 3|[gXL 124|[gBs\ 82|[g~[O 20, 110{bgiݑj 165`̒ǐ 164`̃pPbg 159
܍s
}[LO 42}[W 44}X^[[h 138}l[Wh[h 138}l[WgXCb` 10}`LXg 14LAN 137`ɐڑłȂ 150`̃C^[tF[X 138`̃XjbtBO 137
LANJ[h̃[h 138
LANL
`̏ 147
`̃tB^ 148CEBhE 35[T[o 115j^[[h 139
s
jLXg 14
s
s[^nu 9[^ 11`ō\ꂽlbg[Nł̃XjbtBO 27[eBO 12
`̕s 104[eBOvgR 12C1iwj 5, 7C2if[^Nwj 5, 7
`̃AhXiMACAhXj 65C3ilbg[Nwj 5, 7
`̃AhXiIPAhXj 12, 23, 65C3XCb` 13C4igX|[gwj 5, 6
`̃vgR 66C5iZbVwj 5, 6C6iv[e[Vwj 5, 6C7iAvP[Vwj 5, 6
`̃vgR 8, 71_Zq 50_ρiandj 50_aiorj 50
s
[̒ǐ 164 
About the Author
Chris SandersiNXET_[Xj
Network administrator for Graves County School in Kentucky (a network of more than 1,800 workstations and 20 servers, serving roughly 5,000 users). His website (http://chrissanders.org) carries tutorials, guides and technical articles such as "Packet School 101". He also writes for WindowsNetworking.com and WindowsDevCenter.com, and uses Wireshark for packet analysis almost every day.
About the Translator
cvî݂j
TCo[wITwyANPO{lbg[NZLeBAƗs@l񏈗i@\iIPAjΌAЃZLAXJCEeNmW[ЊOBZLeB֘A̋𒆐SɊBɖwANZXTIHARAxV[YiZp]_ЁjAwWinny͂Ȃjꂽ̂xiVЁjAĖɁwnj[lbgvWFNgxiR~jP[VYjAɁwpSSH2ŁxiIC[EWpjAwÍZpSx
i\tgoNNGCeBujȂǑB
About the Supervising Translator
ꐣîj
ʎВc@lJPCERTR[fBl[VZ^[ɂďZLeBɏ]BɁwECX̌Ƒ΍ \C^[lbgZLeBxi\tgoNNGCeBujAɁwZLAvO~OxiIC[EWpjAwSolarisZLeBxiĉjЁjȂǂB
HpPbǵ\ WiresharkgguV[eBO 
January 22, 2008: first edition, 1st printing; September 27, 2010: first edition, 6th printing
Author: Chris Sanders 
ā@@ cvî݂j 
@@@ ꐣîj 
Publisher: Tim O'Reilly 
@@@ LЂ͂ɂ 
E{ Е͍HƎ 
Published by: O'Reilly Japan, Inc. 
160-0002 Intelligent Plaza Bldg. 1F, 26-27 Sakamachi, Shinjuku-ku, Tokyo  
TEL (03) 3356-5227  
FAX (03) 3356-5263 
E-mail: japan@oreilly.co.jp 
Distributed by: Ohmsha, Ltd. 
101-8460 3-1 Kanda Nishiki-cho, Chiyoda-ku, Tokyo  
TEL (03) 3233-0641 (main)  
FAX (03) 3233-3440  

Printed in Japan (ISBN 978-4-87311-351-7). Defective or misbound copies will be replaced.
This book is protected by copyright. Reproduction or copying of any part or all of this book, by any means, without written permission from O'Reilly Japan, Inc. is prohibited.