A detailed explanation of the use of Tshark (Wireshark) grasping package tools in Linux

Source: Internet
Author: User
Tags mysql query

Under Linux, when we need to crawl network packet analysis, it is usually to use tcpdump Crawl network raw data packets to a file, and then download to the local use of Wireshark interface network analysis tools for network packet analysis.
Recently discovered that the original Wireshark also provides a Linux command-line tool-tshark. Tshark not only has the function of grasping the package, but also with the ability to resolve various protocols. Here are two examples to introduce the Tshark tool.

1. Installation method

The code is as follows Copy Code
Centos:yum install-y Wireshark
Ubuntu:apt-get install-y Tshark

2, real-time printing of the current HTTP request URL (including domain name)

The code is as follows Copy Code

Tshark-s 512-i eth0-n-F ' TCP DST Port ' R ' http.host and Http.request.uri '-t fields-e http.host-e Ri-l | Tr-d ' t '

The following describes the meaning of the parameter:

-S 512: Crawl only the first 512 bytes of data
-I eth0: capture eth0 network card
-N: Prohibit network object name resolution
-F ' TCP DST port 80 ': Only capture protocol for TCP, destination port is 80 packets
-R ' Http.host and Http.request.uri ': Filtering out Http.host and Http.request.uri
-T fields-e http.host-e Http.request.uri: printing http.host and Http.request.uri
-L: Output to standard output
3, real-time print the current MySQL query statement
Tshark-s 512-i eth0-n-F ' TCP DST Port 3306 '-R ' mysql.query '-t fields-e mysql.query
The following describes the meaning of the parameter:
-S 512: Crawl only the first 512 bytes of data
-I eth0: capture eth0 network card
-N: Prohibit network object name resolution
-F ' TCP DST Port 3306 ': Only capture protocol for TCP, destination port is 3306 packets
-R ' mysql.query ': Filtered out Mysql.query
-T fields-e mysql.query: print MySQL query statement
Tshark uses-F to specify the capture packet filtering rules, which, like tcpdump, can be traced through the command man Pcap-filter.
Tshark uses-R to filter the captured packets consistent with the upper-left corner of the interface board Wireshark.

Example

The code is as follows Copy Code

std::string decodehex (const std::string& strhex)
{
    int nlen = Strhex.length ()/2;
& nbsp;   std::string strret (nlen, 0);
    for (int i = 0; I!= nlen; ++i)
    {
      & nbsp Strret[i] = ((strhex[2*i]>= ' a ')? (strhex[2*i]-' A ' +10): (strhex[2*i]-' 0 ')) * 16;
        Strret[i] + = (strhex[2*i+1]>= ' a ')? (strhex[2*i+1]-' A ' +10): (strhex[2*i+1]-' 0 ');
   }
    return strret;
}

void Cswuyg_test_tshark ()
{
    std::wstring strparam =  L "\" C:\\Program Files\\wireshark\\tshark.exe\ "-I 1-p-l-t pdml-f\" DST Port 80\ "-r\" ip.addr==172.17.195.56\ "";
    file* stream = NULL;
    errno_t err = _wfreopen_s (&stream, L "C:\\temp\\cswuyt_test.xml", L "w", stdout);
    if (err!= 0)
    {
        std::cout << "error" << Std::endl;
   }

    HANDLE hstd =:: GetStdHandle (Std_output_handle);
   //bool bset =:: Sethandleinformation (HSTD, Handle_flag_inherit, Handle_flag_inherit);
    startupinfo Ststartinfo;
    ZeroMemory (&ststartinfo, sizeof (STARTUPINFO));
    STSTARTINFO.CB = sizeof (STARTUPINFO);
    ststartinfo.hstderror = hstd;
    ststartinfo.hstdoutput = hstd;
    process_information Stprocinfo;
    ZeroMemory (&stprocinfo, sizeof (process_information));
    BOOL bsuccess =:: CreateProcess (NULL, const_cast<wchar_t*> (STRPARAM.C_STR ()), NULL, NULL , TRUE, 0, NULL, NULL, &ststartinfo, &stprocinfo);
   :: CloseHandle (stprocinfo.hprocess);
   :: CloseHandle (Stprocinfo.hthread);
   :: fclose (Stream);
}

The demo above is for a machine that crawls with an IP address of 172.17.195.56, a port (HTTP default port), and Tshark provides XML data after the packet parsing, which the program stores to the file. Note that part of the data needs to be converted from a hex string to a real string, and there may be a need for gzip decompression.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.