Under Linux, when we need to analyse network packets, the usual approach is to capture raw packets to a file with tcpdump, then download the file and analyse it locally with the Wireshark GUI.
Recently I discovered that Wireshark also ships a Linux command-line tool, tshark. tshark can not only capture packets but also dissect the various protocols. Below are two examples introducing the tshark tool.
1. Installation method
CentOS: yum install -y wireshark
Ubuntu: apt-get install -y tshark
2. Print the current HTTP request URLs (including the domain name) in real time
tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'
The meaning of each parameter:
-s 512: capture only the first 512 bytes of each packet
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution
-f 'tcp dst port 80': capture only TCP packets whose destination port is 80
-R 'http.host and http.request.uri': keep only packets that have both http.host and http.request.uri
-T fields -e http.host -e http.request.uri: print the http.host and http.request.uri fields
-l: flush standard output after each packet, so lines appear in real time when piped
3. Print the current MySQL query statements in real time
tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query
The meaning of each parameter:
-s 512: capture only the first 512 bytes of each packet
-i eth0: capture on the eth0 network interface
-n: disable network object name resolution
-f 'tcp dst port 3306': capture only TCP packets whose destination port is 3306
-R 'mysql.query': keep only packets that have a mysql.query field
-T fields -e mysql.query: print the MySQL query statement
tshark uses -f to specify the capture filter; the syntax is the same as tcpdump's and is documented in man pcap-filter.
tshark uses -R to filter the captured packets, with the same display-filter syntax as the filter bar in the upper-left corner of the Wireshark GUI. On current tshark versions -R is a two-pass read filter that must be combined with -2; the single-pass equivalent with the same syntax is -Y.
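The two commands above pipe tab-separated -T fields output into other tools. As an added example (not part of the original post), here is a small Python consumer for that output: it keeps the tab as the field separator instead of deleting it with tr, because once the tab is gone a packet that lacks one of the two fields (for example an HTTP/1.0 request without a Host header) becomes indistinguishable from a complete one. The sample output and host names are constructed, not real capture data.

```python
import sys

FIELDS = ["http.host", "http.request.uri"]

# Constructed sample of what `tshark -T fields -e http.host -e http.request.uri`
# emits: one line per matching packet, fields separated by a tab, and an empty
# column wherever the packet lacks that field (not real capture output).
SAMPLE_OUTPUT = (
    "example.test\t/index.html\n"
    "\t/no-host-header\n"                 # request without a Host header
    "api.example.test\t/v1/items?id=7\n"
    "example.test\t\n"                    # host present, URI missing
)


def parse_fields(lines, names, sep="\t"):
    """Turn `tshark -T fields` lines into dicts keyed by the -e field names."""
    rows = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        cols = line.split(sep)
        cols += [""] * (len(names) - len(cols))  # guard against short lines
        rows.append(dict(zip(names, cols)))
    return rows


def incomplete_rows(rows):
    """Rows where at least one requested field was absent from the packet."""
    return [row for row in rows if not all(row[name] for name in FIELDS)]


def request_urls(rows):
    """host + uri for every row that has both; incomplete rows are skipped,
    which `tr -d '\\t'` would silently have turned into misleading URLs."""
    return [row["http.host"] + row["http.request.uri"]
            for row in rows if row["http.host"] and row["http.request.uri"]]


def urls_from_output(text):
    return request_urls(parse_fields(text.splitlines(True), FIELDS))


if __name__ == "__main__":
    # Usage: tshark ... -T fields -e http.host -e http.request.uri -l | python3 this_script.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines(True)
    for url in request_urls(parse_fields(source, FIELDS)):
        print(url)
```

Because tshark is started with -l, the script sees each line as soon as the packet is dissected, so it can be used for live monitoring rather than only for a saved capture.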
Example

#include <string>
#include <iostream>
#include <cstdio>
#include <windows.h>

// Converts a lowercase hex string (as found in PDML "value" attributes) to raw bytes.
std::string DecodeHex(const std::string& strHex)
{
    int nLen = strHex.length() / 2;
    std::string strRet(nLen, 0);
    for (int i = 0; i != nLen; ++i)
    {
        strRet[i] = ((strHex[2*i] >= 'a') ? (strHex[2*i] - 'a' + 10) : (strHex[2*i] - '0')) * 16;
        strRet[i] += (strHex[2*i+1] >= 'a') ? (strHex[2*i+1] - 'a' + 10) : (strHex[2*i+1] - '0');
    }
    return strRet;
}

// Launches tshark on interface 1 (-p: no promiscuous mode, -l: flush per packet,
// -T pdml: XML output) and redirects its output into a file via inherited stdout.
void cswuyg_test_tshark()
{
    std::wstring strParam = L"\"C:\\Program Files\\Wireshark\\tshark.exe\" -i 1 -p -l -T pdml -f \"dst port 80\" -R \"ip.addr==172.17.195.56\"";

    // Re-open this process's stdout onto the target XML file.
    FILE* stream = NULL;
    errno_t err = _wfreopen_s(&stream, L"C:\\temp\\cswuyg_test.xml", L"w", stdout);
    if (err != 0)
    {
        std::cout << "error" << std::endl;
        return;
    }

    HANDLE hStd = ::GetStdHandle(STD_OUTPUT_HANDLE);
    //BOOL bSet = ::SetHandleInformation(hStd, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);

    STARTUPINFO stStartInfo;
    ZeroMemory(&stStartInfo, sizeof(STARTUPINFO));
    stStartInfo.cb = sizeof(STARTUPINFO);
    stStartInfo.dwFlags = STARTF_USESTDHANDLES;  // required for hStdOutput/hStdError to take effect
    stStartInfo.hStdError = hStd;
    stStartInfo.hStdOutput = hStd;

    PROCESS_INFORMATION stProcInfo;
    ZeroMemory(&stProcInfo, sizeof(PROCESS_INFORMATION));

    // bInheritHandles = TRUE so the child inherits the redirected stdout handle.
    BOOL bSuccess = ::CreateProcess(NULL, const_cast<wchar_t*>(strParam.c_str()),
                                    NULL, NULL, TRUE, 0, NULL, NULL,
                                    &stStartInfo, &stProcInfo);
    if (!bSuccess)
    {
        std::cerr << "CreateProcess failed: " << ::GetLastError() << std::endl;
    }
    else
    {
        ::CloseHandle(stProcInfo.hProcess);
        ::CloseHandle(stProcInfo.hThread);
    }
    ::fclose(stream);
}
The demo above captures, on the machine with IP address 172.17.195.56, traffic to port 80 (the HTTP default port); tshark emits the dissected packets as PDML XML, which the program redirects into a file. Note that field values in that XML are hex strings that must be converted back to real bytes (the DecodeHex function above), and HTTP bodies may additionally need gzip decompression.
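To show the two post-processing steps just mentioned (hex decoding and gzip decompression) on the PDML that -T pdml produces, here is an added Python example; it is not the original post's code. The PDML document, the addresses and the HTTP body are constructed for the example, modelled on PDML's layout where each dissected field carries its raw bytes hex-encoded in the value attribute and the display form in the show attribute. It also handles the edge case the -s 512 snaplen creates: a body cut off mid-stream yields an odd-length hex string and a gzip stream that cannot be fully inflated, which is flagged rather than crashing the parser.

```python
import gzip
import zlib
import xml.etree.ElementTree as ET

# Constructed sample, not real tshark output. Packet 1 is a request,
# packet 2 a gzip-compressed response whose body is hex-encoded like PDML does.
BODY = b'{"status":"ok","items":[1,2,3]}'
GZ_HEX = gzip.compress(BODY, mtime=0).hex()

SAMPLE_PDML = f"""<pdml version="0">
  <packet>
    <proto name="ip">
      <field name="ip.src" show="172.17.195.1" value="ac11c301"/>
      <field name="ip.dst" show="172.17.195.56" value="ac11c338"/>
    </proto>
    <proto name="http">
      <field name="http.request.method" show="GET" value="474554"/>
      <field name="http.host" show="example.test" value="6578616d706c652e74657374"/>
      <field name="http.request.uri" show="/api/items" value="2f6170692f6974656d73"/>
    </proto>
  </packet>
  <packet>
    <proto name="ip">
      <field name="ip.src" show="172.17.195.56" value="ac11c338"/>
      <field name="ip.dst" show="172.17.195.1" value="ac11c301"/>
    </proto>
    <proto name="http">
      <field name="http.response.code" show="200" value="323030"/>
      <field name="http.content_encoding" show="gzip" value="677a6970"/>
      <field name="http.file_data" show="(gzip data)" value="{GZ_HEX}"/>
    </proto>
  </packet>
</pdml>
"""


def decode_hex(value):
    """PDML 'value' attribute -> bytes. An odd-length string means the packet
    was cut by the snaplen; drop the dangling nibble instead of failing."""
    return bytes.fromhex(value[: len(value) // 2 * 2])


def first_field(proto, name, attr):
    # PDML nests fields inside fields, so walk the whole subtree of the proto.
    for field in proto.iter("field"):
        if field.get("name") == name:
            return field.get(attr)
    return None


def http_protos(pdml_text):
    root = ET.fromstring(pdml_text)
    for packet in root.iter("packet"):
        for proto in packet.findall("proto"):
            if proto.get("name") == "http":
                yield proto


def request_urls(pdml_text):
    """Same host + uri join as the tshark -T fields example, from PDML."""
    urls = []
    for http in http_protos(pdml_text):
        host = first_field(http, "http.host", "show")
        uri = first_field(http, "http.request.uri", "show")
        if host and uri:
            urls.append(host + uri)
    return urls


def extract_bodies(pdml_text):
    """Decode http.file_data; gunzip when Content-Encoding or the magic says so."""
    bodies = []
    for http in http_protos(pdml_text):
        raw_hex = first_field(http, "http.file_data", "value")
        if raw_hex is None:
            continue
        raw = decode_hex(raw_hex)
        encoding = (first_field(http, "http.content_encoding", "show") or "").lower()
        if encoding == "gzip" or raw.startswith(b"\x1f\x8b"):
            try:
                bodies.append({"body": gzip.decompress(raw), "complete": True})
            except (EOFError, OSError, zlib.error):
                # truncated or corrupt stream: keep the raw bytes and flag it
                bodies.append({"body": raw, "complete": False})
        else:
            bodies.append({"body": raw, "complete": True})
    return bodies


if __name__ == "__main__":
    print(request_urls(SAMPLE_PDML))
    for entry in extract_bodies(SAMPLE_PDML):
        print(entry["complete"], entry["body"])
```

With a real file, read the XML produced by the program above (C:\temp\cswuyg_test.xml in the demo) and pass its text to the same functions; when a capture is made with -s 512, expect many bodies to come back with complete set to False, since only the first 512 bytes of each packet are ever written.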