CentOS command line packet capture and package parsing tool tshar

In centos, when we need to capture network packet analysis, we usually use tcpdump to capture the network raw packet and save it to a file, and then download it to the local machine to use the wireshark interface network analysis tool for network packet analysis. Recently, wireshark also provided the Linux command line tool tshark. Tshark not only supports packet capture, but also supports parsing various protocols. The following describes the tshark tool using two instances. 1. Installation

In centos, when we need to capture network packet analysis, we usually use tcpdump to capture the network raw packet and save it to a file, and then download it to the local machine to use the wireshark interface network analysis tool for network packet analysis.
Recently, wireshark also provided the Linux command line tool tshark. Tshark not only supports packet capture, but also supports parsing various protocols. The following describes the tshark tool using two instances.

1. installation method

1. CentOS: yum install-y wireshark
2.  

2. print the url of the current http request in real time (including the domain name)

1. Tshark-s 512-I eth0-n-f 'tcp dst port 80'-R' http. host and http. request. uri '-T fields-e http. host-e http. request. uri-l | tr-d' \ t'

The following describes the parameter meanings:

• -S 512: only capture the first 512 bytes of data
• -I eth0: capture eth0 Nic
• -N: disable Network Object name resolution
• -F 'tcp dst port 80': only capture packets whose protocol is tcp and the destination port is 80.
• -R 'http. host and http. request. url': filters http. host and http. request. uri.
• -T fields-e http. host-e http. request. uri: print http. host and http. request. uri
• -L: output to standard output

3. print the current mysql Query statement in real time

1. Tshark-s 512-I eth0-n-f 'tcp dst port 3306 '-r'mysql. query'-T fields-e mysql. query

The following describes the parameter meanings:

• -S 512: only capture the first 512 bytes of data
• -I eth0: capture eth0 Nic
• -N: disable Network Object name resolution
• -F'tcp dst port 3306 ': only packets with the tcp protocol and the target port 3306 are captured.
• -R 'MySQL. query': filter out mysql. query.
• -T fields-e mysql. query: print the mysql query statement.

Tshark uses-f to specify the capture packet filtering rule. like tcpdump, the rule can be queried by running man pcap-filter.
Tshark uses-R to Filter captured packets, which is consistent with the Filter in the upper left corner of wireshark on the interface board.

 

For more information, see https://www.centos.bz/2014/07/linux-commandline-capture-packets-tshark-wireshark/.