Installing Wireshark on CentOS is quite simple; two commands are enough. Here we mainly record the installation and some notes on usage.
Installation:
1. yum install wireshark. Note that after this step alone neither the wireshark command nor the graphical interface is available, but it provides basic packet capture functions (the tshark command-line tool).
2. yum install wireshark-gnome. This adds the graphical interface and makes it easy to use.
If you can log in to a graphical terminal, there is no difference from using it on Windows, but our servers are all abroad and can only be managed over an SSH login with the command line. The Wireshark command-line tool tshark is installed by default along with the package and is easy to use. To capture packets: tshark -w packet.txt -i eth0 -q; the captured packets are stored in the file packet.txt. To view the details: tshark -r packet.txt -x -V | more.
The following describes the function of each parameter (the option letters are case-sensitive):
-a <capture autostop condition>
Set a criterion that specifies when Wireshark stops writing to a capture file. The criterion has the form test:value, where test is one of the following:
duration:value
Stop writing to the capture file after value seconds have elapsed.
filesize:value
Stop writing to the capture file when it reaches value kilobytes (here a kilobyte is 1000 bytes, not 1024). If this option is used together with -b, Wireshark stops writing to the current capture file when it reaches the specified size and switches to the next file.
files:value
Stop writing capture files after value files have been written.
-b <capture ring buffer option>
If a maximum capture file size was specified, this option makes Wireshark run in "ring buffer" mode with the specified number of files. In "ring buffer" mode Wireshark writes to several capture files; their names are built from the number of the file and its creation date and time.
When the first capture file is full, Wireshark switches to the next file and so on until the last file is full. At that point Wireshark discards the data in the first file (unless files is set to 0, in which case there is no limit on the number of files) and starts writing to it again.
If the duration option is specified, Wireshark also switches to the next file when the capture duration reaches the specified number of seconds, even if the current file is not full yet.
duration:value
Switch to the next file after value seconds have elapsed, even if the current file is not full.
filesize:value
Switch to the next file when the current file reaches value kilobytes (a kilobyte is 1000 bytes, not 1024).
files:value
Begin writing to the first file again after value files have been filled.
-B <capture buffer size>
Win32 only: set the capture buffer size (in MB, default 1 MB). The capture driver uses this buffer to hold packet data until it can be written to disk; if packets are dropped during capture, try increasing it.
-c <capture packet count>
Set the maximum number of packets to read when capturing live data. Usually used together with the -k option.
-D
Print a list of the interfaces on which Wireshark can capture, then exit. Each interface is printed with a number and a name, possibly followed by a description of the interface. The interface name or its number can be supplied to the -i parameter to specify the interface to capture on ("print" here means printing to the screen).
This is useful on systems that lack a command to list interfaces (for example Windows, or UNIX systems without the ifconfig -a command). On Windows 2000 and later the interface name is usually a long, complex string, so the interface number is more convenient.
Note: "can capture" means that Wireshark was able to open that device for live capture. If live capture on your platform requires a privileged account (for example root, or the Administrators group on Windows), running with -D from an account without those privileges will not list any interfaces.
-f <capture filter>
Set the capture filter expression.
-g <packet number>
After a capture file has been read with the -r parameter, go to the packet with the given number.
-h
Request that Wireshark print the usage text for this version (as shown earlier) and then exit.
-i <capture interface> | -
Set the name of the network interface or pipe to use for live capture.
The network interface name must match one of the names listed by wireshark -D; the number reported by wireshark -D can also be used. On UNIX, interface names obtained from netstat -i or ifconfig -a can be used too; note that not all UNIX platforms support the -a flag of ifconfig.
If no interface is specified, Wireshark searches the interface list and chooses the first non-loopback interface. If there are no non-loopback interfaces, it chooses the first loopback interface. If there are no interfaces at all, Wireshark reports an error and does not start the capture.
A pipe name may be a FIFO (named pipe) or "-" to read from standard input. Data read from the pipe must be in standard libpcap format.
-k
Start the capture session immediately. This option must be used together with the -i parameter to specify the interface to capture on.
-l
Turn on automatic scrolling: the "Packet list" pane scrolls as new packets are captured (as with the -S parameter).
-m <font>
Set the font used for the display (the editor thinks an example font should be added here).
-n
Disable network object name resolution (such as host names and TCP/UDP port names).
-N <name resolving flags>
Enable name resolution for particular types of addresses and port numbers. The argument is a string: m enables MAC address resolution, n enables network address resolution, t enables transport-layer port number resolution, and C enables concurrent (asynchronous) DNS lookups. When both -N and -n are given, -N takes precedence over -n.
-o <preference/recent settings>
Set a preference or recent value, overriding the default value and any value read from the preferences/recent file. The argument is a string of the form prefname:value, where prefname is the name of the preference option (as it appears in the preferences/recent file) and value is the value to assign to it. Multiple -o options can be given on a single command line.
Example of setting a single preference:
wireshark -o mgcp.display_dissect_tree:TRUE
Example of setting multiple preferences:
wireshark -o mgcp.display_dissect_tree:TRUE -o mgcp.udp.callagent_port:2627
-p
Don't put the interface into promiscuous mode. Note that the interface may be in promiscuous mode for some other reason, so -p cannot guarantee that only traffic sent to or from this machine, plus broadcast and multicast traffic, is captured.
-Q
Make Wireshark exit when the capture session ends. It can be combined with the -c option, and must be used together with -i and -w.
-r <infile>
Read packet data from the named file. The capture file must be in a format supported by Wireshark.
-R <read filter>
Apply a read filter after the file has been read. The filter uses display filter syntax; packets that do not match are not displayed.
-s <capture snaplen>
Set the snapshot length used when capturing packets. Wireshark captures only the first snaplen bytes of each packet.
-S
Display packets as soon as they are captured: Wireshark captures in one process and displays the data in another. This is the same as the "Update list of packets in real time" option in the capture options dialog.
-t <time stamp format>
Set the format of the packet timestamp shown in the display. Available formats:
r relative: the timestamp is the time relative to the first packet.
a absolute: the timestamp is the absolute time the packet was captured.
ad absolute with date: the timestamp is the absolute date and time the packet was captured.
d delta: the timestamp is the time relative to the previous packet.
e epoch: the timestamp is the number of seconds since the epoch (January 1, 1970 00:00:00).
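Because -r reads a capture file and a pipe given to -i must carry standard libpcap data, it helps to see that container concretely. The following Python is an added example (not from the original post or the Wireshark project): it writes and parses a classic little-endian libpcap file from a constructed sample of three Ethernet frames, validates record lengths the way a careful reader should, and renders the timestamps in the r, d and e modes of -t. The names build_pcap, parse_pcap and timestamps are assumptions of this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(packets, snaplen=65535):
    """Serialize [(ts_sec, ts_usec, frame), ...] into a libpcap byte string."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        blob += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return blob

def parse_pcap(blob):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); rejects bad or truncated input."""
    if len(blob) < 24:
        raise ValueError("too short for a libpcap global header")
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file: magic %#x" % magic)
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        # a record longer than snaplen or than the remaining file is corruption, not data
        if incl > snaplen or off + incl > len(blob):
            raise ValueError("corrupt record length at offset %d" % off)
        records.append((sec, usec, blob[off:off + incl]))
        off += incl
    return linktype, records

def timestamps(records, mode):
    """Render record timestamps the way tshark -t r (relative), d (delta), e (epoch) does."""
    out, first, prev = [], None, None
    for sec, usec, _frame in records:
        t = sec + usec / 1e6
        if first is None:
            first = prev = t
        base = {"r": first, "d": prev, "e": 0.0}[mode]   # KeyError for unsupported modes
        out.append(round(t - base, 6))
        prev = t
    return out

# Constructed sample: broadcast Ethernet frames with a dummy payload, not real traffic.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x00" * 46
SAMPLE = build_pcap([(1700000000, 0, FRAME), (1700000000, 250000, FRAME), (1700000001, 500000, FRAME)])
```

Newer tshark versions write pcapng by default, which this parser does not handle; the magic check makes it fail loudly instead of misreading such a file.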
-v
Request that Wireshark print its version information and then exit.
-w <savefile>
Write the captured packets to the file named savefile.
-y <capture link type>
If a capture is started with the -k parameter, -y sets the data link type used for the capture. The values reported by -L are the ones that can be used.
-X <eXtension option>
Specify an option to be passed to a TShark module. The eXtension option has the form extension_key:value, where extension_key can be:
lua_script:lua_script_filename, which tells Wireshark to load the given script in addition to the default Lua scripts.
-z <statistics>
Collect various types of statistics and display the result in a window that updates in real time.
Please credit LINUXQQ when reprinting.