Wireshark command-line tool Tshark

Source: Internet
Author: User
Tags mysql query switches

Wireshark command line tools TSHARK1, purpose

The purpose of this blog is to facilitate access, the use of Wireshark can analyze the packet, you can edit the filter expression to achieve the analysis of the data, but my need is, how to export the data part, because the subsequent work is mainly for a packet of the database part, Parsing is primarily done on locally stored. pcap files. This time will be used to the Tshark command-line tool, you can use the command to extract the data you want, you can redirect to the file, you can also combine the upper language such as Java, to invoke the command line, to achieve the processing of data!

I will summarize the results from the relevant examples, options, and some instances of the operation.

2, first of all, let's look at some examples on the Internet, I have organized these examples, and give a description.
// Print http protocol stream related information
tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr- d '\ t'
-S: only grab the first 512 bytes;
-I: capture eth0 network card;
-N: Disable network object name resolution;
-F: only capture protocol is tcp, destination port is 80;
-R: filter out http.host and http.request.uri;
-T, -e: refers to printing these two fields;
-I: output to the command line interface;
// Print the current mysql query statement in real time
tshark -s 512 -i eth0 -n -f ‘tcp dst port 3306’ -R ‘mysql.query’ -T fields -e mysql.query
-R: filter out mysql query;
// Example of exporting the header and value of the smpp protocol
tshark -r test.cap -R ‘(smpp.command_id == 0x80000004) and (smpp.command_status == 0x0)’ -e smpp.message_id -e frame.time -T fields -E header = y> test.txt
-R: read the local file, you can capture the packet and save it for analysis;
-R: smpp ... can be found in the filtering expression of wireshark, which will be described in detail later;
-E: When the -T field is specified, set the output options. Header = y means the header is to be printed;
-E: When the -T field is specified, set which fields are output;
>: Redirect;
// Statistic http status
tshark -n -q -z http, stat, -z http, tree
-Q: output data only at the end of capture, useful for statistics commands;
-Z: various statistics options, specific reference documents, which will be described later, you can use the tshark -z help command to view all supported fields;
Http, stat: Calculate HTTP statistics. The displayed values are HTTP status code and HTTP request method.
Http, tree: Calculate HTTP packet distribution. The displayed values are HTTP request mode and HTTP status code.
// Crawl 500 URLs to print and visit
tshark -s 0 -i eth0 -n -f ‘tcp dst port 80’ -R ‘http.host and http.request.uri’ -T fields -e http.host -e http.request.uri -l -c 500
-F: filter before capturing;
-R: Filter after capturing;
-L: clear the cache before printing the results;
-C: ends after grabbing 500 packets;
// Show ssl data
tshark -n -t a -R ssl -T fields -e "ip.src" -e "ssl.app_data"

// Read the specified message and filter the display content according to ssl
tshark -r temp.cap -R "ssl" -V -T text
-T text: Format output, default is text;
-V: increase the output of the packet; //-q filter tcp stream 13 to get the data content
tshark -r temp.cap -z "follow, tcp, ascii, 13"

// Display according to the specified format -e
tshark -r temp.cap -R ssl -Tfields -e "ip.src" -e tcp.srcport -e ip.dst -e tcp.dstport

//Output Data
tshark -r vmx.cap -q -n -t ad -z follow, tcp, ascii, 56087, 446 | more
-T ad: output formatted timestamp;
// Filter packet time and rtp.seq
tshark -i eth0 -f "udp port 5004" -T fields -e frame.time_epoch -e rtp.seq -o rtp.heuristic_rtp: true 1> test.txt
-O: override some values set in the properties file;

// Extract the data part of each protocol
tshark -r H: /httpsession.pcap -q -n -t ad -z follow, tcp, ascii, 27017, 59381 | more

The above example already covers most of the options, and I'll explain each of these options briefly, and give the values that are commonly used for this option;

3. Introduction of options

You can use Tshark-help to get a simple introduction to the options at the command line, and you need to check the official documentation https://www.wireshark.org/docs/man-pages/tshark.html

Capture Interface: -I:-I <interface> specifies the capture interface, which defaults to the first non-local loop interface;  -F:-F <capture filter> Set the capture filter expression, follow the Libpcap filter syntax, this is really the process of packet capture filtering, if the analysis of local files is not used. -S:-s <snaplen> sets the length of the snapshot to read the complete packet, because the transmission in the network has a limit of 65535, the value 0 represents the snapshot length 65535, the default is this value;
-P: Works in a non-mixed mode, which is concerned only with the traffic associated with this machine.
-B:-B <buffer size> sets the size of the buffer, only for Windows, the default is 2M;
-Y:-y<link type> Sets the data Link layer protocol for the capture packet, and does not set the default to-L Find the first protocol, LAN is generallyEN10MB, etc.;
-D: Print the list of interfaces and exit;
    -L lists the natively supported data link layer protocols forThe-y parameter is used. capture Stop option: -C:-C <packet count>Captures n packets and ends with an infinite number of default captures;
-A:-a <autostop cond.> duration:num, stop capturing after NUM seconds;
Filesize:num, stop capturing after NUMKB;
Files:num, stop capture after capturing NUM files;Capture Output Options:  -B <ringbuffer opt.> ...The file name of the ring buffer is determined byThe-w parameter determines thatThe-b parameter usesTest:value in the form of writing;
Duration:num-Switches to the next file after NUM seconds;
Filesize:num-Switches to the next file after NUM kb;
Files:num-a ring buffer is formed after the NUM file is reached; Rpcap options:  Remote packet capture protocol, long-haul packet capture protocol;
-A:-A <user>:<password>, using the Rpcap password for authentication;input File:   -R:-R <infile> Set read local file Processing options:   -2: Perform two analysis
-R:-R <read Filter> The packet's read filter, which can be viewed on the filter syntax of the Wireshark, and in the view of the Wireshark filter, click on the expression in this column to list the support for all protocols. - y:-y <display Filter> Using the read filter syntax, you can replace the-r option in a single analysis;
    -N: Prohibit all Address name resolution (default to allow all)
-N: Enables address name resolution for a layer."M" stands forMAC layer,"N" represents the network layer,"T" represents the transport layer,"C" represents the current asynchronousDNS lookups. If-N andThe-n parameter exists at the same time-N will be ignored. If-N andIf the-n parameter is not written, all address name resolution is turned on by default. -D: Unpack the specified data according to the relevant protocol, ifThe traffic on the TCP 8888 port isHTTP unpacking, should be written as"-D tcp.port==8888,http"; tshark-d. You can list all supported valid selectors.    Output Options:   -W:-W <outfile|-> settingsThe output file for raw data. This parameter is not set,The Tshark will output the decoding results toStdOut"-W-" means toRaw Output toStdOut If you want to output the decoding results to a file, use the redirect">" And not-W parameter.     -F:-F <output file Type>, set the format of the output, default is. Pcapng, use TSHARK-F to list all supported output file types.
-V: Increase the detail output;
-O:-o <protocols> only the details of the protocol specified by this option are displayed.
-P: Even if the decoding results are written to the file, the package profile is also printed;
-S:-S <separator> Line separator
-X: Set in the decoded output, eachPacket back withHEX dump shows the specific data in the way.
-T:-t PDML|PS|TEXT|FIELDS|PSML, setting the format of the decoded result output, includingTEXT,PS,PSML andPDML, the default isText
-E: If the-t field option is specified,-e is used to specify which fields to output;
-E:-E <fieldsoption>=<value> if the-t fields option is specified, use-e to set some properties, such as
-T:-T A|ad|d|dd|e|r|u|ud sets the time format for decoding results."Ad" represents an absolute time with a date,"A" means an absolute time without a date,"R" means the relative time from the first package to the present,"D" represents the increment time between two adjacent packages (Delta). -u:s|hms formatted output seconds;
-L: Flush standard output after each package is output
-Q: Use with the-Z option for statistical analysis;
-X: <key>:<value> extensions,Lua_script,Read_format, see man pages for details;   -Z: Statistical options, specific reference documents; Tshark-z Help, you can list the statistical methods supported by the-Z option.
    Other options:   -H: Displays command-line help; -V: Displays the version information of the Tshark;< Span lang= "en-US" > < Span lang= "en-US" > < Span lang= "en-US" >      /span>                 
4. Partial Command test

In the third section I briefly introduce the Tshark related commands, in this section we mainly test the output of several options to deepen the understanding of the command. For the third section of the command options, the more important has been marked with blue, easy to access.

Using Tshark to analyze the packet, the main is to learn the filter, according to their own needs to write a response to the filter, to get the corresponding data.

For my needs, first grab the packet in the analysis, but also want to integrate the command line into the Java language, and then for object-oriented analysis, then you need some special commands to get some data:

//1. Example 1, analyzing protocol for Packet Encapsulation C:\users\sdut>tshark-r H:\httpsession.pcap-T fields-e frame.number-e frame.protocols-e header=y
Frame.number Frame.protocols
1 eth:ethertype:ip:tcp
2 eth:ethertype:ip:tcp
3 eth:ethertype:ip:tcp
4 eth:ethertype:ip:tcp:http
5 eth:ethertype:ip:tcp
6 Eth:ethertype:ip:tcp:http:data-text-lines
7 eth:ethertype:ip:tcp
8 eth:ethertype:ip:tcp
9 eth:ethertype:ip:tcp
-E Frame.number: Display frame number
-E Frame.time: Display time, time format Sep 21, 2016 17:20:02.233249000 China Standard Time
-E Frame.protocols: Shows the protocol used by this packet
-E IP.SRC: Displays the source IP, but cannot be used with frame
-E IP.DST: Displays the destination IP address;
-E Tcp.port: Displays the port number.
...... There are many, for the needs, on the one hand can be Wireshark software display of the head field to guess, on the other hand can consult the document, https://www.wireshark.org/docs/dfref/, which lists all the supported e-field notation, Can search in the IP, frame above we use the few will be searched.  2. Example 2 C:\users\sdut>tshark-2-R H:\httpsession.pcap-R "Http.request.line | | Http.file_data | | Http.response.line "-t fields-e http.request.line-e http.file_data-e http.response.line-e header=y
Output: This example outputs the HTTP protocol's request header, response header, and response data;
Http.request.line Http.file_data Http.response.line
......          ......      ......
Specific to this-R filter notation, you can view the document according to your own needs. Https://wiki.wireshark.org/DisplayFilters ...
5. Reference documents

Tshark Official Document: https://www.wireshark.org/docs/man-pages/tshark.html

Wireshark wiki:https://wiki.wireshark.org/

Capture Filter Https://wiki.wireshark.org/CaptureFilters

Display filter, the fields used for display filtering can be queried by https://wiki.wireshark.org/DisplayFilters. If you do not filter the field data specified by-e will be output, after-r filtering, only satisfy the rules will be output, so-r and-T,-e will usually be used together.

Statistics: Https://wiki.wireshark.org/Statistics

Wireshark command-line tool Tshark

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.