Under Linux, when we need to analyze network packets, we usually use tcpdump to capture the raw packets to a file, then download that file to a local machine and open it in the Wireshark GUI for analysis.
Only recently did I find that Wireshark also ships a Linux command-line tool, tshark. tshark can not only capture packets but also dissect the various protocols. Here we introduce tshark with two examples.
1. Installation method
    CentOS: yum install -y wireshark
    Ubuntu: apt-get install -y tshark
2. Print the URL of the current HTTP request (including the domain name) in real time
    tshark -s 512 -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t'
The parameters mean the following:
-s 512: capture only the first 512 bytes of each packet (snapshot length)
-i eth0: capture on the eth0 interface
-n: disable network object name resolution
-f 'tcp dst port 80': capture filter, only TCP packets whose destination port is 80
-R 'http.host and http.request.uri': display filter, keep only packets that carry both http.host and http.request.uri
-T fields -e http.host -e http.request.uri: print the http.host and http.request.uri fields
-l: flush standard output after each packet so the lines appear in real time
3. Print the current MySQL query statement in real time
    tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query
The parameters mean the following:
-s 512: capture only the first 512 bytes of each packet (snapshot length)
-i eth0: capture on the eth0 interface
-n: disable network object name resolution
-f 'tcp dst port 3306': capture filter, only TCP packets whose destination port is 3306
-R 'mysql.query': display filter, keep only packets that carry mysql.query
-T fields -e mysql.query: print the MySQL query statement
tshark uses -f to specify a capture filter; the syntax is the same as tcpdump's and is documented in man pcap-filter.
tshark uses -R to filter the captured packets with a display filter, the same syntax as the filter bar at the top of the Wireshark GUI.
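The two command lines above can be driven from a script instead of a shell pipeline. The following is an added example (not code from the original post): it builds the tshark argument list for both use cases and parses the tab-separated `-T fields` output, replacing the `tr -d '\t'` step. It assumes a tshark release that accepts `-Y` for the single-pass display filter (on old releases that only know `-R`, swap the flag) and that the script runs with capture privileges; the interface name and sample output lines are constructed.

```python
"""Drive tshark for the HTTP-URL and MySQL-query dumps shown above.

Added example, not code from the original post. Assumes a tshark that accepts
-Y (single-pass display filter) and that the caller may capture on the NIC.
"""
import shlex
import subprocess
from typing import Iterator, List


def build_tshark_argv(interface: str, dst_port: int, display_filter: str,
                      fields: List[str], snaplen: int = 512) -> List[str]:
    """Build argv for a real-time field dump, mirroring the post's flags.

    -s limits bytes per packet; -f is a BPF capture filter applied in the
    kernel; -Y is the Wireshark display filter applied after dissection;
    -T fields / -e pick the output columns; -l line-buffers stdout so each
    packet is printed as soon as it is seen. No shell is involved, so the
    filter strings are passed verbatim without quoting problems.
    """
    argv = ["tshark", "-s", str(snaplen), "-i", interface, "-n",
            "-f", f"tcp dst port {dst_port}", "-Y", display_filter,
            "-T", "fields", "-l"]
    for field in fields:
        argv += ["-e", field]
    return argv


def http_url_argv(interface: str = "eth0") -> List[str]:
    """Section 2: host and URI of every HTTP request going to port 80."""
    return build_tshark_argv(interface, 80, "http.host and http.request.uri",
                             ["http.host", "http.request.uri"])


def mysql_query_argv(interface: str = "eth0") -> List[str]:
    """Section 3: every MySQL query sent to port 3306."""
    return build_tshark_argv(interface, 3306, "mysql.query", ["mysql.query"])


def join_fields_line(line: str, separator: str = "") -> str:
    """Glue the tab-separated -e columns together (what `tr -d '\\t'` did).

    tshark prints an empty column when a field is absent; such columns are
    dropped rather than leaving a stray separator behind.
    """
    cols = [c for c in line.rstrip("\n").split("\t") if c]
    return separator.join(cols)


def parse_fields_output(text: str) -> List[str]:
    """Turn raw -T fields output into one joined string per packet."""
    out = []
    for line in text.splitlines():
        joined = join_fields_line(line)
        if joined:
            out.append(joined)
    return out


def stream_fields(argv: List[str]) -> Iterator[str]:
    """Run tshark and yield one joined line per packet as it arrives."""
    with subprocess.Popen(argv, stdout=subprocess.PIPE, text=True, bufsize=1) as proc:
        for line in proc.stdout:
            joined = join_fields_line(line)
            if joined:
                yield joined


# Constructed sample of what `-T fields -e http.host -e http.request.uri`
# prints: host TAB uri, plus one packet where neither field was present.
SAMPLE_FIELDS_OUTPUT = (
    "example.test\t/index.html\n"
    "api.example.test\t/v1/items?id=7\n"
    "\t\n"
)

if __name__ == "__main__":
    print(shlex.join(http_url_argv()))
    for url in stream_fields(http_url_argv()):
        print(url)
```

Running the module prints the exact command line it will execute and then the URLs as they are captured; the parser functions can be tested against saved output without a NIC.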
Example
    #include <windows.h>
    #include <cstdio>
    #include <iostream>
    #include <string>

    // Value of a single hex digit; PDML "value" attributes may use either case.
    static int HexDigit(char c)
    {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        return 0; // not a hex digit: treated as zero
    }

    // Decode a hex string (as found in PDML "value" attributes) into raw bytes.
    std::string DecodeHex(const std::string& strHex)
    {
        int nLen = strHex.length() / 2;
        std::string strRet(nLen, 0);
        for (int i = 0; i != nLen; ++i)
        {
            strRet[i] = static_cast<char>(HexDigit(strHex[2 * i]) * 16 + HexDigit(strHex[2 * i + 1]));
        }
        return strRet;
    }

    // Launch tshark so that its PDML (XML) output lands in a file: redirect our
    // own stdout to the file, then let the child process inherit that handle.
    void cswuyg_test_tshark()
    {
        std::wstring strParam = L"\"C:\\Program Files\\Wireshark\\tshark.exe\" -i 1 -p -l -T pdml -f \"dst port 80\" -R \"ip.addr==172.17.195.56\"";

        FILE* stream = NULL;
        errno_t err = _wfreopen_s(&stream, L"C:\\temp\\cswuyt_test.xml", L"w", stdout);
        if (err != 0)
        {
            std::cerr << "error" << std::endl; // stdout may already be the file, so report on stderr
            return;
        }

        // After the freopen the CRT has pointed STD_OUTPUT_HANDLE at the file.
        HANDLE hStd = ::GetStdHandle(STD_OUTPUT_HANDLE);
        //BOOL bSet = ::SetHandleInformation(hStd, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);

        STARTUPINFOW stStartInfo;
        ZeroMemory(&stStartInfo, sizeof(STARTUPINFOW));
        stStartInfo.cb = sizeof(STARTUPINFOW);
        stStartInfo.dwFlags = STARTF_USESTDHANDLES; // needed for hStdOutput/hStdError to be honoured
        stStartInfo.hStdInput = ::GetStdHandle(STD_INPUT_HANDLE);
        stStartInfo.hStdError = hStd;
        stStartInfo.hStdOutput = hStd;

        PROCESS_INFORMATION stProcInfo;
        ZeroMemory(&stProcInfo, sizeof(PROCESS_INFORMATION));

        // bInheritHandles = TRUE so the child can write to the redirected stdout.
        // CreateProcessW may modify the command-line buffer, hence the non-const copy.
        BOOL bSuccess = ::CreateProcessW(NULL, const_cast<wchar_t*>(strParam.c_str()),
                                         NULL, NULL, TRUE, 0, NULL, NULL,
                                         &stStartInfo, &stProcInfo);
        if (bSuccess)
        {
            // tshark keeps running with its inherited handle; we only drop our references.
            ::CloseHandle(stProcInfo.hProcess);
            ::CloseHandle(stProcInfo.hThread);
        }
        else
        {
            std::cerr << "CreateProcess failed: " << ::GetLastError() << std::endl;
        }
        ::fclose(stream);
    }
The demo above captures traffic between this machine and the host 172.17.195.56 on port 80 (the HTTP default port); tshark emits the dissected packets as PDML (XML) data, and the program stores it in a file. Note that some field values need to be converted from hex strings back to real strings, and gzip-compressed bodies may need to be decompressed.
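The post-processing step just mentioned (hex-decoding PDML field values and gunzipping compressed bodies) is shown below as an added example; it is not code from the original post. It assumes the PDML layout tshark emits with `-T pdml` (`<packet>` elements holding `<proto>` elements whose `<field>` children carry the raw bytes hex-encoded in a `value` attribute); the PDML document, host name and body are constructed sample data, with one value deliberately upper-cased to show that either case decodes.

```python
"""Parse tshark PDML (-T pdml) output: decode hex field values, gunzip bodies.

Added example, not code from the original post. Assumes tshark's PDML layout:
<packet> > <proto> > <field name="..." value="<hex bytes>"/> (fields nest).
"""
import binascii
import gzip
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Iterator, List, Tuple

GZIP_MAGIC = b"\x1f\x8b"
HTTP_FIELDS = {"http.host", "http.request.uri", "http.file_data"}


def decode_hex(hex_str: str) -> bytes:
    """Turn a PDML 'value' attribute (hex, upper or lower case) into raw bytes."""
    return binascii.unhexlify(hex_str.strip())


def maybe_gunzip(data: bytes) -> bytes:
    """Return the decompressed body if it is gzip-encoded, otherwise unchanged."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    return data


def extract_fields(pdml_text: str, wanted: Iterable[str]) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (packet_index, field_name, raw_bytes) for every wanted field.

    packet.iter() walks nested <field> elements too, because tshark nests
    sub-fields (e.g. http.host) under their parent field (http.request.line).
    """
    root = ET.fromstring(pdml_text)
    wanted = set(wanted)
    for idx, packet in enumerate(root.iter("packet")):
        for field in packet.iter("field"):
            name = field.get("name")
            value = field.get("value")
            if name in wanted and value:
                yield idx, name, decode_hex(value)


def summarize_http(pdml_text: str) -> List[Dict[str, bytes]]:
    """Group decoded http.* fields per packet; gunzip http.file_data when compressed."""
    packets: Dict[int, Dict[str, bytes]] = {}
    for idx, name, raw in extract_fields(pdml_text, HTTP_FIELDS):
        if name == "http.file_data":
            raw = maybe_gunzip(raw)
        packets.setdefault(idx, {})[name] = raw
    return [packets[i] for i in sorted(packets)]


def _hex(b: bytes) -> str:
    return binascii.hexlify(b).decode("ascii")


# Constructed sample PDML: one request packet and one gzip-encoded response body.
_HOST_LINE = b"Host: example.test\r\n"
_HOST = b"example.test"
_URI = b"/api/v1"
BODY = b'{"status":"ok"}'
_GZ_BODY = gzip.compress(BODY)

SAMPLE_PDML = f"""<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="http" showname="Hypertext Transfer Protocol">
      <field name="http.request.line" show="Host: example.test" value="{_hex(_HOST_LINE)}">
        <field name="http.host" show="example.test" value="{_hex(_HOST)}"/>
      </field>
      <field name="http.request.uri" show="/api/v1" value="{_hex(_URI)}"/>
    </proto>
  </packet>
  <packet>
    <proto name="http" showname="Hypertext Transfer Protocol">
      <field name="http.content_encoding" show="gzip" value="{_hex(b'gzip')}"/>
      <field name="http.file_data" show="[gzip body]" value="{_hex(_GZ_BODY).upper()}"/>
    </proto>
  </packet>
</pdml>
"""

if __name__ == "__main__":
    for pkt in summarize_http(SAMPLE_PDML):
        print({k: v.decode("utf-8", "replace") for k, v in pkt.items()})
```

To apply it to real output, read the file written by the program above (or `tshark -T pdml ... > capture.xml`) and pass its contents to `summarize_http`; the decoder only decompresses when the gzip magic bytes are present, so plain bodies pass through untouched.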
How to use Tshark (Wireshark) Capture tool in Linux