How to use Tshark (Wireshark) Capture tool in Linux

Source: Internet
Author: User
Tags mysql query

Under Linux, when we need to crawl network packet analysis, we usually use the Tcpdump crawl Network raw packet to a file, and then download it locally using the Wireshark Interface Network analysis tool for network packet analysis.
Only recently found that the original Wireshark also provided with the Linux command line tool-tshark. Tshark not only has the function of grasping the package, but also has the ability to parse various protocols. Here we introduce the Tshark tool in two instances.

1. Installation method

The code is as follows Copy Code
Centos:yum install-y Wireshark
Ubuntu:apt-get install-y Tshark

2. Print the URL of the current HTTP request (including the domain name) in real time

The code is as follows Copy Code

Tshark-s 512-i eth0-n-F ' TCP DST Port + '-R ' http.host and Http.request.uri '-t fields-e http.host-e http.request.u Ri-l | Tr-d ' \ t '

The following describes the meaning of the parameters:

-S 512: FETCH only the first 512 bytes of data
-I eth0: Capture eth0 Nic
-N: Prohibit network object name resolution
-F ' TCP DST port 80 ': only catch packets with protocol TCP, destination port 80
-R ' Http.host and Http.request.uri ': Filter out Http.host and Http.request.uri
-T fields-e http.host-e Http.request.uri: printing http.host and Http.request.uri
-L: Output to standard output
3. Print the current MySQL query statement in real time
Tshark-s 512-i eth0-n-F ' TCP DST Port 3306 '-R ' mysql.query '-t fields-e mysql.query
The following describes the meaning of the parameters:
-S 512: FETCH only the first 512 bytes of data
-I eth0: Capture eth0 Nic
-N: Prohibit network object name resolution
-F ' TCP DST Port 3306 ': only catch packets with protocol TCP, destination port 3306
-R ' Mysql.query ': Filter out Mysql.query
-T fields-e mysql.query: print MySQL query statement
Tshark uses-f to specify a catch packet filter rule, as with tcpdump, which can be checked by command man Pcap-filter.
The Tshark uses-R to filter the captured package, which is consistent with the upper-left corner of the interface board Wireshark.

Example

The code is as follows Copy Code

std::string decodehex (const std::string& strhex)
{
    int nlen = Strhex.length ()/2;
    std::string strret (nlen, 0);
    for (int i = 0; I! = Nlen; ++i)
    {
      & nbsp Strret[i] = ((strhex[2*i]>= ' a ')? (strhex[2*i]-' A ' +10): (strhex[2*i]-' 0 ')) * 16;
        Strret[i] + = (strhex[2*i+1]>= ' a ')? (strhex[2*i+1]-' A ' +10): (strhex[2*i+1]-' 0 ');
   }
    return strret;
}

void Cswuyg_test_tshark ()
{
    std::wstring strparam =  L "\" C:\\Program Files\\wireshark\\tshark.exe\ "-I 1-p-l-t pdml-f\" DST Port 80\ "-r\" ip.addr==172.17.195.56\ "";
    file* stream = NULL;
    errno_t err = _wfreopen_s (&stream, L "C:\\temp\\cswuyt_test.xml", L "w", stdout);
    if (err! = 0)
    {
        std::cout << "error" << Std::endl;
   }

    HANDLE hstd =:: GetStdHandle (Std_output_handle);
   //bool bSet =:: Sethandleinformation (HSTD, Handle_flag_inherit, Handle_flag_inherit);
    startupinfo Ststartinfo;
    ZeroMemory (&ststartinfo, sizeof (STARTUPINFO));
    STSTARTINFO.CB = sizeof (startupinfo);  
    ststartinfo.hstderror = HSTD;
    ststartinfo.hstdoutput = hstd;
    process_information stprocinfo; 
    ZeroMemory (&stprocinfo, sizeof (process_information));
    BOOL bsuccess =:: CreateProcess (NULL, const_cast<wchar_t*> (STRPARAM.C_STR ()), NULL, NULL , TRUE, 0, NULL, NULL, &ststartinfo, &stprocinfo);  
   :: CloseHandle ( stprocinfo.hprocess);
   :: CloseHandle (Stprocinfo.hthread);
   :: fclose (Stream);
}

On the top of the demo for the crawl with the IP address of 172.17.195.56, the port is a (HTTP default port) of the machine communication, Tshark will provide the package after parsing the XML data, the program stores it to a file. Note that some data needs to be converted from a hex string to a real string, and there may be a need for gzip decompression.

How to use Tshark (Wireshark) Capture tool in Linux

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.