Use of Tshark

Wireshark

Wireshark all commands under Linux Wireshark contain multiple commands for processing messages.

Editcap

Editcap, you can filter the contents of the Pcap file through rules and save the filtered results to a new file.

Syntax: editcap [options] ... <infile> <outfile> [<packet#>[-<packet#>] ...]

Reference official website: Editcap-edit and/or translate the format of capture files

Common command-line arguments

-C <packets per file> split the packet output to different files based on uniform packet counts

-I <seconds per File> split the message file at a time interval.

-A <start time> Select the start time of the output message (format: YYYY-MM-DD HH:MM:SS)

-B <stop time> Select the end time of the output message (format: YYYY-MM-DD HH:MM:SS)

-R Reverse Selection operation

Split file

The #将pcap file is split into multiple files with the same number of packets,< output-prefix >-nnnn form the name of the output file.

Editcap-c <packets-per-file><input-pcap-file><output-prefix>

#按照秒数分割报文文件, <output-prefix>_ nnnnn form name output file.

Editcap-i <seconds-per-file><input-pcap-file><output-prefix>

Editcap i.pcap o.pcap #提取i. Pcap in the 10th message to O.PACP.

Editcap–r I.pcap o.pcap All messages except the 10th message in Pcap to O.PACP.

Editcap i.pcap o.pcap 401-500 #提取i. Pcap all messages except 401 to 500 are in O.PACP.

Editcap-r i.pcap o.pcap 401-500 #提取i. Pcap No. 401 to No. 500 a total of 100 messages to O.pcap.

Use of Tshark

The Linux version of the Wireshark command is Tshark, which can be used to grab messages or parse messages, just like the Windows version of Wireshark. Only the command Tshark is used in Linux.

Tshark using syntax: Tshark [Options] ...

Parsing message Examples

To grab a message using the tcpdump command:

Tcpdump tcp-i eth1-t-S 0-c and SRC port 80-w target.pcap #注意一定要使用-W parameter

The generated Target.pcap message file can be parsed using the Tshark command:

Tshark–r target.pcap-a filesize:10 #简单解析10K内容, show source/destination, Ip,seq,len, message type.

Tshark–r target.pcap-a filesize:10–v #解析10K内容, as detailed as possible, does not display 16 binary content,

Tshark–r target.pcap-a filesize:10–x–v #详细解析10K内容, displaying 16 binary and Asii code content.

Tshark commonly used parameters

Tshark Command Parameters Tshark Official website filter Syntax Displayfilters capturefilters

Display Filter Reference

-R <infile> file to be parsed, cannot be a pipe and console input, must be a standard format file.

-S <snaplen> Specifies the maximum length of the packet to fetch (that is, the pre-Snaplen byte). Default Maximum 65535

-I <interface> specify the network interface. such as-I. eth0

-N/-NN prohibit network object name resolution

-F <capture filter> the filter condition of the clutch. such as-f ' TCP DST Port 3306 ' only fetches TCP packets for destination port 3306

-R <read filter> Parse (display) filter condition. The conditions that follow it should be placed in single quotes.

-X is displayed in 16 binary and Asii codes when parsing.

-W writes the captured data to the file filename.

-Q Quiet, the most useful when remote, otherwise you will catch your own SSH messages.

-T indicates the format of the output at parse time, usually text, which is also the default format. It can also be fields, indicating that a field is displayed.

-e indicates that a domain is displayed. For example:-t fields-e frame.time #-T fields must have

-C <packet count> Specifies the number of packets fetched, which is unlimited by default.

-A <autostop cond> set the stop condition. duration:num-duration of seconds; filesize:num-message File Max KB, reached this value stop grabbing the packet or switch to the next file; files:num-If you switch files, the maximum number of files to toggle.

-B <ringbuffer opt> sets the conditions for switching files. duration:num-continuous NUM seconds switch to the next file; The Filesize:num file reaches num KB to switch to the next file; files:num-Switch NUM times and then start from the first (overwrite).

-Z <statistics> Statistics

-L refreshes the output instantly when processing each package

-t specifies which time to display. Ad-indicates the absolute time with the date; A-Indicates an absolute time without a date; R indicates the relative time from the first package to the present; D-Represents the incremental fetch time (delta) between two adjacent packets. Dd-represents the incremental display time (delta_displayed) between two adjacent packages. e-Timestamp (number of seconds since Jan 1, 1970 00:00:00). The default display relative time (-R). such as-t ad output: 2016-08-06 00:00:02.752400.

-e <field print option> output control. You must use-t fields. It has several options below.

Header=y|n whether to print header (the field name specified by-e) default n

separator=/t|/s|<character> Specifies the delimiter. /t--tab characters (default); /s--space; or a custom delimiter.

Quote=d|s|n indicates whether to use quotation marks (D-double quotes; s-single quotes; n-no quotation marks (default))

Common commands:

Tshark-r xxx.pcap-t ad-n-T text-a filesize:10240

Tshark-r xxx.pcap-t fields-e frame.time–n #仅显示到达时间,-t fields must have,-e indicates domain

Displays the specified field/-t fields-e field

The specified fields can be displayed, and the-T and-e parameters are required at this time.

Tshark-r xxx.pcap-t fields-e separator= '; '-t ad-nn-e ip.src-e tcp.srcport-e IP.DST #输出:

112.80.248.74;80;120.83.85.149 # split with semicolons

-R <read filter>/filter conditions

The arguments after-R are placed in single quotation marks (if the argument is simpler to omit single quotes), if a space appears in the argument, it needs to be placed in double quotation marks. For example:

Tshark–r xxxx.pcap-nn-r ' (Tcp.flags.syn = = 1 and Tcp.flags.ack = = 0) ' #输出:

712626 2016-08-06 06:45:56.311444 71.6.216.57-221.4.179.202 TCP 80 ...

Protocol filtering

Tshark-r 221.4.179.202_20160806000002.pcap-nn-r ' TCP ' # shows TCP messages

Tshark-r 221.4.179.202_20160806000002.pcap-nn-r ' http ' #显示http报文

Tshark-r 221.4.179.202_20160806000002.pcap-nn-r ' tcp.port eq ' #端口为80的tcp报文.

Tshark-r 221.4.179.202_20160806000002.pcap-nn-r ' ip.src_host = = "221.4.179.202" '-t ad #ip

In the case of IP, there are mainly the following fields:

Ip.host/ip.src_host/ip.dst_host # String, such as-r ' ip.src_host = = "221.4.179.202" '

Ip.addr/ip.src/ip.dst #不是字符串, but an IP address integer (unconfirmed)

-R <read filter>/time filter

Tshark can use the frame field when parsing a message, refer to Protocol field name:frame, such as:

Frame.cap_len,frame.protocols,frame.ref_time,frame.time,fame.time_delta, etc.

Several times (command: tshark-r xxx.pcap-n–v output)

Arrival Time:aug 4, 00:00:03.026699000 # Frame.time

[Time Delta from previous captured frame:0.063950000 seconds]# Frame.time_delta

# frame.time_delta_displayed

[Time delta from previous displayed frame:0.063950000 seconds]

[Time since reference or first frame:0.170489000 seconds] # Frame.ref_time

Fame.time_delta is the fetch offset time relative to the first message in the (file), using the command:

Tshark-r xxx.pcap-r frame.time_delta== ' 0.021231 '-t ad-n-t Text–v #输出的内容有:

[Time Delta from previous captured frame:0.021231000 seconds] #抓取偏移时间

Parameter-R frame.time_delta== ' 0.021231 ' can find corresponding message based on offset time

Fame.time_delta_displayed is relative to the display offset time of the first message in the (file), using the command:

Tshark-r xxx.pcap-r frame.time_delta_displayed== ' 0.021231 '-t ad-n-t Text–v #输出有:

[Time delta from previous displayed frame:0.063950000 seconds] #显示偏移时间

The parameter-R frame.time_delta_displayed== ' 0.063950000 ' can find the corresponding message according to the offset time.

Frame.time is the arrival time (absolute time) of the message, using the command:

Tshark–r xxx.pcap-r ' frame.time = = "04,2016 00:00:02.856210000" '-n-t text–v

Arrival Time:aug 4, 00:00:02.856210000 #输出的内容可以找到这一行

Note that the value on the right side of the-r = = is a time, with a space in the middle, and double quotation marks are required. The arguments after-R require a user single quote, and of course, parameters can be multiple, such as:

Tshark-r xxx.pcap-r ' (frame.time = = "04,2016 00:00:02.856210000") | | (Frame.time = = "4, 2016 00:00:02.909820000") '-n-t Text #-R is followed by 2 parameters, with parentheses available for each parameter

This article is from the "01 Small Build" blog, please make sure to keep this source http://jetyi.blog.51cto.com/1460128/1837248

Use of Tshark