XTY Blog | Linux Ops Docs | SRE

18.1.0: 网络抓包 - wireshark

29 Dec 2014

1.0 wireshark

wireshark是一个很强大的抓包分析图形工具，同时也可以用来分析tcpdump抓包的结果。至于图形工具如何使用，这里不做过多介绍，使用很简单，很直观。

1.1 命令：tshark(wireshark)-非重点

作用：也是一个抓包工具

安装：yum install -y wireshark

参数：

-c 次数 - 采集次数，不代表采集到的包个数
-i interface - 指定网卡
-w outfile - 把结果输出到文件
-r infile - 读取已采集到的文件
-n - 禁用网络对象名称的解析，例如(hostname,tcp and udp port),-N会覆盖此参数
-N 解析标识符
- m - 启用MAC地址解析
- n - 启用网络地址解析
- t - 启用transport-layer端口号解析
- C - 启用DNS解析
-t 抓包时间标识符”
- ad - 包被抓到的绝对时间+日期
- a - 包被抓到的绝对时间
- r - (默认)与抓到的第一个包的相对时间
- d - 与前一个包的相对时间
- dd - 与前一个displayed包的相对时间
- e - 从新纪元epoch(Jan 1, 1970 00:00:00)到包被抓到时的秒数间隔
-T pdml|psml|ps|text|fields
- pdml - packet details markup language, xml based format for the details of a decoded packet
- psml - packet summary markup language, xml based format for the summary information of a decoded packet
- ps - postscript for a human-readable one-line summary of each of the packets
- text - text of a human-readable one-line summary of each of the packets
- fields - 用-e来指定显示的字段内容，-E来指定字段格式
-R <read (display) filter>

用法示例：

# -c参数指定的是read的行数，而不是capture的包数
tshark -c 10 -n -t a -R http.request -T fields -E separator=, -E quote=d -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
"May 18, 2016 09:18:25.633553619","10.10.180.5","239.255.255.250:1900","M-SEARCH","*"
1 packet captured

# 采集100个raw包信息到文件中
tshark -c 100 -w somepackages.cap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
100

# 用固定的格式来从上面的文件中读取10个包
tshark -c 10 -n -t a -T fields -E separator=, -E quote=d -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri" -r somepackages.cap
Running as user "root" and group "root". This could be dangerous.
"May 18, 2016 09:45:58.079852738","10.10.180.24",,,
"May 18, 2016 09:45:58.104581732","10.10.180.13",,,
"May 18, 2016 09:45:58.129686402","10.10.180.13",,,
"May 18, 2016 09:45:58.130439508","10.10.190.15",,,
"May 18, 2016 09:45:58.579824205","10.10.180.24",,,
"May 18, 2016 09:45:58.580003235","10.10.180.17",,,
"May 18, 2016 09:45:58.630626790","10.10.180.13",,,
"May 18, 2016 09:45:58.745632745","10.10.180.13",,,
"May 18, 2016 09:45:58.756622638","61.14.162.1",,,
"May 18, 2016 09:45:58.766094659","10.10.180.13",,,

# 不指定格式读取
tshark -c 10 -n -t a -r someP.cap
Running as user "root" and group "root". This could be dangerous.
  1 09:51:00.205546368  10.10.180.1 -> 224.0.0.5    OSPF 90 Hello Packet
  2 09:51:00.246736322 10.10.190.15 -> 10.10.180.13 TCP 60 60034 > 57345 [ACK] Seq=1 Ack=1 Win=16217 Len=1
  3 09:51:00.246753472 10.10.180.13 -> 10.10.190.15 TCP 66 57345 > 60034 [ACK] Seq=1 Ack=2 Win=251 Len=0 SLE=1 SRE=2
  4 09:51:00.267028716 10.10.180.24 -> 228.0.0.5    UDP 119 Source port: 45565  Destination port: 45565
  5 09:51:00.313430399 10.10.250.13 -> 10.10.180.13 TCP 60 55919 > 54573 [ACK] Seq=1 Ack=1 Win=256 Len=1
  6 09:51:00.313437636 10.10.180.13 -> 10.10.250.13 TCP 66 54573 > 55919 [ACK] Seq=1 Ack=2 Win=255 Len=0 SLE=1 SRE=2
  7 09:51:00.764243574 10.10.180.13 -> 61.14.162.1  ICMP 74 Echo (ping) request  id=0x0003, seq=59440/12520, ttl=64
  8 09:51:00.765282788 10.10.180.17 -> 10.10.180.13 SSH 118 Encrypted response packet len=64
  9 09:51:00.767178227 10.10.180.24 -> 228.0.0.5    UDP 119 Source port: 45565  Destination port: 45565
 10 09:51:00.773431609  61.14.162.1 -> 10.10.180.13 ICMP 74 Echo (ping) reply    id=0x0003, seq=59440/12520, ttl=247


# 发现读取到的很多字段是空，若我们按读取的格式来写入文件，然后在读取
# 试验后发现结果跟上面是一样的，以后研究，非重点

只讲了这一个用法：
tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
可抓出时间，来源ip，做了哪些请求（head、get和post）

最新文章

文章分类

18.1.0: 网络抓包 - wireshark

1.0 wireshark

1.1 命令：tshark(wireshark)-非重点