码迷,mamicode.com
首页 > 其他好文 > 详细

tshark

时间:2020-09-17 17:51:00      阅读:31      评论:0      收藏:0      [点我收藏+]

标签:add   com   extern   chain   linux   within   field   rip   guid   

https://tshark.dev/

https://github.com/pocc/tshark.dev

How Is This Different from Wireshark Docs?

Most Wireshark documentation focuses on the GUI. In its many forms, it spans two Wireshark guides, multiple forums, a wiki, man pages, developer email chains, etc. That is not to say the existing documentation is not good. You will find what you are looking for eventually.

Being outside of the Wireshark project allows this website to cover topics that are external to it. Depending on the article, this can vary from scripting with bash or example usage of other programs. Tshark.dev and Wireshark docs are related but differ in their scopes.

 

 

Wireshark Display Filter for Unique Source/Destination IP and Protocol

When I‘ve done that sort of thing before, I typically use tshark to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:

tshark -r mysample.pcapng.gz -2 -Tfields -eip.src -eip.dst -eframe.protocols

With that command line, you‘ll get exactly those fields, but be aware that some lines, such as those with ARP packets, won‘t have IP addresses (because they‘re not IP packets), and that IPv6 packets won‘t show IP addresses because those field names (ip.src and ip.dst) are only for IPv4. Here‘s sample output from a capture file I happened to have handy:

10.68.40.152    224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.119    255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc
10.68.40.119    10.68.41.255    eth:ethertype:ip:udp:db-lsp-disc
        eth:ethertype:arp
10.68.40.152    224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.65 10.68.41.255    eth:ethertype:ip:udp:nbns
        eth:ethertype:ipv6:ipv6.nxt:udp:dns
        eth:ethertype:ipv6:ipv6.nxt:udp:dns

If you‘d prefer to eliminate the non-IPv4 packets, just add a filter:

tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols

Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:

|sort -n |uniq -c |sort -n 

You‘ll get list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.

 

 

Wireshark Display Filter for Unique Source/Destination IP and Protocol

I think you‘ll have to use tshark for this. One potential solution might be:

`tshark -r file.pcap -Y ip -T fields -e ip.src -e ip.dst -e _ws.col.Protocol | sort | uniq`

Note: If you want protocol numbers instead of protocol names, substitute -e ip.proto for _ws.col.Protocol, or use both if you prefer that.

 

tshark

标签:add   com   extern   chain   linux   within   field   rip   guid   

原文地址:https://www.cnblogs.com/chucklu/p/13629420.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!