Tags: add com extern chain linux within field rip guid
https://github.com/pocc/tshark.dev
Most Wireshark documentation focuses on the GUI. In its many forms, it spans two Wireshark guides, multiple forums, a wiki, man pages, developer email chains, and so on. That is not to say the existing documentation is not good; you will find what you are looking for eventually.
Being outside of the Wireshark project allows this website to cover topics that are external to it. Depending on the article, this can range from scripting with bash to example usage of other programs. Tshark.dev and the Wireshark docs are related but differ in their scope.
When I’ve done that sort of thing before, I typically use tshark to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:
tshark -r mysample.pcapng.gz -2 -Tfields -eip.src -eip.dst -eframe.protocols
With that command line, you’ll get exactly those fields, but be aware that some lines, such as those with ARP packets, won’t have IP addresses (because they’re not IP packets), and that IPv6 packets won’t show IP addresses because those field names (ip.src and ip.dst) are only for IPv4. Here’s sample output from a capture file I happened to have handy:
10.68.40.152 224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.119 255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc
10.68.40.119 10.68.41.255 eth:ethertype:ip:udp:db-lsp-disc
eth:ethertype:arp
10.68.40.152 224.0.0.252 eth:ethertype:ip:udp:dns
10.68.40.65 10.68.41.255 eth:ethertype:ip:udp:nbns
eth:ethertype:ipv6:ipv6.nxt:udp:dns
eth:ethertype:ipv6:ipv6.nxt:udp:dns
If you’d prefer to eliminate the non-IPv4 packets, just add a filter:
tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols
Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:
|sort -n |uniq -c |sort -n
You’ll get a list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.
I think you’ll have to use tshark for this. One potential solution might be:
`tshark -r file.pcap -Y ip -T fields -e ip.src -e ip.dst -e _ws.col.Protocol | sort | uniq`
Note: If you want protocol numbers instead of protocol names, substitute -e ip.proto for _ws.col.Protocol, or use both if you prefer that.
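Both answers above pipe tshark -T fields output through sort and uniq. The following is an added example, not code from either answer or from the tshark.dev project: it runs that pipeline over a constructed copy of the first answer's sample output (so no capture file is needed) and drops the rows whose ip.src is empty, which is the post-hoc equivalent of the -R ip / -Y ip filter both answers mention. The sample_fields, count_flows and top_flow helpers are my own names.

```shell
#!/bin/sh
# Constructed sample of `tshark -r x -2 -T fields -e ip.src -e ip.dst -e frame.protocols`
# output. -T fields separates fields with a tab, and frames that are not IPv4
# (ARP, IPv6) leave ip.src and ip.dst empty.
sample_fields() {
    printf '%s\t%s\t%s\n' \
        10.68.40.152 224.0.0.252     eth:ethertype:ip:udp:dns \
        10.68.40.119 255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc \
        10.68.40.119 10.68.41.255    eth:ethertype:ip:udp:db-lsp-disc \
        ''           ''              eth:ethertype:arp \
        10.68.40.152 224.0.0.252     eth:ethertype:ip:udp:dns \
        10.68.40.65  10.68.41.255    eth:ethertype:ip:udp:nbns \
        ''           ''              eth:ethertype:ipv6:ipv6.nxt:udp:dns \
        ''           ''              eth:ethertype:ipv6:ipv6.nxt:udp:dns
}

# Count each unique (ip.src, ip.dst, frame.protocols) combination, least
# frequent first. By default rows with an empty ip.src are dropped, which is
# what adding `-R ip` to the tshark command would have done; pass 1 as the
# first argument to keep the ARP and IPv6 rows as well.
# Output lines look like: "<count> <src> <dst> <protocols>".
count_flows() {
    awk -F'\t' -v keep="${1:-0}" 'keep == "1" || $1 != ""' \
        | sort | uniq -c | sort -n \
        | awk '{ $1 = $1; print }'   # squeeze the padding uniq -c adds
}

# Most frequent combination in the sample (the last line after sort -n).
top_flow() {
    sample_fields | count_flows | tail -n 1
}

top_flow   # prints: 2 10.68.40.152 224.0.0.252 eth:ethertype:ip:udp:dns
```

Replace sample_fields with the real tshark command from the answers above to run the same counting over a capture file.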
Original post: https://www.cnblogs.com/chucklu/p/13629420.html