Wireshark / tshark study notes


Introduction to Wireshark

Wireshark is an open-source network protocol analyzer that captures,
dissects and visualizes packets on a network. It runs on Windows, macOS
and Linux and offers an intuitive user interface with a rich feature set.
By capturing traffic it can inspect and decode a wide range of protocols
(TCP/IP, HTTP, DNS and many more), which helps network administrators,
security analysts and developers locate and fix network problems quickly.
It is very widely used and extremely valuable for diagnosing and studying
network traffic.

Introduction to tshark

TShark is the command-line network protocol analyzer that ships as part of
the Wireshark package. It captures and analyzes packets from a terminal,
uses the same protocol dissectors and filter syntax as the GUI, and prints
detailed traffic information. That lets network administrators, security
researchers and developers do network troubleshooting, protocol analysis
and security monitoring on hosts that have no desktop. It is a powerful
and flexible tool that fits most network analysis scenarios.

Note

Many environments have no GUI, which makes analysis cumbersome,
so I wanted to learn the command-line analysis tool.

This is mainly about tshark. I hope it will be useful to me.

Overview of tshark options

tshark -i <interface>: capture packets on the given network interface.
tshark -r <file>: read packets from a capture file instead of a live interface.
tshark -Y <filter>: apply a display filter (Wireshark display-filter syntax) and show only matching packets.
tshark -w <file>: write the captured packets to a file (pcapng by default).
tshark -z <statistics>: compute and print statistics such as endpoints, conversations or the protocol hierarchy.
tshark -V: print the full dissected packet tree (Packet Details) for every packet.
tshark -T <format>: choose the output format, e.g. text, fields, JSON or PDML
         (Packet Details Markup Language).
tshark -h: print the built-in help with the complete list of options.

Two filters are easy to confuse: -f takes a capture filter in libpcap/BPF syntax and is
applied by the kernel before packets reach tshark, so it reduces load and cannot be
changed after the fact; -Y takes a display filter that is evaluated after full
dissection, so it can match protocol fields (http.host, mysql.query) but every packet
still has to be captured and dissected first.

Installing tshark

On Windows, install the regular Wireshark package; the command-line tools sit next to
the GUI, in a directory such as:
c:\WiresharkPortable64\App\Wireshark

On Linux the install is simple. On CentOS/RHEL 7:
yum install wireshark -y
is enough: the base wireshark package provides tshark (on newer Fedora/RHEL the
command-line tools are in wireshark-cli, on Debian/Ubuntu in the tshark package).

The help text below suggests enabling the kernel BPF JIT compiler:
echo 1 > /proc/sys/net/core/bpf_jit_enable
That only speeds up capture filters (-f) on busy links where packets are being dropped,
the help itself warns that it can make the system less secure, and the setting does not
survive a reboot. Leave it alone unless you have a measured packet-drop problem.

The "Running as user root ... This could be dangerous" warning in the help output is also
worth taking seriously: the protocol dissectors run inside the tshark process on whatever
traffic arrives, and dissector bugs are a regular subject of Wireshark security advisories.
The safer setup is to capture as an unprivileged user, giving only dumpcap the
cap_net_raw and cap_net_admin file capabilities (on Debian-derived systems,
dpkg-reconfigure wireshark-common plus membership in the wireshark group does this),
or to capture with dumpcap/tcpdump -w and analyze the file afterwards with tshark -r.

命令帮助

[root@k8sipv6 ~]# tshark -h
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 2.6.2 (v2.6.2)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: appropriate maximum)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  --time-stamp-type <type> timestamp method for interface
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           interval:NUM - create time intervals of NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)

Processing:
  -2                       perform a two-pass analysis
  -M <packet count>        perform session auto reset
  -R <read filter>         packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y <display filter>      packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol <proto_name>
                           enable dissection of proto_name
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
Output:
  -w <outfile|->           write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
                           separated
  -P                       print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J <protocolfilter>      top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z <statistics>          various statistics, see the man page for details
  --capture-comment <comment>
                           add a capture comment to the newly created
                           output file (only for pcapng)
  --export-objects <protocol>,<destdir> save exported objects for a protocol to
                           a directory named "destdir"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values
Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

Simple examples

tshark -Y mysql
Show only packets dissected as MySQL (by default, traffic on TCP port 3306).

Slightly more advanced examples:

HTTP: one line per request or response with the client/server address, Host header, method, URI and status code
tshark -f 'tcp' -n -i any -Y "http.request or http.response" -T fields -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri" -e http.response.code
(-T fields prints the -e fields separated by tabs. Each packet carries only one side of the
exchange, so request lines have an empty status-code column and response lines have empty
host/method/URI columns with ip.src being the server.)

MySQL: log queries and server errors, forcing the MySQL dissector onto port 3306 (change the port in both -f and -d if the server listens elsewhere)
tshark -f "port 3306" -n -d tcp.port==3306,mysql -T fields -e ip.src -e ip.dst -e mysql.query -e mysql.error_code -e mysql.error.message | tee sql-error.txt
Without a display filter this prints a (mostly empty) line for every packet on the port;
add -Y "mysql.query or mysql.error_code" to keep only the interesting ones, and add -l so
stdout is flushed after each packet instead of block-buffered when piped into tee. The
file holds full query text, so treat sql-error.txt as sensitive data.
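The -T fields output above is only useful once something summarizes it. The script below is an added example (my own, not code from the original page) that reads that tab-separated output on stdin and produces three views: requests per source address and method, a count of each response status code, and request URIs containing a directory-traversal sequence. The sample lines are constructed to match the five -e fields of the HTTP command above; the addresses and paths are invented.

```shell
#!/bin/sh
# Added example: summarize the tab-separated output of
#   tshark -n -i any -Y "http.request or http.response" -T fields \
#     -e ip.src -e http.host -e http.request.method -e http.request.uri -e http.response.code
# Columns: 1=ip.src 2=http.host 3=method 4=uri 5=status (tab is the default -T fields separator).
# Request rows have an empty column 5; response rows have empty columns 2-4.

# Constructed sample of such output (not a real capture; addresses and paths are made up).
sample_http_fields() {
  printf '10.0.0.5\twww.example.com\tGET\t/index.html\t\n'
  printf '93.184.216.34\t\t\t\t200\n'
  printf '10.0.0.5\twww.example.com\tPOST\t/login\t\n'
  printf '93.184.216.34\t\t\t\t401\n'
  printf '10.0.0.9\twww.example.com\tGET\t/admin/../../etc/passwd\t\n'
  printf '93.184.216.34\t\t\t\t404\n'
  printf '10.0.0.9\twww.example.com\tGET\t/admin/\t\n'
  printf '93.184.216.34\t\t\t\t403\n'
}

# Requests per (source IP, method), most active first; "count<TAB>ip<TAB>method".
# Only request rows (non-empty method column) are counted.
http_requests_by_src() {
  awk -F'\t' '$3 != "" { n[$1 "\t" $3]++ }
              END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -k1,1nr -k2,2 -k3,3
}

# Number of responses per HTTP status code, ascending by code; "count<TAB>code".
http_status_counts() {
  awk -F'\t' '$5 != "" { n[$5]++ }
              END { for (c in n) printf "%d\t%s\n", n[c], c }' | sort -k2,2n
}

# Request URIs containing "../" (directory-traversal attempts): "ip<TAB>method<TAB>uri".
http_flag_traversal() {
  awk -F'\t' '$4 ~ /\.\.\// { printf "%s\t%s\t%s\n", $1, $3, $4 }'
}

# Demo on the constructed sample. For live data pipe tshark in instead, e.g.
#   tshark -l -n -i any -Y "http.request or http.response" -T fields -e ... | http_flag_traversal
echo "== requests per source/method"; sample_http_fields | http_requests_by_src
echo "== status codes";               sample_http_fields | http_status_counts
echo "== traversal attempts";         sample_http_fields | http_flag_traversal
```

Feed a live run into any of the functions with a pipe; remember -l on the tshark side so lines arrive as packets do. The awk programs key only on the column positions, so the same pattern works for any set of -e fields once the column numbers are adjusted.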

Statistics

tshark -c 100000 -z endpoints,ip -q
Capture 100000 packets, suppress the per-packet lines (-q) and print the per-IP endpoints
table when the capture ends (-z endpoints,ip). Tx and Rx in the table are counted from each
listed endpoint's point of view.

Result:

Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
172.24.110.179               108         20394         54           14990          54            5404
100.100.2.136                 76          6782         38            4106          38            2676
100.100.30.26                 18         12110         10             608           8           11502
100.100.18.120                12          1352          5             630           7             722
120.192.10.181                 1            60          1              60           0               0
10.143.0.45                    1            90          0               0           1              90
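tshark only prints the endpoints table; ranking and triage are left to the reader. The script below is an added example (my own, not from the original page) that parses that text: it ranks endpoints by bytes transmitted, reports the share of all transmitted bytes held by the top N endpoints (a quick check for a single host dominating outbound traffic), and lists one-way endpoints, i.e. addresses that sent packets but never received any (unanswered inbound probes) or received packets but never sent any (hosts we contacted that never replied). The embedded sample is a copy of the table printed above.

```shell
#!/bin/sh
# Added example: triage the text table printed by `tshark -z endpoints,ip -q`.
# Data rows look like:  <address> Packets Bytes TxPackets TxBytes RxPackets RxBytes
# with Tx/Rx counted from that endpoint's point of view.

# Copy of the endpoints table from the run above (the only "real" data in this script).
sample_endpoints() {
  cat <<'EOF'
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
172.24.110.179               108         20394         54           14990          54            5404
100.100.2.136                 76          6782         38            4106          38            2676
100.100.30.26                 18         12110         10             608           8           11502
100.100.18.120                12          1352          5             630           7             722
120.192.10.181                 1            60          1              60           0               0
10.143.0.45                    1            90          0               0           1              90
EOF
}

# Keep only data rows: an IPv4/IPv6 address followed by six numeric columns.
# Skips the Filter:, header and banner lines tshark prints around the table.
endpoint_rows() {
  awk '$1 ~ /^[0-9A-Fa-f.:]+$/ && NF == 7 && $2 ~ /^[0-9]+$/'
}

# Endpoints by bytes transmitted, highest first: "addr<TAB>tx_bytes<TAB>rx_bytes".
endpoints_top_tx() {
  endpoint_rows | awk '{ printf "%s\t%s\t%s\n", $1, $5, $7 }' | sort -k2,2nr
}

# Percentage of all transmitted bytes that the top N transmitters account for.
endpoints_tx_share() {
  n=${1:-1}
  endpoint_rows | sort -k5,5nr |
    awk -v n="$n" '{ total += $5; if (NR <= n) top += $5 }
                   END { printf "%.1f\n", 100 * top / total }'
}

# One-way endpoints: Rx Packets == 0 means it only ever sent to us (probe/scan that
# got no answer); Tx Packets == 0 means we sent to it and it never replied.
endpoints_one_way() {
  endpoint_rows | awk '$4 == 0 || $6 == 0 {
    printf "%s\t%s\n", $1, ($6 == 0 ? "sent-only" : "received-only") }'
}

# Demo on the embedded table; for live data use e.g.
#   tshark -c 100000 -z endpoints,ip -q | endpoints_one_way
echo "== top transmitters";      sample_endpoints | endpoints_top_tx
echo "== share of tx bytes, top 1 (%)"; sample_endpoints | endpoints_tx_share 1
echo "== one-way endpoints";     sample_endpoints | endpoints_one_way
```

On the table above this shows 172.24.110.179 sending about three quarters of all transmitted bytes, 120.192.10.181 as a sent-only address (one 60-byte packet that was never answered) and 10.143.0.45 as received-only. The same row filter works for other -z reports with a similar layout, such as conv,tcp (per-connection totals) or io,phs (protocol hierarchy), after adjusting the column numbers.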

Brief summary

Learning over the holiday has been slow; I hope I still have time to keep studying.