Wireshark-tshark

wireshark 指令模式 => tshark

Windows 及Linux 可至安裝目錄執行>tshark

tshark.exe -i 7(利用-D找要的介面代號)

輸出json版本需要2.2以上,Centos需要原碼安裝

ubuntu===============================================================

sudo apt-add-repository ppa:wireshark-dev/stable
sudo apt-get update
sudo apt-get install wireshark

sudo dpkg-reconfigure wireshark-common

Centos7===============================================================

SUDO YUM INSTALL BISON FLEX GTK3-DEVEL QT-DEVEL GCC-C++ LIBPCAP-DEVEL C-ARES-DEVEL LIBSMI-DEVEL GNUTLS-DEVEL LIBGCRYPT-DEVEL KRB5-DEVEL GEOIP-DEVEL ORTP-DEVEL PORTAUDIO-DEVEL AUTOMAKE AUTOCONF LIBTOOL
TAR XF WIRESHARK*
CD /WIRESHARK*
./AUTOGEN.SH
./CONFIGURE –ENABLE-SETCAP-INSTALL
MAKE
SUDO MAKE INSTALL

===============================================================

tshark command

TShark (Wireshark) 2.2.4 (v2.2.4-0-gcc3dc1b)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] …

Capture interface:
-i name or idx of interface (def: first non-loopback) #擷取介面 ex. -i ens160
-f packet filter in libpcap filter syntax #wireshark的capture 相同,可直接參考string指令


-s packet snapshot length (def: 65535)
-p don’t capture in promiscuous mode
-I capture in monitor mode, if available
-B size of kernel buffer (def: 2MB)
-y link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit

Capture stop conditions:
-c stop after n packets (def: infinite) #ex.-c 10 抓十個包
-a … duration:NUM – stop after NUM seconds
filesize:NUM – stop this file after NUM KB
files:NUM – stop after NUM files
Capture output:
-b … duration:NUM – switch to next file after NUM secs
filesize:NUM – switch to next file after NUM KB
files:NUM – ringbuffer: replace after NUM files
RPCAP options:
-A : use RPCAP password authentication
Input file:
-r set the filename to read from (- to read from stdin) #讀pcap檔

Processing:
-2 perform a two-pass analysis #參考下面例子
-R packet Read filter in Wireshark display filter syntax#與wireshark Filter功能相同,與其他分析結合需要加-2

EX:查RTO的封包: ./tshark -r /tmp/packets.pcap -2 -R “tcp.analysis.retransmission"

-Y packet displaY filter in Wireshark display filter
syntax #與-R相同功能更強大?
-n disable all name resolutions (def: all enabled)
-N enable specific name resolution(s): “mnNtCd"
-d ==, …
“Decode As", see the man page for details
Example: tcp.port==8888,http
-H read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
–disable-protocol disable dissection of proto_name
–enable-heuristic
enable dissection of heuristic protocol
–disable-heuristic
disable dissection of heuristic protocol
Output:
-w <outfile|-> write packets to a pcap-format file named “outfile" #存檔成pcap,相關-T
(or to the standard output for “-“)
-C start with specified configuration profile
-F set the output file type, default is pcapng
an empty “-F" option will list the file types
-V add output of packet tree (Packet Details) #顯示封包樹狀詳細內容
-O Only show packet details of these protocols, comma
separated
-P print packet summary even when writing to a file
-S the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|ek|text|fields #存檔成其他格式,相關-w
format of text output (def: text)
-j protocols layers filter if -T ek|pdml|json selected,
(e.g. “http tcp ip",
-e field to print if -Tfields selected (e.g. tcp.port,
_ws.col.Info)
this option can be repeated to print multiple fields
-E= set options for output when -Tfields selected:
bom=y|n print a UTF-8 BOM
header=y|n switch headers on and off
separator=/t|/s| select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s| select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first) #轉時間格式 EX: ad是  2017-09-05 14:28:08
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics) #配合-z 可只顯示分析結果
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
-W n Save extra information in the file, if supported.
n = write network address resolution information
-X : eXtension options, see the man page for details
-U tap_name PDUs export mode, see the man page for details
-z various statistics, see the man page for details #使用內建的統計分析

EX統計IP:  -z conv,ip

EX2統計tcp  Conversations status:  -z conv,tcp


–capture-comment
add a capture comment to the newly created
output file (only for pcapng)

Miscellaneous:
-h display this help and exit
-v display version info and exit
-o : … override preference setting
-K keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report="fields"
use “-G ?" for more help

Reference:

https://sharkfest.wireshark.org/sf17

http://network.51cto.com/art/201509/490498.htm

新版本wireshark tshark使用的更多相关文章

  1. wireshark自动化之tshark命令行

    tshark是wireshark安装目录下命令行工具 使用tshark可以通过自动化方式调用wireshark tshark -a duration:30 抓包30秒-w cap.cap 保存为cap ...

  2. centos Linux系统日常管理2 tcpdump,tshark,selinux,strings命令, iptables ,crontab,TCP,UDP,ICMP,FTP网络知识 第十五节课

    centos  Linux系统日常管理2  tcpdump,tshark,selinux,strings命令, iptables ,crontab,TCP,UDP,ICMP,FTP网络知识 第十五节课 ...

  3. Debian 7 安装 wireshark

    安装过程很简单: $ sudo apt-get install wireshark 其中会弹出一个对话框: ┌─────────────────────┤ Configuring wireshark- ...

  4. 抓包工具tshark使用备忘

         抓包命令行工具tshark可以用于自定制,相比GUI工具可以实现一些自动化,譬如把某些关注的数据抓起下来存放到文本中,然后再分析输出.      demo: std::string deco ...

  5. tcpdump VS tshark用法(转)

    Tcpdump是网络协议分析的基本工具.tshark是大名鼎鼎的开源网络协议分析工具wireshark (原名叫ethereal)的命令行版本,wireshark可对多达千余种网络协议进行解码分析.W ...

  6. Lua语言在Wireshark中使用(转)

    1.       检查Wireshark的版本是否支持Lua 打开Wireshark,点击“HelpàAbout Wireshark”菜单,查看弹出的对话框,如果有“with Lua 5.1”表示支持 ...

  7. wireshark filter manualpage

    NAME wireshark-filter - Wireshark filter syntax and reference SYNOPSIS wireshark [other options] [ - ...

  8. python3+pyshark读取wireshark数据包并追踪telnet数据流

    一.程序说明 本程序有两个要点,第一个要点是读取wireshark数据包(当然也可以从网卡直接捕获改个函数就行),这个使用pyshark实现.pyshark是tshark的一个python封装,至于t ...

  9. 最有用的Linux命令行使用技巧集锦

    最近在Quora上看到一个问答题目,关于在高效率Linux用户节省时间Tips.将该题目的回答进行学习总结,加上自己的一些经验,记录如下,方便自己和大家参考. 下面介绍的都是一些命令行工具,这些工具在 ...

随机推荐

  1. 利用STM32CubeMX来生成USB_HID_Mouse工程【添加ADC】(2)【非dma和中断方式】

    上回讲到怎么采集一路的adc的数据,这次我们来采集两路的数据. 现在直接修改原先的代码 /* Private variables ----------------------------------- ...

  2. 一个基于typelist的typemap

    前面的typelist的e一个小扩展,http://www.cnblogs.com/flytrace/p/3551414.html. 可以插入pair<key_type, value_type& ...

  3. 学习vue容易忽视的细节

    1.对于自定义标签名(组件名称),Vue.js 不强制要求遵循 W3C 规则 (小写,并且包含一个短杠),尽管遵循这个规则比较好.HTML 特性是不区分大小写的.所以,当使用的不是字符串模板,came ...

  4. mysql 将行拼接成字符串的方法

    见代码: ;//保证可以拼接足够长的字符串,没它 数据量大时会截断结果1 group by videoType 效果如下:

  5. java的String的乱码浅析

    Java又乱码了,怎么办:乱码了说明编码与解码不一致导致.所以使用统一的编码方式即可. 本文并不是一定能解决乱码,本文主要用来了解jvm默认编码,以及string编码与解码一致性问题. jvm的默认编 ...

  6. 杂谈c.cpp

    Endl确保程序运行前刷新输出(将其立即显示在屏幕上),而’\n’却不能保证 在c++中,是以分号分割的,所以可以把几条代码放在一行,也可以把一条代码放在几行 编译器负责分配和标记内存的细节 C++可 ...

  7. win10 linux 子系统 所在 目录

    C:\Users\用户名\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\r ...

  8. ORA-20011 问题处理

    今天巡检发现alert中报如下错: ORA-20011: Approximate NDV failed: ORA-29913: error in executing ODCIEXTTABLEOPEN ...

  9. Mac 日常使用tips

    20180725: windows标准的键盘连接了mac如何映射键盘?最大的好处是可以向后删除,还可以一键PageUP, PageDown ref: https://support.apple.com ...

  10. c# JSON格式转对象

    using Newtonsoft.Json; List<string> ChapterIdList = JsonConvert.DeserializeObject<List<s ...