Last updated: 2019-11-05
Introduction
Dump and analyze network traffic (tcpdump only dumps; tshark also decodes the protocols, like a command-line Wireshark)
Install
yum install tshark
apt-get install tshark
Opts
-i <interface> # This option can occur multiple times.
-f <capture filter> # packet filter in libpcap filter syntax
-s <snaplen> # packet snapshot length, bytes captured per packet (default: 65535)
-l # Flush the standard output after the information for each packet is printed.
-t ad|a|r|d|dd|e # Set the format of the packet timestamp printed in summary lines.
ad # absolute with date: 2016-08-26 11:40:49.214707
a # absolute, no date displayed
r # relative to the first packet
d # delta since the previous captured packet
dd # delta since the previous displayed packet
e # epoch seconds: 1472182898.632624
-n # Disable network object name resolution (hostnames, TCP and UDP port names); avoids DNS lookups during capture
-R <read filter>
syntax of read/display filters, rather than that of capture filters
applied during the first pass of analysis; requires two-pass mode (-2)
Packets not matching the filter are not considered for later passes
-Y <display filter>
syntax of read/display filters, rather than that of capture filters
applied before printing a decoded form of packets or writing packets to a file
(only packets matching the filter are printed or written to the file)
-x # Cause TShark to print a hex and ASCII dump of the packet data after printing the summary and/or details
# Packet 1: TCP SYN from 192.168.88.150:53914 to 172.217.161.163:80 (TCP flags 0xa0 0x02 at offset 0x2e)
0000 90 f6 52 bc 49 d3 f8 d1 11 b5 20 ea 08 00 45 00 ..R.I..... ...E.
0010 00 3c d2 a8 40 00 40 06 00 58 c0 a8 58 96 ac d9 .<..@.@..X..X...
0020 a1 a3 d2 9a 00 50 c7 bd 78 83 00 00 00 00 a0 02 .....P..x.......
0030 72 10 67 ea 00 00 02 04 05 b4 04 02 08 0a 5f 70 r.g..........._p
0040 ff d9 00 00 00 00 01 03 03 07 ..........
# Packet 2: the SYN/ACK reply (flags 0xa0 0x12)
0000 f8 d1 11 b5 20 ea 90 f6 52 bc 49 d3 08 00 45 00 .... ...R.I...E.
0010 00 3c 04 85 00 00 7a 06 d4 7b ac d9 a1 a3 c0 a8 .<....z..{......
0020 58 96 00 50 d2 9a 51 1e 7b 63 c7 bd 78 84 a0 12 X..P..Q.{c..x...
0030 eb 20 8f 06 00 00 02 04 05 64 04 02 08 0a 02 ed . .......d......
0040 24 76 5f 70 ff d9 01 03 03 08 $v_p......
Example
[1] Dump HTTP Host header and User-Agent
# -Y read/display filter (applied before printing a decoded form of packets or writing packets to a file)
# -T pdml|psml|ps|text|fields # Set the format of the output when viewing decoded packet data.
# -e <field> # with -T fields, names a field to extract; repeat -e once per field (output is tab-separated)
- pdml = Packet Details Markup Language
- psml = Packet Summary Markup Language
- fields = The values of the fields specified with the -e option
tshark -n -i vmbr0 -f 'tcp port 80' -T fields -e http.host -e http.user_agent
Output
www.google.com.hk curl/7.64.0
Remark
FTP: -T fields -e ftp.request.command -e ftp.request.arg
[2] Dump HTTPS server name (TLS SNI from the ClientHello)
tshark -n -i vmbr0 -f 'tcp port 443' \
-T fields -e ssl.handshake.extensions_server_name \
-Y 'ssl.handshake.extension.type == "server_name"'
# Without "-Y", every packet that carries no SNI field prints an empty line
# Wireshark/tshark 3.0 renamed the ssl.* fields to tls.*, e.g. tls.handshake.extensions_server_name
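The two extraction commands above print one line per packet, so the useful next step is to turn that stream into a count of which hosts the machine talked to. The script below is an added example (not part of the original notes): it assumes the tab-separated, one-line-per-packet output of `tshark -T fields`, drops the empty lines that appear when no `-Y` filter is given, and ranks the host names by frequency. The sample input is constructed to look like SNI output; when run with `--live <iface>` on a box that has tshark, it captures instead, using the tls.* field names of Wireshark 3.x (substitute ssl.* on older versions).

```shell
#!/bin/sh
# Added example: post-process `tshark -T fields` output into a host frequency table.
# Assumption: one packet per line, fields tab-separated, empty line when the
# requested field is absent (what tshark prints without a -Y filter).

# count_hosts: read fields output on stdin, skip empty lines, print "count<TAB>host",
# most frequent first (ties broken alphabetically).
count_hosts() {
  awk -F'\t' '$1 != "" { n[$1]++ } END { for (h in n) printf "%d\t%s\n", n[h], h }' \
    | sort -k1,1nr -k2,2
}

# top_host: the single most frequently seen host name.
top_host() {
  count_hosts | head -n 1 | cut -f2
}

# Constructed sample of what
#   tshark -n -i vmbr0 -f 'tcp port 443' -T fields -e tls.handshake.extensions_server_name
# prints without -Y: one empty line for each packet that is not a ClientHello.
SAMPLE='www.google.com.hk

www.google.com.hk

example.org
'

if [ "${1:-}" = "--live" ] && command -v tshark >/dev/null 2>&1; then
  # Live capture: tls.handshake.type == 1 keeps only ClientHello packets,
  # so no empty lines are produced in the first place.
  tshark -n -i "${2:-eth0}" -f 'tcp port 443' \
    -Y 'tls.handshake.type == 1' \
    -T fields -e tls.handshake.extensions_server_name | count_hosts
else
  printf '%s' "$SAMPLE" | count_hosts
fi
```

The same pipeline works for the HTTP example by feeding it `-e http.host` output, and for a saved capture by replacing `-i <iface>` with `-r <file>.pcap`.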
Save packets to a file
# Write (default output format is pcapng; add "-F pcap" for a legacy pcap file)
tshark -n -i vmbr0 -f 'tcp port 443' -w 443.pcap
file 443.pcap
443.pcap: pcap-ng capture file - version 1.0
# Read (the -Y / -T fields options work the same way on a saved file)
tshark -nr 443.pcap