Overview

Wireshark is the world's most widely used network protocol analyzer. It lets you dive into captured traffic and analyze what is going on within a network. Today, let's talk about how you can use Wireshark's command-line interface, Tshark, to accomplish similar results.

We will go through some example commands, so feel free to use a PCAP file to follow along! You can find some sample capture files here.

Getting started

Without an input file, Tshark simply acts like Tcpdump: it captures traffic from the first available network interface and prints its packets on standard output. Alternatively, you can use the "-r" flag to specify a network capture file.

tshark -r network.pcap

This way, Tshark prints the packets of the capture file on standard output. Let's take a look at a line of the output!

35 29.947879 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK

This may seem complicated, but remember that the command-line output of Tshark mirrors the Wireshark interface. The fields from left to right in the command-line output are:

Packet number, Time, Source, Destination, Protocol, Length, Info
35, 29.947879, 192.168.0.55, 192.168.0.91, HTTP, 423, HTTP/1.1 200 OK

The "Time" field shows when the packet was captured. The "Source" and "Destination" fields show the source IP and destination IP of that packet. The "Protocol" field displays the protocol used. The "Length" field shows the length of the packet. And finally, the "Info" field displays any additional information about the packet.

You can filter these packet summaries by piping Tshark's output into grep. For example, this command will output the packets whose summary contains a "200 OK" HTTP status line.

tshark -r network.pcap | grep "200 OK"

Exporting interesting packets

You can examine packet contents by exporting the objects they carry. Object exporting in Tshark lets you extract different types of packet data, such as HTTP and SMB objects. The syntax for exporting objects is as follows.

tshark -r network.pcap --export-objects PROTOCOL,DESTINATION_DIR

PROTOCOL specifies the export object type, while DESTINATION_DIR is the directory Tshark will use to store the exported files. For example, this command will export the files that were transferred over HTTP and store them in the "exported_files_dir" directory.

tshark -r network.pcap --export-objects http,exported_files_dir

Using packet filters

Just like in Wireshark, you can also filter packets based on certain criteria. Simply put your display filter in quotes at the end of the command.

tshark -r network.pcap "http.request.method == POST and http.file_data contains password"

The format of the filters that can be applied is identical to that in Wireshark. You can find a list of available filters here.

You can also specify the output format for the decoded packet data using the "-T" flag. For example, this command will display all HTTP GET requests in JSON format.

tshark -r network.pcap -T json "http.request.method==GET"

Finally, you can process the output from Tshark by piping it into other command-line tools such as grep.

Conclusion

This post only introduces a small fraction of what Wireshark and Tshark can do. They are versatile tools that are capable of performing many different types of analysis. If you are interested in learning more about these tools, visit their documentation here.

Thanks for reading! Follow me on Twitter here.

Translated from: https://medium.com/swlh/wireshark-in-the-command-line-103449080e19
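As an added example that is not part of the original post: a small POSIX shell script that parses Tshark's default summary lines (the Packet number / Time / Source / Destination / Protocol / Length / Info layout described under Getting started) with awk and tallies HTTP response codes per server, then flags servers that returned more than a given number of 401 responses. The sample lines are constructed to match that layout, and the function names are my own, not Tshark's.

```shell
#!/bin/sh
# Constructed sample of `tshark -r capture.pcap` summary output (not a
# real capture). Fields: packet no, time, source, arrow, destination,
# protocol, length, info. The arrow ("→" or "->" depending on locale)
# always occupies exactly one whitespace-separated field.
SAMPLE_SUMMARY='   35 29.947879 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK  (text/html)
   36 29.951002 192.168.0.91 → 192.168.0.55 HTTP 512 GET /login HTTP/1.1
   41 30.102233 192.168.0.55 → 192.168.0.91 HTTP 389 HTTP/1.1 401 Unauthorized  (text/html)
   42 30.110054 192.168.0.55 → 192.168.0.91 HTTP 389 HTTP/1.1 401 Unauthorized  (text/html)
   50 31.000001 10.0.0.7 → 192.168.0.91 TCP 66 443 → 51234 [ACK] Seq=1 Ack=1 Win=501 Len=0
   51 31.200400 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK  (text/html)'

# http_status_by_server: read summary lines on stdin, keep only HTTP
# responses (Info begins with "HTTP/1.x <3-digit code>"), and print
# "<source ip> <status> <count>", sorted so the output is stable.
http_status_by_server() {
    awk '
        # $3 = source, $6 = protocol, $8 = first Info token, $9 = second.
        # Requests ("GET /login HTTP/1.1") fail the $8 test and are skipped.
        $6 == "HTTP" && $8 ~ /^HTTP\/1\.[01]$/ && $9 ~ /^[1-5][0-9][0-9]$/ {
            count[$3 " " $9]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# servers_over_401_threshold N: print source IPs that sent at least N
# 401 Unauthorized responses, a simple signal for a credential-guessing
# burst against that server.
servers_over_401_threshold() {
    http_status_by_server | awk -v t="$1" '$2 == "401" && $3 + 0 >= t + 0 { print $1 }'
}

# Usage: tshark -r capture.pcap | http_status_by_server
printf '%s\n' "$SAMPLE_SUMMARY" | http_status_by_server
printf '%s\n' "$SAMPLE_SUMMARY" | servers_over_401_threshold 2
```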