使用tshark进行数据包分析

时间:2015-03-07 06:20:49   收藏:0   阅读:11634

 

选项说明Options


命令tshark -d <layer type>==<selector>,<decode-as protocol>

tshark -r vmx.cap -d tcp.port==446,http

命令注解

在一些分析中可能会遇到接口信息没有采用标准的类型所以可以通过-d选项将其解码为特定的协议。



命令

tshark -r vmx.cap -n -q -z conv,ip | more


输出

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.195.4.41          <-> 10.1.8.130             45659   7028815   51959  35447192   97618  42476007     0.000000000        59.9950
================================================================================


命令

tshark -r vmx.cap -n -q -z conv,tcp | more


输出

================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.1.8.130:48530     <-> 10.195.4.41:446           48     59974      20      2046      68     62020    33.202062959         0.4118
10.1.8.130:33358     <-> 10.195.4.41:446           23     25884      11      1519      34     27403    47.077873979         0.3215
10.1.8.130:38756     <-> 10.195.4.41:446           23     26021      11      1519      34     27540    38.824171939         0.3706
10.1.8.130:57689     <-> 10.195.4.41:446           23     25963      11      1520      34     27483    24.038616709         0.1452
10.1.8.130:50477     <-> 10.195.4.41:446           22     25872      12      1566      34     27438    23.735327709         0.2429
10.1.8.130:40895     <-> 10.195.4.41:446           22     25369      11      1538      33     26907    58.201053489         0.4079
10.1.8.130:36051     <-> 10.195.4.41:446           23     27147      10      1426      33     28573    52.082732009         0.3124


命令

tshark -r vmx.cap -q -n -t ad -z follow,tcp,ascii,10.1.8.130:56087,10.195.4.41:446 | more


输出

===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.1.8.130 and tcp.srcport eq 56087) and (ip.dst eq 10.195.4.41 and tcp.dstport eq 446)) or ((ip.src eq 10.195.4.41 and tcp.srcport eq 446) and (ip.dst eq 10.1.8.130 and tcp.dstport eq 56087))
Node 0: 10.1.8.130:56087
Node 1: 10.195.4.41:446
603
POST /vmx  HTTP/1.0
Host: :
Content-Type: text/xml;charset=utf-8
Content-Length: 00515

<?xml version="1.0" encoding="UTF-8"?><VMX_ROOT><VMX_HEADER><MSGID>VMX.ACCT.STMT.INQ</MSGID><VERSION>C8V2</VERSION><CLIENTID>08682</CLIENTID><CORRELID></CORRELID><CONTEXT></CONTEXT><NAME></NAME><TermJourNo>000857083955</TermJourNo><TermId>85000001</TermId></VMX_HEADER><VMX_MSGIN><CONTEXT></CONTEXT><NAME></NAME><ORG>102</ORG><ACCT>3568390051948787</ACCT><SVC_TYPE>S</SVC_TYPE><FOREIGN_USE></FOREIGN_USE><STATEMENT_DATE>2012-10-15</STATEMENT_DATE><STATEMENT_NBR_MONTHS></STATEMENT_NBR_MONTHS></VMX_MSGIN></VMX_ROOT>
        1280
HTTP/1.1 200 OK
Date: Thu, 23 May 2013 07:30:31 GMT
Server: Apache-Coyote/1.1
Content-Length: 2215
Connection: close
Content-Type: text/plain


命令

tshark -r vmx.cap -q -n -t ad -z expert

支持的选项内容error,warn,note,chat

可以配置过滤器过滤所需内容


输出

Warns (7640)
=============
   Frequency      Group           Protocol  Summary
        3312   Sequence                TCP  Previous segment not captured (common at capture start)
        2528   Sequence                TCP  This frame is a (suspected) out-of-order segment
        1800   Sequence                TCP  ACKed segment that wasn‘t captured (common at capture start)

Notes (1231)
=============
   Frequency      Group           Protocol  Summary
          67   Sequence                TCP  Duplicate ACK (#1)
          13   Sequence                TCP  TCP keep-alive segment
         964   Sequence                TCP  A new tcp session is started with the same ports as an earlier session in this trace
          70   Sequence                TCP  This frame is a (suspected) spurious retransmission
         117   Sequence                TCP  This frame is a (suspected) retransmission

Chats (38800)
=============
   Frequency      Group           Protocol  Summary
        7823   Sequence                TCP  Connection establish request (SYN): server port 446
        7805   Sequence                TCP  Connection establish acknowledge (SYN+ACK): server port 446
       15573   Sequence                TCP  Connection finish (FIN)
        7499   Sequence               HTTP  HTTP/1.1 200 OK\r\n
          79   Sequence                TCP  TCP window update
          21   Sequence               HTTP  POST /vmx  HTTP/1.0\n


命令

tshark -r vmx.cap -q -n -t ad -z io,phs


输出

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:97618 bytes:42476007
  ip                                     frames:97618 bytes:42476007
    tcp                                  frames:97618 bytes:42476007
      data                               frames:8158 bytes:5159676
      http                               frames:6254 bytes:4807267
        xml                              frames:6254 bytes:4807267
          tcp.segments                   frames:5545 bytes:4140344
      tcp.segments                       frames:1267 bytes:1396103
        http                             frames:1267 bytes:1396103
          xml                            frames:1266 bytes:1394931

===================================================================


命令

tshark -r vmx.cap -q -n -t ad -z io,stat,1

选项

可以添加具体的过滤器


输出

=========================================
| IO Statistics                         |
|                                       |
| Duration: 59.995032 secs              |
| Interval:  1 secs                     |
|                                       |
| Col 1: Frames and bytes               |
|---------------------------------------|
|                     |1                |
| Date and time       | Frames |  Bytes |
|---------------------------------------|
| 2013-05-23 15:31:15 |   1345 | 538915 |
| 2013-05-23 15:31:16 |   1540 | 639540 |
| 2013-05-23 15:31:17 |   2005 | 809226 |
| 2013-05-23 15:31:18 |   2109 | 905048 |
| 2013-05-23 15:31:19 |   1609 | 735785 |
| 2013-05-23 15:31:20 |   1725 | 783847 |
| 2013-05-23 15:31:21 |   1390 | 612697 |

| 2013-05-23 15:31:22 |   1338 | 591380 |


过滤TCP三次握手的数据包信息

tshark -r vmx.cap -q -n -t ad -z io,stat,1,"COUNT(tcp.flags)tcp.flags==0x02","COUNT(tcp.flags)tcp.flags==0x12"


==========================================
| IO Statistics                          |
|                                        |
| Duration: 59.995032 secs               |
| Interval:  1 secs                      |
|                                        |
| Col 1: COUNT(tcp.flags)tcp.flags==0x02 |
|     2: COUNT(tcp.flags)tcp.flags==0x12 |
|----------------------------------------|
|                     |1      |2      |  |
| Date and time       | COUNT | COUNT |  |
|-------------------------------------|  |
| 2013-05-23 15:31:15 |   114 |   114 |  |
| 2013-05-23 15:31:16 |   125 |   121 |  |
| 2013-05-23 15:31:17 |   162 |   163 |  |
| 2013-05-23 15:31:18 |   168 |   169 |  |
| 2013-05-23 15:31:19 |   126 |   127 |  |
| 2013-05-23 15:31:20 |   130 |   127 |  |
| 2013-05-23 15:31:21 |   113 |   114 |  |
| 2013-05-23 15:31:22 |   104 |   106 |  |
| 2013-05-23 15:31:23 |   122 |   121 |  |


通过过滤统计TCP通讯的单方向的平局窗口大小最大窗口最小窗口

tshark -r vmx.cap -q -n -t ad -z io,stat,1,"AVG(tcp.window_size)tcp.window_size && tcp.srcport==446","MAX(tcp.window_size)tcp.window_size && tcp.srcport==446","MIN(tcp.window_size)tcp.window_size && tcp.srcport==446" | more

==================================================================
| IO Statistics                                                  |
|                                                                |
| Duration: 59.995032 secs                                       |
| Interval:  1 secs                                              |
|                                                                |
| Col 1: AVG(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|     2: MAX(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|     3: MIN(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|----------------------------------------------------------------|
|                     |1      |2      |3      |                  |
| Date and time       |  AVG  |  MAX  |  MIN  |                  |
|---------------------------------------------|                  |
| 2013-05-23 15:31:15 | 57704 | 65535 | 17520 |                  |
| 2013-05-23 15:31:16 | 58380 | 65535 | 17520 |                  |
| 2013-05-23 15:31:17 | 58106 | 65535 | 17520 |                  |
| 2013-05-23 15:31:18 | 58296 | 65535 | 17520 |                  |
| 2013-05-23 15:31:19 | 58413 | 65535 | 17520 |                  |
| 2013-05-23 15:31:20 | 59013 | 65535 | 17520 |                  |
| 2013-05-23 15:31:21 | 58107 | 65535 | 17520 |                  |
| 2013-05-23 15:31:22 | 58379 | 65535 | 17520 |                  |
| 2013-05-23 15:31:23 | 58254 | 65535 | 17520 |                  |
| 2013-05-23 15:31:24 | 58112 | 65535 | 17520 |                  |
| 2013-05-23 15:31:25 | 58611 | 65535 | 17520 |                  |
| 2013-05-23 15:31:26 | 58101 | 65535 | 17520 |                  |
| 2013-05-23 15:31:27 | 58229 | 65535 | 17520 |                  |

 

本文出自 “流量分析技术” 博客,谢绝转载!

评论(0
© 2014 mamicode.com 版权所有 京ICP备13008772号-2  联系我们:gaon5@hotmail.com
迷上了代码!