Using tshark for packet analysis
Option notes (Options)
-r  read packets from a capture file
-C  use the named configuration profile
-d  "decode as": bind a dissector to a layer/selector (see the next command)
-D  list the interfaces tshark can capture on
-e  add a field to print (used with -T fields; one -e per field)
-E  set field-printing options for -T fields (header=y, separator=, quote=d, ...)
-T  set the output format (text, fields, pdml, json, ...)
Command: tshark -d <layer type>==<selector>,<decode-as protocol>
tshark -r vmx.cap -d tcp.port==446,http
Command notes
Some captures carry a service on a non-standard port, so tshark has no dissector registered for it and shows the payload as undecoded data. The -d option binds a dissector to a selector; here everything on TCP port 446 is decoded as HTTP. Whether the binding took effect is visible in the protocol hierarchy (-z io,phs): frames still listed under data are payload no dissector claimed, frames listed under http are now being decoded.
Command
tshark -r vmx.cap -n -q -z conv,ip | more
Command notes: -q suppresses the per-packet lines so only the statistics print, -n turns off name resolution. In the table, the "<-" columns count frames and bytes sent from the right-hand address to the left-hand one, "->" the reverse, followed by the totals, the start time relative to the first frame of the capture, and the duration in seconds.
Output
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                   |       <-      | |       ->      | |     Total     |    Relative    |  Duration |
                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |           |
10.195.4.41     <-> 10.1.8.130        45659   7028815   51959  35447192   97618  42476007     0.000000000        59.9950
================================================================================
Command
tshark -r vmx.cap -n -q -z conv,tcp | more
Output
================================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |    Relative    |  Duration |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |           |
10.1.8.130:48530     <-> 10.195.4.41:446        48     59974      20      2046      68     62020    33.202062959        0.4118
10.1.8.130:33358     <-> 10.195.4.41:446        23     25884      11      1519      34     27403    47.077873979        0.3215
10.1.8.130:38756     <-> 10.195.4.41:446        23     26021      11      1519      34     27540    38.824171939        0.3706
10.1.8.130:57689     <-> 10.195.4.41:446        23     25963      11      1520      34     27483    24.038616709        0.1452
10.1.8.130:50477     <-> 10.195.4.41:446        22     25872      12      1566      34     27438    23.735327709        0.2429
10.1.8.130:40895     <-> 10.195.4.41:446        22     25369      11      1538      33     26907    58.201053489        0.4079
10.1.8.130:36051     <-> 10.195.4.41:446        23     27147      10      1426      33     28573    52.082732009        0.3124
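Post-processing the conv,tcp table is where this statistic pays off in an investigation. The following Python is an added example, not code from the original post or from the Wireshark project: it parses the table above into records, flags conversations in which one side never sent a frame (the mark a SYN scan or a dead listener leaves in this table) and totals traffic per endpoint. The sample input is constructed from rows of the page's own output plus one invented row, 10.1.8.130:61000, that got no reply.

```python
"""Parse the table printed by `tshark -q -z conv,tcp` into records and pull
a few security-relevant signals out of it. Added example for this page,
not part of tshark or of the original post."""
import re
from collections import defaultdict

# Constructed sample: two rows copied from the page's conv,tcp output plus one
# invented row (10.1.8.130:61000) that never got an answer, the shape a
# SYN probe or a dead listener leaves in this table.
SAMPLE_CONV_TCP = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |    Relative    |  Duration |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |           |
10.1.8.130:48530     <-> 10.195.4.41:446        48     59974      20      2046      68     62020    33.202062959        0.4118
10.1.8.130:33358     <-> 10.195.4.41:446        23     25884      11      1519      34     27403    47.077873979        0.3215
10.1.8.130:61000     <-> 10.195.4.41:446         0         0       1        60       1        60    50.000000000        0.0000
================================================================================
"""

# One data row: A <-> B, then "<-" (B to A), "->" (A to B), total, start, duration.
ROW_RE = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)\s+"
    r"(?P<to_a_frames>\d+)\s+(?P<to_a_bytes>\d+)\s+"
    r"(?P<to_b_frames>\d+)\s+(?P<to_b_bytes>\d+)\s+"
    r"(?P<frames>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<start>\d+\.\d+)\s+(?P<duration>\d+\.\d+)\s*$"
)
INT_FIELDS = ("to_a_frames", "to_a_bytes", "to_b_frames", "to_b_bytes", "frames", "bytes")


def parse_conv_tcp(text):
    """Return one dict per conversation row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        rec["start"] = float(rec["start"])
        rec["duration"] = float(rec["duration"])
        rows.append(rec)
    return rows


def one_sided(rows):
    """Conversations in which one side never sent a frame: unanswered SYNs
    from a scan, a flood, or a service that is down."""
    return [r for r in rows if r["to_a_frames"] == 0 or r["to_b_frames"] == 0]


def by_endpoint(rows):
    """Totals per ip:port, crediting a row to both of its endpoints, so the
    fixed server port stands out against the ephemeral client ports."""
    agg = defaultdict(lambda: {"conversations": 0, "frames": 0, "bytes": 0})
    for r in rows:
        for ep in (r["a"], r["b"]):
            agg[ep]["conversations"] += 1
            agg[ep]["frames"] += r["frames"]
            agg[ep]["bytes"] += r["bytes"]
    return dict(agg)


def top_talkers(rows, n=3):
    """The n conversations that moved the most bytes."""
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    rows = parse_conv_tcp(SAMPLE_CONV_TCP)
    for r in one_sided(rows):
        print("no reply:", r["a"], "<->", r["b"])
    for ep, s in sorted(by_endpoint(rows).items(), key=lambda kv: -kv[1]["bytes"])[:3]:
        print(ep, s)
```

To run it on a real capture, pipe `tshark -r vmx.cap -n -q -z conv,tcp` into parse_conv_tcp instead of the sample string; the row regex keys on the `<->` separator and the ten numeric columns, so it ignores the header and rule lines whatever their width.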
Command
tshark -r vmx.cap -q -n -t ad -z follow,tcp,ascii,10.1.8.130:56087,10.195.4.41:446 | more
Command notes: follow,tcp reassembles one stream in both directions; the two addresses select the stream, ascii prints the payload as text (hex and raw are the alternatives), and -t ad prints absolute dates and times. The number printed before each chunk is its length in bytes. The payload is readable as-is, i.e. the channel is not encrypted: anyone in a position to capture this traffic sees the account number in the ACCT element of the request.
Output
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.1.8.130 and tcp.srcport eq 56087) and (ip.dst eq 10.195.4.41 and tcp.dstport eq 446)) or ((ip.src eq 10.195.4.41 and tcp.srcport eq 446) and (ip.dst eq 10.1.8.130 and tcp.dstport eq 56087))
Node 0: 10.1.8.130:56087
Node 1: 10.195.4.41:446
603
POST /vmx HTTP/1.0
Host: :
Content-Type: text/xml;charset=utf-8
Content-Length: 00515
<?xml version="1.0" encoding="UTF-8"?><VMX_ROOT><VMX_HEADER><MSGID>VMX.ACCT.STMT.INQ</MSGID><VERSION>C8V2</VERSION><CLIENTID>08682</CLIENTID><CORRELID></CORRELID><CONTEXT></CONTEXT><NAME></NAME><TermJourNo>000857083955</TermJourNo><TermId>85000001</TermId></VMX_HEADER><VMX_MSGIN><CONTEXT></CONTEXT><NAME></NAME><ORG>102</ORG><ACCT>3568390051948787</ACCT><SVC_TYPE>S</SVC_TYPE><FOREIGN_USE></FOREIGN_USE><STATEMENT_DATE>2012-10-15</STATEMENT_DATE><STATEMENT_NBR_MONTHS></STATEMENT_NBR_MONTHS></VMX_MSGIN></VMX_ROOT>
1280
HTTP/1.1 200 OK
Date: Thu, 23 May 2013 07:30:31 GMT
Server: Apache-Coyote/1.1
Content-Length: 2215
Connection: close
Content-Type: text/plain
Command
tshark -r vmx.cap -q -n -t ad -z expert
Command notes: -z expert groups the dissectors' expert info by severity. Append one of error, warn, note, chat to set the lowest severity printed, and optionally a display filter after it, e.g. -z expert,warn,tcp.port==446. Two things worth checking in the output below: the Chats block gives 7823 SYN against 7805 SYN+ACK, so 18 connection attempts received no SYN+ACK within the capture; and the Warns are dominated by "previous segment not captured" and "out-of-order segment", which, outside the first seconds of a trace, usually point to the capture host dropping or reordering frames rather than to the network (compare with the drop count the capturing tool reports before treating them as loss).
Output
Warns (7640)
=============
   Frequency      Group           Protocol  Summary
        3312      Sequence        TCP       Previous segment not captured (common at capture start)
        2528      Sequence        TCP       This frame is a (suspected) out-of-order segment
        1800      Sequence        TCP       ACKed segment that wasn't captured (common at capture start)

Notes (1231)
=============
   Frequency      Group           Protocol  Summary
          67      Sequence        TCP       Duplicate ACK (#1)
          13      Sequence        TCP       TCP keep-alive segment
         964      Sequence        TCP       A new tcp session is started with the same ports as an earlier session in this trace
          70      Sequence        TCP       This frame is a (suspected) spurious retransmission
         117      Sequence        TCP       This frame is a (suspected) retransmission

Chats (38800)
=============
   Frequency      Group           Protocol  Summary
        7823      Sequence        TCP       Connection establish request (SYN): server port 446
        7805      Sequence        TCP       Connection establish acknowledge (SYN+ACK): server port 446
       15573      Sequence        TCP       Connection finish (FIN)
        7499      Sequence        HTTP      HTTP/1.1 200 OK\r\n
          79      Sequence        TCP       TCP window update
          21      Sequence        HTTP      POST /vmx HTTP/1.0\n
Command
tshark -r vmx.cap -q -n -t ad -z io,phs
Command notes: the protocol hierarchy is indented by encapsulation (eth > ip > tcp > ...). data is payload no dissector claimed; a large data node next to http on the same port, as below, means part of the stream is not being decoded, which is the situation -d tcp.port==446,http addresses. tcp.segments groups the frames that were reassembled into a larger PDU.
Output
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:97618 bytes:42476007
  ip                                     frames:97618 bytes:42476007
    tcp                                  frames:97618 bytes:42476007
      data                               frames:8158 bytes:5159676
      http                               frames:6254 bytes:4807267
        xml                              frames:6254 bytes:4807267
      tcp.segments                       frames:5545 bytes:4140344
        tcp.segments                     frames:1267 bytes:1396103
          http                           frames:1267 bytes:1396103
            xml                          frames:1266 bytes:1394931
===================================================================
Command
tshark -r vmx.cap -q -n -t ad -z io,stat,1
Options: the first argument is the interval in seconds; each further argument is a display filter, optionally wrapped in COUNT(), SUM(), MIN(), MAX(), AVG() or LOAD() over a field, and becomes one column of the table, as in the two commands that follow.
Output
=========================================
| IO Statistics |
| |
| Duration: 59.995032 secs |
| Interval: 1 secs |
| |
| Col 1: Frames and bytes |
|---------------------------------------|
| |1 |
| Date and time | Frames | Bytes |
|---------------------------------------|
| 2013-05-23 15:31:15 | 1345 | 538915 |
| 2013-05-23 15:31:16 | 1540 | 639540 |
| 2013-05-23 15:31:17 | 2005 | 809226 |
| 2013-05-23 15:31:18 | 2109 | 905048 |
| 2013-05-23 15:31:19 | 1609 | 735785 |
| 2013-05-23 15:31:20 | 1725 | 783847 |
| 2013-05-23 15:31:21 | 1390 | 612697 |
| 2013-05-23 15:31:22 | 1338 | 591380 |
Counting the SYN and SYN+ACK segments of the TCP three-way handshake per second. tcp.flags==0x02 matches a segment whose flag byte is exactly SYN and 0x12 exactly SYN+ACK, so SYNs that also carry ECN bits (CWR/ECE) are not counted; tcp.flags.syn==1 && tcp.flags.ack==0 and tcp.flags.syn==1 && tcp.flags.ack==1 are the robust forms. The final ACK of the handshake is not counted here because a bare ACK cannot be told from a data ACK by its flags alone. In a healthy service the two columns track each other, as they do below; an interval where SYNs run well ahead of SYN+ACKs means half-open connections, i.e. a scan, a SYN flood or a listener that stopped answering.
tshark -r vmx.cap -q -n -t ad -z io,stat,1,"COUNT(tcp.flags)tcp.flags==0x02","COUNT(tcp.flags)tcp.flags==0x12"
==========================================
| IO Statistics |
| |
| Duration: 59.995032 secs |
| Interval: 1 secs |
| |
| Col 1: COUNT(tcp.flags)tcp.flags==0x02 |
| 2: COUNT(tcp.flags)tcp.flags==0x12 |
|----------------------------------------|
| |1 |2 | |
| Date and time | COUNT | COUNT | |
|-------------------------------------| |
| 2013-05-23 15:31:15 | 114 | 114 | |
| 2013-05-23 15:31:16 | 125 | 121 | |
| 2013-05-23 15:31:17 | 162 | 163 | |
| 2013-05-23 15:31:18 | 168 | 169 | |
| 2013-05-23 15:31:19 | 126 | 127 | |
| 2013-05-23 15:31:20 | 130 | 127 | |
| 2013-05-23 15:31:21 | 113 | 114 | |
| 2013-05-23 15:31:22 | 104 | 106 | |
| 2013-05-23 15:31:23 | 122 | 121 | |
Per-second average, maximum and minimum TCP window advertised in one direction (here by the server side, tcp.srcport==446). In current Wireshark/tshark releases tcp.window_size is the window after scaling, computed from the window-scale option seen in the handshake; the raw 16-bit field is tcp.window_size_value, and when the handshake was not captured the scale factor is unknown and the calculated value equals the raw field. A minimum that drops to 0, or an average that collapses, means the receiver is throttling the sender.
tshark -r vmx.cap -q -n -t ad -z io,stat,1,"AVG(tcp.window_size)tcp.window_size && tcp.srcport==446","MAX(tcp.window_size)tcp.window_size && tcp.srcport==446","MIN(tcp.window_size)tcp.window_size && tcp.srcport==446" | more
==================================================================
| IO Statistics |
| |
| Duration: 59.995032 secs |
| Interval: 1 secs |
| |
| Col 1: AVG(tcp.window_size)tcp.window_size && tcp.srcport==446 |
| 2: MAX(tcp.window_size)tcp.window_size && tcp.srcport==446 |
| 3: MIN(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|----------------------------------------------------------------|
| |1 |2 |3 | |
| Date and time | AVG | MAX | MIN | |
|---------------------------------------------| |
| 2013-05-23 15:31:15 | 57704 | 65535 | 17520 | |
| 2013-05-23 15:31:16 | 58380 | 65535 | 17520 | |
| 2013-05-23 15:31:17 | 58106 | 65535 | 17520 | |
| 2013-05-23 15:31:18 | 58296 | 65535 | 17520 | |
| 2013-05-23 15:31:19 | 58413 | 65535 | 17520 | |
| 2013-05-23 15:31:20 | 59013 | 65535 | 17520 | |
| 2013-05-23 15:31:21 | 58107 | 65535 | 17520 | |
| 2013-05-23 15:31:22 | 58379 | 65535 | 17520 | |
| 2013-05-23 15:31:23 | 58254 | 65535 | 17520 | |
| 2013-05-23 15:31:24 | 58112 | 65535 | 17520 | |
| 2013-05-23 15:31:25 | 58611 | 65535 | 17520 | |
| 2013-05-23 15:31:26 | 58101 | 65535 | 17520 | |
| 2013-05-23 15:31:27 | 58229 | 65535 | 17520 | |
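The io,stat tables are easiest to act on once they are parsed into a time series. The following Python is an added example, not code from the original post or from the Wireshark project, and it serves both the handshake-count table and the window-size table above: it reads the column expressions and the per-interval rows, flags intervals where SYNs go unanswered and intervals where the advertised window collapses, and builds the argv for the same query with the flag-bit filters in place of the exact flag bytes. The sample tables are constructed from rows of the page's own output, each with one invented interval (15:31:24 with 300 SYNs against 12 SYN+ACKs, and 15:31:30 with a zero window) to exercise the checks; the thresholds min_gap, max_ratio and avg_floor are assumptions.

```python
"""Parse the table printed by `tshark -q -z io,stat,<interval>,...` and run
per-interval checks over it. Added example for this page, not part of tshark
or of the original post."""
import re

# Constructed sample: rows from the page's SYN / SYN+ACK table plus one
# invented interval (15:31:24) in which almost no SYN gets a SYN+ACK.
SAMPLE_HANDSHAKE = """\
==========================================
| IO Statistics                          |
|                                        |
| Duration: 59.995032 secs               |
| Interval: 1 secs                       |
|                                        |
| Col 1: COUNT(tcp.flags)tcp.flags==0x02 |
|     2: COUNT(tcp.flags)tcp.flags==0x12 |
|----------------------------------------|
|                     |1     |2     |    |
| Date and time       | COUNT | COUNT |  |
|-------------------------------------|  |
| 2013-05-23 15:31:15 |   114 |   114 |  |
| 2013-05-23 15:31:16 |   125 |   121 |  |
| 2013-05-23 15:31:17 |   162 |   163 |  |
| 2013-05-23 15:31:24 |   300 |    12 |  |
==========================================
"""

# Constructed sample: two rows from the page's window-size table plus one
# invented interval (15:31:30) where the advertised window collapses.
SAMPLE_WINDOW = """\
| Col 1: AVG(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|     2: MAX(tcp.window_size)tcp.window_size && tcp.srcport==446 |
|     3: MIN(tcp.window_size)tcp.window_size && tcp.srcport==446 |
| 2013-05-23 15:31:15 | 57704 | 65535 | 17520 | |
| 2013-05-23 15:31:16 | 58380 | 65535 | 17520 | |
| 2013-05-23 15:31:30 |  2048 | 65535 |     0 | |
"""

COL_RE = re.compile(r"^\|\s*(?:Col\s+)?(\d+):\s*(.+?)\s*\|$")   # "| Col 1: <expr> |"
ROW_RE = re.compile(r"^\|\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*\|(.*)$")


def parse_io_stat(text):
    """Return (column expressions, rows); a row is (timestamp, [value per column])."""
    cols, rows = [], []
    for line in text.splitlines():
        m = COL_RE.match(line)
        if m:
            cols.append(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            cells = [c.strip() for c in m.group(2).split("|")]
            rows.append((m.group(1), [float(c) for c in cells if c]))  # drop empty trailing cells
    return cols, rows


def half_open_intervals(rows, syn_col=0, synack_col=1, min_gap=10, max_ratio=0.8):
    """Intervals where SYNs go unanswered: SYN - SYN+ACK >= min_gap and the
    SYN+ACK count is at most max_ratio of the SYN count. A run of these is
    what a SYN scan, a SYN flood or a dead listener looks like in io,stat."""
    hits = []
    for ts, v in rows:
        syn, synack = v[syn_col], v[synack_col]
        if syn - synack >= min_gap and synack <= max_ratio * syn:
            hits.append((ts, int(syn), int(synack)))
    return hits


def window_alerts(rows, avg_col=0, min_col=2, avg_floor=8192):
    """Intervals in which the receiver advertised a zero window or the
    average window fell under avg_floor bytes: the sender is being throttled."""
    return [(ts, int(v[avg_col]), int(v[min_col])) for ts, v in rows
            if v[min_col] == 0 or v[avg_col] < avg_floor]


# The page's handshake filters match exact flag bytes (0x02, 0x12) and so
# miss SYNs that also carry ECN bits; the flag-bit fields are the robust form.
SYN_COL = "COUNT(tcp.flags.syn)tcp.flags.syn==1 && tcp.flags.ack==0"
SYNACK_COL = "COUNT(tcp.flags.syn)tcp.flags.syn==1 && tcp.flags.ack==1"


def io_stat_argv(capfile, interval, *columns):
    """argv for the same query the page runs, ready for subprocess.run
    (no shell, so the column expressions need no quoting)."""
    return ["tshark", "-r", capfile, "-q", "-n", "-t", "ad",
            "-z", ",".join(["io,stat", str(interval), *columns])]


if __name__ == "__main__":
    cols, rows = parse_io_stat(SAMPLE_HANDSHAKE)
    print(cols)
    print(half_open_intervals(rows))
    print(window_alerts(parse_io_stat(SAMPLE_WINDOW)[1]))
    print(" ".join(io_stat_argv("vmx.cap", 1, SYN_COL, SYNACK_COL)))
```

The parser keys only on the "Col N:" lines and on rows that start with a timestamp, so it reads any io,stat table regardless of how many columns or which aggregate functions it carries; the two checks then pick their columns by index.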
This article comes from the “流量分析技术” blog; reproduction is not permitted.