How to add a pipe after tshark function tshark pipe

I want to use tshark to find the destination or source IPs that are not mine. For this I use (ip-ifconfig gives my IP from ifconfig)

# tshark -T fields -e ip.addr -E aggregator=" " | sed "s/$(ip-ifconfig)//"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Capturing on 'wlp3s0'
**5500** 

I get the number of captured packets. I want the IPs.

You may need to use awk to manipulate the output.

The output of this command without the sed pipe is a list of IPs

The command sed "s/$(ip-ifconfig)//" just replaces your IP address with an empty string. That is probably not what you want. Also, I don't know the ip-ifconfig command; I assume it gives you an IP address.

A crude way to achieve this is to suppress all lines that contain your IP address, for example with one of the following two:

tshark -T fields -e ip.addr -E aggregator=" " | grep -v "$(ip-ifconfig)"
tshark -T fields -e ip.addr -E aggregator=" " | sed "/$(ip-ifconfig)/d"

This solution is not very robust, though. If your IP address is 192.168.1.1, the pattern above will also match 192.168.1.10 or 192.168.1.123. You can match the whole word with angle brackets:

tshark -T fields -e ip.addr -E aggregator=" " | grep -vE "\<$(ip-ifconfig)\>"
tshark -T fields -e ip.addr -E aggregator=" " | sed "/\<$(ip-ifconfig)\>/d"

This should work in most cases. Note that the dots in the IP address had better be escaped, otherwise they are treated as match-any characters in the regular expression.

Finally, you can simply use a display filter in tshark:

tshark -T fields -e ip.addr -E aggregator=" " -Y "ip.addr != $(ip-ifconfig)"

This lets you build very complex filters.
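The three grep variants discussed in the answer above, run against constructed tshark-style `ip.addr` output instead of a live capture (an added example, not code from the answer; `grep -w` is used as the portable spelling of the `\<...\>` word boundaries, and the sample lines and function names are made up for illustration):

```shell
# Constructed sample of what "tshark -T fields -e ip.addr -E aggregator=' '"
# prints: one line per packet, source and destination separated by a space.
SAMPLE_LINES='192.168.1.1 10.0.0.5
192.168.1.10 93.184.216.34
192.168.1.123 192.168.1.1
10.0.0.5 192.168.1.1
192.168.101.1 1.1.1.1
10.0.0.5 8.8.8.8'

# Escape the dots so the IP is matched literally rather than as "any character".
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# 1. Plain substring match: drops 192.168.1.10 and 192.168.101.1 as well.
filter_naive() {
    printf '%s\n' "$SAMPLE_LINES" | grep -v "$1"
}

# 2. Whole-word match with unescaped dots: keeps 192.168.1.10, but the
#    unescaped "1.1" still matches "101", so 192.168.101.1 is dropped.
filter_boundary_only() {
    printf '%s\n' "$SAMPLE_LINES" | grep -vw "$1"
}

# 3. Whole-word match with escaped dots: drops only lines that contain
#    exactly the given address.
filter_exact() {
    printf '%s\n' "$SAMPLE_LINES" | grep -vw "$(escape_ip "$1")"
}

# Count lines kept by each variant for a given address.
kept_count() {
    "$1" "$2" | wc -l | tr -d ' '
}
```

With `192.168.1.1` the naive filter keeps 1 of the 6 lines, the boundary-only filter 2, and the escaped whole-word filter 3; on a live pipe the same functions would read from `tshark ... | ...` instead of `$SAMPLE_LINES`.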

I was looking for tshark -l

 -l        Flush the standard output after the information for each packet is printed. (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C library.)

           This may be useful when piping the output of TShark to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon as TShark sees the packet and generates that output, rather than seeing it only when the standard output buffer containing that data fills up.