使用不带 -z 选项的 ascii 输出从 cap 文件中读取
read from cap file with ascii output without -z option
我一直在使用此脚本自动将 pcap 文件拆分为单个 tcp 流:
for stream in $(tshark -r -T fields -e tcp.stream | sort -n | uniq)
do
echo $stream
tshark -r -w /stream-$stream.cap -Y "tcp.stream==$stream"
done
现在,对于代表流的每个捕获文件,我可以使用
读取它们
tshark -r somefile.cap
但我得到这样的输出:
1 0.000000 172.18.0.4 → 172.18.0.5 HTTP 386 GET /eureka/apps/delta HTTP/1.1
2 0.001457 172.18.0.5 → 172.18.0.4 HTTP 466 HTTP/1.1 200 OK (application/json)
3 0.001490 172.18.0.4 → 172.18.0.5 TCP 66 37830 → 8761 [ACK] Seq=321 Ack=401 Win=287 Len=0 TSval=330522 TSecr=330522
...
我想以与使用 -z 跟随流时获得的格式相同的格式阅读它,例如
tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"
与上面相同,加上
===================================================================
Follow: http,ascii
Filter: ((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238))
Node 0: 172.18.0.6:57238
Node 1: 172.18.0.4:8081
821
POST /api/cars?cacheBuster=1511774200847 HTTP/1.1
Origin: http://localhost:8080
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOiJST0xFX0FETUlOLFJPTEVfVVNFUiIsImV4cCI6MTUxMzI1NzU5MX0.xyXj0-7xjluW0jB9y2UGzcZcruADHkgTH_mnTIYsSmggqDW7XIeHC7ftKPmaMjozLhpIGofHAbrXj6TOTQlvXQ
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: http://localhost:8080/
Accept-Language: en-US,en;q=0.9,it;q=0.8,ru;q=0.7
Accept-Encoding: gzip
Content-Type: application/json;charset=UTF-8
x-forwarded-host: localhost:8080
x-forwarded-proto: http
x-forwarded-prefix: /carapp
x-forwarded-port: 8080
x-forwarded-for: 172.18.0.1
Content-Length: 61
Host: 172.18.0.4:8081
Connection: Keep-Alive
...
最后。
是否存在这样的选项?
也许像下面这样的东西会有所帮助?
tshark -r somefile.pcap -Y "http and (((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238)))" -O http
...或者更简单一点,应该完成同样的事情:
tshark -r somefile.pcap -Y "http and (ip.addr eq 172.18.0.6 and tcp.port eq 57238 and ip.addr eq 172.18.0.4 and tcp.port eq 8081)" -O http
...如果您知道与此对话关联的 TCP 流编号,甚至更简单:
tshark -r somefile.pcap -Y "http and tcp.stream eq 0" -O http
(此处,我假设流索引为 0。)
有关详细信息,请参阅 tshark man page。
我一直在使用此脚本自动将 pcap 文件拆分为单个 tcp 流:
for stream in $(tshark -r -T fields -e tcp.stream | sort -n | uniq)
do
echo $stream
tshark -r -w /stream-$stream.cap -Y "tcp.stream==$stream"
done
现在,对于代表流的每个捕获文件,我可以使用
读取它们tshark -r somefile.cap
但我得到这样的输出:
1 0.000000 172.18.0.4 → 172.18.0.5 HTTP 386 GET /eureka/apps/delta HTTP/1.1
2 0.001457 172.18.0.5 → 172.18.0.4 HTTP 466 HTTP/1.1 200 OK (application/json)
3 0.001490 172.18.0.4 → 172.18.0.5 TCP 66 37830 → 8761 [ACK] Seq=321 Ack=401 Win=287 Len=0 TSval=330522 TSecr=330522
...
我想以与使用 -z 跟随流时获得的格式相同的格式阅读它,例如
tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"
与上面相同,加上
===================================================================
Follow: http,ascii
Filter: ((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238))
Node 0: 172.18.0.6:57238
Node 1: 172.18.0.4:8081
821
POST /api/cars?cacheBuster=1511774200847 HTTP/1.1
Origin: http://localhost:8080
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOiJST0xFX0FETUlOLFJPTEVfVVNFUiIsImV4cCI6MTUxMzI1NzU5MX0.xyXj0-7xjluW0jB9y2UGzcZcruADHkgTH_mnTIYsSmggqDW7XIeHC7ftKPmaMjozLhpIGofHAbrXj6TOTQlvXQ
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: http://localhost:8080/
Accept-Language: en-US,en;q=0.9,it;q=0.8,ru;q=0.7
Accept-Encoding: gzip
Content-Type: application/json;charset=UTF-8
x-forwarded-host: localhost:8080
x-forwarded-proto: http
x-forwarded-prefix: /carapp
x-forwarded-port: 8080
x-forwarded-for: 172.18.0.1
Content-Length: 61
Host: 172.18.0.4:8081
Connection: Keep-Alive
...
最后。
是否存在这样的选项?
也许像下面这样的东西会有所帮助?
tshark -r somefile.pcap -Y "http and (((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238)))" -O http
...或者更简单一点,应该完成同样的事情:
tshark -r somefile.pcap -Y "http and (ip.addr eq 172.18.0.6 and tcp.port eq 57238 and ip.addr eq 172.18.0.4 and tcp.port eq 8081)" -O http
...如果您知道与此对话关联的 TCP 流编号,甚至更简单:
tshark -r somefile.pcap -Y "http and tcp.stream eq 0" -O http
(此处,我假设流索引为 0。)
有关详细信息,请参阅 tshark man page。