How can I better organize my TShark output to make it more readable?
I am trying to build a robust shell script that takes a tshark output file from a capture on a specified interface and runs analysis on it. I can currently specify the interface to capture on and the length of time to capture for, but the output is all squashed onto one line.
How can I format the tshark output and statistics table below so that it is more readable, or get back to the format tshark originally shows when you run the tool itself?
#Capture the Client Subnets for the Tap/SPAN
param([string[]]$subnets)
$ErrorActionPreference = 'SilentlyContinue'
#Capture variables
$shark = ".\tshark.exe"
$flagshark = "-i"
$interfaceshark = ".\tshark.exe -D"
Invoke-Expression $interfaceshark
$userinterface = Read-Host -Prompt 'Input the number beside the interface that you would like to capture?'
$time = Read-Host -Prompt 'How much time would you like to capture for the assessment?'
#Run Tshark
& $shark -i "$userinterface" -a duration:"$time" -w testingoutput.pcap
foreach ($nets in $subnets) {
$analysis = '.\tshark.exe -r testingoutput.pcap -2 -R "ip.addr == $nets" -z conv,ip'
$result = Invoke-Expression $analysis
Write-Host $result | Format-Table -AutoSize
}
Here is the output I want:
84 0.707630 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161
85 0.751054 52.112.6.179 → 10.201.0.49 UDP 116 57560 → 50052 Len=74
86 0.751055 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
87 0.751055 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
88 0.751057 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
89 0.751057 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
90 0.751058 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
91 0.751198 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
92 0.751199 52.112.6.179 → 10.201.0.49 UDP 1097 57560 → 50052 Len=1055
93 0.751199 52.112.6.179 → 10.201.0.49 UDP 1096 57560 → 50052 Len=1054
94 0.751200 52.112.6.179 → 10.201.0.49 UDP 304 57560 → 50052 Len=262
95 0.752471 52.112.6.179 → 10.201.0.49 UDP 93 54450 → 50000 Len=51
96 0.767686 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161
97 0.827670 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161
97 packets captured
==============================================================================
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.201.0.49 <-> 52.112.6.179 78 26413 11 6395 89 32808 0.000000000 0.8277
10.201.0.1 <-> 224.0.0.10 0 0 2 160 2 160 0.379198000 0.1439
10.201.0.49 <-> 165.225.34.36 1 107 1 54 2 161 0.624698000 0.0405
10.201.0.16 <-> 239.255.255.250 0 0 1 216 1 216 0.088173000 0.0000
10.201.0.40 <-> 239.255.255.250 0 0 1 216 1 216 0.090642000 0.0000
==============================================================================
Here is what I currently get:
91 0.549731 52.112.6.179 → 10.201.0.49 STUN 130 Binding Success Response XOR-MAPPED-ADDRESS: 206.27.171.242:50000 user: c6Si:m9Dx 92 0.565386 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 93 0.584513 52.112.6.179 → 10.201.0.49 UDP 116 57560 → 50052 Len=74 94 0.584513 52.112.6.179 → 10.201.0.49 UDP 177 57560 → 50052 Len=135 95 0.584513 52.112.6.179 → 10.201.0.49 UDP 156 57560 → 50052 Len=114 96 0.584513 52.112.6.179 → 10.201.0.49 UDP 219 57560 → 50052 Len=177 97 0.584514 52.112.6.179 → 10.201.0.49 UDP 395 57560 → 50052 Len=353 98 0.584514 52.112.6.179 → 10.201.0.49 UDP 395 57560 → 50052 Len=353 99 0.584516 52.112.6.179 → 10.201.0.49 UDP 395 57560 → 50052 Len=353 100 0.584516 52.112.6.179 → 10.201.0.49 UDP 394 57560 → 50052 Len=352 101 0.584661 52.112.6.179 → 10.201.0.49 UDP 411 57560 → 50052 Len=369 102 0.625153 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 103 0.659342 52.112.6.179 → 10.201.0.49 UDP 1196 57560 → 50052 Len=1154 104 0.686102 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 105 0.731077 52.112.6.179 → 10.201.0.49 UDP 116 57560 → 50052 Len=74 106 0.731077 52.112.6.179 → 10.201.0.49 UDP 177 57560 → 50052 Len=135 107 0.731078 52.112.6.179 → 10.201.0.49 UDP 156 57560 → 50052 Len=114 108 0.731078 52.112.6.179 → 10.201.0.49 UDP 213 57560 → 50052 Len=171 109 0.731079 52.112.6.179 → 10.201.0.49 UDP 403 57560 → 50052 Len=361 110 0.731079 52.112.6.179 → 10.201.0.49 UDP 403 57560 → 50052 Len=361 111 0.731079 52.112.6.179 → 10.201.0.49 UDP 403 57560 → 50052 Len=361 112 0.731080 52.112.6.179 → 10.201.0.49 UDP 403 57560 → 50052 Len=361 113 0.731081 52.112.6.179 → 10.201.0.49 UDP 403 57560 → 50052 Len=361 114 0.731086 52.112.6.179 → 10.201.0.49 UDP 400 57560 → 50052 Len=358 115 0.731086 52.112.6.179 → 10.201.0.49 UDP 419 57560 → 50052 Len=377 116 0.745221 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 117 0.784472 52.112.6.179 → 10.201.0.49 UDP 450 57560 → 50052 Len=408 118 0.805436 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 119 0.855067 52.112.6.179 → 10.201.0.49 UDP 116 57560 → 50052 Len=74 120 0.855068 52.112.6.179 → 10.201.0.49 UDP 177 57560 → 50052 Len=135 121 0.855068 52.112.6.179 → 10.201.0.49 UDP 156 57560 → 50052 Len=114 122 0.855069 52.112.6.179 → 10.201.0.49 UDP 210 57560 → 50052 Len=168 123 0.855069 52.112.6.179 → 10.201.0.49 UDP 442 57560 → 50052 Len=400 124 0.855070 52.112.6.179 → 10.201.0.49 UDP 442 57560 → 50052 Len=400 125 0.855071 52.112.6.179 → 10.201.0.49 UDP 458 57560 → 50052 Len=416 126 0.865431 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 127 0.924276 52.112.6.179 → 10.201.0.49 UDP 222 57560 → 50052 Len=180 128 0.925249 52.112.6.179 → 10.201.0.49 UDP 203 54450 → 50000 Len=161 129 0.930466 10.201.0.49 → 165.225.34.36 TCP 235 1091 → 80 [PSH, ACK] Seq=1 Ack=1 Win=1026 Len=181 130 0.985159 52.112.6.179 → 10.201.0.49 UDP 116 57560 → 50052 Len=74 ================================================================================ IPv4 Conversations Filter:<No Filter> | <- | | -> | | Total | Relative | Duration | | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | | 10.201.0.49 <-> 52.112.6.179 121 73200 4 742 125 73942 0.000000000 0.9852 10.201.0.49 <-> 52.112.67.77 2 250 1 54 3 304 0.280012000 0.0001 10.201.0.1 <-> 224.0.0.10 0 0 1 80 1 80 0.494976000 0.0000 10.201.0.49 <-> 165.225.34.36 0 0 1 235 1 235 0.930466000 0.0000 ================================================================================
Change `Write-Host $result | Format-Table -AutoSize` to `$result`. Once the contents of `$result` have been dumped to the host, they can no longer be piped to the `Format-Table` cmdlet. Using `Format-Table` makes no sense here anyway, because you receive a `string` array in which you would first have to split out the individual columns before it is of any use to `Format-Table`.
To convert the given strings into a PowerShell array of custom objects, I came up with:
PS C:\> $result = iex '.\tshark.exe -r C:\temp\test.pcapng -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -e _ws.col.Info -E header=y -E separator="," -E quote=d -E occurrence=f' | ConvertFrom-Csv
Now `$result` is an array of PowerShell objects. If I dump the first object of the array:
PS C:\> $result | Select-Object -First 1
frame.number : 1
frame.time : May 14, 2019 06:59:40.011932000 W. Europe Daylight Time
eth.src : b0:fa:eb:1e:8f:a1
eth.dst : 00:50:56:a4:24:eb
ip.src : 172.22.21.50
ip.dst : 10.22.23.98
ip.proto : 17
_ws.col.Info : 58842  3389 Len=12
You see that the object has several properties. To see all available object properties we can use the `Get-Member` cmdlet:
PS C:\> $result[0] | Get-Member
TypeName: Selected.System.Management.Automation.PSCustomObject
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
eth.dst NoteProperty string eth.dst=00:50:56:a4:24:eb
eth.src NoteProperty string eth.src=b0:fa:eb:1e:8f:a1
frame.number NoteProperty string frame.number=1
frame.time NoteProperty string frame.time=May 14, 2019 06:59:40.011932000 W. Europe Daylight Time
ip.dst NoteProperty string ip.dst=10.22.23.98
ip.proto NoteProperty string ip.proto=17
ip.src NoteProperty string ip.src=172.22.21.50
_ws.col.Info NoteProperty string _ws.col.Info=58842  3389 Len=12
Above you see several properties that you can use to filter further, to sort (for example `$result | Sort-Object ip.dst`), or to select a few properties via the `Format-Table` cmdlet.
Example:
PS C:\> $result[0] | Format-Table -Property frame.number, ip.dst, ip.src
frame.number ip.dst ip.src
------------ ------ ------
1 10.22.23.98 172.22.21.50
Hope this helps.
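The answer above turns the per-packet `-T fields` output into objects but leaves the `-z conv,ip` statistics table as raw text. The script below is an added example, written for this page and not taken from the question, the answer, or the Wireshark project: it applies the same idea to both outputs, so each subnet in `$Subnets` gets a packet table and a sortable conversation table. It assumes `tshark.exe` is in the current directory (or on PATH), that `testingoutput.pcap` already exists, and that the conversation rows use the plain-number layout shown in the question; the function names `Get-TsharkFrames` and `Get-TsharkConversations` are hypothetical. It calls tshark with `&` and an argument array instead of `Invoke-Expression`, so the display filter is passed as one argument and is never re-parsed as PowerShell code.

```powershell
# Added example for this page (not the original poster's or answerer's code).
# Assumes: .\tshark.exe is present, testingoutput.pcap exists, and the
# -z conv,ip rows look like the plain-number rows shown in the question.
param(
    [string[]]$Subnets = @('10.201.0.0/24'),      # CIDR works in ip.addr == filters
    [string]$Pcap      = 'testingoutput.pcap',
    [string]$Tshark    = '.\tshark.exe'
)

# Per-packet view: request CSV with -T fields and let ConvertFrom-Csv build objects.
# -Y applies a single-pass display filter; -E quote=d keeps commas in Info safe.
function Get-TsharkFrames {
    param([string]$Pcap, [string]$DisplayFilter)
    $tsharkArgs = @('-r', $Pcap, '-T', 'fields',
        '-e', 'frame.number', '-e', 'frame.time_relative',
        '-e', 'ip.src', '-e', 'ip.dst', '-e', '_ws.col.Protocol',
        '-e', 'frame.len', '-e', '_ws.col.Info',
        '-E', 'header=y', '-E', 'separator=,', '-E', 'quote=d', '-E', 'occurrence=f')
    if ($DisplayFilter) { $tsharkArgs += @('-Y', $DisplayFilter) }
    & $Tshark @tsharkArgs | ConvertFrom-Csv | ForEach-Object {
        # Cast numeric columns so Sort-Object sorts numerically, not as strings.
        [pscustomobject]@{
            Frame    = [int]$_.'frame.number'
            Time     = [double]$_.'frame.time_relative'
            Source   = $_.'ip.src'
            Dest     = $_.'ip.dst'
            Protocol = $_.'_ws.col.Protocol'
            Length   = [int]$_.'frame.len'
            Info     = $_.'_ws.col.Info'
        }
    }
}

# Conversation view: parse the -z conv,ip text table into objects.
# -q suppresses the per-packet lines; conv,ip,<filter> restricts the statistic.
function Get-TsharkConversations {
    param([string]$Pcap, [string]$DisplayFilter)
    $stat = 'conv,ip'
    if ($DisplayFilter) { $stat += ",$DisplayFilter" }
    # Data rows (header and ==== lines do not contain "<->"):
    # 10.201.0.49 <-> 52.112.6.179  78 26413  11 6395  89 32808  0.000000000  0.8277
    # Assumption: plain byte counts as in the question; other tshark builds may
    # print units, in which case this pattern needs adjusting.
    $row = '^\s*(\S+)\s+<->\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)'
    & $Tshark '-r' $Pcap '-q' '-z' $stat | ForEach-Object {
        if ($_ -match $row) {
            [pscustomobject]@{
                A         = $Matches[1]
                B         = $Matches[2]
                InFrames  = [int]$Matches[3];  InBytes  = [long]$Matches[4]
                OutFrames = [int]$Matches[5];  OutBytes = [long]$Matches[6]
                Frames    = [int]$Matches[7];  Bytes    = [long]$Matches[8]
                Start     = [double]$Matches[9]
                Duration  = [double]$Matches[10]
            }
        }
    }
}

foreach ($net in $Subnets) {
    $filter = "ip.addr == $net"

    "== Packets matching $filter =="
    Get-TsharkFrames -Pcap $Pcap -DisplayFilter $filter |
        Format-Table Frame, Time, Source, Dest, Protocol, Length, Info -AutoSize

    "== Conversations matching $filter (largest first) =="
    Get-TsharkConversations -Pcap $Pcap -DisplayFilter $filter |
        Sort-Object Bytes -Descending |
        Format-Table A, B, Frames, Bytes, InBytes, OutBytes, Start, Duration -AutoSize
}
```

Because both functions emit objects rather than text, the output stays in the pipeline: you can `Where-Object { $_.Protocol -eq 'STUN' }`, `Group-Object Dest`, or `Export-Csv` the results instead of reading a wrapped console line. Keep `Write-Host` out of the loop for the reason the answer gives: it writes to the console and returns nothing downstream.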