There seems to be a bug with Tshark's -z conv,ip

I have tried a lot of things to list the IP conversations in a .cap file with Tshark. I can do it easily with *wireshark -> statistics -> conversations -> "ipv4" label*, so I assumed it would be just as easy with Tshark:

tshark -n -r "d:\test\test.cap" -z conv,ip,"ip.len>50" -t ad

However, after printing all the packets, tshark crashed: "Tshark has stopped working."

Is there really something wrong with tshark? ...or is it me?

You can use the -q option:
When reading a capture file, or when capturing and not saving to a file, don't print packet information; this may be useful if you're using a -z option to compute statistics and don't want the packet information printed, just the statistics.

tshark -r test2905a.pcap -q -z conv,ip,"ip.len>50"

See the man page for details.

I found something! The problem is that I used the -t ad expression:

ad absolute with date: The absolute date, displayed as YYYY-MM-DD, and time, as local time in your time zone, is the actual time and date the packet was captured

When I changed to the -t r expression:

r relative: The relative time is the time elapsed between the first packet and the current packet

tshark does not crash, and the relative time is a negative number, like "-6063.000000"!

So I guess -t ad is the culprit. However, when I use -z conv,tcp,[filter], Tshark does not crash.

!!!!!!!! -z conv,ip,[filter] + -t ad + negative time = BUG??!!
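Added example (not from the original thread, and not Wireshark/tshark code): a small pcap reader in Python that produces the same kind of per-address-pair table that `-z conv,ip,"ip.len>50"` prints, and that computes relative timestamps the way `-t r` does (elapsed time since the first packet in the file), so the negative relative time reported above can be reproduced without a real capture. The capture is constructed in memory and is not a real trace; the `ip.len>50` filter is applied as a comparison on the IPv4 total-length field; counting bytes as captured frame length and ordering the address pair as strings are this example's own conventions, not necessarily tshark's.

```python
import socket
import struct

# ---- constructed sample capture (built in memory, not a real trace) ------------

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def ipv4_frame(src, dst, ip_len, proto=6):
    """Ethernet/IPv4 frame with a zero-filled payload so that ip.len == ip_len."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip_hdr + bytes(ip_len - 20)

def build_pcap(records):
    """records: (ts_sec, ts_usec, frame) tuples -> little-endian pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

# Fourth record is timestamped before the first one, which is what makes -t r negative.
SAMPLE_PCAP = build_pcap([
    (1000,      0, ipv4_frame("10.0.0.1", "10.0.0.2", 60)),   # ip.len 60: passes ip.len>50
    (1000, 500000, ipv4_frame("10.0.0.2", "10.0.0.1", 40)),   # ip.len 40: dropped by ip.len>50
    (1001,      0, ipv4_frame("10.0.0.1", "10.0.0.3", 100)),
    ( 999,      0, ipv4_frame("10.0.0.3", "10.0.0.1", 80)),   # earlier than packet 1
])

# ---- parsing -----------------------------------------------------------------

def iter_packets(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap, either byte order."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def parse_ipv4(frame):
    """src/dst/len/proto of an IPv4 packet carried in an Ethernet frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "len": struct.unpack("!H", frame[16:18])[0], "proto": frame[23]}

def relative_times(data):
    """Each packet's time relative to the first packet in the file (what -t r shows)."""
    times = [ts for ts, _ in iter_packets(data)]
    return [round(t - times[0], 6) for t in times] if times else []

def ip_conversations(data, min_ip_len=0):
    """Per address-pair table in the shape of `tshark -z conv,ip,"ip.len>N"`.

    Keys are unordered address pairs; frames and bytes are kept per direction,
    bytes being captured frame length (this example's convention). start/end are
    relative to the first packet of the file, so they can be negative."""
    convs, t0 = {}, None
    for ts, frame in iter_packets(data):
        t0 = ts if t0 is None else t0
        rel = round(ts - t0, 6)
        ip = parse_ipv4(frame)
        if ip is None or not ip["len"] > min_ip_len:
            continue
        a, b = ip["src"], ip["dst"]
        key = (a, b) if a <= b else (b, a)
        c = convs.setdefault(key, {"frames_ab": 0, "bytes_ab": 0, "frames_ba": 0,
                                   "bytes_ba": 0, "start": rel, "end": rel})
        side = "ab" if (a, b) == key else "ba"
        c["frames_" + side] += 1
        c["bytes_" + side] += len(frame)
        c["start"], c["end"] = min(c["start"], rel), max(c["end"], rel)
    return convs

def format_table(convs):
    """Render the table roughly the way the tshark statistics output looks."""
    lines = [f"{'A':<10} {'B':<10} {'A->B':>12} {'B->A':>12} {'start':>12} {'duration':>10}"]
    for (a, b), c in sorted(convs.items()):
        lines.append(f"{a:<10} {b:<10} {c['frames_ab']:>4}/{c['bytes_ab']:<7} "
                     f"{c['frames_ba']:>4}/{c['bytes_ba']:<7} {c['start']:>12.6f} "
                     f"{c['end'] - c['start']:>10.6f}")
    return "\n".join(lines)

if __name__ == "__main__":
    print("relative times:", relative_times(SAMPLE_PCAP))
    print(format_table(ip_conversations(SAMPLE_PCAP, min_ip_len=50)))
```

The fourth packet's timestamp precedes the first packet's, so its relative time comes out as -1.0 and the conversation between 10.0.0.1 and 10.0.0.3 starts at a negative offset, which is the situation the "-6063.000000" output above describes; a capture with out-of-order timestamps is worth checking for before trusting any time-based statistics from it.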