  • tshark

    https://tshark.dev/

    https://github.com/pocc/tshark.dev

    How Is This Different from Wireshark Docs?

    Most Wireshark documentation focuses on the GUI. In its many forms, it spans two Wireshark guides, multiple forums, a wiki, man pages, developer email chains, etc. That is not to say the existing documentation is not good. You will find what you are looking for eventually.

    Being outside of the Wireshark project allows this website to cover topics that are external to it. Depending on the article, this can vary from scripting with bash or example usage of other programs. Tshark.dev and Wireshark docs are related but differ in their scopes.

    Wireshark Display Filter for Unique Source/Destination IP and Protocol

    When I've done that sort of thing before, I typically use tshark to extract the data and then other tools (Python, Perl, awk, etc.) to further refine the resulting data. So with that approach in mind, you could use this:

    tshark -r mysample.pcapng.gz -2 -Tfields -eip.src -eip.dst -eframe.protocols

    With that command line, you'll get exactly those fields, but be aware that some lines, such as those with ARP packets, won't have IP addresses (because they're not IP packets), and that IPv6 packets won't show IP addresses because those field names (ip.src and ip.dst) are only for IPv4. Here's sample output from a capture file I happened to have handy:

    10.68.40.152    224.0.0.252        eth:ethertype:ip:udp:dns
    10.68.40.119    255.255.255.255    eth:ethertype:ip:udp:db-lsp-disc
    10.68.40.119    10.68.41.255       eth:ethertype:ip:udp:db-lsp-disc
                                       eth:ethertype:arp
    10.68.40.152    224.0.0.252        eth:ethertype:ip:udp:dns
    10.68.40.65     10.68.41.255       eth:ethertype:ip:udp:nbns
                                       eth:ethertype:ipv6:ipv6.nxt:udp:dns
                                       eth:ethertype:ipv6:ipv6.nxt:udp:dns

    If you'd prefer to eliminate the non-IPv4 packets, just add a filter:

    tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols

    Under Linux (which is what I use), you can easily pipe the output of that into various other utility programs. For example, if you append this to that command line:

    | sort -n | uniq -c | sort -n

    You'll get a list, in ascending order of frequency, of each unique src, dst and proto combination present within your sample file.

    Wireshark Display Filter for Unique Source/Destination IP and Protocol

    I think you'll have to use tshark for this. One potential solution might be:

    `tshark -r file.pcap -Y ip -T fields -e ip.src -e ip.dst -e _ws.col.Protocol | sort | uniq`

    Note: If you want protocol numbers instead of protocol names, substitute -e ip.proto for _ws.col.Protocol, or use both if you prefer that.
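One way to do the post-processing step both answers describe, as an added example that is not part of either answer: the awk/sort/uniq pipeline runs over a constructed copy of the first answer's sample output (tab-separated, as real `tshark -T fields` output is), and drops the rows whose ip.src and ip.dst are empty (ARP, IPv6) in awk rather than with the `-R`/`-Y ip` capture-side filter.

```shell
#!/bin/sh
# Added example, not code from the quoted answers. The input is a constructed
# copy of the first answer's sample output; real `tshark -T fields` output is
# tab-separated, so the three fields are joined with tabs here as well.
sample_fields() {
    printf '%s\t%s\t%s\n' \
        10.68.40.152 224.0.0.252     eth:ethertype:ip:udp:dns \
        10.68.40.119 255.255.255.255 eth:ethertype:ip:udp:db-lsp-disc \
        10.68.40.119 10.68.41.255    eth:ethertype:ip:udp:db-lsp-disc \
        ''           ''              eth:ethertype:arp \
        10.68.40.152 224.0.0.252     eth:ethertype:ip:udp:dns \
        10.68.40.65  10.68.41.255    eth:ethertype:ip:udp:nbns \
        ''           ''              eth:ethertype:ipv6:ipv6.nxt:udp:dns \
        ''           ''              eth:ethertype:ipv6:ipv6.nxt:udp:dns
}

# Count each unique src/dst/protocol triple, least frequent first (the
# answers' `sort | uniq -c | sort -n` idea). Rows with an empty ip.src or
# ip.dst are non-IPv4 frames (ARP, IPv6) and are skipped; frame.protocols is
# reduced to its last element (e.g. "dns") so the triples are readable.
count_ipv4_triples() {
    awk -F'\t' '$1 != "" && $2 != "" {
        n = split($3, p, ":")
        print $1 "\t" $2 "\t" p[n]
    }' | sort | uniq -c | sort -n
}

# Equivalent to: tshark -r file.pcapng -T fields -e ip.src -e ip.dst \
#                       -e frame.protocols | count_ipv4_triples
sample_fields | count_ipv4_triples
```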

  • Original address: https://www.cnblogs.com/chucklu/p/13629420.html