List of articles
- 1. tshark
- 1.1 Install
- 1.2 Use
- 1.2.1 Description of capture parameters
- 1.2.2 Description of output parameters
- 1.3 Examples
- 2. tcpdump
- 2.1 Install
- 2.2 Use
1. tshark
1.1 Install
CentOS
yum install -y wireshark
Ubuntu
apt-get install -y tshark
1.2 Use
1.2.1 Description of capture parameters
The commonly used parameters are -i and -f.
-i  Set the network interface to capture on. If it is not set, it defaults to the first non-loopback interface.
-f  Set the capture filter expression. The capture filter syntax is the same as tcpdump's; see the relevant part of the tcpdump man page.
-D  List the currently existing network interfaces. When you do not know which network devices the OS has, run "tshark -D" first to find the interface number to pass to -i.
-s  Set the snapshot length of each captured packet. The default is 65535; data beyond this size is not written to memory or to the output file. (This parameter is the equivalent of tcpdump's -s; tcpdump's default snapshot length is only 68.)
-p  Make the network interface work in non-promiscuous mode, that is, only capture traffic related to this machine.
-B  Set the kernel buffer size. Only works on Windows.
-y  Set the data link layer protocol for capture. If it is not set, it defaults to the first protocol found by -L; on a LAN this is usually EN10MB or similar.
-L  List the data link layer protocols supported by this machine, for use with the -y parameter.
Examples of the -f parameter:
- Set the protocol type to listen for (must be lowercase):
-f udp/tcp/http
- Set the source IP:
-f "src host x.x.x.x"
- Set the source port:
-f "src port 80"
- Set the source IP and source port:
-f "src host x.x.x.x and src port xx"
- Set the destination IP:
-f "dst host x.x.x.x"
- Set the destination port:
-f "dst port xx"
- Set the destination IP and port:
-f "dst host x.x.x.x and port xx"
1.2.2 Description of output parameters
The commonly used parameters are -T and -l.
-w  Set the raw data output file.
-F  Set the format of the raw output data. The default is libpcap.
-V  Output the decoded result in full detail; otherwise only a one-line summary is shown per packet.
-x  In the decoded output, display a HEX dump of the packet data after each packet.
-T  Set the format of the decoded output, including text, ps, psml, pdml and fields (used in the examples below). The default is text.
-t  Set the time format of the decoded result: "ad" is absolute time with date, "a" is absolute time without date, "r" is the time relative to the first packet, "d" is the delta between two adjacent packets.
-S  While writing the raw output file, also print the decoded results to the console.
-l  Flush the output as each packet is processed.
-X  Extensions.
-q  Quiet stdout output (for example when doing statistics).
-z  Set statistics parameters.
1.3 Examples
- Print in real time the URL of each current HTTP request:
tshark -i eth0 -n -f "tcp dst port 80" -T fields -e http.host -e http.request.uri -l
- Print in real time the current MySQL query statements:
tshark -i eth0 -n -f "tcp dst port 3306" -T fields -e mysql.query
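As an added example (not from the original post), a small Python script that consumes what the first command above prints. With -T fields, tshark writes one line per packet with the -e fields separated by a tab, and packets matched by the "tcp dst port 80" filter that carry no HTTP request yield empty fields. The sample lines are constructed; the script tallies requests per host and per host+URI, a quick way to spot an unexpected destination host in a capture.

```python
import sys
from collections import Counter

# Constructed sample of what
#   tshark ... -T fields -e http.host -e http.request.uri -l
# prints: one line per packet, fields separated by a tab (the default
# separator for -T fields). Plain TCP segments have no HTTP fields, so
# they show up as empty fields or an empty line.
SAMPLE_OUTPUT = (
    "example.com\t/index.html\n"
    "example.com\t/login\n"
    "\t\n"
    "cdn.example.net\t/a.js\n"
    "example.com\t/login\n"
    "\n"
)


def parse_fields_line(line, nfields=2, sep="\t"):
    """Split one -T fields line into exactly nfields strings.

    Missing trailing fields are padded with "" so a short or empty line
    cannot raise. A field that occurs more than once in one packet is
    joined by tshark with "," (its default -E aggregator); keep the first.
    """
    parts = line.rstrip("\n").split(sep)
    parts = (parts + [""] * nfields)[:nfields]
    return [p.split(",")[0] for p in parts]


def summarize_http_requests(text):
    """Count requests per host and per (host, uri) from tshark field output.

    Returns (host_counter, uri_counter); lines with an empty host are skipped.
    """
    hosts, uris = Counter(), Counter()
    for line in text.splitlines(True):
        host, uri = parse_fields_line(line)
        if not host:
            continue
        hosts[host] += 1
        uris[(host, uri)] += 1
    return hosts, uris


if __name__ == "__main__":
    hosts, uris = summarize_http_requests(sys.stdin.read())
    for host, n in hosts.most_common():
        print(f"{n:6d}  {host}")
    print("top URIs:")
    for (host, uri), n in uris.most_common(5):
        print(f"{n:6d}  {host}{uri}")
```

Run it live by piping the tshark command above into the script (`tshark ... -l | python3 summarize.py`); the -l flag matters, otherwise tshark buffers its output and nothing arrives until the buffer fills.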
2. tcpdump
tcpdump is also a packet capture tool, but it is not as convenient to use as tshark, so only a brief introduction is given here.
2.1 Install
CentOS
yum install -y tcpdump
Ubuntu
apt-get install -y tcpdump
2.2 Use
- Capture packets sent or received on the interface eth0:
tcpdump -i eth0
- Capture all packets related to the host xx.xx.xx.xx:
tcpdump host xx.xx.xx.xx
- Capture TCP packets on port 80:
tcpdump tcp port 80