
Command-line flow-based pcap file viewer tool


I need some command-line tool that prints a captured pcap file flow by flow, like this: src-ip src-port dst-ip dst-port protocol (tcp / udp) duration number of packets. Right now I use captcp and it is perfect, but it has one major problem: it is not designed for UDP traffic, and you get an error when you run it on a pure UDP pcap file.

I need something like this (it is CAPTCP but with support for UDP).

I am eager to get all your comments, but best of all would be the tools that produce this!

2 Answers

  • 0

    You can use tshark to read the PCAP file and write an aggregation script. This is not an option for large PCAP files (several GB), but the following worked in my tests:

    #!/bin/sh
    PCAP="mypackets.pcap"
    
    # List every distinct "src,dst" address pair seen in UDP packets.
    # tshark joins repeated fields with ','. Note that an ICMP error such as
    # "Port unreachable" embeds the original IP header, so for those packets
    # ip.addr holds four values and the first/last split below picks the
    # outer source and the inner destination (hence the odd
    # "192.168.0.19 -> 192.168.0.19" group in the output).
    tshark -r "$PCAP" -Y udp -T fields -e ip.addr |
    sort -u |
    while read -r x; do
        left=${x%%,*}
        right=${x##*,}
        echo
        echo "=================="
        echo "$left -> $right"
        # Print every packet of this direction; -Y is the display filter.
        tshark -r "$PCAP" -Y "ip.src==$left and ip.dst==$right" -T text 2>/dev/null
    done
    

    Results for the internal IP (redacted in a few places):

    192.168.0.1 -> 192.168.0.19
      5 0.905186262  192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
      6 0.905274977 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
    773 54.218903171  192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
    774 54.218991396 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
    
    ==================
    192.168.0.19 -> 192.168.0.19
      6 0.905274977 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
    774 54.218991396 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
    
    ==================
    192.168.0.19 -> 8.8.8.8
      7 7.527339007 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x3321 A
      8 7.527426252 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xcbe7 AAAA
      9 7.527479187 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xc470 A
     60 7.865822939 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xe7f7 A
     61 7.865862640 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xf994 AAAA
    137 7.993523685 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x580c A
    138 7.993563877 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x1da8 AAAA
    149 8.050389092 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xf953 A
    150 8.050429283 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xba7c AAAA
    156 8.095814170 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xd808 A
    157 8.095853871 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x27bf AAAA
    160 8.134157723 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x5970 A
    161 8.134196444 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xc00f AAAA
    176 8.156413943 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xfe0c A
    177 8.156432568 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x8fa1 AAAA
    180 8.187659798 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x9870 A
    181 8.187698028 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xb453 AAAA
    
    ==================
    8.8.8.8 -> 192.168.0.19
     10 7.552742408      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x3321 A
     11 7.555262701      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xc470 A
     13 7.559084313      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xcbe7 AAAA
     69 7.893370696      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xf994 AAAA
     70 7.895752770      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xe7f7 A
    139 8.016281317      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x580c A
    140 8.017124846      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x1da8 AAAA
    154 8.073028600      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xf953 A
    155 8.078469630      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xba7c AAAA
    158 8.121705259      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x27bf AAAA
    159 8.123310463      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xd808 A
    162 8.149581409      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x5970 A
    163 8.150471991      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xc00f AAAA
    178 8.180086664      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xfe0c A
    179 8.180913038      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x8fa1 AAAA
    212 8.216175579      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xb453 AAAA
    213 8.217023519      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x9870 A
    

    You can then edit the last call to tshark: instead of -T text, add -T fields and several -e options to get only the fields you need. For example, you can add another while loop to aggregate and count the number of packets (tshark always prints one packet per line).
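One way to do the aggregation the answer above leaves to the reader, as an added example that is not part of the original answer: feed `tshark -T fields` output into a small Python script that groups packets into bidirectional UDP/TCP flows and prints the `src-ip src-port dst-ip dst-port protocol duration packets` line the question asks for. The tshark invocation in the docstring (field order and tab separator) is the assumed input format; the `SAMPLE` lines are constructed to look like that output, including one ICMP "Port unreachable" record whose repeated `ip.*` fields show why the outer header has to be picked explicitly.

```python
#!/usr/bin/env python3
"""Aggregate tshark field output into per-flow summary lines.

Added example (not from the original post). Assumed producer:

    tshark -r file.pcap -Y "udp or tcp" -T fields -E separator=/t \
        -e frame.time_relative -e ip.src -e ip.dst -e ip.proto \
        -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport \
        | python3 flows.py

Run with --demo to use the constructed SAMPLE lines instead of stdin.
"""
import sys

PROTO_NAMES = {"6": "tcp", "17": "udp"}


def outer(value):
    """tshark joins repeated occurrences of a field with ','. An ICMP error
    carries the original IP header, so ip.src/ip.dst/ip.proto appear twice;
    the outer (first) header is the one that describes the packet on the wire."""
    return value.split(",")[0]


def parse_record(line):
    """Return (ts, src, sport, dst, dport, proto) or None if the line is not
    a plain UDP/TCP packet (e.g. an ICMP error that merely contains a UDP header)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        return None
    ts, src, dst, proto, usp, udp, tsp, tdp = fields
    name = PROTO_NAMES.get(outer(proto))
    if name is None:
        return None
    sport, dport = (usp, udp) if name == "udp" else (tsp, tdp)
    if not sport or not dport:  # e.g. a non-first IP fragment without a L4 header
        return None
    return float(ts), outer(src), int(sport), outer(dst), int(dport), name


class Flow:
    """One bidirectional flow; src/dst are taken from the first packet seen."""

    def __init__(self, src, sport, dst, dport, proto, ts):
        self.src, self.sport, self.dst, self.dport, self.proto = src, sport, dst, dport, proto
        self.first_ts = self.last_ts = ts
        self.packets = 0

    def duration(self):
        return self.last_ts - self.first_ts


def aggregate(lines):
    """Group parsed records into flows keyed on (proto, sorted endpoints)."""
    flows = {}  # dict preserves first-seen order, which is the output order
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport, proto = rec
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src, sport, dst, dport, proto, ts)
        flow.first_ts = min(flow.first_ts, ts)
        flow.last_ts = max(flow.last_ts, ts)
        flow.packets += 1
    return list(flows.values())


def format_flow(f):
    return f"{f.src} {f.sport} {f.dst} {f.dport} {f.proto} {f.duration():.6f} {f.packets}"


# Constructed sample in the assumed tshark -T fields layout: two DNS exchanges,
# a short TCP flow, and one ICMP port-unreachable record with doubled ip.* fields.
SAMPLE = [
    "7.527339007\t192.168.0.19\t8.8.8.8\t17\t51823\t53\t\t",
    "7.552742408\t8.8.8.8\t192.168.0.19\t17\t53\t51823\t\t",
    "7.527426252\t192.168.0.19\t8.8.8.8\t17\t51824\t53\t\t",
    "7.559084313\t8.8.8.8\t192.168.0.19\t17\t53\t51824\t\t",
    "10.000000000\t192.168.0.19\t93.184.216.34\t6\t\t\t44210\t80",
    "10.050000000\t93.184.216.34\t192.168.0.19\t6\t\t\t80\t44210",
    "10.100000000\t192.168.0.19\t93.184.216.34\t6\t\t\t44210\t80",
    "0.905274977\t192.168.0.19,192.168.0.1\t192.168.0.1,192.168.0.19\t1,17\t137\t137\t\t",
]

if __name__ == "__main__":
    source = SAMPLE if "--demo" in sys.argv[1:] else sys.stdin
    for flow in aggregate(source):
        print(format_flow(flow))
```

Keying on the sorted endpoint pair merges request and response into one flow, so the DNS query and its answer count as one UDP flow of two packets; the ICMP record is dropped because its outer `ip.proto` is 1, which is the same record that produced the spurious `192.168.0.19 -> 192.168.0.19` group in the shell version above. IPv6 traffic would need `ipv6.src`/`ipv6.dst` added to the field list.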

  • 0

    You can use TShark Statistics:
    tshark -r yourfile.pcap -q -z conv,udp

    TShark is part of the Wireshark distribution.
    You can also use SplitCap to split the file.
    See also:
    SplitCap and TShark
    Wireshark Statistics
