Introduction
The command-line version of Wireshark, similar to tcpdump.
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.
Building
See https://www.yuque.com/zzqcn/wireshark/pylrcy.
$ mkdir -p wireshark_build
$ cd wireshark_build/
$ cmake -G Ninja -DCMAKE_BUILD_TYPE=Debug -DBUILD_wireshark=off -DENABLE_LUA=on <wireshark>
$ ninja
Basic options
pcap files
Capturing
Filters
Exporting results
Statistics
Protocol hierarchy statistics
$ ./tshark -z io,phs -r ~/pcap/http_gnu.pcap
Protocol Hierarchy Statistics
Filter:

eth                                      frames:49 bytes:35163
  ip                                     frames:49 bytes:35163
    tcp                                  frames:49 bytes:35163
      http                               frames:10 bytes:6523
        data-text-lines                  frames:2 bytes:2617
          tcp.segments                   frames:1 bytes:1203
        png                              frames:1 bytes:1174
          tcp.segments                   frames:1 bytes:1174
        image-jfif                       frames:1 bytes:267
          tcp.segments                   frames:1 bytes:267
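As an added example (not part of this page or of tshark itself), a small Python parser for the indentation-based `-z io,phs` output shown above; it turns each line into a protocol path with its frame and byte counts and flags protocols outside an allow-list, a simple baseline check on a capture. The sample output and the allow-list are constructed for the example.

```python
import re

# Sample `tshark -z io,phs` output, constructed from the capture shown on this page.
PHS_OUTPUT = """\
Protocol Hierarchy Statistics
Filter:

eth                                      frames:49 bytes:35163
  ip                                     frames:49 bytes:35163
    tcp                                  frames:49 bytes:35163
      http                               frames:10 bytes:6523
        data-text-lines                  frames:2 bytes:2617
          tcp.segments                   frames:1 bytes:1203
        png                              frames:1 bytes:1174
          tcp.segments                   frames:1 bytes:1174
        image-jfif                       frames:1 bytes:267
          tcp.segments                   frames:1 bytes:267
"""

LINE_RE = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)\s*$")


def parse_phs(text):
    """Return a list of (path, frames, bytes); path is e.g. 'eth/ip/tcp/http'.
    Nesting is recovered from leading indentation (tshark indents two spaces per level)."""
    rows = []
    stack = []  # (indent, name) of the ancestors of the current line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # title, 'Filter:' and blank lines carry no counts
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:  # climb back to the parent level
            stack.pop()
        stack.append((indent, m.group(2)))
        rows.append(("/".join(n for _, n in stack), int(m.group(3)), int(m.group(4))))
    return rows


def unexpected_protocols(rows, allowed):
    """Protocol names present in the capture but not in the allow-list (constructed baseline)."""
    return sorted({p.rsplit("/", 1)[-1] for p, _, _ in rows} - set(allowed))


if __name__ == "__main__":
    rows = parse_phs(PHS_OUTPUT)
    for path, frames, nbytes in rows:
        print(f"{path:45} frames={frames:<4} bytes={nbytes}")
    print("unexpected:", unexpected_protocols(rows, {"eth", "ip", "tcp", "http", "tcp.segments"}))
```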
Packet length statistics
$ ./tshark -z plen,tree -r ~/pcap/http_gnu.pcap
Packet Lengths:
Topic / Item        Count  Average  Min Val  Max Val  Rate (ms)  Percent  Burst Rate  Burst Start
----------------------------------------------------------------------------------------------------
Packet Lengths      49     717.61   54       1448     0.0094     100%     0.1400      0.619
 0-19               0      -        -        -        0.0000     0.00%    -           -
 20-39              0      -        -        -        0.0000     0.00%    -           -
 40-79              20     56.40    54       66       0.0038     40.82%   0.0500      0.619
 80-159             0      -        -        -        0.0000     0.00%    -           -
 160-319            1      267.00   267      267      0.0002     2.04%    0.0100      1.618
 320-639            6      410.83   375      466      0.0011     12.24%   0.0200      0.990
 640-1279           2      1188.50  1174     1203     0.0004     4.08%    0.0100      0.634
 1280-2559          20     1446.30  1414     1448     0.0038     40.82%   0.0700      0.633
 2560-5119          0      -        -        -        0.0000     0.00%    -           -
 5120 and greater   0      -        -        -        0.0000     0.00%    -           -
