Examples of using the WIRESHARK network traffic analyzer under Linux
source: http://white55.narod.ru/iris.html
tshark -i eth0 icmp - ICMP traffic only.
tshark -i eth0 'not broadcast and not multicast' - Without broadcast and multicast.
tshark -i eth0 'port 80' - UDP and TCP traffic on port 80.
tshark -i eth0 'tcp port 80' - HTTP traffic only.
tshark -i eth0 'tcp port 110 or tcp port 25' - Mail traffic only.
tshark -i eth0 'host yandex.ru' - Traffic to/from yandex.ru.
tshark -i eth0 'host 212.245.4.23' - Only traffic to/from IP 212.245.4.23.
tshark -i eth0 'not host 212.245.4.23' - Excluding traffic to/from that IP.
tshark -i eth0 'not host 192.168.0.100 and not icmp' - Excluding IP 192.168.0.100 and ICMP traffic.
tshark -i eth0 'host 212.245.4.23' -w 'log.txt' - The same, written to the file log.txt.
tshark -i eth0 'host 212.245.4.23' -w 'log.txt' -S - Written to the file log.txt and also displayed on screen.
tshark -r 'log.txt' -w 'visnet.txt' -F visual - Convert the file log.txt to Visual Network Traffic Capture format.
tshark -r 'log.txt' - Process the previously recorded file log.txt.
tshark -r 'log.txt' -V | more - The same, with detailed output, paged.
tshark -r 'log.txt' -V > 'output.txt' - The same, with the results written to the file output.txt.
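The commands above capture to a file and read it back; the script below, an added example that is not from the original page, combines them into a bounded capture of mail traffic (-f, -p, -a duration, -w) followed by field extraction (-r, -R, -T fields, -e, -E) and a per-source-host summary that is useful when reviewing a capture. The interface eth0, the file /tmp/mail.pcap and the sample field lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Uses only options listed in
# the tshark -h text on this page; file names and sample data are constructed.

# Capture mail traffic (tcp ports 25/110, as in the examples above) for at
# most 60 seconds into the pcap named by $1. -p disables promiscuous mode, so
# only frames addressed to this host are recorded.
capture_mail() {
    tshark -i eth0 -p -f 'tcp port 110 or tcp port 25' -a duration:60 -w "$1"
}

# Read the pcap back and print source, destination and destination port as
# tab-separated fields with no header (-T fields / -E options from the help).
# -n keeps name resolution off so no DNS queries are sent while analysing.
extract_fields() {
    tshark -r "$1" -n -R 'tcp' -T fields -e ip.src -e ip.dst -e tcp.dstport \
        -E header=n -E separator=/t
}

# Count records per source host on tab-separated stdin and print
# "count<TAB>host", most active host first. Works on extract_fields output
# or any saved file in the same format.
summarize_talkers() {
    awk -F '\t' 'NF >= 3 && $1 != "" { n[$1]++ }
                 END { for (h in n) printf "%d\t%s\n", n[h], h }' |
        sort -rn
}

# Constructed sample of extract_fields output, used when tshark is absent.
SAMPLE_FIELDS=$(printf '192.168.0.100\t212.245.4.23\t25\n192.168.0.100\t212.245.4.23\t110\n192.168.0.7\t212.245.4.23\t25')

# Most active source host in the constructed sample (a single "count\thost" line).
top_talker() {
    printf '%s\n' "$SAMPLE_FIELDS" | summarize_talkers | head -n 1
}

# Run the live pipeline only when asked for explicitly and tshark exists;
# otherwise demonstrate the summary on the constructed sample.
if [ "${1:-}" = "--run" ] && command -v tshark >/dev/null 2>&1; then
    capture_mail /tmp/mail.pcap
    extract_fields /tmp/mail.pcap | summarize_talkers
else
    top_talker
fi
```

Run with `--run` on a host with tshark to capture live; without it the script only summarizes the embedded sample.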
Reference information
# tshark -h
TShark 1.0.15
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2010 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mntC"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
-C <config profile> start with specified configuration profile
-F <output file type> set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields format of text output (def: text)
-e <field> field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X <key>:<value> eXtension options, see the man page for details
-z <statistics> various statistics, see the man page for details
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o <name>:<value> ... override preference setting
Show network interfaces
# tshark -D
1. eth0
2. eth1
3. any (Pseudo-device that captures on all interfaces)
4. lo