标签 tshark 下的文章

“”

列出当前存在的网络接口

tshark -D
  1. ciscodump (Cisco remote capture)
  2. dpauxmon (DisplayPort AUX channel monitor capture)
  3. randpkt (Random packet generator)
  4. sdjournal (systemd Journal Export)
  5. sshdump (SSH remote capture)
  6. udpdump (UDP Listener remote capture)

    sudo tshark -D

Running as user "root" and group "root". This could be dangerous.

  1. eth0
  2. any
  3. lo (Loopback)
  4. docker0
  5. nflog
  6. nfqueue
  7. usbmon1
  8. ciscodump (Cisco remote capture)
  9. dpauxmon (DisplayPort AUX channel monitor capture)
  10. randpkt (Random packet generator)
  11. sdjournal (systemd Journal Export)
  12. sshdump (SSH remote capture)
  13. udpdump (UDP Listener remote capture)

tshark对指定网卡监听,抓包

sudo tshark -i <interface>

抓取网卡eth0的流量并写入capture123.pcap

tshark -i eth0 -w capture123.pcap

读取之前的文件capture123.pcap

tshark -i eth0 -r capture123.pcap

抓取网卡eth0的流量10分钟

tshark -i eth0 -a duration:600

注: 默认时间单位为秒

抓取网卡eth0的10000个数据包

tshark -c 10000 -i eth0

抓取网卡eth0涉及192.168.1.1的流量报文

tshark -i eth0 -f "host 192.168.1.1"

注: 与wireshark、tcpdump一致,均使用BPF过滤表达式
抓取网卡eth0指定协议的流量报文

tshark -i eth0 -f "<协议名>"

协议名可以为: tcp, udp, dns, icmp, http等

实时打印当前mysql查询语句

tshark -s 512 -i eth1 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query

说明:

-s 512 :只抓取前512个字节数据
-i eth0 :监听eth0网卡
-n :禁止域名解析
-f ‘tcp dst port 3306’ :只捕捉协议为tcp,目的端口为3306的数据包
-R ‘mysql.query’ :过滤出mysql.query查询语句的报文
-T fields -e mysql.query :打印mysql查询语句
实时打印当前http请求的url(包括域名)

tshark -s 512 -i eth1 -n -f 'tcp dst port 8000' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d 't'

说明:

-s 512 :只抓取前512个字节数据
-i eth1 :监听eth1网卡
-n :禁止网络对象名称解析
-f ‘tcp dst port 8000’ :只捕捉协议为tcp,目的端口为8000的数据包
-R ‘http.host and http.request.uri’ :过滤出http.host和http.request.uri
-T fields -e http.host -e http.request.uri :打印http.host和http.request.uri
-l :输出到标准输出
读取之前抓包文件进行报文数据分析
需要从抓包的文件evidence04.pcap中提取出报文相关数据信息,如时间、源IP、目的IP、协议名、源Port、標Port、包大小等信息,最后输出到csv文件。

tshark -r evidence.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e frame.len -E header=n -E separator=, -E quote=n -E occurrence=f > output.csv

说明:

-r evidence.pcap 需要分析的报文记录文件(pcap格式)
-T fields 输出格式,选fields按字段,也可以选json等其他格式,需结合-e 及 -E使用
-e frame.time_relative 取出封包的相对时间
-e ip.src 提取源IP
-e ip.dst 提取目的IP
-e ip.proto 提取协议名
-e tcp.srcport 提取源Port
-e tcp.dstport 提取目的Port
-e frame.len 提取数据帧大小
-E header=n 是否输出字段名称(cvs的第1行)
-E separator=, 指定分割符,/t是tab,/s是一格空格
-E quote=n 指定是否对字段用引号,d是双引号,s是单引号,n是不用
-E occurrence=f 多值时是否保留,f是第一个值,l是最后一个值,a是所有值都列出,默认全部
output.csv 输出文件路径及名称
DNS报文过滤
使用tshark过滤dns cap包中源ip、目的ip、request请求

tshark -r test.cap -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -R 'udp.dstport==53 || dns'
说明:

-r test.pcap 需要分析的报文记录文件(pcap格式)
-T fields 输出格式,选fields按字段,也可以选json等其他格式,需结合-e 及 -E使用
-e frame.time 提取数据帧时间
-e ip.src 提取源IP
-e ip.dst 提取目的IP
-e dns.qry.name 提取dns查询的域名信息
-R 'udp.dstport==53 || dns' 显示过滤,仅对udp目标端口为53或者dns协议的报文进行处理
默认直接显示在终端上,不记录文件。

tshark: Couldn't run /usr/bin/dumpcap in child process: Permission denied
解决办法:
On Debian and Debian derivatives such as Ubuntu, if you have installed Wireshark from a package, 1.try running

sudo dpkg-reconfigure wireshark-common

selecting "<Yes>" in response to the question

2.adding yourself to the "wireshark" group by running

sudo usermod -a -G wireshark {your username}
  1. then logging out and logging back in again.

tshark 示例

tshark -T ek -e data.data -i eth0 "udp port 12345"

Capturing on 'eth0'
{"index" : {"_index": "packets-2022-03-03", "_type": "pcap_file"}}
{"timestamp" : "1646291304083", "layers" : {"data_data": ["ff:ff:00:b0:e1:3e:c9:42:6f:32:01:19:21:23:07:10:27:12:49:bd:ad:cb:d5:32:01:00:01:00:40:32:01:62:19:61:61:29:82:20:19:10:21:20:29:10:21:cb:d5:42:31:53:30:36:30:00:00:00:00:00:00:01:00:00:2e:11:0f:04:02:00:1c:00:00:05:d0:a1:d0:cd:c6:fb:b3:b5:00:00:00:00:00:00:00:00:32:34:31:35:31:34:54:00:00:00:00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:bd:ad:cb:d5:32:01:00:01:17:40:32:01:19:21:23:07:10:27:12:49:20:19:10:21:20:29:10:21:cb:d5:42:31:53:30:36:30:00:00:00:00:00:00:01:ff:ff:ff:ff:ff:ff:ff:20:01:00:00:00:00:85:59"]}}
{"index" : {"_index": "packets-2022-03-03", "_type": "pcap_file"}}
{"timestamp" : "1646291304084", "layers" : {"data_data": ["ff:ff:00:10:f1:00:3e:c9:42:6f:32:01:19:21:23:07:10:27:12:49:61:b9"]}}

tshark 高端用法
tshark结合elasticsearch分析WIFI网络流量
https://harrunisk.github.io/2018-09-12-ElasticWifiAnalysisEn/

  • Tshark captures wireless packets by using filters.

    tshark -a duration:600 -i phy0.mon -t ad -t ad -lT fields -E separator=, -E quote=d -e _ws.col.Time -e wlan.fc.type -e wlan.fc.type_subtype -e radiotap.dbm_antsignal -e frame.len -e radiotap.datarate > tshark.csv

  • Tshark writes captured wireless packets as .csv.
  • Filebeat listens .csv file sends to Logstash.
  • Logstash filters data again and sends to Elasticsearch.
  • Analyze data by using Kibana. Dashboard, graph etc.

架构图

tshark 输出csv格式数据
命令

tshark -a duration:6 -t ad -t ad  -Tfields -E separator=, -E quote=d -e ip.src -e ip.dst -e data.len -i eth0 "udp port 12345"

结果

"61.54.103.229","172.18.73.109","182"
"172.18.73.109","61.54.103.229","22"
"61.153.149.53","172.18.73.109","182"
"172.18.73.109","61.153.149.53","22"
"223.112.138.246","172.18.73.109","182"
"172.18.73.109","223.112.138.246","22"

tshark支持将pcap报文分析后生成json文件导入elasticsearch,同时支持elasticsearch的批量导入接口_bulk的格式,命令如下:

tshark -r test_trace.pcap -T ek > test_trace.pcap.json

之后可以将json文件通过curl导入。

curl -s -H "Content-Type: application/x-ndjson" -XPOST "localhost:9200/foo/_bulk" --data-binary "@/Users/test-elastic/test_trace.pcap.json"

网络流量回溯分析(https://paper.seebug.org/427/

ubuntu20 安装最新版的wireshark/tshark
默认的tshark 版本还是2.6.10

tshark -v

TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

tshark -v 

TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

安装最新的
可选

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt update
sudo apt -y install wireshark tshark
tshark -v

TShark (Wireshark) 3.4.8 (Git v3.4.8 packaged as 3.4.8-1~ubuntu20.04.0+wiresharkdevstable1)

wireshark/tshark相关权限配置

sudo usermod -a -G wireshark $USER
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Then verify it by submitting command line :

sudo getcap /usr/bin/dumpcap

/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
tshark -G elastic-mapping
Starting with Wireshark 3.0.0rc1, TShark can now generate an Elasticsearch mapping file by using the -G elastic-mapping option.
Analyzing Network Packets with Wireshark, Elasticsearch, and Kibana
https://www.elastic.co/cn/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana