Question

我需要一些命令行工具，它按如下方式打印基于流的捕获的pcap文件： src-ip src-port dst-ip dst-port protocol（tcp / udp）duration number-of-packet 现在，我使用captcp它是完美的，但它有一个主要问题：它不是为UDP流量设计的，运行纯UDP pcap文件时会出错。

I need something like this(it is CAPTCP but with support to UDP)

我渴望得到你的所有评论，但最好的是它们产生的工具！

Answer 1

您可以使用 tshark 来读取PCAP文件并编写聚合脚本。这不是大型PCAP文件（几GB）的选项，但以下工作在我的测试中：

#!/bin/sh
PCAP="mypackets.pcap"

tshark -r "$PCAP" -T fields -e ip.addr udp | 
sort |
uniq |
while read x; do
    left=${x%%,*};
    right=${x##*,};
    echo;
    echo "==================";
    echo "$left -> $right";
    tshark -r "$PCAP" -T text ip.src==$left and ip.dst==$right 2>/dev/null;
done

内部IP的结果（在几个地方审查）：

192.168.0.1 -> 192.168.0.19
  5 0.905186262  192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
  6 0.905274977 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
773 54.218903171  192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
774 54.218991396 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)

==================
192.168.0.19 -> 192.168.0.19
  6 0.905274977 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)
774 54.218991396 192.168.0.19 -> 192.168.0.1  ICMP 120 Destination unreachable (Port unreachable)

==================
192.168.0.19 -> 8.8.8.8
  7 7.527339007 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x3321 A
  8 7.527426252 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xcbe7 AAAA
  9 7.527479187 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xc470 A
 60 7.865822939 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xe7f7 A
 61 7.865862640 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xf994 AAAA
137 7.993523685 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x580c A
138 7.993563877 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x1da8 AAAA
149 8.050389092 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xf953 A
150 8.050429283 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xba7c AAAA
156 8.095814170 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xd808 A
157 8.095853871 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x27bf AAAA
160 8.134157723 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x5970 A
161 8.134196444 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xc00f AAAA
176 8.156413943 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xfe0c A
177 8.156432568 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x8fa1 AAAA
180 8.187659798 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0x9870 A
181 8.187698028 192.168.0.19 -> 8.8.8.8      DNS 79 Standard query 0xb453 AAAA

==================
8.8.8.8 -> 192.168.0.19
 10 7.552742408      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x3321 A
 11 7.555262701      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xc470 A
 13 7.559084313      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xcbe7 AAAA
 69 7.893370696      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xf994 AAAA
 70 7.895752770      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xe7f7 A
139 8.016281317      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x580c A
140 8.017124846      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x1da8 AAAA
154 8.073028600      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xf953 A
155 8.078469630      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xba7c AAAA
158 8.121705259      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x27bf AAAA
159 8.123310463      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xd808 A
162 8.149581409      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x5970 A
163 8.150471991      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xc00f AAAA
178 8.180086664      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xfe0c A
179 8.180913038      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x8fa1 AAAA
212 8.216175579      8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xb453 AAAA
213 8.217023519      8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x9870 A

然后，您可以修改对 tshark 的最后一次调用，而不是-T text您可以添加-Tfields和多个-e选项，以便只获取您需要的字段。例如，您可以添加另一个while聚合来计算数据包的数量（tshark将始终在一行上输出数据包）。

Answer 2

您可以使用TShark Statistics：
tshark -r yourfile.pcap -q -z conv，udp

TShark是Wireshark distribution的一部分您也可以使用SplitCap分割文件另见：
SplitCap and TShark
Wireshark Statistics

基于命令行流的pcap文件查看器工具

2 个答案: