如何在tshark函数tshark管道后添加管道

时间:2016-10-06 15:34:04

标签: awk sed pipe tshark

我想使用tshark来查找不属于我的目标或源IP。为此,我使用(ip-ifconfigifconfig提供我的IP)

# tshark -T fields -e ip.addr -E aggregator=" " | sed "s/$(ip-ifconfig)//"
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Capturing on 'wlp3s0'
**5500** 

我得到了抓包的数量。我想改用IP。

可能必须使用awk操作输出。

没有sed管道的此命令的输出是IP列表

2 个答案:

答案 0 :(得分:2)

我在寻找tshark -l

 -l        Flush the standard output after the information for each packet is printed.  (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-
           buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a
           packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering.  We do this as a workaround for a deficiency in the Microsoft
           Visual C++ C library.)

           This may be useful when piping the output of TShark to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon
           as TShark sees the packet and generates that output, rather than seeing it only when the standard output buffer containing that data fills up.

答案 1 :(得分:1)

命令sed "s/$(ip-ifconfig)//"只是用空字符串替换您的IP地址。这可能不是你想要的。另外,我不知道ip-ifconfig命令,我假设它给你一个IP地址。

实现此目的的一种粗略方法是禁止包含您的IP地址的所有行,例如:以下两个例子中的一个:

tshark -T fields -e ip.addr -E aggregator=" " | grep -v "$(ip-ifconfig)"
tshark -T fields -e ip.addr -E aggregator=" " | sed "/$(ip-ifconfig)/d"

这个解决方案虽然不是很强大。如果您的IP地址是192.168.1.1,那么上面的模式也将匹配192.168.1.10或192.168.1.123。您可以使用尖括号匹配整个单词:

tshark -T fields -e ip.addr -E aggregator=" " | grep -vE "\<$(ip-ifconfig)\>"
tshark -T fields -e ip.addr -E aggregator=" " | sed "/\<$(ip-ifconfig)\>/d"

这应该在大部分时间都有效。请注意,理想情况下,IP地址中的点应该被转义,否则它将被用作正则表达式中的匹配所有字符。

最后,你可以简单地使用tshark中的显示过滤器:

tshark -T fields -e ip.addr -E aggregator=" " -Y "ip.addr != $(ip-ifconfig)"

这可以让你构建相当复杂的过滤器。