How to unmask websockets when using tcpdump or tshark?

Time: 2017-04-11 06:28:09

Tags: bash websocket wireshark tcpdump tshark

Without having to start Wireshark afterwards, or to store the packets and analyse them later.

How can I view this live, without the garbled output that websockets produce?

tcpdump -nnXSs 0 port 1234

2 answers:

Answer 0 (score: 1)

That feature was removed in Wireshark version 2.0.

So you have to fetch the following packages from Ubuntu trusty 14.04 and install them:

sudo dpkg -i wireshark-common_1.10.6-1_amd64.deb tshark_1.10.6-1_amd64.deb libwireshark3_1.10.6-1_amd64.deb libwsutil3_1.10.6-1_amd64.deb libwiretap3_1.10.6-1_amd64.deb libgnutls26_2.12.23-12ubuntu2.7_amd64.deb libgcrypt11_1.5.3-2ubuntu4.4_amd64.deb

Fix dependencies:

sudo apt install -f

Disable updates:

sudo apt-mark hold tshark

Command to dump the content:

Answer 1 (score: 1)

tshark -r out.pcap -Y websocket.payload -E occurrence=l -T fields -e text

The unmasked text is passed to the line-based text "parser", so you need to use the field selector with the occurrence set to the last instance of that field in the packet to remove the "noise". I have also added a filter to limit the output to packets containing a websocket payload.

Written by grahamb at https://ask.wireshark.org/questions/60725/how-to-dump-websockets-live-with-tshark
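As an added example (not code from either answer or from the linked ask.wireshark.org post), the Python below does by hand what tshark's websocket dissector does before it can show `text` fields: it parses the RFC 6455 frame header and XORs the payload with the 4-byte masking key that every client-to-server frame carries. That masking is exactly why the client half of a `tcpdump -X` dump looks like garbage. It is not encryption: RFC 6455 masks client frames only to defeat cache-poisoning through intermediaries, so anyone holding the capture recovers the plaintext as this code does. The first sample frame is the masked "Hello" example from RFC 6455 section 5.7; the server frame and the 300-byte round-trip frame are constructed for this example. Function names are my own. Over TLS (wss://) neither tshark nor this code sees frames without the session keys.

```python
"""Parse and unmask RFC 6455 WebSocket frames from raw TCP payload bytes.

Added example, not code from the original post. Client-to-server frames
are XOR-masked with a 4-byte key carried in the frame header, which is
what makes them unreadable in plain tcpdump -X output.
"""
import struct

OPCODE_NAMES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
                0x8: "close", 0x9: "ping", 0xA: "pong"}

# Sample input: the masked single-frame text message "Hello" from
# RFC 6455 section 5.7 (key 37 fa 21 3d), then a constructed unmasked
# server-to-client "Hello" text frame.
SAMPLE_CLIENT_FRAME = bytes.fromhex("818537fa213d7f9f4d5158")
SAMPLE_SERVER_FRAME = bytes.fromhex("810548656c6c6f")


def unmask(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 s5.3: payload octet i is XORed with key[i mod 4].
    XOR is its own inverse, so this both masks and unmasks."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def parse_frame(buf: bytes):
    """Parse one frame at the start of buf -> (frame_dict, bytes_consumed).
    Raises ValueError on a truncated frame so a caller reassembling a TCP
    stream can wait for more data instead of emitting half a frame."""
    if len(buf) < 2:
        raise ValueError("need 2 bytes for the frame header")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    # Extended payload lengths: 126 -> 16-bit, 127 -> 64-bit, network order
    if length == 126:
        if len(buf) < pos + 2:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
    elif length == 127:
        if len(buf) < pos + 8:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[pos:pos + 8])
        if length >> 63:
            raise ValueError("64-bit length must have its top bit clear")
        pos += 8
    key = b""
    if masked:
        if len(buf) < pos + 4:
            raise ValueError("truncated masking key")
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        raise ValueError("truncated payload")
    payload = buf[pos:pos + length]
    if masked:
        payload = unmask(payload, key)
    frame = {"fin": fin, "opcode": opcode, "masked": masked,
             "opcode_name": OPCODE_NAMES.get(opcode, "reserved"),
             "payload": payload}
    return frame, pos + length


def parse_stream(buf: bytes):
    """Split reassembled TCP payload into frames; a trailing partial
    frame is left for the next segment rather than reported."""
    frames = []
    while buf:
        try:
            frame, consumed = parse_frame(buf)
        except ValueError:
            break
        frames.append(frame)
        buf = buf[consumed:]
    return frames


def build_frame(payload: bytes, opcode: int = 0x1, key: bytes = b"",
                fin: bool = True) -> bytes:
    """Encode a frame; a 4-byte key produces a masked client frame.
    Used here to construct round-trip input for the parser."""
    if key and len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    b0 = (0x80 if fin else 0x00) | (opcode & 0x0F)
    mask_bit, n = (0x80 if key else 0x00), len(payload)
    if n < 126:
        header = bytes([b0, mask_bit | n])
    elif n < 1 << 16:
        header = bytes([b0, mask_bit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([b0, mask_bit | 127]) + struct.pack("!Q", n)
    return header + key + unmask(payload, key) if key else header + payload


if __name__ == "__main__":
    for f in parse_stream(SAMPLE_CLIENT_FRAME + SAMPLE_SERVER_FRAME):
        side = "client->server" if f["masked"] else "server->client"
        print(f"{side} {f['opcode_name']}: {f['payload']!r}")
```

To use it on a live capture, take the TCP payload bytes that follow the HTTP 101 upgrade (the hex columns of `tcpdump -X`, or `tshark -T fields -e tcp.payload`), convert with `bytes.fromhex`, and pass them to `parse_stream`; frames split across TCP segments must be concatenated first, which is why the parser refuses to emit a truncated frame.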