使用ascii输出从cap文件中读取而不使用-z选项

时间:2017-12-04 09:06:49

标签: wireshark tshark

我一直在使用此脚本自动将pcap文件拆分为单个tcp流:

for stream in $(tshark -r $1 -T fields -e tcp.stream | sort -n | uniq)
do
    echo $stream
    tshark -r $1 -w $2/stream-$stream.cap -Y "tcp.stream==$stream"
done

现在,对于代表流的每个捕获文件,我可以用

读取它们
tshark -r somefile.cap

但是我得到了这种输出:

1   0.000000   172.18.0.4 → 172.18.0.5   HTTP 386 GET /eureka/apps/delta HTTP/1.1 
    2   0.001457   172.18.0.5 → 172.18.0.4   HTTP 466 HTTP/1.1 200 OK  (application/json)
    3   0.001490   172.18.0.4 → 172.18.0.5   TCP 66 37830 → 8761 [ACK] Seq=321 Ack=401 Win=287 Len=0 TSval=330522 TSecr=330522
...

我想使用与使用-z跟踪流时相同的格式来阅读它,例如

tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"

,它与上面相同,加上

===================================================================
Follow: http,ascii
Filter: ((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238))
Node 0: 172.18.0.6:57238
Node 1: 172.18.0.4:8081
821
POST /api/cars?cacheBuster=1511774200847 HTTP/1.1
Origin: http://localhost:8080
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOiJST0xFX0FETUlOLFJPTEVfVVNFUiIsImV4cCI6MTUxMzI1NzU5MX0.xyXj0-7xjluW0jB9y2UGzcZcruADHkgTH_mnTIYsSmggqDW7XIeHC7ftKPmaMjozLhpIGofHAbrXj6TOTQlvXQ
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: http://localhost:8080/
Accept-Language: en-US,en;q=0.9,it;q=0.8,ru;q=0.7
Accept-Encoding: gzip
Content-Type: application/json;charset=UTF-8
x-forwarded-host: localhost:8080
x-forwarded-proto: http
x-forwarded-prefix: /carapp
x-forwarded-port: 8080
x-forwarded-for: 172.18.0.1
Content-Length: 61
Host: 172.18.0.4:8081
Connection: Keep-Alive
...

最后。

是否存在这样做的选项?

1 个答案:

答案 0 :(得分:1)

也许以下内容会有所帮助?

tshark -r somefile.pcap -Y "http and (((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238)))" -O http

......或者更简单一点,它应该完成同样的事情:

tshark -r somefile.pcap -Y "http and (ip.addr eq 172.18.0.6 and tcp.port eq 57238 and ip.addr eq 172.18.0.4 and tcp.port eq 8081)" -O http

...如果您知道与此对话关联的TCP流编号,则更简单:

tshark -r somefile.pcap -Y "http and tcp.stream eq 0" -O http

(这里,我只假设流索引为0。)

有关详细信息,请参阅tshark man page