我一直在使用此脚本自动将pcap文件拆分为单个tcp流:
for stream in $(tshark -r $1 -T fields -e tcp.stream | sort -n | uniq)
do
echo $stream
tshark -r $1 -w $2/stream-$stream.cap -Y "tcp.stream==$stream"
done
现在,对于代表流的每个捕获文件,我可以用
读取它们tshark -r somefile.cap
但是我得到了这种输出:
1 0.000000 172.18.0.4 → 172.18.0.5 HTTP 386 GET /eureka/apps/delta HTTP/1.1
2 0.001457 172.18.0.5 → 172.18.0.4 HTTP 466 HTTP/1.1 200 OK (application/json)
3 0.001490 172.18.0.4 → 172.18.0.5 TCP 66 37830 → 8761 [ACK] Seq=321 Ack=401 Win=287 Len=0 TSval=330522 TSecr=330522
...
我想使用与使用-z跟踪流时相同的格式来阅读它,例如
tshark -r somefile.pcap -z "follow,http,ascii,172.18.0.6:57238,172.18.0.4:8081"
,它与上面相同,加上
===================================================================
Follow: http,ascii
Filter: ((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238))
Node 0: 172.18.0.6:57238
Node 1: 172.18.0.4:8081
821
POST /api/cars?cacheBuster=1511774200847 HTTP/1.1
Origin: http://localhost:8080
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOiJST0xFX0FETUlOLFJPTEVfVVNFUiIsImV4cCI6MTUxMzI1NzU5MX0.xyXj0-7xjluW0jB9y2UGzcZcruADHkgTH_mnTIYsSmggqDW7XIeHC7ftKPmaMjozLhpIGofHAbrXj6TOTQlvXQ
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Referer: http://localhost:8080/
Accept-Language: en-US,en;q=0.9,it;q=0.8,ru;q=0.7
Accept-Encoding: gzip
Content-Type: application/json;charset=UTF-8
x-forwarded-host: localhost:8080
x-forwarded-proto: http
x-forwarded-prefix: /carapp
x-forwarded-port: 8080
x-forwarded-for: 172.18.0.1
Content-Length: 61
Host: 172.18.0.4:8081
Connection: Keep-Alive
...
最后。
是否存在这样做的选项?
答案 0 :(得分:1)
也许以下内容会有所帮助?
tshark -r somefile.pcap -Y "http and (((ip.src eq 172.18.0.6 and tcp.srcport eq 57238) and (ip.dst eq 172.18.0.4 and tcp.dstport eq 8081)) or ((ip.src eq 172.18.0.4 and tcp.srcport eq 8081) and (ip.dst eq 172.18.0.6 and tcp.dstport eq 57238)))" -O http
......或者更简单一点,它应该完成同样的事情:
tshark -r somefile.pcap -Y "http and (ip.addr eq 172.18.0.6 and tcp.port eq 57238 and ip.addr eq 172.18.0.4 and tcp.port eq 8081)" -O http
...如果您知道与此对话关联的TCP流编号,则更简单:
tshark -r somefile.pcap -Y "http and tcp.stream eq 0" -O http
(这里,我只假设流索引为0。)
有关详细信息,请参阅tshark
man page。