我正在尝试对tshark运行多个并行实例,以梳理目录中的大量pcap文件并将已过滤的内容复制到新文件中。我遇到了一个问题,其中Tshark在我输入的命令上引发了错误。
它必须与tshark解释命令字符串的方式有关,因为我可以将格式化的命令字符串复制/粘贴到控制台,并且它运行得很好。我尝试过几种格式化命令的方式,并从其他遇到类似问题的人那里读取线程。我相信我的格式正确...但是仍然会收到错误消息。
这就是我正在使用的东西:
脚本1:-过滤器
#Takes user arguments <directory> and <filter> and runs a filter on all captures for a given directory.
#
#TO DO:
#Add user prompts and data sanitization to avoid running bogus job.
#Add concatenation via mergecap /w .pcap suffix
#Delete filtered, unmerged files
#Add mtime filter for x days of logs
starttime=$(date)
if [$1 = '']; then echo "no directory specified, you must specify a directory (VLAN)"
else if [$2 = '']; then echo "no filter specified, you must specify a valid tshark filter expression"
else
echo $2 > /home/captures-user/filtered/filter-reference
find /home/captures-user/Captures/$1 -type f | xargs -P 5 -L 1 /home/captures-user/tshark-worker
rm /home/captures-user/filtered/filter-reference
fi
fi
echo Start time is $starttime
echo End time is $(date)
脚本2:-tshark-worker
# $1 = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter=$(cat /home/captures-user/filtered/filter-reference)
#strips the directory off the current working file
file=$(sed 's/.*\///' <<< $1 )
echo $1 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
command=$"tshark -r $1 -Y '$filter' -w /home/captures-user/filtered/$file-filtered"
echo $command
$command
运行./filter ICE 'ip.addr == 1.1.1.1'时,每个文件都得到以下输出。请注意,在过滤器表达式中包含==并不是问题,我尝试用'or'代替并获得相同的输出。另外,tshark不别名为任何东西,并且没有使用该名称的脚本。这是/ usr / sbin中的原始tshark可执行文件。
输出:
/home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 is the file to run ip.addr == 1.1.1.1 on.
tshark -r /home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 -Y 'ip.addr == 1.1.1.1' -w /home/captures-user/filtered/ICE-2019-05-26_00:00:01-filtered
tshark: Display filters were specified both with "-d" and with additional command-line arguments.
答案 0 :(得分:0)
正如我在评论中提到的那样,由于过滤器(可能还有文件名和/或路径)中的空格,我认为这是引号以及命令构造方式的问题。
您可以尝试将tshark-worker脚本更改为以下内容:
# $1 = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter="$(cat /home/captures-user/filtered/filter-reference)"
#strips the directory off the current working file
file="$(sed 's/.*\///' <<< $1 )"
echo $1 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
tshark -r "${1}" -Y "${filter}" -w "${file}"-filtered