ChinaNetCloud online lecture: Something about tshark
TRANSCRIPT
OaaS·OpsStack· Public and private cloud operations management Copyright © 2016 ChinaNetCloud
Something about tshark
Cecil Han
What is tshark?
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
TShark's native capture file format is pcap format, which is also the format used by tcpdump and various other tools.
Why do we need tshark when we already have tcpdump?
• Better readability.
• Support for more advanced features.
Common parameters
• -f <capture filter>
tshark -f "port 80 and host 52.8.46.243"
• Advanced (capture all SYN packets):
tshark -f "tcp[tcpflags] & (tcp-syn) != 0"
Capture the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
tshark -f "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet"
• -R/-Y <display filter>
tshark -r test.pcap -R "ip.addr==52.8.46.243"
tshark -r test.pcap -R "ip.ttl < 10"
• Advanced (the filter eth.src[4:2] looks at the last two bytes of the Ethernet source address field):
tshark -r test.pcap -R "eth.src[4:2]==F7:49"
• The filter ip[14:2] looks at the two bytes at offset 14 of the IPv4 header (the 15th and 16th bytes when counting from 1), which are the last two bytes of the source address field:
tshark -r test.pcap -R "ip[14:2]==29:2f"
• -s <capture snaplen>
Set the capture size to 100 bytes:
1 0.000000000 52.8.46.243 -> 172.31.41.47 HTTP 448 GET / HTTP/1.1
[Packet size limited during capture]
Without "-s":
1 0.000000000 52.8.46.243 -> 172.31.41.47 HTTP 448 GET / HTTP/1.1
Compare the file sizes (348 bytes difference):
-rw-r--r-- 1 root root 472 Jul 4 07:10 1.pcap
-rw-r--r-- 1 root root 820 Jul 4 07:11 2.pcap
• Print packet details, hex and ASCII dump
tshark -nr test.pcap -Vx
• Follow a TCP stream
tshark -r test.pcap -T fields -e tcp.stream | sed -n '90p'
tshark -r test.pcap -R "tcp.stream eq 11" | head
• Usage of "-T"
tshark -r test.pcap -T fields -e "http.request.uri" -e "http.x_forwarded_for" -E header=y | grep -v ^.$ | column -t
• -a (autostop)
tshark -a duration:3200 -a filesize:500000 -f "host X.X.X.X" -w test.pcap
• -b (ring buffer option)
tshark -b filesize:1024 -b files:5 -w test.pcap
• -G (dump glossaries; we can change the columns of the output here)
tshark -G defaultprefs > ~/.wireshark/preferences
column.format: "No.", "%m", "Time", "%t", "Delta_Time", "%Cus:frame.time_delta_displayed", "TCP_Stream", "%Cus:tcp.stream", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Length", "%L", "Info", "%i"
• -z (statistics)
tshark -r test.pcap -q -z http_req,tree
===========================================================
HTTP/Requests                  value  rate      percent
-----------------------------------------------------------
HTTP Requests by HTTP Host     29     0.001298
 www.chinanetcloud.com         29     0.001298  100.00%
  /                            1      0.000045  3.45%
  /en                          1      0.000045  3.45%
  /favicon.ico                 27     0.001208  93.10%
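The "-T fields" export and the "-z http_req,tree" statistic shown above are two views of the same data. As an added example (not from the lecture), the following Python rebuilds the http_req tree from a constructed tab-separated export of the kind produced by `tshark -r test.pcap -Y http.request -T fields -E header=y -e frame.time_relative -e http.host -e http.request.uri` (real tshark field names; the data lines are made up); "rate" is approximated as requests per second over the sample's time span, and "percent" is relative to the parent node, as in the tree output.

```python
"""Rebuild `tshark -z http_req,tree` from `tshark -T fields` output."""
from collections import Counter

# Constructed sample: tab-separated, header row from -E header=y.
SAMPLE = """frame.time_relative\thttp.host\thttp.request.uri
0.000000\twww.example.com\t/
0.512000\twww.example.com\t/favicon.ico
1.204000\twww.example.com\t/en
3.000000\twww.example.com\t/favicon.ico
4.000000\tapi.example.com\t/health
"""


def parse_fields(text):
    """Parse -T fields output (with -E header=y) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def capture_duration(rows):
    """Span between first and last request, in seconds."""
    times = [float(r["frame.time_relative"]) for r in rows]
    return max(times) - min(times)


def http_request_tree(rows, duration):
    """Per-host and per-URI counts; rate = count/duration (0 if duration is 0),
    percent relative to the parent node, like the http_req,tree statistic."""
    total = len(rows)
    by_host = Counter(r["http.host"] for r in rows)
    by_uri = Counter((r["http.host"], r["http.request.uri"]) for r in rows)
    rate = (lambda n: n / duration) if duration > 0 else (lambda n: 0.0)
    tree = {}
    for host, n in by_host.items():
        node = {"count": n, "rate": rate(n), "percent": 100.0 * n / total, "uris": {}}
        for (h, uri), m in by_uri.items():
            if h == host:
                node["uris"][uri] = {"count": m, "rate": rate(m), "percent": 100.0 * m / n}
        tree[host] = node
    return tree


if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    tree = http_request_tree(rows, capture_duration(rows))
    for host, node in tree.items():
        print(f"{host:24} {node['count']:4} {node['rate']:.6f} {node['percent']:7.2f}%")
        for uri, leaf in node["uris"].items():
            print(f"  {uri:22} {leaf['count']:4} {leaf['rate']:.6f} {leaf['percent']:7.2f}%")
```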
Scan the QR code to follow the ChinaNetCloud (云络科技) WeChat official account for more industry news and the latest operations techniques.
THANK YOU
Thank you for watching.