This is the ninth day of my participation in the August More text Challenge. For details, see: August More Text Challenge

Introduction

tshark is the command-line packet capture tool of the Wireshark suite. It is used much like tcpdump.

Wireshark provides official documentation: www.wireshark.org/docs/man-pa…

Usage

The main tshark parameters are:

-i  Sets the network interface for packet capture. If this parameter is not set, the first non-loopback interface is used by default.
-D  Lists the available network interfaces. If you do not know which network devices the OS controls, run tshark -D to see the interface numbers to use with -i.
-f  Specifies the capture filter expression. It is written the same way as a tcpdump expression; see the tcpdump man page for details.
-s  Sets the snapshot length of each captured packet. The default is 65535; bytes beyond this size are neither kept in memory nor written to file. Equivalent to tcpdump's -s.
-a  Sets an autostop condition: duration:NUM stops after NUM seconds, filesize:NUM stops the current file after NUM KB, files:NUM stops after NUM files.
-w  Sets the output file for raw packet data. If this parameter is not set, tshark writes the decoded result to stdout. "-w -" writes the raw data to stdout. To write the decoded result to a file, use shell redirection (">") instead of -w.
-r  Sets the input file for analysis. tshark can analyze both live network traffic and packets dumped to a file. -r cannot be a named pipe or standard input.
-R  Sets the read filter expression. Traffic that does not match it is not written to the output file either. Note that the syntax of read (display) filters differs from that of the underlying capture filters; see http://www.ethereal.com/docs/dfref/ and http://www.ethereal.com/docs/man-pages/ethereal-filter.4.html. As with capture filters, it is best to quote the expression on the command line.
-Y  Sets the display filter.
-T  Sets the output format of the decoded result: fields, text, ps, psml or pdml. The default is text.
-e, -E  Used with -T fields: -e names a field to output, -E sets the delimiter and other field-output options.
-t  Sets the time format of the decoded result: "ad" is absolute time with date, "a" is absolute time without date, "r" is the time relative to the first packet, "d" is the delta from the previous packet.
-q  Quiet stdout output (for example when only collecting statistics).
-z  Sets the statistics to collect.
-p  Puts the interface in non-promiscuous mode, so only traffic to or from the local machine is captured.
-B  Sets the kernel buffer size. This parameter is valid only on Windows.
-y  Specifies the data link layer type for the capture. If not specified, the default is the first type listed by -L; in a LAN this is usually EN10MB.
-L  Lists the data link layer types supported by the interface, for use with -y.
-n  Disables all address name resolution (by default, all name resolution is enabled).
-N  Enables name resolution for specific layers: "m" is the MAC layer, "n" the network layer, "t" the transport layer, "C" concurrent (asynchronous) DNS lookups. If both -n and -N are given, -n is ignored. If neither is given, all name resolution is enabled.
-d  Decodes the specified traffic as the given protocol. To decode TCP port 8888 as HTTP, write -d tcp.port==8888,http. Note that there must be no spaces around the comma.
-F  Sets the raw output file format. The default is libpcap; tshark -F lists all supported formats.
-V  Outputs the full decoded details of each packet. Otherwise only a one-line summary per packet is shown.
-x  After each packet's decoded output, also shows the packet data as a hex dump.
-S  Prints the decoded result to the console while also writing raw data to the -w file.
-l  Flushes the output as soon as each packet is processed.
-X  Specifies an extension option.
-h  Displays the command line help.
-v  Displays the tshark version.
-o  Overrides a preference setting.

-i Specifies the interface for packet capture

tshark -i eth0

Adding -V shows the full decoded details of each packet.

-f Applies a capture filter

The official filter reference: www.wireshark.org/docs/dfref/

tshark -f 'port 22' -i eth0

Some common capture filters:

port 53: Captures UDP/TCP traffic to/from port 53 (typically DNS).
not port 53: Captures UDP/TCP traffic other than to/from port 53.
port 80: Captures UDP/TCP traffic to/from port 80 (typically HTTP).
udp port 67: Captures UDP traffic to/from port 67 (typically DHCP).
tcp port 21: Captures TCP traffic to/from port 21.
portrange 1-80: Captures traffic to/from ports 1 through 80.
ip broadcast: Captures broadcast packets.
ip multicast: Captures multicast packets.
dst host ff02::1: Captures traffic to the IPv6 all-hosts multicast address.
net 10.3.0.0/16: Captures traffic to/from all hosts in network 10.3.0.0 (16 is the prefix length).
net 10.3.0.0 mask 255.255.0.0: Captures traffic to/from all hosts in network 10.3.0.0, with the mask written out.
ip[2:2]==<number>: IP packet size.
ip[8]==<number>: TTL (time to live) value.
ip[9]==<number>: protocol number.
src host 10.1.1.1: Captures traffic sent from 10.1.1.1.
host 10.1.1.1: Captures traffic to/from 10.1.1.1.
ether dst 02:0a:42:23:41:ac: Captures traffic sent to MAC address 02:0a:42:23:41:ac.
not ether host 00:08:15:00:08:15: Captures all traffic except that sent to/from MAC address 00:08:15:00:08:15.
ether broadcast or ether dst ff:ff:ff:ff:ff:ff: Captures broadcast frames.
ether multicast: Captures multicast frames.

-z Collects statistics on the specified packets

tshark -i eth0 -z icmp,srt

-qz Collects the statistics without displaying the captured packets

tshark -i eth0 -qz icmp,srt

-w Saves the captured packets to a file, which can later be analyzed in Wireshark

tshark -i eth0 -w test.pcap

-r Reads the saved packet capture file

tshark -r test.pcap
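The -w/-r pair above is a two-stage workflow: capture raw packets now, decode them later. A file that is not actually a capture (a renamed log, a truncated download) is a common reason for -r to fail, so it helps to check the container format first. The script below is an added example and not code from the original post; it identifies libpcap and pcapng files by their magic number and only then hands them to tshark -r. The sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original post: check what a capture file
# actually is before feeding it to "tshark -r". The default -w output is
# libpcap format (tshark -F lists the others); pcapng uses a different
# magic number, and a file that is neither should not be handed to tshark
# blindly. The sample files are constructed inline.

# Print the container format, judged from the first four bytes of the file.
capture_format() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo "pcap (little-endian, microsecond timestamps)" ;;
        a1b2c3d4) echo "pcap (big-endian, microsecond timestamps)" ;;
        4d3cb2a1) echo "pcap (little-endian, nanosecond timestamps)" ;;
        a1b23c4d) echo "pcap (big-endian, nanosecond timestamps)" ;;
        0a0d0d0a) echo "pcapng" ;;
        *)        echo "unknown ($magic)"; return 1 ;;
    esac
}

# Read a capture with tshark only if its format is recognized.
read_capture() {
    fmt=$(capture_format "$1") || { echo "refusing to read $1: $fmt" >&2; return 1; }
    echo "$1: $fmt"
    if command -v tshark >/dev/null 2>&1; then
        tshark -r "$1" -c 10
    fi
}

# Constructed samples: a 24-byte libpcap global header (little-endian,
# version 2.4, snaplen 65535, link type 1 = Ethernet), the block type of a
# pcapng section header, and a plain text file that is not a capture.
make_samples() {
    dir=$(mktemp -d)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$dir/le.pcap"
    printf '\012\015\015\012' > "$dir/section.pcapng"
    printf 'not a capture' > "$dir/notes.txt"
    echo "$dir"
}

# Demo run over the constructed samples.
SAMPLES=$(make_samples)
for f in "$SAMPLES/le.pcap" "$SAMPLES/section.pcapng" "$SAMPLES/notes.txt"; do
    read_capture "$f" || true
done
rm -rf "$SAMPLES"
```

The magic numbers are the ones defined by the libpcap file format (0xa1b2c3d4, or 0xa1b23c4d for nanosecond timestamps, in either byte order) and the pcapng section header block type 0x0a0d0d0a; everything else is reported as unknown and rejected.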

Usage examples

Capture 500 packets, extract the URLs visited and print them

tshark -s 0 -i eth0 -n -f 'tcp dst port 80' -Y 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l -c 500
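With -T fields the command above prints one "host<TAB>uri" line per request, which is easy to post-process. The script below is an added example, not code from the original post: it wraps the same tshark command (the interface name eth0 is an assumption, overridable with IFACE=...) and adds two helpers that summarize the fields output, counting requests per Host header and listing hosts that were reached by bare IP address rather than by name. The sample lines it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: post-process the output of
# the URL extraction command above. With "-T fields -e http.host -e
# http.request.uri" tshark prints one "host<TAB>uri" line per request; the
# helpers below turn those lines into a review-friendly summary.

# Live collection, same command as in the post. The interface name is an
# assumption (override with IFACE=...). Not run automatically, since it
# needs capture privileges; pipe it into the helpers below for real traffic.
live_requests() {
    tshark -s 0 -i "${IFACE:-eth0}" -n -f 'tcp dst port 80' \
        -Y 'http.host and http.request.uri' -T fields \
        -e http.host -e http.request.uri -l -c 500
}

# Constructed sample of what live_requests prints (tab-separated).
SAMPLE_REQUESTS=$(printf 'example.com\t/index.html\nexample.com\t/login\ncdn.example.net\t/lib.js\n203.0.113.7\t/update.bin\nexample.com\t/login')

# Requests per Host header, most frequent first. Reads fields output on stdin.
requests_per_host() {
    awk -F '\t' 'NF >= 2 { n[$1]++ } END { for (h in n) print n[h], h }' \
        | sort -k1,1nr -k2
}

# Hosts that are bare IPv4 literals. Browsers normally talk to hostnames, so
# these are worth a second look when reviewing what a machine contacted.
ip_literal_hosts() {
    awk -F '\t' '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_REQUESTS" | requests_per_host
printf '%s\n' "$SAMPLE_REQUESTS" | ip_literal_hosts
```

For live use, replace the sample with the tshark pipeline, for example live_requests | requests_per_host; because the post's command uses -l, output is flushed per packet and the summary can be watched as the capture runs.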

Collecting HTTP status statistics

root@kali:~# tshark -n -q -z http,stat, -z http,tree
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
^C2008 packets captured

=========================================================================================
HTTP/Packet Counter:
Topic / Item               Count   Average   Min val   Max val   Rate (ms)   Percent   Burst rate   Burst start
-----------------------------------------------------------------------------------------
Total HTTP Packets         2                                     0.0021      100%      0.0100       10.717
 HTTP Response Packets     1                                     0.0011      50.00%    0.0100       11.657
  2xx: Success             1                                     0.0011      100.00%   0.0100       11.657
   200 OK                  1                                     0.0011      100.00%   0.0100       11.657
  ???: broken              0                                     0.0000      0.00%     -            -
  5xx: Server Error        0                                     0.0000      0.00%     -            -
  4xx: Client Error        0                                     0.0000      0.00%     -            -
  3xx: Redirection         0                                     0.0000      0.00%     -            -
  1xx: Informational       0                                     0.0000      0.00%     -            -
 HTTP Request Packets      1                                     0.0011      50.00%    0.0100       10.717
  POST                     1                                     0.0011      100.00%   0.0100       10.717
 Other HTTP Packets        0                                     0.0000      0.00%     -            -
-----------------------------------------------------------------------------------------

===================================================================
HTTP Statistics
* HTTP Status Codes in reply packets
    HTTP 200 OK
* List of HTTP Request methods
    POST  1
===================================================================
