
    Appendix D. Related command line tools

    Wireshark comes with an array of command line tools which can be helpful for packet analysis.

    D.1 tshark: Terminal-based Wireshark

    TShark is a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available.

    Usage: tshark [options] ...

    Capture interface:
      -i <interface>, --interface <interface>
                               name or idx of interface (def: first non-loopback)
      -f <capture filter>      packet filter in libpcap filter syntax
      -s <snaplen>, --snapshot-length <snaplen>
                               packet snapshot length (def: appropriate maximum)
      -p, --no-promiscuous-mode
                               don't capture in promiscuous mode
      -I, --monitor-mode       capture in monitor mode, if available
      -B <buffer size>, --buffer-size <buffer size>
                               size of kernel buffer (def: 2MB)
      -y <link type>, --linktype <link type>
                               link layer type (def: first appropriate)
      --time-stamp-type <type> timestamp method for interface
      -D, --list-interfaces    print list of interfaces and exit
      -L, --list-data-link-types
                               print list of link-layer types of iface and exit
      --list-time-stamp-types  print list of timestamp types for iface and exit
    Capture stop conditions:
      -c <packet count>        stop after n packets (def: infinite)
      -a <autostop cond.> ..., --autostop <autostop cond.> ...
                               duration:NUM - stop after NUM seconds
                               filesize:NUM - stop this file after NUM KB
                                  files:NUM - stop after NUM files
                                packets:NUM - stop after NUM packets
    Capture output:
      -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
                               duration:NUM - switch to next file after NUM secs
                               filesize:NUM - switch to next file after NUM KB
                                  files:NUM - ringbuffer: replace after NUM files
                                packets:NUM - switch to next file after NUM packets
                               interval:NUM - switch to next file when the time is
                                              an exact multiple of NUM secs
    Input file:
      -r <infile>, --read-file <infile>
                               set the filename to read from (or '-' for stdin)
    Processing:
      -2                       perform a two-pass analysis
      -M <packet count>        perform session auto reset
      -R <read filter>, --read-filter <read filter>
                               packet Read filter in Wireshark display filter syntax
                               (requires -2)
      -Y <display filter>, --display-filter <display filter>
                               packet displaY filter in Wireshark display filter
                               syntax
      -n                       disable all name resolutions (def: all enabled)
      -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
      -d <layer_type>==<selector>,<decode_as_protocol> ...
                               "Decode As", see the man page for details
                               Example: tcp.port==8888,http
      -H <hosts file>          read a list of entries from a hosts file, which will
                               then be written to a capture file. (Implies -W n)
      --enable-protocol <proto_name>
                               enable dissection of proto_name
      --disable-protocol <proto_name>
                               disable dissection of proto_name
      --enable-heuristic <short_name>
                               enable dissection of heuristic protocol
      --disable-heuristic <short_name>
                               disable dissection of heuristic protocol
    Output:
      -w <outfile|->           write packets to a pcapng-format file named "outfile"
                               (or '-' for stdout)
      --capture-comment <comment>
                               set the capture file comment, if supported
      -C <config profile>      start with specified configuration profile
      -F <output file type>    set the output file type, default is pcapng
                               an empty "-F" option will list the file types
      -V                       add output of packet tree        (Packet Details)
      -O <protocols>           Only show packet details of these protocols, comma
                               separated
      -P, --print              print packet summary even when writing to a file
      -S <separator>           the line separator to print between packets
      -x                       add output of hex and ASCII dump (Packet Bytes)
      -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                               format of text output (def: text)
      -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected
                               (e.g. "ip ip.flags text", filter does not expand child
                               nodes, unless child is specified also in the filter)
      -J <protocolfilter>      top level protocol filter if -T ek|pdml|json selected
                               (e.g. "http tcp", filter which expands all child nodes)
      -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                               _ws.col.Info)
                               this option can be repeated to print multiple fields
      -E<fieldsoption>=<value> set options for output when -Tfields selected:
         bom=y|n               print a UTF-8 BOM
         header=y|n            switch headers on and off
         separator=/t|/s|<char> select tab, space, printable character as separator
         occurrence=f|l|a      print first, last or all occurrences of each field
         aggregator=,|/s|<char> select comma, space, printable character as
                               aggregator
         quote=d|s|n           select double, single, no quotes for values
      -t a|ad|adoy|d|dd|e|r|u|ud|udoy
                               output format of time stamps (def: r: rel. to first)
      -u s|hms                 output format of seconds (def: s: seconds)
      -l                       flush standard output after each packet
      -q                       be more quiet on stdout (e.g. when using statistics)
      -Q                       only log true errors to stderr (quieter than -q)
      -g                       enable group read access on the output file(s)
      -W n                     Save extra information in the file, if supported.
                               n = write network address resolution information
      -X <key>:<value>         eXtension options, see the man page for details
      -U tap_name              PDUs export mode, see the man page for details
      -z <statistics>          various statistics, see the man page for details
      --export-objects <protocol>,<destdir>
                               save exported objects for a protocol to a directory
                               named "destdir"
      --color                  color output text similarly to the Wireshark GUI,
                               requires a terminal with 24-bit color support
                               Also supplies color attributes to pdml and psml formats
                               (Note that attributes are nonstandard)
      --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                               into a single key with as value a json array containing all
                               values
      --elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the
                               specified protocols within the mapping file
    Miscellaneous:
      -h, --help               display this help and exit
      -v, --version            display version info and exit
      -o <name>:<value> ...    override preference setting
      -K <keytab>              keytab file to use for kerberos decryption
      -G [report]              dump one of several available reports and exit
                               default report="fields"
                               use "-G help" for more help
    

    Dumpcap can benefit from an enabled BPF JIT compiler if available.
    You might want to enable it by executing:

    "echo 1 > /proc/sys/net/core/bpf_jit_enable"

    Note that this can make your system less secure!

    D.2 tcpdump: Capturing with "tcpdump" for viewing with Wireshark

    It is often more useful to capture packets using tcpdump rather than wireshark, for example when you want to do a remote capture and either don't have GUI access or don't have Wireshark installed on the remote machine.

    Older versions of tcpdump truncate packets to 68 or 96 bytes. If this is the case, use -s to capture full-sized packets:

    $ tcpdump -i <interface> -s 65535 -w <file>

    You will have to specify the correct interface and the name of the file to save into. In addition, you will have to terminate the capture with ^C when you believe you have captured enough packets.

    tcpdump is not part of the Wireshark distribution. You can get it from https://www.tcpdump.org/ or as a standard package in most Linux distributions.

    D.3 dumpcap: Capturing with "dumpcap" for viewing with Wireshark

    Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcap's native capture file format is pcapng, which is also the format used by Wireshark.

    By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets' time stamps, into a pcapng file. The capture filter syntax follows the rules of the pcap library.

    *Help information available from dumpcap.*

    Dumpcap (Wireshark) 3.3.0 (v3.3.0rc0-55-g3c10d7308bde)
    Capture network packets and dump them into a pcapng or pcap file.

    Usage: dumpcap [options] ...

    Capture interface:
      -i <interface>, --interface <interface>
                               name or idx of interface (def: first non-loopback),
                               or for remote capturing, use one of these formats:
                                   rpcap://<host>/<interface>
                                   TCP@<host>:<port>
      -f <capture filter>      packet filter in libpcap filter syntax
      -s <snaplen>, --snapshot-length <snaplen>
                               packet snapshot length (def: appropriate maximum)
      -p, --no-promiscuous-mode
                               don't capture in promiscuous mode
      -I, --monitor-mode       capture in monitor mode, if available
      -B <buffer size>, --buffer-size <buffer size>
                               size of kernel buffer in MiB (def: 2MiB)
      -y <link type>, --linktype <link type>
                               link layer type (def: first appropriate)
      --time-stamp-type <type> timestamp method for interface
      -D, --list-interfaces    print list of interfaces and exit
      -L, --list-data-link-types
                               print list of link-layer types of iface and exit
      --list-time-stamp-types  print list of timestamp types for iface and exit
      -d                       print generated BPF code for capture filter
      -k <freq>,[<type>],[<center_freq1>],[<center_freq2>]
                               set channel on wifi interface
      -S                       print statistics for each interface once per second
      -M                       for -D, -L, and -S, produce machine-readable output
    
    Stop conditions:
      -c <packet count>        stop after n packets (def: infinite)
      -a <autostop cond.> ..., --autostop <autostop cond.> ...
                               duration:NUM - stop after NUM seconds
                               filesize:NUM - stop this file after NUM kB
                                  files:NUM - stop after NUM files
                                packets:NUM - stop after NUM packets
    Output (files):
      -w <filename>            name of file to save (def: tempfile)
      -g                       enable group read access on the output file(s)
      -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
                               duration:NUM - switch to next file after NUM secs
                               filesize:NUM - switch to next file after NUM kB
                                  files:NUM - ringbuffer: replace after NUM files
                                packets:NUM - ringbuffer: replace after NUM packets
                               interval:NUM - switch to next file when the time is
                                              an exact multiple of NUM secs
      -n                       use pcapng format instead of pcap (default)
      -P                       use libpcap format instead of pcapng
      --capture-comment <comment>
                               add a capture comment to the output file
                               (only for pcapng)
    
    Miscellaneous:
      -N <packet_limit>        maximum number of packets buffered within dumpcap
      -C <byte_limit>          maximum number of bytes used for buffering packets
                               within dumpcap
      -t                       use a separate thread per interface
      -q                       don't report packet capture counts
      -v, --version            print version information and exit
      -h, --help               display this help and exit

    Dumpcap can benefit from an enabled BPF JIT compiler if available.
    You might want to enable it by executing:

    "echo 1 > /proc/sys/net/core/bpf_jit_enable"

    Note that this can make your system less secure!

    Example:

    dumpcap -i eth0 -a duration:60 -w output.pcapng
    "Capture packets from interface eth0 until 60s passed into output.pcapng"

    Use Ctrl-C to stop capturing at any time.

    D.4 capinfos: Print information about capture files

    capinfos can print information about capture files, including the file type, number of packets, date and time information, and file hashes. The information can be printed in human-readable and machine-readable formats.

    *Help information available from capinfos.*

    Capinfos (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Print various information (infos) about capture files.

    Usage: capinfos [options] <infile> ...

    General infos:
      -t display the capture file type
      -E display the capture file encapsulation
      -I display the capture file interface information
      -F display additional capture file information
      -H display the SHA256, RMD160, and SHA1 hashes of the file
      -k display the capture comment
    
    Size infos:
      -c display the number of packets
      -s display the size of the file (in bytes)
      -d display the total length of all packets (in bytes)
      -l display the packet size limit (snapshot length)
    
    Time infos:
      -u display the capture duration (in seconds)
      -a display the capture start time
      -e display the capture end time
      -o display the capture file chronological status (True/False)
      -S display start and end times as seconds
    
    Statistic infos:
      -y display average data rate (in bytes/sec)
      -i display average data rate (in bits/sec)
      -z display average packet size (in bytes)
      -x display average packet rate (in packets/sec)
    
    Metadata infos:
      -n display number of resolved IPv4 and IPv6 addresses
      -D display number of decryption secrets
    
    Output format:
      -L generate long report (default)
      -T generate table report
      -M display machine-readable values in long reports
    
    Table report options:
      -R generate header record (default)
      -r do not generate header record
    
      -B separate infos with TAB character (default)
      -m separate infos with comma (,) character
      -b separate infos with SPACE character
    
      -N do not quote infos (default)
      -q quote infos with single quotes (')
      -Q quote infos with double quotes (")
    
    Miscellaneous:
      -h display this help and exit
      -C cancel processing if file open fails (default is to continue)
      -A generate all infos (default)
      -K disable displaying the capture comment

    Options are processed from left to right order with later options superseding
    or adding to earlier options.

    If no options are given the default is to display all infos in long report
    output format.
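The tcpdump note above (older versions truncating packets to 68 or 96 bytes, hence `-s 65535`) and the capinfos size infos (`-l`, `-c`, `-d`) all come down to the snapshot length recorded in the capture. The following is an added example, not code from the Wireshark project: it reads a classic pcap file in pure Python, reports those three values, and lists every packet whose saved length is shorter than its on-wire length, which is exactly the damage a too-small snaplen leaves behind. The capture it examines is constructed in memory.

```python
"""Minimal classic-pcap reader: snaplen, packet count, data size and a list of
truncated packets. Added example; pcapng is deliberately not handled here."""
import struct
from dataclasses import dataclass, field
from typing import List

# Classic pcap magics as seen when the first four bytes are read little-endian.
PCAP_MAGIC_USEC = 0xA1B2C3D4          # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D          # nanosecond pcap (editcap -F nsecpcap)
PCAP_MAGIC_USEC_SWAPPED = 0xD4C3B2A1  # the same magics written by a big-endian host
PCAP_MAGIC_NSEC_SWAPPED = 0x4D3CB2A1


@dataclass
class PcapInfo:
    snaplen: int                 # what capinfos -l reports
    linktype: int
    nanosecond: bool
    packet_count: int = 0        # capinfos -c
    total_bytes: int = 0         # capinfos -d: sum of on-wire (original) lengths
    truncated: List[int] = field(default_factory=list)  # 1-based numbers of cut packets


def parse_pcap(data: bytes) -> PcapInfo:
    """Walk a classic pcap file and record snaplen, counts and truncated packets."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (PCAP_MAGIC_USEC_SWAPPED, PCAP_MAGIC_NSEC_SWAPPED):
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    nanosecond = magic in (PCAP_MAGIC_NSEC, PCAP_MAGIC_NSEC_SWAPPED)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    info = PcapInfo(snaplen=snaplen, linktype=linktype, nanosecond=nanosecond)

    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"record at offset {off - 16} runs past end of file")
        info.packet_count += 1
        info.total_bytes += orig_len
        if incl_len < orig_len:  # fewer bytes saved than were on the wire: snaplen cut it
            info.truncated.append(info.packet_count)
        off += incl_len
    return info


def build_pcap(snaplen: int, frames: List[bytes], linktype: int = 1) -> bytes:
    """Write a little-endian microsecond pcap, truncating each frame to snaplen
    the way a capture tool started with -s <snaplen> would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for n, frame in enumerate(frames):
        stored = frame[:snaplen]
        out += struct.pack("<IIII", 1_600_000_000 + n, 0, len(stored), len(frame)) + stored
    return out


# Constructed sample frames (content irrelevant, only lengths matter here).
SAMPLE_FRAMES = [bytes(60), bytes(1514), bytes(200)]
OLD_TCPDUMP_CAPTURE = build_pcap(96, SAMPLE_FRAMES)      # an old tcpdump default
FULL_CAPTURE = build_pcap(65535, SAMPLE_FRAMES)          # tcpdump -s 65535


def report(data: bytes) -> str:
    """Render the same figures capinfos prints, plus the truncation warning."""
    info = parse_pcap(data)
    lines = [f"Packet size limit: {info.snaplen} bytes",
             f"Number of packets: {info.packet_count}",
             f"Data size:         {info.total_bytes} bytes"]
    if info.truncated:
        lines.append(f"Truncated packets: {info.truncated} (re-capture with a larger -s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_TCPDUMP_CAPTURE))
    print()
    print(report(FULL_CAPTURE))
```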

    D.5 rawshark: Dump and analyze network traffic

    Rawshark reads a stream of packets from a file or pipe, prints a line describing its output, and then prints a set of matching fields for each packet on stdout.

    *Help information available from rawshark.*

    Rawshark (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Dump and analyze network traffic.

    Usage: rawshark [options] ...

    Input file:
      -r <infile>              set the pipe or file name to read from
    
    Processing:
      -d <encap:linktype>|<proto:protoname>
                               packet encapsulation or protocol
      -F <field>               field to display
      -m                       virtual memory limit, in bytes
      -n                       disable all name resolution (def: all enabled)
      -N <name resolve flags>  enable specific name resolution(s): "mnNtdv"
      -p                       use the system's packet header format
                               (which may have 64-bit timestamps)
      -R <read filter>         packet filter in Wireshark display filter syntax
      -s                       skip PCAP header on input
    
    Output:
      -l                       flush output after each packet
      -S                       format string for fields
                               (%D - name, %S - stringval, %N numval)
      -t ad|a|r|d|dd|e         output format of time stamps (def: r: rel. to first)
    
    Miscellaneous:
      -h                       display this help and exit
      -o <name>:<value> ...    override preference setting
      -v                       display version info and exit

    D.6 editcap: Edit capture files

    editcap is a general-purpose utility for modifying capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as to print information about capture files.

    *Help information available from editcap.*

    Editcap (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Edit and/or translate the format of capture files.

    Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

    <infile> and <outfile> must both be present.
    A single packet or a range of packets can be selected.
    
    Packet selection:
      -r                     keep the selected packets; default is to delete them.
      -A <start time>        only output packets whose timestamp is after (or equal
                             to) the given time (format as YYYY-MM-DD hh:mm:ss).
      -B <stop time>         only output packets whose timestamp is before the
                             given time (format as YYYY-MM-DD hh:mm:ss).
    
    Duplicate packet removal:
      --novlan               remove vlan info from packets before checking for duplicates.
      -d                     remove packet if duplicate (window == 5).
      -D <dup window>        remove packet if duplicate; configurable <dup window>.
                             Valid <dup window> values are 0 to 1000000.
                             NOTE: A <dup window> of 0 with -v (verbose option) is
                             useful to print MD5 hashes.
      -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                             LESS THAN <dup time window> prior to current packet.
                             A <dup time window> is specified in relative seconds
                             (e.g. 0.000001).
               NOTE: The use of the 'Duplicate packet removal' options with
               other editcap options except -v may not always work as expected.
               Specifically the -r, -t or -S options will very likely NOT have the
               desired effect if combined with the -d, -D or -w.
      --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                             Useful when processing packets captured by multiple radios
                             on the same channel in the vicinity of each other.
    
    Packet manipulation:
      -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
      -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                             chop at the packet beginning, negative values at the
                             packet end. If an optional offset precedes the length,
                             then the bytes chopped will be offset from that value.
                             Positive offsets are from the packet beginning,
                             negative offsets are from the packet end. You can use
                             this option more than once, allowing up to 2 chopping
                             regions within a packet provided that at least 1
                             choplen is positive and at least 1 is negative.
      -L                     adjust the frame (i.e. reported) length when chopping
                             and/or snapping.
      -t <time adjustment>   adjust the timestamp of each packet.
                             <time adjustment> is in relative seconds (e.g. -0.5).
      -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                             strict chronological increasing order. The <strict
                             adjustment> is specified in relative seconds with
                             values of 0 or 0.000001 being the most reasonable.
                             A negative adjustment value will modify timestamps so
                             that each packet's delta time is the absolute value
                             of the adjustment specified. A value of -0 will set
                             all packets to the timestamp of the first packet.
      -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                             a particular packet byte will be randomly changed.
      -o <change offset>     When used in conjunction with -E, skip some bytes from the
                             beginning of the packet. This allows one to preserve some
                             bytes, in order to have some headers untouched.
      --seed <seed>          When used in conjunction with -E, set the seed to use for
                             the pseudo-random number generator. This allows one to
                             repeat a particular sequence of errors.
      -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                             of the frame during MD5 hash calculation, unless the
                             frame is too short, then the full frame is used.
                             Useful to remove duplicated packets taken on
                             several routers (different mac addresses for
                             example).
                             e.g. -I 26 in case of Ether/IP will ignore
                             ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
      -a <framenum>:<comment> Add or replace comment for given frame number
    
    Output File(s):
      -c <packets per file>  split the packet output to different files based on
                             uniform packet counts with a maximum of
                             <packets per file> each.
      -i <seconds per file>  split the packet output to different files based on
                             uniform time intervals with a maximum of
                             <seconds per file> each.
      -F <capture type>      set the output file type; default is pcapng.
                             An empty "-F" option will list the file types.
      -T <encap type>        set the output file encapsulation type; default is the
                             same as the input file. An empty "-T" option will
                             list the encapsulation types.
      --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                             supported secret types with "--inject-secrets help".
      --discard-all-secrets  Discard all decryption secrets from the input file
                             when writing the output file.  Does not discard
                             secrets added by "--inject-secrets" in the same
                             command line.
    
    Miscellaneous:
      -h                     display this help and exit.
      -v                     verbose output.
                             If -v is used with any of the 'Duplicate Packet
                             Removal' options (-d, -D or -w) then Packet lengths
                             and MD5 hashes are printed to standard-error.
    
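The `-d`/`-D`/`-I` options above describe editcap's duplicate test: an MD5 over each frame, optionally skipping leading bytes, compared against the hashes of the previous `<dup window>` frames. The following is an added example of that logic written from the help text, not editcap's own code. The Ethernet/IPv4 frames are constructed; `-I 26` is the page's own figure for skipping the Ethernet header plus the IPv4 header up to the source and destination addresses, so two copies of one datagram seen at different routers (different MACs, decremented TTL, recomputed checksum) hash the same.

```python
"""Duplicate-packet removal modelled on editcap -d / -D <dup window> / -I <bytes>.
Added example, not editcap's code; all frames below are constructed."""
import hashlib
import struct
from collections import deque
from typing import Iterable, List, Tuple


def frame_digest(frame: bytes, ignore_bytes: int = 0) -> bytes:
    """MD5 over the frame after skipping ignore_bytes, as editcap -I does;
    a frame too short to skip that much is hashed whole."""
    body = frame[ignore_bytes:] if len(frame) > ignore_bytes else frame
    return hashlib.md5(body).digest()


def dedup(frames: Iterable[bytes], window: int = 5,
          ignore_bytes: int = 0) -> Tuple[List[bytes], List[int]]:
    """Drop a frame whose (length, digest) matches one of the previous <window>
    frames examined (editcap -d uses a window of 5; -D sets it; 0 drops nothing).
    Returns the kept frames and the 1-based numbers of the dropped ones."""
    recent = deque(maxlen=window)  # ring of the last <window> frames, kept or not
    kept, dropped = [], []
    for num, frame in enumerate(frames, start=1):
        key = (len(frame), frame_digest(frame, ignore_bytes))
        if key in recent:
            dropped.append(num)
        else:
            kept.append(frame)
        recent.append(key)
    return kept, dropped


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def eth_ipv4_frame(src_mac: bytes, dst_mac: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed frame: 14-byte Ethernet header + 20-byte IPv4 header + payload.
    Offsets: TTL at 22, checksum at 24, source IP at 26 (hence editcap -I 26)."""
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 17, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + payload


# Constructed addresses and payloads.
HOST = bytes.fromhex("020000000099")
ROUTER_A = bytes.fromhex("020000000001")
ROUTER_B = bytes.fromhex("020000000002")
PAYLOAD = b"\x00\x35\x00\x35\x00\x14\x00\x00constructed"

# The same datagram captured at two points: the first 26 bytes differ (MACs,
# TTL 64 -> 63, checksum) while src/dst IP and payload are identical.
SEEN_AT_ROUTER_A = eth_ipv4_frame(HOST, ROUTER_A, 64, PAYLOAD)
SEEN_AT_ROUTER_B = eth_ipv4_frame(ROUTER_A, ROUTER_B, 63, PAYLOAD)
OTHER = eth_ipv4_frame(HOST, ROUTER_A, 64, b"\x00\x35\x00\x35\x00\x12\x00\x00different")


if __name__ == "__main__":
    capture = [SEEN_AT_ROUTER_A, SEEN_AT_ROUTER_B, OTHER]
    print("editcap -d   :", dedup(capture)[1])                   # nothing dropped
    print("editcap -d -I 26:", dedup(capture, ignore_bytes=26)[1])  # frame 2 dropped
```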

    *Capture file types available from editcap -F.*

    editcap: The available capture file types for the "-F" flag are:
    
        5views - InfoVista 5View capture
        btsnoop - Symbian OS btsnoop
        commview - TamoSoft CommView
        dct2000 - Catapult DCT2000 trace (.out format)
        erf - Endace ERF capture
        eyesdn - EyeSDN USB S0/E1 ISDN trace format
        k12text - K12 text file
        lanalyzer - Novell LANalyzer
        logcat - Android Logcat Binary format
        logcat-brief - Android Logcat Brief text format
        logcat-long - Android Logcat Long text format
        logcat-process - Android Logcat Process text format
        logcat-tag - Android Logcat Tag text format
        logcat-thread - Android Logcat Thread text format
        logcat-threadtime - Android Logcat Threadtime text format
        logcat-time - Android Logcat Time text format
        modpcap - Modified tcpdump - pcap
        netmon1 - Microsoft NetMon 1.x
        netmon2 - Microsoft NetMon 2.x
        nettl - HP-UX nettl trace
        ngsniffer - Sniffer (DOS)
        ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
        ngwsniffer_2_0 - Sniffer (Windows) 2.00x
        niobserver - Network Instruments Observer
        nokiapcap - Nokia tcpdump - pcap
        nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
        nstrace10 - NetScaler Trace (Version 1.0)
        nstrace20 - NetScaler Trace (Version 2.0)
        nstrace30 - NetScaler Trace (Version 3.0)
        nstrace35 - NetScaler Trace (Version 3.5)
        pcap - Wireshark/tcpdump/... - pcap
        pcapng - Wireshark/... - pcapng
        rf5 - Tektronix K12xx 32-bit .rf5 format
        rh6_1pcap - RedHat 6.1 tcpdump - pcap
        snoop - Sun snoop
        suse6_3pcap - SuSE 6.3 tcpdump - pcap
        visual - Visual Networks traffic capture
    

    *Encapsulation types available from editcap -T.*

    editcap: The available encapsulation types for the "-T" flag are:
        ap1394 - Apple IP-over-IEEE 1394
        arcnet - ARCNET
        arcnet_linux - Linux ARCNET
        ascend - Lucent/Ascend access equipment
        atm-pdus - ATM PDUs
        atm-pdus-untruncated - ATM PDUs - untruncated
        atm-rfc1483 - RFC 1483 ATM
        ax25 - Amateur Radio AX.25
        ax25-kiss - AX.25 with KISS header
        bacnet-ms-tp - BACnet MS/TP
        bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
        ber - ASN.1 Basic Encoding Rules
        bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
        bluetooth-h4 - Bluetooth H4
        bluetooth-h4-linux - Bluetooth H4 with linux header
        bluetooth-hci - Bluetooth without transport layer
        bluetooth-le-ll - Bluetooth Low Energy Link Layer
        bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
        bluetooth-linux-monitor - Bluetooth Linux Monitor
        can20b - Controller Area Network 2.0B
        chdlc - Cisco HDLC
        chdlc-with-direction - Cisco HDLC with Directional Info
        cosine - CoSine L2 debug log
        dbus - D-Bus
        dct2000 - Catapult DCT2000
        docsis - Data Over Cable Service Interface Specification
        docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
        dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
        dpnss_link - Digital Private Signalling System No 1 Link Layer
        dvbci - DVB-CI (Common Interface)
        ebhscr - Elektrobit High Speed Capture and Replay
        enc - OpenBSD enc(4) encapsulating interface
        epon - Ethernet Passive Optical Network
        erf - Extensible Record Format
        ether - Ethernet
        ether-mpacket - IEEE 802.3br mPackets
        ether-nettl - Ethernet with nettl headers
        fc2 - Fibre Channel FC-2
        fc2sof - Fibre Channel FC-2 With Frame Delimiter
        fddi - FDDI
        fddi-nettl - FDDI with nettl headers
        fddi-swapped - FDDI with bit-swapped MAC addresses
        flexray - FlexRay
        frelay - Frame Relay
        frelay-with-direction - Frame Relay with Directional Info
        gcom-serial - GCOM Serial
        gcom-tie1 - GCOM TIE1
        gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
        gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
        gprs-llc - GPRS LLC
        gsm_um - GSM Um Interface
        hhdlc - HiPath HDLC
        i2c-linux - I2C with Linux-specific pseudo-header
        ieee-802-11 - IEEE 802.11 Wireless LAN
        ieee-802-11-avs - IEEE 802.11 plus AVS radio header
        ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
        ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
        ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
        ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
        ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
        infiniband - InfiniBand
        ios - Cisco IOS internal
        ip-ib - IP over IB
        ip-over-fc - RFC 2625 IP-over-Fibre Channel
        ip-over-ib - IP over InfiniBand
        ipfix - RFC 5655/RFC 5101 IPFIX
        ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header
        ipmi-trace - IPMI Trace Data Collection
        ipnet - Solaris IPNET
        irda - IrDA
        isdn - ISDN
        iso14443 - ISO 14443 contactless smartcard standards
        ixveriwave - IxVeriWave header and stats block
        jfif - JPEG/JFIF
        json - JavaScript Object Notation
        juniper-atm1 - Juniper ATM1
        juniper-atm2 - Juniper ATM2
        juniper-chdlc - Juniper C-HDLC
        juniper-ether - Juniper Ethernet
        juniper-frelay - Juniper Frame-Relay
        juniper-ggsn - Juniper GGSN
        juniper-mlfr - Juniper MLFR
        juniper-mlppp - Juniper MLPPP
        juniper-ppp - Juniper PPP
        juniper-pppoe - Juniper PPPoE
        juniper-st - Juniper Secure Tunnel Information
        juniper-svcs - Juniper Services
        juniper-vn - Juniper VN
        juniper-vp - Juniper Voice PIC
        k12 - K12 protocol analyzer
        lapb - LAPB
        lapd - LAPD
        layer1-event - EyeSDN Layer 1 event
        lin - Local Interconnect Network
        linux-atm-clip - Linux ATM CLIP
        linux-lapd - LAPD with Linux pseudo-header
        linux-sll - Linux cooked-mode capture v1
        linux-sll2 - Linux cooked-mode capture v2
        log_3GPP - 3GPP Phone Log
        logcat - Android Logcat Binary format
        logcat_brief - Android Logcat Brief text format
        logcat_long - Android Logcat Long text format
        logcat_process - Android Logcat Process text format
        logcat_tag - Android Logcat Tag text format
        logcat_thread - Android Logcat Thread text format
        logcat_threadtime - Android Logcat Threadtime text format
        logcat_time - Android Logcat Time text format
        loop - OpenBSD loopback
        loratap - LoRaTap
        ltalk - Localtalk
        message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
        message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
        message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
        message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
        message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
        message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
        mime - MIME
        most - Media Oriented Systems Transport
        mp2ts - ISO/IEC 13818-1 MPEG2-TS
        mp4 - MP4 files
        mpeg - MPEG
        mtp2 - SS7 MTP2
        mtp2-with-phdr - MTP2 with pseudoheader
        mtp3 - SS7 MTP3
        mux27010 - MUX27010
        netanalyzer - Hilscher netANALYZER
        netanalyzer-transparent - Hilscher netANALYZER-Transparent
        netlink - Linux Netlink
        netmon_event - Network Monitor Network Event
        netmon_filter - Network Monitor Filter
        netmon_header - Network Monitor Header
        netmon_network_info - Network Monitor Network Info
        nfc-llcp - NFC LLCP
        nflog - NFLOG
        nordic_ble - Nordic BLE Sniffer
        nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
        nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
        nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
        nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
        null - NULL/Loopback
        packetlogger - Apple Bluetooth PacketLogger
        pflog - OpenBSD PF Firewall logs
        pflog-old - OpenBSD PF Firewall logs, pre-3.4
        pktap - Apple PKTAP
        ppi - Per-Packet Information header
        ppp - PPP
        ppp-with-direction - PPP with Directional Info
        pppoes - PPP-over-Ethernet session
        raw-icmp-nettl - Raw ICMP with nettl headers
        raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
        raw-telnet-nettl - Raw telnet with nettl headers
        rawip - Raw IP
        rawip-nettl - Raw IP with nettl headers
        rawip4 - Raw IPv4
        rawip6 - Raw IPv6
        redback - Redback SmartEdge
        rfc7468 - RFC 7468 file
        rtac-serial - RTAC serial-line
        ruby_marshal - Ruby marshal object
        s4607 - STANAG 4607
        s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
        sccp - SS7 SCCP
        sctp - SCTP
        sdh - SDH
        sdjournal - systemd journal
        sdlc - SDLC
        sita-wan - SITA WAN packets
        slip - SLIP
        socketcan - SocketCAN
        symantec - Symantec Enterprise Firewall
        tnef - Transport-Neutral Encapsulation Format
        tr - Token Ring
        tr-nettl - Token Ring with nettl headers
        tzsp - Tazmen sniffer protocol
        unknown - Unknown
        unknown-nettl - Unknown link-layer type with nettl headers
        usb-20 - USB 2.0/1.1/1.0 packets
        usb-darwin - USB packets with Darwin (macOS, etc.) headers
        usb-freebsd - USB packets with FreeBSD header
        usb-linux - USB packets with Linux header
        usb-linux-mmap - USB packets with Linux header and padding
        usb-usbpcap - USB packets with USBPcap header
        user0 - USER 0
        user1 - USER 1
        user2 - USER 2
        user3 - USER 3
        user4 - USER 4
        user5 - USER 5
        user6 - USER 6
        user7 - USER 7
        user8 - USER 8
        user9 - USER 9
        user10 - USER 10
        user11 - USER 11
        user12 - USER 12
        user13 - USER 13
        user14 - USER 14
        user15 - USER 15
        v5-ef - V5 Envelope Function
        vpp - Vector Packet Processing graph dispatch trace
        vsock - Linux vsock
        whdlc - Wellfleet HDLC
        wireshark-upper-pdu - Wireshark Upper PDU export
        wpan - IEEE 802.15.4 Wireless PAN
        wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
        wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
        wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header
        x2e-serial - X2E serial line capture
        x2e-xoraya - X2E Xoraya
        x25-nettl - X.25 with nettl headers
        xeth - Xerox 3MB Ethernet

    D.7 mergecap: Merging multiple capture files into one

    Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap can read libpcap capture files, including those of tcpdump. In addition, Mergecap can read capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray, Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, and the dump output of Toshiba's ISDN routers. There is no need to tell Mergecap what type of file you are reading; it determines the file type by itself. Mergecap can also read any of these file formats if they are compressed with gzip. Mergecap recognizes this directly from the file contents; a ".gz" extension is not required.

    By default, Mergecap writes all of the packets in the input capture files to a single pcapng file. The -F flag can be used to specify the output format of the capture file; it can write files in libpcap format (standard libpcap format, the modified format used by some patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft Network Monitor 1.x format, and the format used by Windows-based versions of the Sniffer software. An empty -F option lists the file types your build supports.

    Unless the -a flag is specified, packets from the input files are merged in chronological order based on each frame's timestamp. Mergecap assumes that the frames within a single capture file are already stored in chronological order; it does not sort them, so an input file that is not in timestamp order will leave the merged output out of order as well, and should be passed through reordercap (D.9) first. When -a is specified, packets are copied directly from each input file to the output file, independent of each frame's timestamp.

    If the -s flag is used to specify a snapshot length, frames in the input files that contain more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file. This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the standard Ethernet MTU, making them unable to handle gigabit Ethernet captures if jumbo frames were used).

    If the -T flag is used to specify an encapsulation type, the encapsulation type of the output capture file is forced to the specified type, rather than being the type appropriate to the encapsulation of the input capture files. Note that this merely forces the output file's encapsulation type to the specified value; the packet headers are not translated from the input file's encapsulation type to the specified one (for example, reading an Ethernet capture with -T fddi specified will not turn it into an FDDI capture). Note also that the mergecap 3.3.0 help output shown below does not list a -T option; check mergecap -h for the version you are running.

    *Help information available from mergecap.*

    Mergecap (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Merge two or more capture files into one.

    Usage: mergecap [options] -w <outfile>|- <infile> [<infile> …]

    Output:
      -a                concatenate rather than merge files.
                        default is to merge based on frame timestamps.
      -s <snaplen>      truncate packets to <snaplen> bytes of data.
      -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
      -F <capture type> set the output file type; default is pcapng.
                        an empty "-F" option will list the file types.
      -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                        an empty "-I" option will list the merge modes.
    
    Miscellaneous:
      -h                display this help and exit.
      -v                verbose output.

    A simple example merging dhcp-capture.pcapng and imap-1.pcapng into outfile.pcapng is shown below.

    *Simple example of using mergecap.*

    $ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng

    D.8 text2pcap: Converting ASCII hexdumps to network captures

    There may be situations where you want to convert a hex dump of some network traffic into a libpcap file.

    text2pcap is a program that reads in an ASCII hex dump and writes the data described into a pcap or pcapng capture file. text2pcap can read hexdumps containing multiple packets and build a capture file of multiple packets. text2pcap is also capable of generating dummy Ethernet, IP, UDP, TCP or SCTP headers, in order to build fully processable packet dumps from hexdumps of application-level data only.

    text2pcap understands a hexdump of the form generated by od -A x -t x1. In other words, each byte is individually displayed and surrounded with a space. Each line begins with an offset describing the position in the packet, each new packet starts at offset 0, and there is a space separating the offset from the following bytes. The offset is a hex number (it can also be octal or decimal, see -o) of more than two hex digits. Here is a sample dump that text2pcap can recognize:

    000000 00 e0 1e a7 05 6f 00 10 ........
    000008 5a a0 b9 12 08 00 46 00 ........
    000010 03 68 00 00 00 00 0a 2e ........
    000018 ee 33 0f 19 08 7f 0f 19 ........
    000020 03 80 94 04 00 00 10 01 ........
    000028 16 a2 0a 00 03 50 00 0c ........
    000030 01 01 0f 19 03 80 11 01 ........

    There is no limit on the width or number of bytes per line. The text dump at the end of the line is also ignored. Bytes and hex numbers can be uppercase or lowercase. Any text before the offset is ignored, including email forwarding characters ">". Any lines of text between the bytestring lines are ignored. The offsets are used to track the bytes, so the offsets must be correct. Any line which has only bytes without a leading offset is ignored. An offset is recognized as a hex number longer than two characters. Any text after the bytes is ignored (for example the character dump), and any hex numbers in that text are also ignored. An offset of zero indicates the start of a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets.

    Packets may be preceded by a timestamp. These are interpreted according to the format given on the command line (-t). If no format is given, the first packet is timestamped with the time at which the conversion takes place, and subsequent packets are written with timestamps that each differ by one microsecond. In general, short of these restrictions, text2pcap is fairly liberal about reading hexdumps and has been tested with a variety of mangled outputs (including dumps forwarded through email multiple times, with limited line wrap, etc.).

    There are a couple of other special features to note. Any line where the first non-whitespace character is "#" is ignored as a comment. Any line beginning with #TEXT2PCAP is a directive, and options can be inserted after this command to be processed by text2pcap. Currently no directives are implemented; in the future they may be used to give finer-grained control over the dump and the way it is processed, e.g. timestamps, encapsulation type, etc.

    text2pcap also allows the user to read in dumps of application-level data by inserting dummy L2, L3 and L4 headers before each packet. The user can elect to insert Ethernet headers, Ethernet and IP headers, or Ethernet, IP and UDP, TCP or SCTP headers before each packet. This allows Wireshark or any other full-packet decoder to handle these dumps.

    *Help information available from text2pcap.*

    Text2pcap (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Generate a capture file from an ASCII hexdump of packets.

    Usage: text2pcap [options] <infile> <outfile>

    where  <infile> specifies input  filename (use - for standard input)
          <outfile> specifies output filename (use - for standard output)
    
    Input:
      -o hex|oct|dec         parse offsets as (h)ex, (o)ctal or (d)ecimal;
                             default is hex.
      -t <timefmt>           treat the text before the packet as a date/time code;
                             the specified argument is a format string of the sort
                             supported by strptime.
                             Example: The time "10:15:14.5476" has the format code
                             "%H:%M:%S."
                             NOTE: The subsecond component delimiter, '.', must be
                             given, but no pattern is required; the remaining
                             number is assumed to be fractions of a second.
                             NOTE: Date/time fields from the current date/time are
                             used as the default for unspecified fields.
      -D                     the text before the packet starts with an I or an O,
                             indicating that the packet is inbound or outbound.
                             This is used when generating dummy headers.
                             The indication is only stored if the output format is pcapng.
      -a                     enable ASCII text dump identification.
                             The start of the ASCII text dump can be identified
                             and excluded from the packet data, even if it looks
                             like a HEX dump.
                             NOTE: Do not enable it if the input file does not
                             contain the ASCII text dump.
    
    Output:
      -l <typenum>           link-layer type number; default is 1 (Ethernet).  See
                             https://www.tcpdump.org/linktypes.html for a list of
                             numbers.  Use this option if your dump is a complete
                             hex dump of an encapsulated packet and you wish to
                             specify the exact type of encapsulation.
                             Example: -l 7 for ARCNet packets.
      -m <max-packet>        max packet length in output; default is 262144
      -n                     use pcapng instead of pcap as output format.
      -N <intf-name>         assign name to the interface in the pcapng file.
    
    Prepend dummy header:
      -e <l3pid>             prepend dummy Ethernet II header with specified L3PID
                             (in HEX).
                             Example: -e 0x806 to specify an ARP packet.
      -i <proto>             prepend dummy IP header with specified IP protocol
                             (in DECIMAL).
                             Automatically prepends Ethernet header as well.
                             Example: -i 46
      -4 <srcip>,<destip>    prepend dummy IPv4 header with specified
                             dest and source address.
                             Example: -4 10.0.0.1,10.0.0.2
      -6 <srcip>,<destip>    prepend dummy IPv6 header with specified
                             dest and source address.
                             Example: -6 fe80::202:b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334
      -u <srcp>,<destp>      prepend dummy UDP header with specified
                             source and destination ports (in DECIMAL).
                             Automatically prepends Ethernet & IP headers as well.
                             Example: -u 1000,69 to make the packets look like
                             TFTP/UDP packets.
      -T <srcp>,<destp>      prepend dummy TCP header with specified
                             source and destination ports (in DECIMAL).
                             Automatically prepends Ethernet & IP headers as well.
                             Example: -T 50,60
      -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
                             source/dest ports and verification tag (in DECIMAL).
                             Automatically prepends Ethernet & IP headers as well.
                             Example: -s 30,40,34
      -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
                             source/dest ports and verification tag 0.
                             Automatically prepends a dummy SCTP DATA
                             chunk header with payload protocol identifier ppi.
                             Example: -S 30,40,34
    
    Miscellaneous:
      -h                     display this help and exit.
      -d                     show detailed debug of parser states.
      -q                     generate no output at all (automatically disables -d).
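    The parsing rules described above, as an added Python example that is not Wireshark's text2pcap: it reads an od-style dump, treats offset 0 as the start of a new packet, skips comment lines, e-mail quoting and free text between dump lines, drops the trailing character dump, optionally frames the result with dummy Ethernet II, IPv4 and UDP headers in the spirit of the -e, -i and -u options, and writes a classic pcap with the timestamps text2pcap would assign (conversion time, then one microsecond apart). The function names, the constructed SAMPLE_DUMP (the first three lines of the sample above as they might arrive quoted in an e-mail, followed by a bare TFTP read request) and the MAC and IP addresses are this example's own. Two simplifications to be aware of: a non-zero offset must match the number of bytes already collected (text2pcap is more forgiving), and the character dump is detected as the first token that is not a two-digit hex pair, so a character dump whose first two characters happen to be hex digits would be misread; that ambiguity is what text2pcap's -a option exists for.

```python
import re
import socket
import struct
import time

# One dump line: optional junk such as ">" e-mail quoting, an offset of more
# than two hex digits, then whitespace-separated hex bytes. parse_hexdump()
# stops reading bytes at the first token that is not a two-digit hex pair.
OFFSET_RE = re.compile(r'^[>\s]*([0-9A-Fa-f]{3,})\s+(.*)$')
BYTE_RE = re.compile(r'^[0-9A-Fa-f]{2}$')

def parse_hexdump(text, offset_base=16):
    """Return the packets (list of bytes) described by an od-style hexdump.
    Offset 0 starts a new packet; '#' lines, lines without a leading offset and
    free text between dump lines are ignored. Assumption (stricter than
    text2pcap): a non-zero offset must equal the bytes already collected."""
    packets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lstrip('> ').startswith('#'):
            continue  # blank line, comment, or "#TEXT2PCAP" directive
        m = OFFSET_RE.match(line)
        if not m:
            continue  # bytes without a leading offset are ignored
        data = bytearray()
        for tok in m.group(2).split():
            if not BYTE_RE.match(tok):
                break  # character dump or other trailing text begins here
            data.append(int(tok, 16))
        if not data:
            continue  # a word that merely looked like an offset
        offset = int(m.group(1), offset_base)
        if offset == 0:
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif current is None or offset != len(current):
            raise ValueError('offset %#x does not match bytes collected' % offset)
        current.extend(data)
    if current:
        packets.append(bytes(current))
    return packets

def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def prepend_dummy_headers(payload, ethertype=0x0800, ip_proto=None,
                          udp_ports=None, src_ip='10.0.0.1', dst_ip='10.0.0.2'):
    """Frame application data like -e (Ethernet II), -i (+IPv4 with the given
    protocol number) or -u (+UDP with the given ports). The MAC addresses and
    default IPs are constructed values; the UDP checksum is left at 0 (none)."""
    l4, proto = b'', ip_proto
    if udp_ports is not None:
        l4 = struct.pack('!HHHH', udp_ports[0], udp_ports[1], 8 + len(payload), 0)
        proto = 17
    l3 = b''
    if proto is not None:
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4) + len(payload),
                         0, 0, 64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        l3 = ip[:10] + struct.pack('!H', ipv4_checksum(ip)) + ip[12:]
        ethertype = 0x0800  # an IPv4 header is present, so the L3PID must say so
    eth = struct.pack('!6s6sH', bytes.fromhex('020000000001'), bytes.fromhex('020000000002'), ethertype)
    return eth + l3 + l4 + payload

def write_pcap(packets, base_time=None, linktype=1):
    """Classic pcap bytes: the first packet is stamped with the conversion time
    and each following packet one microsecond later, as text2pcap does."""
    base_usec = int((time.time() if base_time is None else base_time) * 1_000_000)
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)]
    for i, pkt in enumerate(packets):
        ts = base_usec + i
        out.append(struct.pack('<IIII', ts // 1_000_000, ts % 1_000_000, len(pkt), len(pkt)))
        out.append(pkt)
    return b''.join(out)

# Constructed input: the first three lines of the sample dump above as quoted
# through e-mail, then a bare TFTP read request (opcode 1) as application data.
SAMPLE_DUMP = """\
# forwarded by a colleague
> 000000 00 e0 1e a7 05 6f 00 10 ........
> 000008 5a a0 b9 12 08 00 46 00 ........
> 000010 03 68 00 00 00 00 0a 2e ........
Free text between packets is ignored.
000000 00 01 62 6f 6f 74 2e 62 ..boot.b
000008 69 6e 00 6f 63 74 65 74 in.octet
000010 00                      .
"""

if __name__ == '__main__':
    raw, rrq = parse_hexdump(SAMPLE_DUMP)  # raw: partial Ethernet frame; rrq: application data
    frames = [raw, prepend_dummy_headers(rrq, udp_ports=(1000, 69))]  # like -u 1000,69
    with open('out.pcap', 'wb') as f:
        f.write(write_pcap(frames))
```

    Running the block writes out.pcap with two frames; opened in Wireshark, the second one decodes as a TFTP read request because the dummy UDP header carries destination port 69, which is the point of -u 1000,69 in the help text above.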

    D.9 reordercap: Reordering a capture file

    reordercap lets you reorder a capture file according to the packet timestamps.

    Help information available from reordercap.

    Reordercap (Wireshark) 3.3.0 (v3.3.0rc0-15-g451a241e50bd)
    Reorder timestamps of input file frames into output file.

    Usage: reordercap [options] <infile> <outfile>

    Options:
      -n        don't write to output file if the input file is ordered.
      -h        display this help and exit.
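    The merge order described under D.7 and the reordering D.9 provides, as an added Python example that is not Wireshark's code: it reads and writes classic little-endian pcap files, merges inputs by timestamp with a k-way merge that, like mergecap, trusts each input file to be in order (so an unordered input comes out of the merge out of order unless it is reordered first), truncates captured data to a snapshot length the way -s does while keeping the original length field, and concatenates the way -a does. The record tuples, the pcap reader and writer, and the constructed inputs FILE_A and FILE_B are this example's own; the pcapng-specific behaviour of mergecap (Interface Description Blocks and the -I merge modes) is not modelled.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps

def read_pcap(data):
    """Parse a classic pcap into (linktype, [(ts_usec, origlen, captured_bytes), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError('not a little-endian classic pcap file')
    records, pos = [], 24
    while pos < len(data):
        sec, usec, caplen, origlen = struct.unpack_from('<IIII', data, pos)
        pos += 16
        records.append((sec * 1_000_000 + usec, origlen, data[pos:pos + caplen]))
        pos += caplen
    return linktype, records

def write_pcap(linktype, records, snaplen=262144):
    """Serialize records. -s semantics: captured data is cut to snaplen but the
    original length field is kept, so a reader can tell bytes were dropped."""
    out = [struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, origlen, pkt in records:
        pkt = pkt[:snaplen]
        out.append(struct.pack('<IIII', ts // 1_000_000, ts % 1_000_000, len(pkt), origlen))
        out.append(pkt)
    return b''.join(out)

def merge(files, concatenate=False, snaplen=262144):
    """mergecap semantics. Default: k-way merge by timestamp which, like mergecap,
    assumes each input is already time-ordered (heapq.merge is stable, so equal
    timestamps keep input-file order). concatenate=True behaves like -a."""
    parsed = [read_pcap(d) for d in files]
    linktype = parsed[0][0]
    if any(lt != linktype for lt, _ in parsed):
        # Classic pcap carries one link type per file; mergecap's default pcapng
        # output can describe several through Interface Description Blocks (-I).
        raise ValueError('inputs have different link types')
    if concatenate:
        records = [r for _, recs in parsed for r in recs]
    else:
        records = list(heapq.merge(*(recs for _, recs in parsed), key=lambda r: r[0]))
    return write_pcap(linktype, records, snaplen)

def reorder(data):
    """reordercap semantics: stable sort of one file's frames by timestamp."""
    linktype, records = read_pcap(data)
    return write_pcap(linktype, sorted(records, key=lambda r: r[0]))

def timestamps(data):
    """Frame timestamps (microseconds) of a pcap, in file order."""
    return [ts for ts, _, _ in read_pcap(data)[1]]

def make_pcap(ts_list, payload=bytes(64)):
    """Constructed input: Ethernet (linktype 1) frames of dummy payload."""
    return write_pcap(1, [(ts, len(payload), payload) for ts in ts_list])

FILE_A = make_pcap([100, 300, 500])
FILE_B = make_pcap([200, 600, 400])  # 400 after 600 violates mergecap's assumption

if __name__ == '__main__':
    print(timestamps(merge([FILE_A, FILE_B])))           # [100, 200, 300, 500, 600, 400]
    print(timestamps(merge([FILE_A, reorder(FILE_B)])))  # [100, 200, 300, 400, 500, 600]
    print(timestamps(merge([FILE_A, FILE_B], concatenate=True)))
```

    The first merge shows the failure mode the D.7 text warns about: because FILE_B is out of order, the merge emits 600 before 400 and the result is not chronological even though every input was "merged by timestamp". Reordering FILE_B first (what reordercap does) fixes it; concatenation keeps each file's own order and simply appends, which is what mergecap -a produces.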

    This article was first published on the wangan.com website.
