The third most detailed tshark usage guide on the whole Internet

I. Introduction

As the command-line version of Wireshark, tshark is very powerful: it can capture packets, analyze them, extract files and export the analyzed data, and it supports many output formats. It can fairly be called the Swiss army knife of traffic analysis. Wrap the tshark command in a little tooling and you have a feature-rich analysis system; combine that with detection rules and a simple IDS falls out.

II. Core functions

2.1 Capture packets

Like tcpdump, tshark can capture traffic from the command line, and its capabilities are in no way weaker. The examples below use em1 as the test network interface.

2.1.1 Select network interface

# list the interfaces that can be captured on
/usr/local/bin/tshark -D

example:

[root@localhost xxx]# /usr/local/bin/tshark -D 
Running as user "root" and group "root". This could be dangerous.
1. virbr0
2. docker0
3. nflog
4. nfqueue
5. em1
6. p1p1
7. p1p2
8. usbmon1
9. em2
10. usbmon2
11. usbmon3
12. usbmon4
13. br-7dd1f852358b
14. any
15. lo (Loopback)
16. randpkt (Random packet generator)

2.1.2 Traffic capture

# capture; capturing on several interfaces at once is supported
/usr/local/bin/tshark -i em1 -i lo
# set the kernel capture buffer size in MB; worth raising when packets are being dropped
/usr/local/bin/tshark -i em1 -B 2

# only capture the first 512 bytes of each packet; keeps the capture small, useful under heavy traffic
/usr/local/bin/tshark -i em1 -s 512

# disable name resolution; show IP addresses only
/usr/local/bin/tshark -i em1 -n

# set the capture file format
/usr/local/bin/tshark -i em1 -F pcapng -w 1.pcapng

example:

[root@localhost xxx]# /usr/local/bin/tshark -i em1  -i lo
Running as user "root" and group "root". This could be dangerous.
Capturing on 'em1' and 'Loopback'
    1 0.000000000   10.xx.xx.32 → 10.xx.xx.209 TCP 60 1902 → 22 [ACK] Seq=1 Ack=1 Win=515 Len=0
    2 0.057326592 10.xx.xx.252 → 224.0.0.18   VRRP 60 Announcement (v2)
    3 -0.105265214    127.0.0.1 → 127.0.0.1    UDP 237 41526 → 12345 Len=195
    4 -0.105252544    127.0.0.1 → 127.0.0.1    ICMP 265 Destination unreachable (Port unreachable)
    5 -0.104887691    127.0.0.1 → 127.0.0.1    TCP 78 58290 → 2181 [PSH, ACK] Seq=1 Ack=1 Win=512 Len=12 TSval=2758822980 TSecr=2758821313

2.1.3 Capture and filter

Capture filters use BPF syntax, the same as tcpdump's filter syntax. For example, to view the traffic on specific ports:

/usr/local/bin/tshark  -f 'port 8080 or port 54'

# common filter syntax
# capture packets on TCP port 22 that have the FIN flag set
/usr/local/bin/tshark -f "tcp port 22 and (tcp[tcpflags] & tcp-fin != 0)"

# host filter
not host vs and ace

# network filter
ip and not net localnet

example:

[root@localhost xxxx]# /usr/local/bin/tshark -f 'port 80 or port 53' -i em1 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'em1'
    1 0.000000000 10.xx.xx.xxx→ 223.5.5.5    DNS 75 Standard query 0x18ff A www.sina.com.cn
    2 0.021213522    223.5.5.5 → 10.xx.xx.xxx DNS 281 Standard query response 0x18ff A www.sina.com.cn CNAME spool.grid.sinaedge.com CNAME ww1.sinaimg.cn.w.alikunlun.com A 218.98.31.191 A 218.98.31.194 A 218.98.31.197 A 218.98.31.193 A 218.98.31.198 A 218.98.31.195 A 218.98.31.192 A 218.98.31.196
    3 0.027229144 10.10.xx.xxx → 223.5.5.5    DNS 86 Standard query 0xc21f PTR 191.31.98.218.in-addr.arpa

2.1.4 Automatic stop parameter -a

Stop capturing automatically after a given number of packets, after a given amount of time, or when the capture file reaches a given size.

# stop condition: packet count
/usr/local/bin/tshark -i em1 -c <packet count>

# stop condition: elapsed time, 60 seconds
/usr/local/bin/tshark -i em1 -a duration:60

# stop condition: file size, in KB
/usr/local/bin/tshark -i em1 -a filesize:10 -w 1.pcap

2.1.5 Capturing output parameters

The capture output parameter, also called the ring buffer parameter -b, takes the same conditions as autostop. Its behavior differs, however: with the duration and filesize conditions it switches to a new output file once the given time limit (in seconds) or file size has been reached, rather than stopping the capture.

# the ring buffer options mirror the autostop ones: rotate to a new file by size, rotate by time, or keep a fixed number of files as a buffer and overwrite the oldest once that many have been written

/usr/local/bin/tshark -i em1   -b filesize:100 -a files:2 -w /tmp/test.pcap

Some command test results:

[root@localhost xxx]# /usr/local/bin/tshark -i lo -w 1.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
283 ^C

[root@localhost xxx]# /usr/local/bin/tshark -i lo 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
    1 0.000000000    127.0.0.1 → 127.0.0.1    TCP 78 58286 → 2181 [PSH, ACK] Seq=1 Ack=1 Win=512 Len=12 TSval=2756988487 TSecr=2756986819
    2 0.000076012    127.0.0.1 → 127.0.0.1    TCP 86 2181 → 58286 [PSH, ACK] Seq=1 Ack=13 Win=512 Len=20 TSval=2756988487 TSecr=2756988487
    3 0.000082052    127.0.0.1 → 127.0.0.1    TCP 66 58286 → 2181 [ACK] Seq=13 Ack=21 Win=512 Len=0 TSval=2756988487 TSecr=2756988487

[root@localhost xxx]# /usr/local/bin/tshark -i lo -b filesize:100 -a files:2 -w /tmp/test.pcap 
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
843 
[root@localhost xxx]# ll /tmp/test_0000*
-rw------- 1 root root 100116 Dec  7 11:29 /tmp/test_00001_20221207112900.pcap
-rw------- 1 root root 100092 Dec  7 11:29 /tmp/test_00002_20221207112911.pcap
[root@localhost xxx]# /usr/local/bin/tshark -i lo -b filesize:100  -w /tmp/test.pcap

2.2 Read package and analyze

2.2.1 Simple Analysis

tshark can read packets back from a file for all kinds of analysis, as follows:

# read a pcap file
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap
# show timestamps in absolute date and time format
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -t ad

[Figure: Time format description]

example:

[root@localhost xxx]# /usr/local/bin/tshark -r pcap/tomcat_bru.pcap |more 
Running as user "root" and group "root". This could be dangerous.
    1   0.000000 137.135.12.16 → 172.16.66.100 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
    2   0.000098 172.16.66.100 → 137.135.12.16 TCP 54 7785 → 443 [ACK] Seq=1 Ack=60 Win=16560 Len=0
    3   0.000379 172.16.66.100 → 137.135.12.16 TLSv1 715 Application Data
    4   0.239551 172.16.66.100 → 125.119.8.1  ICMP 74 Echo (ping) request  id=0x0100, seq=37927/10132, ttl=64
    5   0.242259  125.119.8.1 → 172.16.66.100 ICMP 74 Echo (ping) reply    id=0x0100, seq=37927/10132, ttl=250 (request in 4)
    6   0.282825 137.135.12.16 → 172.16.66.100 TLSv1 603 Application Data
    7   0.282969 172.16.66.100 → 137.135.12.16 TCP 54 7785 → 443 [ACK] Seq=662 Ack=609 Win=16422 Len=0
    8   0.283384 172.16.66.100 → 137.135.12.16 TCP 54 7785 → 443 [FIN, ACK] Seq=662 Ack=609 Win=16422 Len=0
    9   0.284748 172.16.66.100 → 137.135.12.16 TCP 66 7786 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
   10   0.559238 137.135.12.16 → 172.16.66.100 TCP 60 443 → 7785 [FIN, ACK] Seq=609 Ack=663 Win=64 Len=0
   11   0.559366 172.16.66.100 → 137.135.12.16 TCP 54 7785 → 443 [ACK] Seq=663 Ack=610 Win=16422 Len=0
   12   0.696560 172.16.66.100 → 223.5.5.5    DNS 86 Standard query 0x4d25 PTR 16.12.135.137.in-addr.arpa

2.2.2 Filtering and output format processing

Selecting fields is straightforward; the command is as follows:

/usr/local/bin/tshark -r pcap/tomcat_bru.pcap   -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport

Selecting the fields is easy enough, but the default output format is awkward to handle as a table. There are formats that are easier to work with:

For XML output, change -T fields to -T pdml and leave everything else unchanged. To send the data to Elasticsearch, change -T fields to -T ek. If you want the full packet information without writing out so many -e fields, simply remove all the -e fields and add -V. If you want something like Wireshark, where clicking on a specific layer highlights the corresponding bytes on the right, -T pdml -V gives you the important size and pos information for each field.

If you just want tabular output, but with a header line, values enclosed in double quotes and a comma as the delimiter, see the example below:

/usr/local/bin/tshark -r pcap/mysql.pcap    -T fields -e ip.src -e ip.dst -e mysql.query  -E header=y -E separator=, -E quote=d 
ip.src,ip.dst,mysql.query
"10.10.3.109","10.10.3.60",
"10.10.3.60","10.10.3.109",

If you need finer filtering, for example DNS packets with a specific name, MySQL protocol packets, or HTTP packets containing specific content, see the following examples:

# -Y display filters work both when capturing and when reading a pcap file; the syntax is very powerful.
# DNS packets whose query name contains a specific string
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -Y 'dns.qry.name matches "in-addr"'

# a specific subnet
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -Y 'ip.addr == 172.16.0.0/16'

# match at a specific offset; the slice syntax resembles Python's
eth.src[0:3] == 00:00:83
[i:j]    i = start_offset, j = length
[i-j]    i = start_offset, j = end_offset, inclusive.
[i]      i = start_offset, length = 1
[:j]     start_offset = 0, length = j
[i:]     start_offset = i, end_offset = end_of_field

# filter on a set of ports
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -Y "tcp.port in {53 8080}"

# HTTP packets with response code 200 (only the response packets match)
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -Y 'http and http.response.code == 200'

# match MySQL queries
/usr/local/bin/tshark -r pcap/mysql.pcap -T fields -e mysql.query -Y 'mysql.query contains select'
Running as user "root" and group "root". This could be dangerous.
select @@version_comment limit 1
select * from test_table

# match statements containing a MySQL select or show command
/usr/local/bin/tshark -r pcap/mysql.pcap -T fields -e mysql.query -Y 'mysql.query matches "select|show"'
Running as user "root" and group "root". This could be dangerous.
show databases
show tables
select @@version_comment limit 1
select * from test_table

# select packets within a specific time range and write them to a file
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -t ad -Y 'frame.time >= "2016-01-04 19:32:47" && frame.time < "2016-01-04 19:32:50"' -w a.pcap

Note that when matching field content, contains tests for a literal substring and is case-sensitive, whereas matches tests a regular expression written in Perl-compatible syntax.
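To make the two rules above concrete, here is a small Python model of the display-filter slice forms and of the contains/matches operators, run over constructed sample values. This is an added example, not code from the original post; the MAC address and query strings are made up, and Python's re stands in for Wireshark's PCRE engine.

```python
import re

# The five slice forms listed above: [i:j] [i-j] [i] [:j] [i:]
SLICE_RE = re.compile(r"^\[(\d*)([:-]?)(\d*)\]$")

def field_slice(field: bytes, spec: str) -> bytes:
    """Return the bytes a display-filter slice such as '[0:3]' selects from a field."""
    m = SLICE_RE.match(spec)
    if not m:
        raise ValueError(f"bad slice: {spec}")
    a, op, b = m.groups()
    if op == "":                       # [i]: the single byte at offset i
        if not a:
            raise ValueError(f"bad slice: {spec}")
        return field[int(a):int(a) + 1]
    if op == "-":                      # [i-j]: start and end offsets, inclusive
        if not (a and b):
            raise ValueError(f"bad slice: {spec}")
        return field[int(a):int(b) + 1]
    if not a and not b:                # '[:]' is not one of the listed forms
        raise ValueError(f"bad slice: {spec}")
    if not a:                          # [:j]: the first j bytes
        return field[:int(b)]
    if not b:                          # [i:]: from offset i to the end of the field
        return field[int(a):]
    return field[int(a):int(a) + int(b)]   # [i:j]: j bytes starting at offset i

def mac(text: str) -> bytes:
    """Parse a colon-separated byte-string literal such as 00:00:83."""
    return bytes.fromhex(text.replace(":", ""))

def contains(value: str, needle: str) -> bool:
    """'contains': a case-sensitive substring test."""
    return needle in value

def matches(value: str, pattern: str) -> bool:
    """'matches': a regular-expression test. Wireshark uses PCRE and is
    case-insensitive by default; Python's re with IGNORECASE stands in here."""
    return re.search(pattern, value, re.IGNORECASE) is not None

# Constructed sample values; not taken from the post's pcap files.
ETH_SRC = mac("00:00:83:ab:cd:ef")
QUERIES = ["show databases", "select * from test_table", "SELECT 1", "insert into t values (1)"]

def filter_queries(op: str, arg: str) -> list:
    """Apply 'mysql.query contains <arg>' or 'mysql.query matches <arg>' to QUERIES."""
    test = contains if op == "contains" else matches
    return [q for q in QUERIES if test(q, arg)]
```

Note that the same query text is selected by `contains select` only in lower case, while `matches "select|show"` also picks up `SELECT 1`.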

The -Y option applies a display filter in a single pass: the filter is evaluated once and nothing is cached. The -2 option, by contrast, performs two-pass analysis, which caches the results and can fill in fields that depend on later packets, such as a request's response information or reassembled packet data.

Filter example:

[root@localhost xxx]#  /usr/local/bin/tshark -r pcap/tomcat_bru.pcap   -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport |more 
Running as user "root" and group "root". This could be dangerous.
1       137.135.12.16   172.16.66.100   443     7785
2       172.16.66.100   137.135.12.16   7785    443
3       172.16.66.100   137.135.12.16   77

[root@localhost xxx]#  /usr/local/bin/tshark -r pcap/tomcat_bru.pcap   -T ek   -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -V|more 
Running as user "root" and group "root". This could be dangerous.
{"index" : {"_index": "packets-2022-12-07", "_type": "pcap_file", "_score": null}}
{"timestamp" : "1451907159370", "layers" : {"frame_number": ["1"],"ip_src": ["137.135.12.16"],"ip_dst": ["172.16.66.100"],"tcp_srcport": ["443"],"tcp_dstport": ["7785"]}}

[root@localhost xxx]#  /usr/local/bin/tshark -r pcap/tomcat_bru.pcap   -T json     -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -V|more  
Running as user "root" and group "root". This could be dangerous.
[
  {
    "_index": "packets-2022-12-07",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "frame.number": ["1"],
        "ip.src": ["137.135.12.16"],
        "ip.dst": ["172.16.66.100"],
        "tcp.srcport": ["443"],
        "tcp.dstport": ["7785"]
      }
    }
  }


[root@localhost xxx]#  /usr/local/bin/tshark -r pcap/tomcat_bru.pcap   -T json     -V|more 
Running as user "root" and group "root". This could be dangerous.
[
  {
    "_index": "packets-2022-12-07",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "1",
          "frame.time": "Jan  4, 2016 19:32:39.370369000 CST",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1451907159.370369000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "113",
          "frame.cap_len": "113",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "eth:ethertype:ip:tcp:ssl"
        },
        "eth": {
          "eth.dst": "20:89:84:32:73:c5",
          "eth.dst_tree": {
            "eth.dst_resolved": "CompalIn_32:73:c5",
            "eth.addr": "20:89:84:32:73:c5",
            "eth.addr_resolved": "CompalIn_32:73:c5",
            "eth.lg": "0",
....

# view a single packet as hex and ASCII
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap -Y 'frame.number == 1' -x

Running as user "root" and group "root". This could be dangerous.
0000  20 89 84 32 73 c5 0c da 41 9e cc 85 08 00 45 00    ..2s...A.....E.
0010  00 63 4a 3c 40 00 2d 06 7f 4d 89 87 0c 10 ac 10   .cJ<@.-..M......
0020  42 64 01 bb 1e 69 77 ea ff 2b 21 1f 7c f5 50 18   Bd...iw..+!.|.P.
0030  00 3e 49 58 00 00 14 03 01 00 01 01 16 03 01 00   .>IX............
0040  30 f7 e8 17 52 be c4 73 e2 69 73 ad dc 08 c7 19   0...R..s.is.....
0050  ef a6 21 78 1d 81 c3 42 e7 c5 ef 7e 81 32 4c e8   ..!x...B...~.2L.
0060  48 53 5b b6 0d d6 ca eb c2 df e6 6f 44 49 60 76   HS[........oDI`v
0070  f4                                                .

III. Lesser-known commands

3.1 Flow Analysis

This means showing both directions of a conversation together; in Wireshark you get it by right-clicking a packet and choosing Follow Stream.

The corresponding tshark command (the 7 below is the value of tcp.stream, which can be thought of as the number of this stream within the pcap):

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -q -z follow,tcp,ascii,7 
Follow: tcp,ascii
Filter: tcp.stream eq 7
Node 0: 172.16.66.100:7792
Node 1: 172.16.80.153:8080
0

        0

0

512
GET /manager/html HTTP/1.1
Host: 172.16.80.153:8080
Cache-Control: max-age=0
Authorization: Basic YWRtaW46MTIzNDU2Nzg%3d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=561210C3F0B9EC906385BDCFD4B01B0A
Connection: close


        1460
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 08:00:00 CST
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Type: text/html;charset=ISO-8859-1
...

You will notice a lot of bare numbers in the middle of the output, which puzzled me for a while (I have not found an explanation of them online). Eventually I understood: the followed stream is still displayed packet by packet, and each piece is printed as the payload length, a newline, then the payload rendered in the chosen format (ascii here). For the other direction of the stream there is a ^I in front of the length, that is, a tab character. Note also that the length includes the carriage return and line feed, so it is two bytes more than what you see.
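To make the format just described concrete, here is a Python parser for the ascii follow output, with a constructed stream modelled on the one above. This is an added example rather than code from the post; it assumes the ascii rendering passes CR and LF through unchanged (other non-printable bytes become '.'), so the rendered text of a chunk has exactly as many characters as its length line says.

```python
import re

# A chunk header is the payload length; the node1 -> node0 direction is tab-prefixed.
HEADER_RE = re.compile(r"^(\t?)(\d+)$")

def render_chunk(from_node1: bool, payload: str) -> str:
    """Emit one chunk the way the ascii follow output does: the length line,
    the payload, then a single newline. Used here only to build the sample."""
    return ("\t" if from_node1 else "") + f"{len(payload)}\n{payload}\n"

def parse_follow_ascii(text: str) -> tuple:
    """Split follow output into (metadata dict, [(direction, payload), ...]).
    Parsing is length-driven, so a payload line that is itself a bare number
    (for example a chunked-encoding size) cannot be mistaken for a header."""
    meta, pos = {}, 0
    while True:                                   # preamble: Follow/Filter/Node lines
        nl = text.find("\n", pos)
        if nl == -1:
            raise ValueError("no stream data found")
        line = text[pos:nl]
        if HEADER_RE.match(line):
            break
        key, _, value = line.partition(": ")
        meta[key] = value
        pos = nl + 1
    chunks = []
    while pos < len(text):
        nl = text.find("\n", pos)
        m = HEADER_RE.match(text[pos:nl]) if nl != -1 else None
        if not m:
            raise ValueError(f"expected a length line at offset {pos}")
        length, start = int(m.group(2)), nl + 1
        direction = "node1->node0" if m.group(1) else "node0->node1"
        payload = text[start:start + length]
        if len(payload) != length or text[start + length:start + length + 1] != "\n":
            raise ValueError(f"truncated chunk at offset {start}")
        chunks.append((direction, payload))
        pos = start + length + 1
    return meta, chunks

# Constructed sample modelled on stream 7 above (Tomcat manager login attempt).
REQUEST = ("GET /manager/html HTTP/1.1\r\n"
           "Host: 172.16.80.153:8080\r\n"
           "Connection: close\r\n\r\n")
RESPONSE = ("HTTP/1.1 401 Unauthorized\r\n"
            "Server: Apache-Coyote/1.1\r\n"
            'WWW-Authenticate: Basic realm="Tomcat Manager Application"\r\n'
            "Content-Length: 1\r\n\r\n"
            "0")                                  # a body that is just '0' on its own line
SAMPLE = ("Follow: tcp,ascii\nFilter: tcp.stream eq 7\n"
          "Node 0: 172.16.66.100:7792\nNode 1: 172.16.80.153:8080\n"
          + render_chunk(False, "") + render_chunk(True, "")
          + render_chunk(False, REQUEST) + render_chunk(True, RESPONSE))
```

The two empty chunks reproduce the bare "0" lines seen above: a zero-length chunk is printed as the length line followed by an empty payload line.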

If you want to display hex on the left and ascii on the right, you can use the following parameters:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -q -z follow,tcp,hex,7

To extract and store the raw hexadecimal data, change hex to raw. To pull the packets of a specific stream out of the pcap, run:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -Y 'tcp.stream == 7'

3.2 Statistics

3.2.1 Expert Information Statistics

It can be used to find out whether the network is abnormal, etc.:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z expert -q
[Figure: Expert information statistics]
3.2.2 Packet Length Statistics

It is useful to check whether there are abnormal packets:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z plen,tree  -q
[Figure: Packet length statistics]

3.2.3 Session statistics

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z conv,ip   -q
[Figure: Session statistics]

3.2.4 Statistics of all IP information

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z endpoints,ip   -q
[Figure: IP statistics]

3.2.5 Statistics of HTTP packets

/usr/local/bin/tshark  -q -r ./pcap/tomcat_bru.pcap  -2 -R http -z http,tree
[Figure: HTTP statistics]

3.2.6 Statistics at regular intervals

For example, count the I/O situation at 5-second intervals:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z io,stat,5  -q
[Figure: Fixed time interval statistics]

Statistics with a filter:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -z io,stat,3,ip==172.16.0.0/16   -q

There are many statistics dimensions; passing an invalid value to -z on purpose (-z xxx) makes tshark print the list of all available statistics.

3.3 Unpack with HTTPS key

-Y: filter condition
-o: set a preference
The key one is ssl.keys_list, which sets the HTTPS server address, port, protocol and private key file
-V expand all protocol layers
-x print hex and ASCII

tshark  -Y 'http contains "pmos.md.sgcc.com.cn" and frame.number==20'  -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE"   -o "ssl.keys_list: 10.x.1x.30,443,http,./key.pem"    -o "ssl.debug_file: ./debug" -r ce0f77a1-a351-4e0f-b92f-a3e1b9612a5d.pcap -x -V -w 2.txt

3.4 pcap hierarchical analysis

For example, if you only want to look at the TCP layer or the IP layer in detail, use the commands below. View the TCP layer:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -Y "frame.number == 1" -O tcp

Check the ip layer:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -Y "frame.number == 1" -O ip

All layers are expanded:

/usr/local/bin/tshark -r   pcap/tomcat_bru.pcap -Y "frame.number == 1" -V

3.5 Export files

Not all versions support this.

# tt is the name of the directory to save the objects into
/usr/local/bin/tshark -r pcap/tomcat_bru.pcap --export-objects http,tt -q

3.6 Decode packets with specific conditions according to a certain protocol

# decode packets on TCP port 8888 as HTTP, for cases where tshark has not recognized the protocol
/usr/local/bin/tshark -q -r ./pcap/tomcat_bru.pcap -d tcp.port==8888,http

IV. Reference documents

Official documentation: [https://www.wireshark.org/docs/man-pages/tshark.html](https://www.wireshark.org/docs/man-pages/tshark.html)
Reference: [https://blog.csdn.net/weixin_44288604/article/details/123807294](https://blog.csdn.net/weixin_44288604/article/details/123807294)

Origin blog.csdn.net/mseaspring/article/details/128271152