Background
When analysing a packet capture, Wireshark is the most commonly used tool. In the packet list, the Info column shows a lot of information that is directly useful for a first assessment.
However, the Info column has no filter option: it is summary text that Wireshark generates from the packet contents, not a protocol field you can put in a display filter.
So how do you quickly find what you need among many packets?
Method 1: Ctrl+F
Use the search box directly. Note that the search type (the first dropdown in the search bar) must be changed to String, otherwise the text is not matched against the Info column.
Method 2: tshark
tshark is Wireshark's command-line tool. It can both capture and analyse packets, and combined with a shell pipe it does the job of filtering on the Info column: print the Info column as a field and let grep select the lines.
zhengkaideMacBook-Pro:wireshark zhengk$ tshark -r w.pcapng -T fields -e frame.number -e ip.addr -e udp -e _ws.col.Info | grep "BAIDU"
The parameters are as follows:
-r : the pcapng capture file to read.
Man page: Read packet data from infile, can be any supported capture file format (including gzipped files). It is possible to use named pipes or stdin (-) here but only with certain (not compressed) capture file formats (in particular: those that can be read without seeking backwards).
-T : the output format. -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
Man page: Set the format of the output when viewing decoded packet data. The options are one of:
-e : the columns (fields) to output.
Man page: Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "_ws.col."
Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info
Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.
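Two caveats with the grep pipeline above: grep matches the pattern anywhere on the line (an IP address or port in the other -e columns can match just as well as the Info text), and it is case-sensitive, so "BAIDU" does not match "www.baidu.com". The following script is an added example, not code from the original post. It restricts the match to the Info column (the last tab-separated field, as in the command above) and matches case-insensitively, using awk on the same -T fields output. The tshark output it runs on is a constructed sample embedded in the script, so it runs without a capture file; the function names filter_info, filter_pcap, sample_output and count_matches are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Post-processes `tshark -T fields`
# output so the pattern is matched against the Info column only, not the whole line.

# filter_info PATTERN
# Reads tab-separated tshark field output on stdin (Info must be the last -e
# field, as in the command in the post) and prints only rows whose Info column
# matches PATTERN (extended regex, case-insensitive).
# The pattern is passed through the environment rather than `awk -v` so that
# backslashes in it are not reinterpreted by awk.
filter_info() {
    PAT="$1" awk -F '\t' '
        BEGIN { pat = tolower(ENVIRON["PAT"]) }
        tolower($NF) ~ pat
    '
}

# filter_pcap FILE PATTERN
# The same pipeline as the post, with filter_info in place of grep. Needs tshark;
# the column list is the one from the post (frame.number, ip.addr, udp, Info).
filter_pcap() {
    tshark -r "$1" -T fields -e frame.number -e ip.addr -e udp -e _ws.col.Info |
        filter_info "$2"
}

# Constructed sample standing in for that tshark output (no real capture was
# used; addresses and ports are made up). Columns: frame.number, ip.addr, udp, Info.
# Frames 3 and 4 are TCP, so their udp column is empty, as tshark prints it.
sample_output() {
    printf '%s\t%s\t%s\t%s\n' \
        1 '192.168.1.10,8.8.8.8' 'User Datagram Protocol, Src Port: 51234, Dst Port: 53' 'Standard query 0x1a2b A www.baidu.com' \
        2 '8.8.8.8,192.168.1.10' 'User Datagram Protocol, Src Port: 53, Dst Port: 51234' 'Standard query response 0x1a2b A www.baidu.com A 39.156.66.10' \
        3 '192.168.1.10,93.184.216.34' '' 'GET /BAIDU-test HTTP/1.1' \
        4 '192.168.1.10,93.184.216.34' '' '[TCP ACKed unseen segment] 443 > 51235 [ACK] Seq=1 Ack=1'
}

# count_matches PATTERN: number of sample rows whose Info column matches.
count_matches() {
    sample_output | filter_info "$1" | awk 'END { print NR }'
}

# Demo: "baidu" hits frames 1-3 (case-insensitive), while "192.168" hits none,
# because it only occurs in ip.addr; a plain `grep 192.168` would return all four.
sample_output | filter_info 'baidu'
echo "baidu: $(count_matches baidu) row(s); 192.168: $(count_matches 192.168) row(s)"
```

On a real capture, replace the sample with `filter_pcap w.pcapng baidu`. If what you are looking for is a decoded protocol field rather than free text (a DNS query name, an HTTP host), tshark's `-Y` display filter on that field is more precise than any text match on the Info summary.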
Further reading
tshark man page: https://www.wireshark.org/docs/man-pages/tshark.html
Wireshark display filter reference: https://wiki.wireshark.org/DisplayFilters