Analyzing PCAP files with Wireshark

Published: 2018-9-14 14:24


 Author: bass    Source: 博客园

  [root@ok Desktop]# yum search tcpdump
  Loaded plugins: fastestmirror, refresh-packagekit, security
  Loading mirror speeds from cached hostfile
  * base: mirrors.yun-idc.com
  * extras: mirrors.yun-idc.com
  * updates: mirrors.yun-idc.com
  ======================================================================= N/S Matched: tcpdump ========================================================================
  tcpdump.x86_64 : A network traffic monitoring tool
  Name and summary matches only, use "search all" for everything.
  [root@ok Desktop]# which tcpdump
  /usr/sbin/tcpdump
  [root@ok Desktop]# tcpdump -h
  tcpdump version 4.1-PRE-CVS_2015_07_23
  libpcap version 1.4.0
  Usage: tcpdump [-aAdDefhIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
  [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
  [ -i interface ] [ -j tstamptype ] [ -M secret ]
  [ -P in|out|inout ]
  [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
  [ -W filecount ] [ -y datalinktype ] [ -z command ]
  [ -Z user ] [ expression ]
  [root@ok Desktop]# yum search wireshark
  Loaded plugins: fastestmirror, refresh-packagekit, security
  Loading mirror speeds from cached hostfile
  * base: mirrors.yun-idc.com
  * extras: mirrors.yun-idc.com
  * updates: mirrors.yun-idc.com
  ================================================ N/S Matched: wireshark ================================================
  wireshark-devel.i686 : Development headers and libraries for wireshark
  wireshark-devel.x86_64 : Development headers and libraries for wireshark
  wireshark-gnome.x86_64 : Gnome desktop integration for wireshark and wireshark-usermode
  wireshark.i686 : Network traffic analyzer
  wireshark.x86_64 : Network traffic analyzer
  Name and summary matches only, use "search all" for everything.

  Install:
  [root@ok Desktop]# yum install wireshark* -y
  [root@ok Desktop]# which wireshark
  /usr/sbin/wireshark
  [root@ok Desktop]# rpm -qa|grep wireshark
  wireshark-devel-1.8.10-17.el6.x86_64
  wireshark-1.8.10-17.el6.x86_64
  wireshark-gnome-1.8.10-17.el6.x86_64
  Saving the tcpdump capture to a file
  [root@bass Desktop]# tcpdump -i eth0 -w dump.pcap
  -i # the interface to capture on
  -w # where to write the captured packets
  [root@bass Desktop]# tcpdump -i eth0 -w dump.pcap -v
  tcpdump: WARNING: eth0: no IPv4 address assigned
  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  ^C189 packets captured
  189 packets received by filter
  0 packets dropped by kernel
  -v # mainly so that tcpdump shows the running packet count ("Got 15"); press Ctrl+C when you want to stop
  [root@bass Desktop]# ll -h dump.pcap
  -rw-r--r--. 1 tcpdump tcpdump 18K Aug 30 13:19 dump.pcap
  Open it in Wireshark:
  [root@bass Desktop]# wireshark dump.pcap # view it on Linux

  When we capture with tcpdump, the default display looks like this:

  The figure above marks three areas. The red box shows brief per-packet information; this is how packets are shown by default when capturing with tcpdump. The dark blue box shows the details of the selected packet, laid out according to the four-layer TCP/IP model: the first line is data-link-layer information, the second line is network-layer information (the IP protocol), the third line is transport-layer information (the TCP protocol), and the fourth is application-layer information (the HTTP protocol); the first line can be expanded to inspect its specific contents. The last area, the light blue box, shows the packet as it really is: its raw bytes. (The figure below lists these clearly.)
  
  sh-4.1# tcpdump -i eth0 -c 20 -w 20gebao -v
  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  20 packets captured
  20 packets received by filter
  0 packets dropped by kernel
  Use the -c option to specify how many packets to capture before tcpdump stops on its own.
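As an added example (not code from the post, from tcpdump or from Wireshark), the following Python reads a classic pcap file of the kind tcpdump -w writes and splits each frame into the same four layers the detail pane shows (Ethernet, IP, TCP, HTTP); the capture bytes, MAC addresses, IP addresses and host name are constructed for the example.

```python
import struct

def build_sample_pcap():
    """Constructed sample (not from the post): pcap global header as tcpdump -w writes
    it (little-endian magic, link type 1 = EN10MB, snaplen 65535) plus one HTTP frame."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 80]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack("<IIII", 1535606340, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

def decode_frame(frame):
    """Split one Ethernet frame into the four layers Wireshark's detail pane shows."""
    layers = {"ethernet": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                           "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["ethernet"]["type"] != 0x0800:          # only IPv4 is decoded here
        return layers
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    layers["ip"] = {"src": ".".join(map(str, frame[26:30])),
                    "dst": ".".join(map(str, frame[30:34])), "proto": frame[23]}
    if frame[23] != 6:                                # only TCP is decoded here
        return layers
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4                   # TCP data offset in bytes
    layers["tcp"] = {"sport": sport, "dport": dport, "flags": frame[t + 13]}
    payload = frame[t + doff:]
    if payload[:4] in (b"GET ", b"POST", b"HTTP"):    # crude HTTP detection
        layers["http"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return layers

def parse_pcap(data):
    """Walk the pcap global header and records; returns (snaplen, decoded packets)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("only link-type EN10MB (Ethernet) is handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        packets.append(decode_frame(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return snaplen, packets
```

To try it on a real capture, pass the contents of dump.pcap to parse_pcap instead of the constructed sample.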