
Repost: tethereal / tshark command manual

2008-10-09 09:32:27 / Category: Testing knowledge



[Translation] tethereal command manual
 
NAME
       tethereal - Dump and analyze network traffic
 
# Note: tethereal dumps and analyzes network traffic.
 
# Addendum: version information for the tethereal build used here
 
[bob@mail ~]$ /usr/sbin/tethereal -v
tethereal 0.10.6
Compiled with GLib 2.4.6, with libpcap 0.8.3, with libz 1.2.1.2,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.6.9-prepall-fs.
[bob@mail ~]$
 
 
SYNOPSIS
       tethereal [ -a capture autostop condition ] ... [ -b number of ring buffer files [:duration] ] [ -c count ]
       [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -f capture filter expression ] [ -F file format ] [ -h ] [ -i interface ]
       [ -l ] [ -L ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ...  [ -p ] [ -q ] [ -r infile ] [ -R display filter expression ] [ -s snaplen ]
       [ -S ] [ -t time stamp format ] [ -T pdml|psml|ps|text ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ -y link type ] [ -z statistics-string ] [ filter expression ]
 
DESCRIPTION
       Tethereal is a network protocol analyzer.  It lets you capture packet data from a live network, or read packets from a previously saved cap-
       ture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.  Tethereal’s native
       capture file format is libpcap format, which is also the format used by tcpdump and various other tools.
 
# Note: tethereal is a network protocol analyzer. It can capture packets from a live network for you, or read packets from a previously saved capture file.

# It can also decode the packets and print them, or write the captured packets to a file.

# Tethereal's default capture file format is libpcap, which tcpdump and various other tools can read.
 
       Ethereal can read / import the following file formats:
 
# Note: ethereal can read/import files in the following formats
 
       * libpcap/WinPcap, tcpdump and various other tools using tcpdump’s capture format
       * snoop and atmsnoop
       * Shomiti/Finisar Surveyor captures
       * Novell LANalyzer captures
       * Microsoft Network Monitor captures
       * AIX’s iptrace captures
       * Cinco Networks NetXRay captures
       * Network Associates Windows-based Sniffer captures
       * Network General/Network Associates DOS-based Sniffer (compressed or
       uncompressed) captures
       * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
       * RADCOM’s WAN/LAN analyzer captures
       * Network Instruments Observer version 9 captures
       * Lucent/Ascend router debug output
       * files from HP-UX’s nettl
       * Toshiba’s ISDN routers dump output
       * the output from i4btrace from the ISDN4BSD project
       * traces from the EyeSDN USB S0.
       * the output in IPLog format from the Cisco Secure Intrusion Detection System
       * pppd logs (pppdump format)
       * the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
       * the text output from the DBS Etherwatch VMS utility
       * Visual Networks’ Visual UpTime traffic capture
       * the output from CoSine L2 debug
       * the output from Accellent’s 5Views LAN agents
       * Endace Measurement Systems’ ERF format captures
       * Linux Bluez Bluetooth stack hcidump -w traces
 
       There is no need to tell Tethereal what type of file you are reading;
       it will determine the file type by itself.  Tethereal is also capable
       of reading any of these file formats if they are compressed using
       gzip.  Tethereal recognizes this directly from the file; the ’.gz’
       extension is not required for this purpose.
 
# Note: you do not need to tell tethereal what type of capture file it is reading; it determines that itself.

# tethereal also reads gzip-compressed capture files, and the .gz suffix is not required.
 
       If the -w flag is not specified, Tethereal prints a decoded form of
       the packets it captures or reads; otherwise, it writes those packets
       to the file specified by that flag.
 
# Note: if -w is not given, tethereal prints the decoded packets to stdout; otherwise it writes them to the specified file.
 
       When printing a decoded form of packets, Tethereal prints, by default,
       a summary line containing the fields specified by the preferences file
       (which are also the fields displayed in the packet list pane in
       Ethereal), although if it’s printing packets as it captures them, rather
       than printing packets from a saved capture file, it won’t print the
       "frame number" field.
 
 
# Note: when printing decoded packets, tethereal prints one summary line per packet by default (the same fields as the packet list pane in Ethereal); during a live capture the frame number is not printed.

      If the -V flag is specified, it prints instead a view of the details of the packet, showing all the fields of all  protocols in the packet.
 
# Note: with -V, the full packet details are printed instead.
 
 
       When writing packets to a file, Tethereal, by default, writes the file
       in libpcap format, and writes all of the packets it sees to the output
       file.  The -F flag can be used to specify the format in which to write
       the file.  The following output formats are supported:
 
# Note: when writing to a file with -w, tethereal uses libpcap format by default and writes every packet it sees to that file.

# -F selects the format of the output capture file.
 
       * libpcap - libpcap (tcpdump, Ethereal, etc.)
       * rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)
       * suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
       * modlibpcap - modified libpcap (tcpdump)
       * nokialibpcap - Nokia libpcap (tcpdump)
       * lanalyzer - Novell LANalyzer
       * ngsniffer - Network Associates Sniffer (DOS-based)
       * snoop - Sun snoop
       * netmon1 - Microsoft Network Monitor 1.x
       * netmon2 - Microsoft Network Monitor 2.x
       * ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
       * ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
       * visual - Visual Networks traffic capture
 
       This list is also displayed by the -h flag.
 
# Note: -h prints the list of formats tethereal supports.
 
       Read filters in Tethereal, which allow you to select which packets are
       to be decoded or written to a file, are very powerful; more fields are
       filterable in Tethereal than in other protocol analyzers, and the
       syntax you can use to create your filters is richer.  As Tethereal
       progresses, expect more and more protocol fields to be allowed in read
       filters.
 
# Note: read filters let you select which packets are decoded or which packets are written to a file.

# Filters are a very powerful tool: more fields are filterable in tethereal than in other protocol analyzers,

# and the filter syntax is richer.
 
       Packet capturing is performed with the pcap library.  The capture
       filter syntax follows the rules of the pcap library.  This syntax is
       different from the read filter syntax.  A read filter can also be
       specified when capturing, and only packets that pass the read filter will
       be displayed or saved to the output file; note, however, that capture
       filters are much more efficient than read filters, and it may be more
       difficult for Tethereal to keep up with a busy network if a read
       filter is specified for a live capture.
 
# Note: packet capture is implemented by the pcap library, and capture filters follow pcap's filter syntax.

# That syntax differs from the read filter syntax. A read filter can also be given when capturing; only packets matching it

# are displayed or written to the file. Capture filters are much more efficient than read filters, so on a busy network

# tethereal may not keep up if you use a read filter during a live capture.

 
       Compressed file support uses (and therefore requires) the zlib
       library.  If the zlib library is not present, Tethereal will compile,
       but will be unable to read compressed files.
 
# Note: tethereal uses the zlib library for compressed-file support. If zlib is not present,

# tethereal still compiles, but cannot read compressed capture files.
 
 
       A capture or read filter can either be specified with the -f or -R
       option, respectively, in which case the entire filter expression must
       be specified as a single argument (which means that if it contains
       spaces, it must be quoted), or can be specified with command-line
       arguments after the option arguments, in which case all the arguments
       after the filter arguments are treated as a filter expression.
       Capture filters are supported only when doing a live capture; read
       filters are supported when doing a live capture and when reading a
       capture file, but require Tethereal to do more work when filtering, so
       you might be more likely to lose packets under heavy load if you’re
       using a read filter.  If the filter is specified with command-line
       arguments after the option arguments, it’s a capture filter if a
       capture is being done (i.e., if no -r flag was specified) and a read
       filter if a capture file is being read (i.e., if a -r flag was
       specified).
 
# Note: a capture filter or a read filter can be given with -f or -R respectively. The whole filter expression must then be a single argument,

# which means that if it contains spaces it must be quoted.

# A filter can also be given as the remaining command-line arguments after the options; everything from the first filter argument onward is treated as the filter expression.

# Note: a capture filter can only be used during a live capture; a read filter can be used during a live capture or when

# reading a capture file, but a read filter is less efficient because tethereal has to do more work per packet,

# so under heavy load you are more likely to drop packets when using a read filter.

# A filter given as trailing arguments is a read filter if -r was specified, and a capture filter otherwise.
 
OPTIONS
      -a  Specify a criterion that specifies when Tethereal is to stop writing to a capture file.  The criterion is of the form test:value,
            where test is one of:
 
        # Note: -a specifies a condition that controls when tethereal stops writing to the capture file.

        # The condition has the form <test>:<value>. The available tests are:

           duration
                Stop writing to a capture file after value seconds have  elapsed.
 
        # Note: the first test is duration: stop writing to the file after the given number of seconds.
[root@mail ~]# tethereal -S -w lo.capture -i lo  -t ad -a duration:2
Capturing on lo
2007-08-22 11:24:23.912709    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
2007-08-22 11:24:23.912723    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
2007-08-22 11:24:24.912556    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
2007-08-22 11:24:24.912571    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
2007-08-22 11:24:25.912406    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
2007-08-22 11:24:25.912425    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
 
6 packets captured
[root@mail ~]#
   filesize
        Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024  bytes).
 
    # Note: filesize limits the size of the capture file; the unit is 1000 bytes, not 1024.
 
 
-b  If a maximum capture file size was specified, cause Tethereal to
            run in "ring buffer" mode, with the specified number of files.  In
            "ring buffer" mode, Tethereal will write to several capture files.
            Their name is based on the number of the file and on the creation
            date and time.
 
    # Note: if a maximum capture file size was specified, -b makes tethereal run in "ring buffer" mode.

    # You give the number of files. In ring buffer mode tethereal writes to several capture files; their

    # names are based on the file's sequence number and its creation date and time.

    # Addendum: -b does not mean tethereal exits after filling that many files; it keeps running. For example, with -a filesize:100 -b 2 tethereal

    # fills the first file (100*1000 bytes) and then creates a second one. When the second is full it deletes the first and creates

    # a new capture file, and continues writing. It is a rotation scheme that keeps the total capture size fixed at N * max_filesize.
-rw-------  1 root root    10056 Aug 22 11:30 lo_00003_20070822113001.capture
-rw-------  1 root root        0 Aug 22 11:30 lo_00004_20070822113045.capture
 
-rw-------  1 root root    10084 Aug 22 11:31 lo_00004_20070822113045.capture
-rw-------  1 root root     9270 Aug 22 11:31 lo_00005_20070822113109.capture
 
      # You can see that the file names keep changing, but there are always 2 files, and each stays within the -a filesize limit.

    # Addendum: -a filesize and -b must be used together, so that each file has a maximum size; otherwise tethereal reports an error.
[root@mail ~]# tethereal -S -w lo.capture -i lo  -t ad -a duration:2 -b 10
tethereal: Ring buffer requested, but no maximum capture file size was specified.
[root@mail ~]#
 
# Addendum: to split files by time, use -a filesize:MAX -b N:<SECONDS>.
 
    When the first capture file fills up, Tethereal will switch to
    writing to the next file, until it fills up the last file, at
    which point it’ll discard the data in the first file (unless 0 is
    specified, in which case, the number of files is unlimited) and
    start writing to that file and so on.
 
    # Note: when the first capture file reaches the maximum size, tethereal creates a new one, until

    # the number of files reaches the count given with -b.

    # Note: if -b is given 0, the number of files is unlimited.
 
    If the optional duration is specified, Tethereal will switch also
    to the next file when the specified number of seconds has elapsed
    even if the current file is not completely filled up.
 
    # Note: if you give a duration, tethereal switches to a new capture file after that many seconds even if the current one is not full.
 
 
    You can only save files in libpcap format when using a ring buffer.
 
    # Note: in ring buffer mode you can only save capture files in libpcap format.
 
       -c  Set the default number of packets to read when capturing live data.
 
    # Note: -c sets how many packets to read during a live capture before stopping.
 
   
       -d  Specify that if the layer type in question (for example, tcp.port
    or udp.port for a TCP or UDP port number) has the specified selec-
    tor value, packets should be dissected as the specified protocol.
 
    # Note: -d tells tethereal which protocol to decode traffic as, based on a selector such as a port number.
 
    Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
 
    # Note: for example, -d tcp.port==8888,http means traffic on TCP port 8888 should be decoded as HTTP.

    # Addendum: this exists for services that run on non-standard ports.

    # The syntax is: -d <layer_type>==<selector>,<decode_as_protocol>

 
       -D  Print a list of the interfaces on which Tethereal can capture, and
            exit.  For each network interface, a number and an interface name,
            possibly followed by a text description of the interface, is
            printed.  The interface name or the number can be supplied to the
            -i flag to specify an interface on which to capture.

        # Note: -D prints the list of interfaces tethereal can capture on, then exits.
[bob@mail ~]$ /usr/sbin/tethereal -D
1. eth0
2. eth1.no7
3. any (Pseudo-device that captures on all interfaces)
4. lo
[bob@mail ~]$

        # Note: -i specifies the interface to capture on; either the name or the number from the -D list works.
 
    This can be useful on systems that don’t have a command to list
    them (e.g., Windows systems, or UNIX systems lacking ifconfig
    -a); the number can be useful on Windows 2000 and later systems,
    where the interface name is a somewhat complex string.

    # Note: this is handy on systems that have no command to list interfaces; on Windows 2000 and later the number is easier to use than the long interface name.
 
    Note that "can capture" means that Tethereal was able to open that
    device to do a live capture; if, on your system, a program doing a
    network capture must be run from an account with special privileges
    (for example, as root), then, if Tethereal is run with the
    -D flag and is not run from such an account, it will not list any
    interfaces.

    # Note: tethereal should be run from a privileged account; otherwise -D may list no interfaces at all, and a capture fails as shown below.
 
[bob@mail ~]$ /usr/sbin/tethereal
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
[bob@mail ~]$ /usr/sbin/tethereal -i  lo
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
 
       -f  Set the capture filter expression.
 
    # Note: -f sets the capture filter expression.
 
       -F  Set the file format of the output capture file.
 
    # Note: -F sets the format of the output capture file written with -w (one of the formats listed under -h).
 
       -h  Print the version and options and exits.
 
    # Note: -h prints the help text.
 
       -i  Set the name of the network interface or pipe to use for live packet capture.
 
    # Note: -i sets the interface or pipe to capture from.
 
    Network interface names should match one of the names listed in
    "tethereal -D" (described above); a number, as reported by
    "tethereal -D", can also be used. If you’re using UNIX, "netstat -i" or
    "ifconfig -a" might also work to list interface names, although
    not all versions of UNIX support the -a flag to ifconfig.

    # Note: the interface name must match one of the names listed by -D, or you can use the interface number from that list.
[bob@mail ~]$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.063 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.021 ms
 
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.021/0.035/0.063/0.018 ms, pipe 2
[bob@mail ~]$
[root@mail ~]# /usr/sbin/tethereal -i lo
Capturing on lo
  0.000000    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.000030    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  0.999846    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.999858    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  1.999713    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  1.999733    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  2.999547    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  2.999558    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
 
    If no interface is specified, Tethereal searches the list of
    interfaces, choosing the first non-loopback interface if there are
    any non-loopback interfaces, and choosing the first loopback
    interface if there are no non-loopback interfaces; if there are no
    interfaces, Tethereal reports an error and doesn’t start the
    capture.

    # Note: if no interface is specified, tethereal searches the interface list:

    # if there is a non-loopback interface, it picks the first non-loopback interface;

    # if there are only loopback interfaces, it picks the first loopback interface;

    # if no interface is found, tethereal reports an error and exits.
[root@mail ~]# tethereal  -w all.capture
Warning:  Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0        // it only listens on eth0, because eth0 is the first usable non-loopback interface
20
[root@mail ~]#
 
    Pipe names should be either the name of a FIFO (named pipe) or ’-’ to read data from the standard input. Data read from pipes
    must be in standard libpcap format.

    # Note: the pipe name must be a named pipe, or '-' to read from stdin; the data must be in standard libpcap format (binary).

      # For example:
[root@mail ~]# /usr/sbin/tethereal -i lo -w lo.capture
Capturing on lo
20
[root@mail ~]#
[root@mail ~]#
[root@mail ~]# file lo.capture
lo.capture: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
[root@mail ~]# tethereal -i - < lo.capture
Capturing on -
  0.000000    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.000018    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  0.999357    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.999372    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  1.999199    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  1.999211    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  2.999055    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  2.999071    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  3.998889    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  3.998896    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  4.998754    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  4.998772    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  5.998587    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  5.998596    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  6.998448    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  6.998467    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  7.998281    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  7.998289    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  8.998142    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  8.998158    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
20 packets captured
[root@mail ~]#
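Two points above come down to the byte layout of a libpcap file: tethereal recognizes the file type from the file itself (the .gz suffix is irrelevant), and anything fed through a FIFO or `-i -` must be raw libpcap. The following script, added here as an example and not taken from the tethereal manual or the Ethereal project, does the same magic-number sniffing on a constructed sample file, decodes the 24-byte global header the way the `file lo.capture` output above reports it, and counts the packet records. The function names are the author's own, and the sample bytes are constructed inline, so nothing here needs a tethereal binary or a real capture.

```shell
#!/bin/sh
# Added example: sniff a capture file's type from its leading bytes, the way
# Tethereal does (no reliance on the file name or a .gz suffix), then decode
# the libpcap global header and count packet records. Illustrative code, not
# part of tethereal/Ethereal; it only needs od, wc and printf.

# First $2 bytes of file $1 as a hex string, e.g. "d4c3b2a1".
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Classify by magic number: classic libpcap (either byte order, usec or nsec
# timestamps), pcapng, gzip, or unknown.
capture_file_type() {
    case "$(head_hex "$1" 4)" in
        d4c3b2a1) echo pcap-le-usec ;;
        a1b2c3d4) echo pcap-be-usec ;;
        4d3cb2a1) echo pcap-le-nsec ;;
        a1b23c4d) echo pcap-be-nsec ;;
        0a0d0d0a) echo pcapng ;;
        1f8b*)    echo gzip ;;       # compressed; tethereal would inflate it first
        *)        echo unknown ;;
    esac
}

# Unsigned 16/32-bit integer at byte offset $2 of file $1, byte order $3 (le|be).
u16_at() {
    set -- "$3" $(od -An -tu1 -j "$2" -N 2 "$1")
    if [ "$1" = le ]; then echo $(( $2 | ($3 << 8) )); else echo $(( ($2 << 8) | $3 )); fi
}
u32_at() {
    set -- "$3" $(od -An -tu1 -j "$2" -N 4 "$1")
    if [ "$1" = le ]; then echo $(( $2 | ($3 << 8) | ($4 << 16) | ($5 << 24) ))
    else echo $(( ($2 << 24) | ($3 << 16) | ($4 << 8) | $5 )); fi
}

# Byte order implied by the magic, or empty if this is not a classic libpcap file.
pcap_order() {
    case "$(capture_file_type "$1")" in
        pcap-le-*) echo le ;;
        pcap-be-*) echo be ;;
    esac
}

# Global header: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4).
pcap_header_summary() {
    o=$(pcap_order "$1")
    [ -n "$o" ] || { echo "not a libpcap file"; return 1; }
    echo "version $(u16_at "$1" 4 "$o").$(u16_at "$1" 6 "$o"), linktype $(u32_at "$1" 20 "$o"), snaplen $(u32_at "$1" 16 "$o")"
}

# Walk the records: each has a 16-byte header ts_sec(4) ts_usec(4) incl_len(4)
# orig_len(4) followed by incl_len bytes. A truncated final record is not counted.
pcap_packet_count() {
    o=$(pcap_order "$1")
    [ -n "$o" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    off=24; count=0
    while [ $((off + 16)) -le "$size" ]; do
        incl=$(u32_at "$1" $((off + 8)) "$o")
        off=$((off + 16 + incl))
        [ "$off" -le "$size" ] || break
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample: little-endian libpcap header (version 2.4, snaplen 65535,
# linktype 1 = Ethernet) plus two 4-byte records. Not real traffic, just the
# byte layout tethereal expects on a pipe or on stdin with "-i -".
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
    printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$1"
    printf '\002\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\312\376\272\276' >> "$1"
}

# Demo.
tmp=$(mktemp -d)
make_sample_pcap "$tmp/lo.capture"
capture_file_type "$tmp/lo.capture"               # pcap-le-usec
pcap_header_summary "$tmp/lo.capture"             # version 2.4, linktype 1, snaplen 65535
pcap_packet_count "$tmp/lo.capture"               # 2
printf '\037\213\010\000' > "$tmp/lo.capture.dat"   # gzip magic under a misleading name
capture_file_type "$tmp/lo.capture.dat"           # gzip
rm -r "$tmp"
```

The record walk is also a cheap sanity check before handing a file to `tethereal -i -`: a count that stops short of what the sender reported means the last record was truncated in transit.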
 
       -l  Flush the standard output after the information for each packet is
            printed.  (This is not, strictly speaking, line-buffered if -V was
            specified; however, it is the same as line-buffered if -V wasn’t
            specified, as only one line is printed for each packet, and, as -l
            is normally used when piping a live capture to a program or
            script, so that output for a packet shows up as soon as the packet
            is seen and dissected, it should work just as well as true
            line-buffering.  We do this as a workaround for a deficiency in
            the Microsoft Visual C++ C library.)
 
    # Note: -l flushes stdout after each packet is printed.
 
 
    This may be useful when piping the output of Tethereal to another
    program, as it means that the program to which the output is piped
    will see the dissected data for a packet as soon as Tethereal sees
    the packet and generates that output, rather than seeing it only
    when the standard output buffer containing that data fills up.
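The point of -l is that a script downstream sees each summary line as soon as it is printed. Here is an added example of such a consumer, not from the tethereal manual: a POSIX shell function that reads tethereal's one-line summaries (the format shown in the ICMP captures above) from a pipe and flags sources sending more echo requests than a threshold. The intended pipeline is `tethereal -l -n -i eth0 icmp | noisy_ping_sources 100` (-l so lines arrive promptly, -n so name resolution does not stall the output); the function names, the threshold and the sample lines are the author's assumptions, and the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example: consume tethereal's one-line packet summaries from a pipe and
# flag sources sending many ICMP echo requests. Not from the tethereal manual.
# Intended use (not run here): tethereal -l -n -i eth0 icmp | noisy_ping_sources 100

# Count ICMP echo requests per source address. The source is the token before
# "->", so this works for live output (time src -> dst ...), for file output
# with a leading frame number, and for -t ad output whose timestamp is two tokens.
icmp_echo_requests_by_src() {
    awk '
        /ICMP Echo \(ping\) request/ {
            for (i = 2; i <= NF; i++) if ($i == "->") { n[$(i-1)]++; break }
        }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# Print the sources whose request count exceeds the threshold $1.
noisy_ping_sources() {
    icmp_echo_requests_by_src | awk -v t="$1" '$2 > t { print $1 }'
}

# Constructed sample lines in tethereal summary format (not captured traffic),
# mixing the three timestamp layouts tethereal can print.
sample_summary_lines() {
    cat <<'EOF'
  0.000000    10.0.0.5 -> 10.0.0.1    ICMP Echo (ping) request
  0.000030    10.0.0.1 -> 10.0.0.5    ICMP Echo (ping) reply
  1   0.100000    10.0.0.5 -> 10.0.0.1    ICMP Echo (ping) request
2007-08-22 11:24:23.912709    10.0.0.9 -> 10.0.0.1    ICMP Echo (ping) request
  0.200000    10.0.0.5 -> 10.0.0.1    ICMP Echo (ping) request
  0.300000    10.0.0.5 -> 10.0.0.2    TCP 40000 > 80 [SYN] Seq=0 Len=0
EOF
}

# Demo on the constructed lines.
sample_summary_lines | icmp_echo_requests_by_src   # 10.0.0.5 3 / 10.0.0.9 1
sample_summary_lines | noisy_ping_sources 2        # 10.0.0.5
```

Without -l the same pipeline still works, but the alert only appears when tethereal's stdout buffer fills, which on a quiet interface can be minutes after the packets were seen.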
 
       -L  List the data link types supported by the interface and exit.
 
    # Note: -L lists the data link types supported by the interface and exits.
[root@mail ~]# tethereal -L
Data link types (use option -y to set):
  EN10MB (Ethernet)
[root@mail ~]#
 
       -n  Disable network object name resolution (such as hostname, TCP and UDP port names).
 
    # Note: -n shows IP addresses and port numbers instead of host names and port names.
 
       -N  Turn on name resolving for particular types of addresses and port
            numbers, with name resolving for other types of addresses and port
            numbers turned off; the argument is a string that may contain the
            letters m to enable MAC address resolution, n to enable network
            address resolution, and t to enable transport-layer port number
            resolution. This overrides -n if both -N and -n are present.  The
            letter C enables concurrent (asynchronous) DNS lookups.
 
    # Note: -N turns on name resolution only for the given types, and overrides -n.

    # The -N flags are: m (MAC addresses), n (network addresses), t (transport-layer ports), C (concurrent/asynchronous DNS lookups).
 
       -o  Set a preference value, overriding the default value and any value
            read from a preference file.  The argument to the flag is a string
            of the form prefname:value, where prefname is the name of the
            preference (which is the same name that would appear in the
            preference file), and value is the value to which it should be set.

    # Note: -o sets a preference value, in the form prefname:value.
    
 
       -p  Don’t put the interface into promiscuous mode.  Note that the
            interface might be in promiscuous mode for some other reason;
            hence, -p cannot be used to ensure that the only traffic that is
            captured is traffic sent to or from the machine on which Tethereal
            is running, broadcast traffic, and multicast traffic to addresses
            received by that machine.
 
    # Note: -p means do not put the interface into promiscuous mode.

    # However, -p cannot guarantee the interface is not in promiscuous mode, since something else may have enabled it.

    # By default tethereal puts the interface into promiscuous mode and restores it on exit, as the kernel log shows:
Aug 22 10:44:32 mail kernel: device lo entered promiscuous mode
Aug 22 10:44:48 mail kernel: device lo left promiscuous mode
[root@mail ~]#
    
    # Addendum: apparently other hosts' traffic is not captured. For example, pinging 172.17.64.34 from as1, tethereal did not capture the ICMP packets, even though as1, 172.17.64.34 and the local host

    # are all on the 172.17.64.0/24 network.
n7css@as1:~> ping 172.17.64.34
PING 172.17.64.34 (172.17.64.34) from 172.17.64.11 : 56(84) bytes of data.
64 bytes from 172.17.64.34: icmp_seq=1 ttl=64 time=0.359 ms
 
[root@mail ~]# tethereal -r all.capture  |grep ICMP
[root@mail ~]#
 
       -q  When capturing packets, don’t display the continuous count of
            packets captured that is normally shown when saving a capture to a
            file; instead, just display, at the end of the capture, a count of
            packets captured.  On systems that support the SIGINFO signal,
            such as various BSDs, typing your "status" character (typically
            control-T, although it might be set to "disabled" by default on at
            least some BSDs, so you’d have to explicitly set it to use it)
            will cause the current count to be displayed.
 
     # Note: -q means, when saving captured packets with -w, do not display the running count of captured packets.

    # By default that count is refreshed continuously. On systems that support the SIGINFO signal, sending it displays the current count.
[root@mail ~]# tethereal -q -w all.capture
Warning:  Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0
20 packets captured    // normally a continuously changing count appears below "Capturing on eth0"; with -q it is not shown
[root@mail ~]#
        When reading a capture file, don’t print packet information; this
        is useful if you’re using a -z flag to calculate statistics and
        don’t want the packet information printed, just the statistics.
 
      # Note: when reading a capture file, do not print packet information; useful with -z when you only want the statistics, not the packets.
 
       -r  Read packet data from infile.
 
    # Note: -r reads a previously saved capture file.
[root@mail ~]# tethereal -r all.capture
  1   0.000000 202.105.95.35 -> 224.0.0.2    HSRP Hello (state Active)
  2   0.236027 202.105.95.34 -> 224.0.0.2    HSRP Hello (state Standby)
  3   0.976804 Cisco_25:40:fb -> CDP/VTP      LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
  4   0.977104 Cisco_25:40:fb -> CDP/VTP      LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
  5   1.969446 Cisco_dc:04:02 -> Broadcast    ARP Who has 202.105.95.59?  Tell 202.105.95.34
 
       -R  Cause the specified filter (which uses the syntax of read filters,
            rather than that of capture filters) to be applied before printing
            a decoded form of packets or writing packets to a file; packets
            not matching the filter are discarded rather than being printed or
            written.
 
    # Note: -R applies a read filter, not a capture filter.

    # It filters after decoding rather than before; it only stops a packet from being displayed

    # or written to the file, but tethereal has already done some processing of that packet.

    # Packets that do not match are discarded rather than printed or written to the file.
    

       -s  Set the default snapshot length to use when capturing live data.
            No more than snaplen bytes of each network packet will be read
            into memory, or saved to disk.
 
    # Note: -s sets the default snapshot length used when capturing live packets.

    # tethereal reads no more than that many bytes of each packet into memory or saves them to disk.
 
       -S  Decode and display packets even while writing to file.
 
    # Note: -S decodes and displays packets to stdout while also saving them to the file, much like tee.
[root@mail ~]# tethereal -S -w lo.capture -i lo
Capturing on lo
  0.000000    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.000019    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  0.999542    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  0.999555    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  1.999395    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  1.999410    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
  2.999238    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) request
  2.999249    127.0.0.1 -> 127.0.0.1    ICMP Echo (ping) reply
 
8 packets captured
[root@mail ~]#
 
       -t  Set the format of the packet timestamp p

TAG: Testing knowledge

 
