NAME
tethereal - Dump and analyze network traffic
# Note: tethereal is used to dump and analyze network traffic.
# Addendum: version information of the tethereal used here:
[bob@mail ~]$ /usr/sbin/tethereal -v
tethereal 0.10.6
Compiled with GLib 2.4.6, with libpcap 0.8.3, with libz 1.2.1.2,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.6.9-prepall-fs.
[bob@mail ~]$
SYNOPSIS
tethereal [ -a capture autostop condition ] ... [ -b number of ring buffer files [:duration] ] [ -c count ]
[ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -f capture filter expression ] [ -F file format ] [ -h ] [ -i interface ]
[ -l ] [ -L ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ... [ -p ] [ -q ] [ -r infile ] [ -R display filter expression ] [ -s snaplen ]
[ -S ] [ -t time stamp format ] [ -T pdml|psml|ps|text ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ -y link type ] [ -z statistics-string ] [ filter expression ]
DESCRIPTION
Tethereal is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture
file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tethereal's native
capture file format is libpcap format, which is also the format used by tcpdump and various other tools.
# Note: tethereal is a network protocol analysis tool. It can capture packets on the network for you, or read packets from a previously saved capture file.
# It can also decode the packets and print them, or write the captured packets to a file.
# Tethereal's default capture file format is libpcap, which tcpdump and other tools can also read.
Ethereal can read / import the following file formats:
# Note: ethereal can read/import files in the following formats:
* libpcap/WinPcap, tcpdump and various other tools using tcpdump's capture format
* snoop and atmsnoop
* Shomiti/Finisar Surveyor captures
* Novell LANalyzer captures
* Microsoft Network Monitor captures
* AIX's iptrace captures
* Cinco Networks NetXRay captures
* Network Associates Windows-based Sniffer captures
* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
* RADCOM’s WAN/LAN analyzer captures
* Network Instruments Observer version 9 captures
* Lucent/Ascend router debug output
* files from HP-UX’s nettl
* Toshiba’s ISDN routers dump output
* the output from i4btrace from the ISDN4BSD project
* traces from the EyeSDN USB S0.
* the output in IPLog format from the Cisco Secure Intrusion Detection System
* pppd logs (pppdump format)
* the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the text output from the DBS Etherwatch VMS utility
* Visual Networks’ Visual UpTime traffic capture
* the output from CoSine L2 debug
* the output from Accellent’s 5Views LAN agents
* Endace Measurement Systems’ ERF format captures
* Linux Bluez Bluetooth stack hcidump -w traces
There is no need to tell Tethereal what type of file you are reading;
it will determine the file type by itself. Tethereal is also capable
of reading any of these file formats if they are compressed using
gzip. Tethereal recognizes this directly from the file; the ’.gz’
extension is not required for this purpose.
# Note: you do not need to tell tethereal the type of the capture file it reads; it determines that by itself.
# tethereal also supports gzip-compressed capture files, and the .gz suffix is not required.
If the -w flag is not specified, Tethereal prints a decoded form of
the packets it captures or reads; otherwise, it writes those packets
to the file specified by that flag.
# Note: if the -w option is not given, tethereal prints the decoded content to stdout; otherwise it writes the packets to the specified file.
When printing a decoded form of packets, Tethereal prints, by default,
a summary line containing the fields specified by the preferences file
(which are also the fields displayed in the packet list pane in
Ethereal), although if it's printing packets as it captures them, rather
than printing packets from a saved capture file, it won't print the
"frame number" field.
# Note: when printing a decoded packet, tethereal prints one summary line per packet by default.
If the -V flag is specified, it prints instead a view of the details of the packet, showing all the fields of all protocols in the packet.
# Note: if the -V option is given, the full details of each packet are printed instead.
When writing packets to a file, Tethereal, by default, writes the file
in libpcap format, and writes all of the packets it sees to the output
file. The -F flag can be used to specify the format in which to write
the file. The following output formats are supported:
# Note: when writing to a file with -w, tethereal uses libpcap format by default and writes every packet it sees to that file.
# -F selects the format of the capture file.
* libpcap - libpcap (tcpdump, Ethereal, etc.)
* rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)
* suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
* modlibpcap - modified libpcap (tcpdump)
* nokialibpcap - Nokia libpcap (tcpdump)
* lanalyzer - Novell LANalyzer
* ngsniffer - Network Associates Sniffer (DOS-based)
* snoop - Sun snoop
* netmon1 - Microsoft Network Monitor 1.x
* netmon2 - Microsoft Network Monitor 2.x
* ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
* ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
* visual - Visual Networks traffic capture
This list is also displayed by the -h flag.
# Note: -h displays the formats tethereal supports.
Read filters in Tethereal, which allow you to select which packets are
to be decoded or written to a file, are very powerful; more fields are
filterable in Tethereal than in other protocol analyzers, and the
syntax you can use to create your filters is richer. As Tethereal
progresses, expect more and more protocol fields to be allowed in read
filters.
# Note: you can also use filters to choose which packets are decoded, or which packets are written to a file.
# Filters are a very powerful tool. tethereal supports more filtering methods than other protocol analyzers,
# and its syntax is also more elaborate.
Packet capturing is performed with the pcap library. The capture
filter syntax follows the rules of the pcap library. This syntax is
different from the read filter syntax. A read filter can also be
specified when capturing, and only packets that pass the read filter will
be displayed or saved to the output file; note, however, that capture
filters are much more efficient than read filters, and it may be more
difficult for Tethereal to keep up with a busy network if a read
filter is specified for a live capture.
# Note: packet capture is implemented by the pcap library. The capture filter syntax is the same as pcap's filter syntax,
# and it differs from the read filter syntax. A read filter can also be given when capturing; only the packets that
# match it are displayed or written to the file. Capture filters are much more efficient than read filters, so on a
# busy network a read filter may not be able to keep up.
Compressed file support uses (and therefore requires) the zlib
library. If the zlib library is not present, Tethereal will compile,
but will be unable to read compressed files.
# Note: tethereal uses the zlib library for compression support. If zlib is not present,
# tethereal still compiles, but it cannot read compressed capture files.
A capture or read filter can either be specified with the -f or -R
option, respectively, in which case the entire filter expression must
be specified as a single argument (which means that if it contains
spaces, it must be quoted), or can be specified with command-line
arguments after the option arguments, in which case all the arguments
after the filter arguments are treated as a filter expression.
Capture filters are supported only when doing a live capture; read
filters are supported when doing a live capture and when reading a
capture file, but require Tethereal to do more work when filtering, so
you might be more likely to lose packets under heavy load if you're
using a read filter. If the filter is specified with command-line
arguments after the option arguments, it's a capture filter if a
capture is being done (i.e., if no -r flag was specified) and a read
filter if a capture file is being read (i.e., if a -r flag was specified).
# Note: a capture filter or a read filter can be given with -f or -R respectively. The whole filter expression must then be a single argument,
# i.e. if the filter contains spaces it must be quoted.
# It can also be given as command-line arguments after the options; everything after the first filter argument is treated as the filter expression.
# Note: a capture filter can only be used during a live capture, while a read filter can be used both during a live capture and
# when reading packets from a capture file. A read filter is less efficient, though, as it requires Tethereal to do more work,
# so using a read filter on a busy network may lose some packets.
# If -r is given, the filter is a read filter; otherwise it is a capture filter.
OPTIONS
-a Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value,
where test is one of:
# Note: -a specifies a rule that controls when Tethereal stops writing the capture file.
# The rule has the form <condition>:<value>. The available conditions are:
duration
Stop writing to a capture file after value seconds have elapsed.
# Note: the first condition is duration: stop writing the file this many seconds after the capture starts.
[root@mail ~]# tethereal -S -w lo.capture -i lo -t ad -a duration:2
Capturing on lo
2007-08-22 11:24:23.912709 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:23.912723 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:24:24.912556 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:24.912571 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:24:25.912406 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:25.912425 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
6 packets captured
[root@mail ~]#
filesize
Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
# Note: filesize limits the size of the capture file, in units of 1000 bytes, not 1024 bytes.
-b If a maximum capture file size was specified, cause Tethereal to
run in "ring buffer" mode, with the specified number of files. In
"ring buffer" mode, Tethereal will write to several capture files.
Their name is based on the number of the file and on the creation
date and time.
# Note: if a maximum capture file size was given, -b makes Tethereal run in "ring buffer" mode.
# You can specify the number of files. In ring buffer mode, Tethereal writes to several capture files. Their
# names are based on the file number and the file's creation time.
# Addendum: -b does not mean tethereal exits after filling that many files; it keeps running. For example, with -a filesize:100 -b 2 tethereal
# creates the second file once the first one is full (100*1000 bytes). Once the second file is full, it deletes the first file, creates
# a new capture file and keeps writing. In short, the files are used in rotation, so the total size of the capture files stays fixed at N * max_filesize.
-rw------- 1 root root 10056 Aug 22 11:30 lo_00003_20070822113001.capture
-rw------- 1 root root 0 Aug 22 11:30 lo_00004_20070822113045.capture
-rw------- 1 root root 10084 Aug 22 11:31 lo_00004_20070822113045.capture
-rw------- 1 root root 9270 Aug 22 11:31 lo_00005_20070822113109.capture
# The file names keep changing, but there are always 2 files in total, and their size never exceeds the value given with -a filesize.
# Addendum: -a and -b must be used together, with -a giving the maximum size of each file; otherwise an error is reported.
[root@mail ~]# tethereal -S -w lo.capture -i lo -t ad -a duration:2 -b 10
tethereal: Ring buffer requested, but no maximum capture file size was specified.
[root@mail ~]#
# Addendum: to split files by time, use -a filesize:MAX -b N:<TIME>.
When the first capture file fills up, Tethereal will switch to
writing to the next file, until it fills up the last file, at
which point it’ll discard the data in the first file (unless 0 is
specified, in which case, the number of files is unlimited) and
start writing to that file and so on.
# Note: when the first capture file reaches the maximum size, Tethereal creates a new capture file, until
# the number of capture files reaches the number given with -b.
# Note: careful! If the value given to -b is 0, the number of files is unlimited.
If the optional duration is specified, Tethereal will also switch
to the next file when the specified number of seconds has elapsed,
even if the current file has not completely filled up.
# Note: if you give a duration, Tethereal switches to writing a new capture file after that time, even if the current one is not yet full.
You can only save files in libpcap format when using a ring buffer.
# Note: in ring buffer mode you can only save capture files in libpcap format.
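# Added example: a small model of the "-a filesize:N -b M" ring buffer described above, written for this page. It is not tethereal's code; the class name RingBufferWriter and the demo() helper are this example's own, and the file names only imitate the prefix_NNNNN_YYYYMMDDHHMMSS.capture pattern seen in the ls output. It shows the two properties a long-running capture depends on: with -b M only the newest M files survive (so disk use stays near M * max_filesize), and with -b 0 nothing is ever deleted.

```python
# Added example (not tethereal's code): a model of the "-a filesize:N -b M" ring
# buffer. File names imitate the prefix_NNNNN_YYYYMMDDHHMMSS.capture pattern from
# the ls output on this page; the rotation rule is a re-implementation.
import os
import tempfile
import time
from collections import deque


class RingBufferWriter:
    """Keep at most max_files capture files of roughly max_kb * 1000 bytes each.

    max_files == 0 means unlimited (tethereal's "-b 0"). Otherwise the oldest
    file is deleted when a new one is opened, so disk use stays close to
    max_files * max_kb * 1000 bytes. A file counts as full once it holds at
    least max_bytes, so like the 10056-byte files above it may exceed the
    limit by one record.
    """

    def __init__(self, directory, prefix, max_kb, max_files, ext="capture"):
        if max_kb <= 0:
            # tethereal refuses -b without a maximum file size; do the same
            raise ValueError("ring buffer requested, but no maximum capture file size was specified")
        self.directory = directory
        self.prefix = prefix
        self.max_bytes = max_kb * 1000          # a kilobyte is 1000 bytes here, not 1024
        self.max_files = max_files
        self.ext = ext
        self.seq = 0                            # total files ever opened
        self.live = deque()                     # paths of the files currently kept
        self.fh = None
        self.written = 0

    def _open_next(self):
        if self.fh:
            self.fh.close()
        self.seq += 1
        stamp = time.strftime("%Y%m%d%H%M%S")
        path = os.path.join(self.directory, f"{self.prefix}_{self.seq:05d}_{stamp}.{self.ext}")
        self.fh = open(path, "wb")
        self.written = 0
        self.live.append(path)
        # Discard the oldest file once more than max_files exist (0 keeps everything).
        while self.max_files and len(self.live) > self.max_files:
            os.remove(self.live.popleft())

    def write(self, record: bytes) -> str:
        """Append one record, rotating first if the current file is already full."""
        if self.fh is None or self.written >= self.max_bytes:
            self._open_next()
        self.fh.write(record)
        self.written += len(record)
        return self.live[-1]

    def close(self):
        if self.fh:
            self.fh.close()
            self.fh = None

    def files(self):
        """Paths still on disk, oldest first."""
        return list(self.live)


def demo(directory=None, max_kb=1, max_files=2, records=10, size=400):
    """Write `records` constructed records of `size` bytes and report what survived."""
    directory = directory or tempfile.mkdtemp()
    w = RingBufferWriter(directory, "lo", max_kb, max_files)
    for _ in range(records):
        w.write(b"\x00" * size)          # constructed filler standing in for a pcap record
    w.close()
    return {"opened": w.seq,
            "kept": w.files(),
            "sizes": [os.path.getsize(p) for p in w.files()],
            "on_disk": sorted(os.listdir(directory))}


if __name__ == "__main__":
    print(demo())        # 10 records of 400 bytes, 1000-byte files, keep 2
```

With the defaults, four files are opened in total but only lo_00003_* (three records, 1200 bytes) and lo_00004_* (one record, 400 bytes) remain, which is the same behaviour as the lo_0000N_* listing above: the names advance, the count stays at -b.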
-c Set the default number of packets to read when capturing live data.
# Note: -c sets how many packets to read during a live capture.
-d Specify that if the layer type in question (for example, tcp.port
or udp.port for a TCP or UDP port number) has the specified
selector value, packets should be dissected as the specified protocol.
# Note: -d specifies which ports' traffic should be decoded as which protocol.
Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
# Note: for example, -d tcp.port==8888,http means traffic on TCP port 8888 is decoded as the HTTP protocol.
# Addendum: this must have been created for services running on non-standard ports.
# Its syntax is: -d <layer_type>==<selector>,<decode_as_protocol>
-D Print a list of the interfaces on which Tethereal can capture, and
exit. For each network interface, a number and an interface name,
possibly followed by a text description of the interface, is
printed. The interface name or the number can be supplied to the
-i flag to specify an interface on which to capture.
# Note: -D prints a list of the interfaces on which Tethereal can capture packets, then exits.
[bob@mail ~]$ /usr/sbin/tethereal -D
1. eth0
2. eth1.no7
3. any (Pseudo-device that captures on all interfaces)
4. lo
[bob@mail ~]$
# Note: -i specifies the interface to capture on.
This can be useful on systems that don't have a command to list
them (e.g., Windows systems, or UNIX systems lacking ifconfig
-a); the number can be useful on Windows 2000 and later systems,
where the interface name is a somewhat complex string.
# Note: this option can also be used to specify interfaces that -D did not list.
Note that "can capture" means that Tethereal was able to open that
device to do a live capture; if, on your system, a program doing a
network capture must be run from an account with special
privileges (for example, as root), then, if Tethereal is run with the
-D flag and is not run from such an account, it will not list any
interfaces.
# Note: tethereal is best run as a privileged user; otherwise -D may not list all the interfaces.
[bob@mail ~]$ /usr/sbin/tethereal
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
[bob@mail ~]$ /usr/sbin/tethereal -i lo
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
-f Set the capture filter expression.
# Note: -f sets the capture filter expression.
-F Set the file format of the output capture file.
# Note: -F sets the format file of the capture filter, i.e. the file from which the capture filter expression is read.
-h Print the version and options and exits.
# Note: -h prints the help information.
-i Set the name of the network interface or pipe to use for live packet capture.
# Note: -i sets the interface or pipe to capture on.
Network interface names should match one of the names listed in
"tethereal -D" (described above); a number, as reported by
"tethereal -D", can also be used. If you're using UNIX, "netstat -i" or
"ifconfig -a" might also work to list interface names, although
not all versions of UNIX support the -a flag to ifconfig.
# Note: the interface name should match one of the interfaces, or interface numbers, listed by -D.
[bob@mail ~]$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.063 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.021 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.021/0.035/0.063/0.018 ms, pipe 2
[bob@mail ~]$
[root@mail ~]# /usr/sbin/tethereal -i lo
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000030 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999846 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999858 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999713 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999733 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999547 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999558 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
If no interface is specified, Tethereal searches the list of
interfaces, choosing the first non-loopback interface if there are
any non-loopback interfaces, and choosing the first loopback
interface if there are no non-loopback interfaces; if there are no
interfaces, Tethereal reports an error and doesn't start the
capture.
# Note: if no interface is given, tethereal searches the interface list:
# if there is a non-loopback interface, it picks the first non-loopback interface;
# if there are only loopback interfaces, it picks the first loopback interface;
# if no interface is found, tethereal reports an error and exits.
[root@mail ~]# tethereal -w all.capture
Warning: Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0 // it only listens on eth0, because eth0 is the first usable non-loopback interface
20
[root@mail ~]#
Pipe names should be either the name of a FIFO (named pipe) or '-' to read data from the standard input. Data read from pipes
must be in standard libpcap format.
# Note: the pipe name must be a named pipe, or '-' meaning input is taken from stdin; the input must be in standard libpcap format (a binary file).
# For example:
[root@mail ~]# /usr/sbin/tethereal -i lo -w lo.capture
Capturing on lo
20
[root@mail ~]#
[root@mail ~]#
[root@mail ~]# file lo.capture
lo.capture: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
[root@mail ~]# tethereal -i - < lo.capture
Capturing on -
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000018 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999357 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999372 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999199 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999211 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999055 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999071 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3.998889 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
3.998896 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
4.998754 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4.998772 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5.998587 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
5.998596 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
6.998448 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6.998467 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
7.998281 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
7.998289 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8.998142 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
8.998158 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
20 packets captured
[root@mail ~]#
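# Added example: since "-i -" only accepts standard libpcap data, this script (written for this page, not tethereal's or the man page's code) writes and parses that format. The global header mirrors what "file lo.capture" reported above (little-endian, version 2.4, Ethernet, capture length 65535); the two frames are constructed ICMP echo request/reply packets between 127.0.0.1 and 127.0.0.1 with zeroed MAC addresses. The record header keeps both incl_len and orig_len, which is also how a capture taken with -s snaplen records that a packet was truncated; the reader refuses a file that ends mid-record, as happens when a capture is killed while writing.

```python
# Added example (not tethereal code): write and read the classic libpcap format
# that tethereal produces with -w and expects on "-i -". Frames are constructed.
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4      # stored little-endian below, as in "tcpdump capture file (little-endian)"
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, the "EN10MB (Ethernet)" that tethereal -L lists


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts_sec: int, ts_usec: int, snaplen=65535):
    """One record: incl_len is capped at snaplen (what -s does), orig_len keeps the wire size."""
    data = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)) + data


def read_pcap(blob: bytes):
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian libpcap 2.4 file")
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated record")     # capture killed mid-write
        records.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "data": blob[off:off + incl_len]})
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a block that already carries its checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_echo_frame(src="127.0.0.1", dst="127.0.0.1", payload=b"A" * 56, echo_type=8):
    """Constructed Ethernet + IPv4 + ICMP echo frame (type 8 = request, 0 = reply)."""
    icmp = struct.pack("!BBHHH", echo_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"   # zeroed MACs, as on a loopback capture
    return eth + ip + icmp


def summarize(rec):
    """One-line summary in the style of tethereal's ICMP output."""
    d = rec["data"]
    src = str(ipaddress.IPv4Address(d[26:30]))
    dst = str(ipaddress.IPv4Address(d[30:34]))
    kind = {8: "request", 0: "reply"}.get(d[34], "type %d" % d[34])
    return f"{src} -> {dst} ICMP Echo (ping) {kind}"


def build_capture(snaplen=65535):
    """Global header plus a request/reply pair, laid out as tethereal -w would."""
    return (pcap_global_header(snaplen)
            + pcap_record(icmp_echo_frame(echo_type=8), 0, 0, snaplen)
            + pcap_record(icmp_echo_frame(echo_type=0), 0, 19, snaplen))


if __name__ == "__main__":
    blob = build_capture()
    with open("constructed.capture", "wb") as f:   # then: tethereal -i - < constructed.capture
        f.write(blob)
    for r in read_pcap(blob)["records"]:
        print("%.6f %s" % (r["ts"], summarize(r)))
```

Run as a script it writes constructed.capture, which can be fed to "tethereal -i - < constructed.capture" or "tethereal -r constructed.capture" exactly like lo.capture above; with build_capture(snaplen=64) each record keeps only the first 64 bytes while orig_len still says 98.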
-l Flush the standard output after the information for each packet is
printed. (This is not, strictly speaking, line-buffered if -V was
specified; however, it is the same as line-buffered if -V wasn't
specified, as only one line is printed for each packet, and, as -l
is normally used when piping a live capture to a program or
script, so that output for a packet shows up as soon as the packet
is seen and dissected, it should work just as well as true
line-buffering. We do this as a workaround for a deficiency in
the Microsoft Visual C++ C library.)
# Note: -l flushes stdout after each packet is printed.
This may be useful when piping the output of Tethereal to another
program, as it means that the program to which the output is piped
will see the dissected data for a packet as soon as Tethereal sees
the packet and generates that output, rather than seeing it only
when the standard output buffer containing that data fills up.
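# Added example: the kind of program -l is meant to feed. This script (written for this page; not part of tethereal) parses the one-line summaries shown throughout this page, with or without a leading frame number and with either the relative or the "-t ad" timestamp, and counts ICMP echo requests per source so a flood of pings shows up as soon as tethereal prints them rather than when the pipe buffer fills. The sample lines are constructed for the example; parse_summary and echo_request_sources are this example's own names.

```python
# Added example (not part of tethereal): a consumer for tethereal's summary lines,
# intended for "tethereal -l -i eth0 | python3 this_script.py -".
import re
import sys
from collections import Counter

# optional frame number, timestamp (relative or "-t ad"), src -> dst, protocol, rest of line
SUMMARY_RE = re.compile(
    r"^\s*(?:(?P<frame>\d+)\s+)?"
    r"(?P<ts>(?:\d{4}-\d{2}-\d{2} )?[\d:.]+)\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s*(?P<info>.*)$")


def parse_summary(line):
    """Return the fields of one summary line, or None for status lines."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None          # "Capturing on lo", "8 packets captured", ...
    d = m.groupdict()
    d["frame"] = int(d["frame"]) if d["frame"] else None
    return d


def echo_request_sources(lines, threshold):
    """Count ICMP echo requests per source address; return those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_summary(line)
        if rec and rec["proto"] == "ICMP" and rec["info"].startswith("Echo (ping) request"):
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample modelled on the output shown on this page.
SAMPLE = """\
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000030 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:24:24.912556 10.0.0.5 -> 10.0.0.9 ICMP Echo (ping) request
3 0.976804 Cisco_25:40:fb -> CDP/VTP LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
5 1.969446 Cisco_dc:04:02 -> Broadcast ARP Who has 202.105.95.59? Tell 202.105.95.34
8 packets captured
"""

if __name__ == "__main__":
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for src, n in sorted(echo_request_sources(lines, threshold=1).items()):
        print(f"{src}: {n} ICMP echo request(s)")
```

Without -l on the tethereal side the same script still works, but on a quiet interface it would only see lines once tethereal's stdout buffer fills, which is exactly the delay the man page describes.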
-L List the data link types supported by the interface and exit.
# Note: -L lists the data link types supported by the interface and exits.
[root@mail ~]# tethereal -L
Data link types (use option -y to set):
EN10MB (Ethernet)
[root@mail ~]#
-n Disable network object name resolution (such as hostname, TCP and UDP port names).
# Note: -n means show IP addresses and port numbers rather than host names and port names.
-N Turn on name resolving for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off; the argument is a string that may contain the
letters m to enable MAC address resolution, n to enable network
address resolution, and t to enable transport-layer port number
resolution. This overrides -n if both -N and -n are present. The
letter C enables concurrent (asynchronous) DNS lookups.
# Note: -N shows names for the given kinds of items. It overrides -n.
# The arguments -N accepts are: m (MAC addresses), n (network address resolution), t (port resolution), C (host names)
-o Set a preference value, overriding the default value and any value
read from a preference file. The argument to the flag is a string
of the form prefname:value, where prefname is the name of the
preference (which is the same name that would appear in the
preference file), and value is the value to which it should be set.
# Note: -o sets a preference value.
-p Don’t put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, -p cannot be used to ensure that the only traffic that is
captured is traffic sent to or from the machine on which Tethereal
is running, broadcast traffic, and multicast traffic to addresses
received by that machine.
# Note: -p means do not put the interface into promiscuous mode.
# However, -p cannot guarantee the promiscuous-mode state of the interface.
# By default tethereal puts the interface into promiscuous mode and returns it to normal mode on exit:
Aug 22 10:44:32 mail kernel: device lo entered promiscuous mode
Aug 22 10:44:48 mail kernel: device lo left promiscuous mode
[root@mail ~]#
# Addendum: apparently it cannot. For example, pinging 172.17.64.34 from as1, tethereal did not capture the ICMP packets, even though as1, 172.17.64.34
# and the local host are all on the 172.17.64.0/24 network.
n7css@as1:~> ping 172.17.64.34
PING 172.17.64.34 (172.17.64.34) from 172.17.64.11 : 56(84) bytes of data.
64 bytes from 172.17.64.34: icmp_seq=1 ttl=64 time=0.359 ms
[root@mail ~]# tethereal -r all.capture |grep ICMP
[root@mail ~]#
-q When capturing packets, don’t display the continuous count of
packets captured that is normally shown when saving a capture to a
file; instead, just display, at the end of the capture, a count of
packets captured. On systems that support the SIGINFO signal,
such as various BSDs, typing your "status" character (typically
control-T, although it might be set to "disabled" by default on at
least some BSDs, so you’d have to explicitly set it to use it)
will cause the current count to be displayed.
# Note: -q means do not display the running count of captured packets while saving packets with -w.
# By default that count is refreshed continuously. On systems that support the SIGINFO signal, the current count can be displayed via that signal.
[root@mail ~]# tethereal -q -w all.capture
Warning: Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0
20 packets captured // normally a continuously changing number is shown below "Capturing on eth0"; with -q it is not shown
[root@mail ~]#
When reading a capture file, don’t print packet information; this
is useful if you’re using a -z flag to calculate statistics and
don’t want the packet information printed, just the statistics.
# Note: when reading a capture file, do not display packet information. For example, when using -z you may only want the statistics, not the packet contents.
-r Read packet data from infile.
# Note: -r reads a saved capture file.
[root@mail ~]# tethereal -r all.capture
1 0.000000 202.105.95.35 -> 224.0.0.2 HSRP Hello (state Active)
2 0.236027 202.105.95.34 -> 224.0.0.2 HSRP Hello (state Standby)
3 0.976804 Cisco_25:40:fb -> CDP/VTP LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
4 0.977104 Cisco_25:40:fb -> CDP/VTP LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
5 1.969446 Cisco_dc:04:02 -> Broadcast ARP Who has 202.105.95.59? Tell 202.105.95.34
-R Cause the specified filter (which uses the syntax of read filters,
rather than that of capture filters) to be applied before printing
a decoded form of packets or writing packets to a file; packets
not matching the filter are discarded rather than being printed or
written.
# Note: -R enables a read filter rather than a capture filter.
# It filters after decoding rather than before, so it only stops a packet from being displayed
# or written to the file; tethereal has in fact already done some processing on that packet.
# Packets that do not match are discarded rather than printed or written to the file.
-s Set the default snapshot length to use when capturing live data.
No more than snaplen bytes of each network packet will be read
into memory, or saved to disk.
# Note: -s sets the default snapshot length used when capturing packets from the network.
# tethereal reads into memory, or saves to disk, no more than the given number of bytes of each packet.
-S Decode and display packets even while writing to file.
# Note: -S decodes and displays to stdout while at the same time saving to the file, much like the tee command.
[root@mail ~]# tethereal -S -w lo.capture -i lo
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000019 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999542 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999555 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999395 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999410 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999238 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999249 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
-t Set the format of the packet timestamp p
TAG: testing knowledge