How to use tshark to get the requests sent by my computer

Time: 2020-11-04 04:21:25

Tags: tshark

I ran tshark -V > file.log in my terminal, then ran curl 'www.google.com' in another terminal. Then I went back to the first terminal, closed tshark, and looked at file.log. There are many "frames" in it. For example, here is one of them:

Frame 42: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface en0, id 0
    Interface id: 0 (en0)
        Interface name: en0
        Interface description: Wi-Fi
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  3, 2020 17:28:15.022217000 PST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1604453295.022217000 seconds
    [Time delta from previous captured frame: 0.000244000 seconds]
    [Time delta from previous displayed frame: 0.000244000 seconds]
    [Time since reference or first frame: 12.164253000 seconds]
    Frame Number: 42
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: *****, Dst: *****
    Destination: *****
        Address: *****
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Apple_81:82:2f (ac:bc:32:81:82:2f)
        Address: Apple_81:82:2f (ac:bc:32:81:82:2f)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: *****, Dst: *****
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0x0000 (0)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0xabe8 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 134.87.182.156
    Destination Address: 172.217.165.14
Transmission Control Protocol, Src Port: 55888, Dst Port: 80, Seq: 76, Ack: 530, Len: 0
    Source Port: 55888
    Destination Port: 80
    [Stream index: 3]
    [TCP Segment Len: 0]
    Sequence Number: 76    (relative sequence number)
    Sequence Number (raw): 2379446728
    [Next Sequence Number: 76    (relative sequence number)]
    Acknowledgment Number: 530    (relative ack number)
    Acknowledgment number (raw): 278173922
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window: 2048
    [Calculated window size: 131072]
    [Window size scaling factor: 64]
    Checksum: 0xc5b6 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 190086814, TSecr 4203481592
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 190086814
            Timestamp echo reply: 4203481592
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 41]
        [The RTT to ACK the segment was: 0.000244000 seconds]
        [iRTT: 0.064637000 seconds]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.219685000 seconds]
        [Time since previous frame in this TCP stream: 0.000244000 seconds]

I think each frame corresponds to a single request sent or received by my computer. I'd like to know how to reconstruct the exact request my computer sent to Google's servers. Also, I'd like to know how to capture everything the server sent back.

1 answer:

Answer 0 (score: 2)

During the packet capture you can use the -f (capture filter) option to extract only the traffic linked to www.google.com:

tshark -a duration:10 -T text -V -f "host www.google.com" > capture.txt 

I set the -a (autostop) capture option to 10 seconds because I only ran curl 'www.google.com' once.

The command above will capture all TCP and UDP traffic related to the curl request.

If you want to reassemble the connection after the capture, you need to create a pcap file during the capture:

# this is capturing all traffic 
tshark -a duration:10 -w capture.pcap

You can query this pcap file in several ways:

tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.user_agent
# output 
www.google.com  curl/7.64.1

tshark -r capture.pcap -Y "(http.host == www.google.com)"
44   1.631029 192.168.86.35 → 64.233.177.105 HTTP 144 GET / HTTP/1.1  

tshark -r capture.pcap -Y "dns.qry.name == www.google.com" 
#output 
36   1.546800 192.168.86.35 → 192.168.86.1 DNS 74 Standard query 0xe159 A www.google.com
39   1.587633 192.168.86.1 → 192.168.86.35 DNS 170 Standard query response 0xe159 A www.google.com A 64.233.177.105 A 64.233.177.104 A 64.233.177.103 A 64.233.177.99 A 64.233.177.147 A 64.233.177.106

# get the stream index of the TCP packets associated with google
tshark -r capture.pcap  -T fields -e tcp.stream -Y "tcp contains google"
# output: one tcp.stream index per matching packet

# get the stream index of the UDP packets associated with google
tshark -r capture.pcap  -T fields -e udp.stream -Y "udp contains google"

# follow the TCP stream by its index (the follow filter takes a stream index, not a frame number)
# this should return the curl request for www.google.com
tshark -r capture.pcap -q -z follow,tcp,ascii,stream_index

# follow the UDP stream by its index
tshark -r capture.pcap -q -z follow,udp,ascii,stream_index

Hope this answer helps solve your problem.
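As an added example that is not part of the question or the answer, the script below does by hand what the answer's tcp.stream lookup and -z follow,tcp step do: it reads a classic pcap, dissects the Ethernet II / IPv4 / TCP layers that tshark -V prints, and reassembles the client side of the stream that carried the curl request, ordering segments by sequence number and collapsing a retransmission. The capture bytes, addresses and request text are constructed inline; it understands classic little-endian pcap only, not the pcapng that tshark writes unless given -F pcap.

```python
import struct
CLIENT, SERVER = bytes([192, 168, 86, 35]), bytes([64, 233, 177, 105])  # constructed, from the answer's output

def build_frame(src, dst, sport, dport, seq, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (what tshark -F pcap -w writes)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def pcap_frames(data):
    """Yield each captured frame from a little-endian classic pcap (pcapng is not handled)."""
    pos = 24                                    # skip the 24-byte global header
    while pos + 16 <= len(data):                # record header: ts_sec, ts_usec, incl_len, orig_len
        incl = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def parse_tcp(frame):
    """Dissect Ethernet II -> IPv4 -> TCP (the layers tshark -V prints); None for non-TCP frames."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:          # EtherType IPv4, IP protocol TCP
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]   # from IHL up to Total Length
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    conn = (bytes(ip[12:16]), bytes(ip[16:20]), sport, dport)  # 4-tuple = one direction of a stream
    return conn, seq, tcp[(off_flags >> 12) * 4:]               # payload starts at the data offset

def client_request(pcap, host):
    """Pick the stream whose payload carries 'Host: <host>' and reassemble that direction in
    sequence order; this is what the answer's tcp.stream lookup plus follow,tcp step yields."""
    pkts = [p for p in map(parse_tcp, pcap_frames(pcap)) if p]
    needle = b"Host: " + host.encode() + b"\r\n"
    conn = next((c for c, _seq, data in pkts if needle in data), None)
    segs = {seq: data for c, seq, data in pkts if c == conn and data}   # retransmits collapse
    return b"".join(segs[s] for s in sorted(segs)).decode() if conn else None

# Constructed sample: SYN, the curl request in two segments captured out of order, a retransmit, a reply.
REQ1, REQ2 = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n", b"User-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 55888, 80, 1000, 0x002),                    # SYN, no payload
    build_frame(CLIENT, SERVER, 55888, 80, 1001 + len(REQ1), 0x018, REQ2),  # second half captured first
    build_frame(CLIENT, SERVER, 55888, 80, 1001, 0x018, REQ1),
    build_frame(CLIENT, SERVER, 55888, 80, 1001, 0x018, REQ1),              # retransmission
    build_frame(SERVER, CLIENT, 80, 55888, 5001, 0x018, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

Running client_request(SAMPLE_PCAP, "www.google.com") returns the full two-line curl request as one string, which is the text the answer's follow,tcp,ascii command prints for the client side.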