tshark是wireshark的命令行版本
下载:
选择Source Code
安装
yum install libpcap libpcap-devel
./configure&&make&&make install
使用:
文档:
例如:
监听http流量,并打印出host 和request url
./tshark -f "dst port 80" -l -p -a duration:10 -T fields -e http.host -e http.request.uri -i 1
其中-i 1 为使用的网卡,可以根据下面的命令获得:
其他参数
-l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering
-a
... duration:NUM - stop after NUM seconds filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which TShark is running, broadcast traffic, and multicast traffic to addresses received by that machine.
关于fields,可以通过-G来查看:
./tshark -G |grep http
阅读(7880) | 评论(0) | 转发(0) |
