tshark使用说明
Posted 帅胡
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了tshark使用说明相关的知识,希望对你有一定的参考价值。
1 tshark -h 2 TShark (Wireshark) 2.4.1 (v2.4.1-0-gf42a0d2b6c) 3 Dump and analyze network traffic. 4 See https://www.wireshark.org for more information. 5 6 Usage: tshark [options] ... 7 8 Capture interface: 9 -i <interface> name or idx of interface (def: first non-loopback) 10 -f <capture filter> packet filter in libpcap filter syntax 11 12 -s <snaplen> packet snapshot length (def: appropriate maximum) 13 -p don‘t capture in promiscuous mode 14 -I capture in monitor mode, if available 15 -B <buffer size> size of kernel buffer (def: 2MB) 16 -y <link type> link layer type (def: first appropriate) 17 -D print list of interfaces and exit 18 -L print list of link-layer types of iface and exit 19 20 Capture stop conditions: 21 -c <packet count> stop after n packets (def: infinite) 22 -a <autostop cond.> ... duration:NUM - stop after NUM seconds 23 filesize:NUM - stop this file after NUM KB 24 files:NUM - stop after NUM files 25 Capture output: 26 -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs 27 filesize:NUM - switch to next file after NUM KB 28 files:NUM - ringbuffer: replace after NUM files 29 RPCAP options: 30 -A <user>:<password> use RPCAP password authentication 31 32 Input file: 33 -r <infile> set the filename to read from (- to read from stdin) 34 35 Processing: 36 -2 perform a two-pass analysis 37 -M <packet count> perform session auto reset 38 -R <read filter> packet Read filter in Wireshark display filter syntax 39 40 (requires -2) 41 -Y <display filter> packet displaY filter in Wireshark display filter 42 syntax 43 -n disable all name resolutions (def: all enabled) 44 -N <name resolve flags> enable specific name resolution(s): "mnNtCd" 45 -d <layer_type>==<selector>,<decode_as_protocol> ... 46 "Decode As", see the man page for details 47 Example: tcp.port==8888,http 48 -H <hosts file> read a list of entries from a hosts file, which will 49 then be written to a capture file. (Implies -W n) 50 --enable-protocol <proto_name> 51 enable dissection of proto_name 52 --disable-protocol <proto_name> 53 disable dissection of proto_name 54 --enable-heuristic <short_name> 55 enable dissection of heuristic protocol 56 --disable-heuristic <short_name> 57 disable dissection of heuristic protocol 58 Output: 59 -w <outfile|-> write packets to a pcap-format file named "outfile" 60 (or to the standard output for "-") 61 -C <config profile> start with specified configuration profile 62 -F <output file type> set the output file type, default is pcapng 63 an empty "-F" option will list the file types 64 -V add output of packet tree (Packet Details) 65 -O <protocols> Only show packet details of these protocols, comma 66 separated 67 -P print packet summary even when writing to a file 68 -S <separator> the line separator to print between packets 69 -x add output of hex and ASCII dump (Packet Bytes) 70 -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|? 71 format of text output (def: text) 72 -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected 73 (e.g. "ip ip.flags text", filter does not expand chil 74 d 75 nodes, unless child is specified also in the filter) 76 -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected 77 78 (e.g. "http tcp", filter which expands all child node 79 s) 80 -e <field> field to print if -Tfields selected (e.g. tcp.port, 81 _ws.col.Info) 82 this option can be repeated to print multiple fields 83 -E<fieldsoption>=<value> set options for output when -Tfields selected: 84 bom=y|n print a UTF-8 BOM 85 header=y|n switch headers on and off 86 separator=/t|/s|<char> select tab, space, printable character as separator 87 occurrence=f|l|a print first, last or all occurrences of each field 88 aggregator=,|/s|<char> select comma, space, printable character as 89 aggregator 90 quote=d|s|n select double, single, no quotes for values 91 -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first) 92 -u s|hms output format of seconds (def: s: seconds) 93 -l flush standard output after each packet 94 -q be more quiet on stdout (e.g. when using statistics) 95 -Q only log true errors to stderr (quieter than -q) 96 -g enable group read access on the output file(s) 97 -W n Save extra information in the file, if supported. 98 n = write network address resolution information 99 -X <key>:<value> eXtension options, see the man page for details 100 -U tap_name PDUs export mode, see the man page for details 101 -z <statistics> various statistics, see the man page for details 102 --capture-comment <comment> 103 add a capture comment to the newly created 104 output file (only for pcapng) 105 --export-objects <protocol>,<destdir> save exported objects for a protocol to 106 a directory named "destdir" 107 108 Miscellaneous: 109 -h display this help and exit 110 -v display version info and exit 111 -o <name>:<value> ... override preference setting 112 -K <keytab> keytab file to use for kerberos decryption 113 -G [report] dump one of several available reports and exit 114 default report="fields" 115 use "-G ?" for more help 116
117 tshark.exe -F 118 tshark.exe: option requires an argument -- ‘F‘ 119 tshark: The available capture file types for the "-F" flag are: 120 5views - InfoVista 5View capture 121 btsnoop - Symbian OS btsnoop 122 commview - TamoSoft CommView 123 dct2000 - Catapult DCT2000 trace (.out format) 124 erf - Endace ERF capture 125 eyesdn - EyeSDN USB S0/E1 ISDN trace format 126 k12text - K12 text file 127 lanalyzer - Novell LANalyzer 128 logcat - android Logcat Binary format 129 logcat-brief - Android Logcat Brief text format 130 logcat-long - Android Logcat Long text format 131 logcat-process - Android Logcat Process text format 132 logcat-tag - Android Logcat Tag text format 133 logcat-thread - Android Logcat Thread text format 134 logcat-threadtime - Android Logcat Threadtime text format 135 logcat-time - Android Logcat Time text format 136 modpcap - Modified tcpdump - pcap 137 netmon1 - Microsoft NetMon 1.x 138 netmon2 - Microsoft NetMon 2.x 139 nettl - HP-UX nettl trace 140 ngsniffer - Sniffer (DOS) 141 ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1 142 ngwsniffer_2_0 - Sniffer (Windows) 2.00x 143 niobserver - Network Instruments Observer 144 nokiapcap - Nokia tcpdump - pcap 145 nsecpcap - Wireshark/tcpdump/... - nanosecond pcap 146 nstrace10 - NetScaler Trace (Version 1.0) 147 nstrace20 - NetScaler Trace (Version 2.0) 148 nstrace30 - NetScaler Trace (Version 3.0) 149 nstrace35 - NetScaler Trace (Version 3.5) 150 pcap - Wireshark/tcpdump/... - pcap 151 pcapng - Wireshark/... - pcapng 152 rf5 - Tektronix K12xx 32-bit .rf5 format 153 rh6_1pcap - RedHat 6.1 tcpdump - pcap 154 snoop - Sun snoop 155 suse6_3pcap - SuSE 6.3 tcpdump - pcap 156 visual - Visual Networks traffic capture 157
158 tshark -i4 -c 100 -f "tcp" -F pcap -w c:\test.pcap 159 tshark -i4 -a duration:60 -f "tcp" -F pcap -w e:\test.pcap
以上是关于tshark使用说明的主要内容,如果未能解决你的问题,请参考以下文章