MyTetra Share
tshark: decode a non-standard TCP port
Created: 23.07.2014 15:57
Section: root - Linux
Record: Yurons/mytetra/master/base/1406120256keou1uppbs/text.html on raw.github.com

# Option fragments for a tshark command line (tshark ... -r <capture>):

# Preference override: do not reassemble HTTP headers that span several TCP segments
-o http.desegment_headers:FALSE

# Preference-file form: the TCP ports the HTTP dissector should decode by default
http.tcp.port: 80,3128,3132,5985,8080,8088,11371,1900,2869,7210,180,7220

# "Decode As" from the command line: treat traffic on port $i as HTTP
-d tcp.port==$i,http


From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 19 May 2008 17:42:55 +0200

On Sun, May 18, 2008 at 02:30:35PM +0200, Elof Ofel wrote:
>
> >> 1. Where do I find a reference of the most useful field keywords to use?
> (for the -e option)
>
> Yeah, I found the complete list, but as you say, it was overwhelming.
> I understand it is a boring job to create a heavily reduced version of
> this reference list, but if people are really to use the -e option, I
> think such a list is needed. :-)

Well, the names are the same names as used in Wireshark, so you can
always use Wireshark to get the proper names of certain fields you
want to display in Tshark. You can find out about field names in several
ways:

- Select some protocol value in the packet detail list and the field name
is shown in the status bar

- Right-click on some protocol value in the packet detail list and choose
"Filter Field Reference". This will take you to the wiki page
with all filter fields of that protocol.

- Right-click on some protocol value in the packet detail list and choose
"copy -> as filter". This will create a display filter with the selected
field in the copy buffer. You can use the field from the filter.


> > 2) We could add a command-line option to configure the columns to be
> > displayed - that would let you get rid of the time stamp column, and, in
> > combination with the "custom columns" feature, that would let you add
> > columns for fields such as packet lengths and the TTL.
>
> That would be just great!

This is already there, although it's a bit cryptic. You can use the
"-o <preference>:<value>" option of Tshark to change a preference.
Since the columns that are displayed are also a preference, you can
change them. For example:

tshark -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Protocol", "%p", "Info", "%i"' -r tmp.cap

would add the port numbers to the output.

Added to that, it's now possible to add any field to the -Ttext output
by using '"<title>", "%Cus:<fieldname>"'; this gives you about all the
flexibility you want.

If you use some column setting quite a lot, you can choose to use the
"configuration profiles" option (-C). This option will make Tshark
look for its preferences in a subdirectory of the preferences directory.
That way you can prepare a preference file with the column setting
and use that on the fly.

> Suggested solutions:
> 1.
> Add the option '-t n' as in "none"

You can omit the time column from the column preference, but it might
be a nice feature to have the command-line switch for it as well. You could
file this as an enhancement request on http://bugs.wireshark.org

> 2.
> -C do not show the first column with the frame number

I personally do not want to skip the frame number, it makes discussion
of findings very hard. But you can skip it with the column preference if
needed.

> 3.
> Use multiple -V's for verboseness:
> <none> = normal one-line-summary text output
> -V = view the full decoded packet (as normal)
> -VV = one-line-summary list but with some additional information on
> each line
> Normally I do *not* need the heavy duty verboseness of tcpdump -ev,
> like correct checksums, correct tcp sequence numbers, window scaling,
> internal packet timestamps, fragmentation offsets, etc. This kind of
> verboseness would be nice to have if you add yet an additional 'V':
> -VVV = show the default one-line-summary list but with lots of
> additional information on each line

Well, that can be solved with creating other configuration profiles with
column preferences that have all the fields you want to have added
for that profile :-)


> Oh, and speaking of improvements:
> When I use the option -c5, I expect to get exactly 5 packets. Currently
> I can get more than a screenful. This is just confusing. :-)

I think you ran into a bug I ran into earlier. The -c option did not work
correctly when a display filter was used. Please use a recent development
build to see if my fix works for you as well...
(see: http://www.wireshark.org/download/automated/ )

> That covers the basic functions that today make me use tcpdump instead
> of tshark.

I always like to have multiple tools available, but I think tshark can
do most (if not all) of what you want quite nicely with all the features
it has at the moment.

Feel free to suggest other cool new features you can think of :-)

Cheers,
Sake
