[Linux] Using tshark to inspect the HTTP connections in a pcap file
Whenever I got hold of a network capture (pcap) file before, I would look at it in Wireshark.
Wireshark is a GUI program, though, so it cannot be run in a plain SSH session,
and I usually ended up copying the file back to a Mac/Linux desktop to open it.
Today I received another pcap, sitting on a remote CentOS 7 machine.
I was about to copy it down and open it in Wireshark again,
but all I actually needed was a quick look at the HTTP connections inside it,
and pulling the file down just for that felt like overkill.
Then I remembered tshark, Wireshark's command-line sibling.
It uses the same dissectors as Wireshark but runs entirely in text mode,
so it works fine over SSH.
1. Install tshark
On CentOS 7, installing the wireshark package with yum also installs tshark (the GUI is in the separate wireshark-gnome package, which is not needed here):
sudo yum -y install wireshark
2. Read the pcap with tshark
Now tshark can read the file.
-r names the capture file to read,
and -Y http sets a display filter so that only frames dissected as HTTP are printed. Note that http only matches traffic tshark has actually decoded as HTTP, which by default means the well-known ports; for a web server on an unusual port such as 8000, add -d tcp.port==8000,http. HTTPS is TLS on the wire and will not show up under http at all.
[testuser@localhost]$ tshark -r test.pcap -Y http
 14   7 1.1.2.3 -> 203.69.81.73 HTTP 263 GET /11/rdr/ENU/win/nooem/none/message.zip HTTP/1.1
 16   7 203.69.81.73 -> 1.1.2.3 HTTP 289 HTTP/1.1 304 Not Modified
 26  12 1.1.2.3 -> 152.195.11.6 HTTP 300 GET /msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?83ab110366cef925 HTTP/1.1
 28  12 152.195.11.6 -> 1.1.2.3 HTTP 374 HTTP/1.1 304 Not Modified
258  20 1.1.2.3 -> 52.34.22.221 HTTP 321 GET / HTTP/1.1
264  20 52.34.22.221 -> 1.1.2.3 HTTP 534 HTTP/1.1 200 OK (text/html)
314  20 1.1.2.3 -> 35.160.174.4 HTTP 283 GET /favicon.ico HTTP/1.1
333  21 35.160.174.4 -> 1.1.2.3 HTTP 461 HTTP/1.1 404 Not Found (text/html)
This is the same information as Wireshark's packet list: frame number, time, source -> destination, protocol, frame length and the Info summary.
If you want more detail (for example the request and response headers of each HTTP exchange),
add -O http, which expands the full protocol tree for HTTP only and leaves every other layer collapsed to a single line:
[testuser@localhost]$ tshark -r test.pcap -Y http -O http
Frame 14: 263 bytes on wire (2104 bits), 263 bytes captured (2104 bits)
Ethernet II, Src: CadmusCo_00:01:02 (08:00:27:00:01:02), Dst: 0c:af:34:70:f7:94 (0c:af:34:70:f7:94)
Internet Protocol Version 4, Src: 1.1.2.3 (1.1.2.3), Dst: 203.69.81.73 (203.69.81.73)
Transmission Control Protocol, Src Port: 49708 (49708), Dst Port: http (80), Seq: 1, Ack: 1, Len: 209
Hypertext Transfer Protocol
    GET /11/rdr/ENU/win/nooem/none/message.zip HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /11/rdr/ENU/win/nooem/none/message.zip HTTP/1.1\r\n]
            [Message: GET /11/rdr/ENU/win/nooem/none/message.zip HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /11/rdr/ENU/win/nooem/none/message.zip
        Request Version: HTTP/1.1
    Accept: */*\r\n
    If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT\r\n
    User-Agent: IPM\r\n
    Host: acroipm.adobe.com\r\n
    Connection: Keep-Alive\r\n
    Cache-Control: no-cache\r\n
    \r\n
    [Full request URI: http://acroipm.adobe.com/11/rdr/ENU/win/nooem/none/message.zip]
    [HTTP request 1/1]

Frame 16: 289 bytes on wire (2312 bits), 289 bytes captured (2312 bits)
Ethernet II, Src: 0c:af:34:70:f7:94 (0c:af:34:70:f7:94), Dst: CadmusCo_00:01:02 (08:00:27:00:01:02)
Internet Protocol Version 4, Src: 203.69.81.73 (203.69.81.73), Dst: 1.1.2.3 (1.1.2.3)
Transmission Control Protocol, Src Port: http (80), Dst Port: 49708 (49708), Seq: 1, Ack: 210, Len: 235
Hypertext Transfer Protocol
    HTTP/1.1 304 Not Modified\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 304 Not Modified\r\n]
            [Message: HTTP/1.1 304 Not Modified\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.1
        Status Code: 304
        Response Phrase: Not Modified
    Content-Type: application/zip\r\n
    Last-Modified: Wed, 08 Nov 2017 08:44:36 GMT\r\n
    Cache-Control: max-age=517\r\n
    Expires: Fri, 30 Aug 2019 03:57:39 GMT\r\n
    Date: Fri, 30 Aug 2019 03:49:02 GMT\r\n
    Connection: keep-alive\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.006977000 seconds]
    [Request in frame: 14]
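If you want to try the two commands above without a real capture at hand, here is a small Python script I am adding to this post (it is not from the original article or from the Wireshark project). It writes a constructed two-frame capture, test.pcap, holding one HTTP GET and its 200 OK reply with valid IP and TCP checksums, and then reproduces in plain Python the core of what the -Y http display filter keeps: a TCP segment whose payload opens with an HTTP request line or status line. The MAC and IP addresses, ports, host name and the file name are all made up for the example.

```python
"""Constructed two-frame HTTP capture plus a minimal "-Y http"-style summary.
Added example for this post, not code from the original article or the Wireshark
project; MAC/IP addresses, ports, host name and the file name test.pcap are made up.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"      # RFC 5737 documentation ranges
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
           b"User-Agent: demo\r\nConnection: close\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: 13\r\n\r\n<html></html>")


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _csum(data):
    """RFC 1071 one's-complement sum, used for the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Ethernet II / IPv4 / TCP (PSH,ACK) frame carrying `payload`, checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames, t0=1567136942):
    """Classic little-endian pcap (v2.4, Ethernet link type), frames 1 s apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def sample_pcap():
    """One GET on port 80 and its 200 OK; the reply ACKs the whole request."""
    req = tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 49708, 80, 1, 1, REQUEST)
    resp = tcp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 49708, 1,
                     1 + len(REQUEST), RESPONSE)
    return build_pcap([req, resp])


def http_summary(pcap):
    """(frame_no, src, dst, first_line) for each TCP segment whose payload opens with an
    HTTP request or status line, numbered from 1 as tshark does. This is the core of
    what `-Y http` keeps; real tshark also reassembles TCP and only decodes known ports."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    rows, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        frame_no += 1
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]
        ip_pkt = frame[14:14 + total_len]          # drops any Ethernet trailer/padding
        ihl = (frame[14] & 0x0F) * 4
        if len(ip_pkt) < ihl + 20 or ip_pkt[9] != IPPROTO_TCP:
            continue
        tcp = ip_pkt[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload.startswith(METHODS) or payload.startswith(b"HTTP/"):
            src = ".".join(map(str, ip_pkt[12:16]))
            dst = ".".join(map(str, ip_pkt[16:20]))
            rows.append((frame_no, src, dst,
                         payload.split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return rows


if __name__ == "__main__":
    data = sample_pcap()
    with open("test.pcap", "wb") as f:          # now try: tshark -r test.pcap -Y http
        f.write(data)
    for no, src, dst, line in http_summary(data):
        print(f"{no:>4} {src} -> {dst} HTTP {line}")
```

Run it with python3 and then point the post's commands at the resulting test.pcap; tshark -r test.pcap -Y http lists the same two frames, and -O http shows the constructed headers. The Python summary is deliberately simpler than tshark's dissector: it does not reassemble TCP streams, does not limit itself to well-known ports, and reads only classic pcap, not pcapng.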
tshark makes it very quick to check what is inside a pcap,
and reaching for it at the right moment saves a good deal of effort.