.pcap文件是二进制格式的网络轨迹(Network
trace)文件,记录了网络通信过程的数据包信息。csv(comma separated
values)是一种用逗号','分隔的文本文件,类似于excel文件。
.pcap文件是二进制文件,需要从中提取信息并以csv的格式进行存储。可以使用tshark实现对.pcap文件进行分析。
例如,从.pcap文件中提取数据包的mac地址、ip地址、TCP/UDP等可以用以下命令。
tshark -r test.pcap -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e ip.proto -E header=y -E separator=, -E quote=d -E occurrence=f > test.csv
-r
指定要分析的.pcap文件
-T fields 说明要对.pcap文件重的fields进行提取
-e
filed_name
制定要提取的fields的名字,按照-e的先后顺序,不同的field按列顺序的排列在.csv文件中。
各种field名称可以从wireshark的网站上查询,主要有TCP协议的fileds,IP协议的fields,UDP协议的fields,HTTP协议。
-E
指定输出field的格式,包括如下格式:
- header=y|n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values. Defaults to n.
- separator=/t|/s| Set the separator character to use for fields. If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
- occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
- aggregator=,|/s| Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
- quote=d|s|n Set the quote character to use to surround fields. d uses double-quotes, s single-quotes, n no quotes (the default).
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
如需转载请保留出处:https://bianchenghao.cn/bian-cheng-ri-ji/60964.html