
WireShark [ Useful Commands ]

by 눈꽃산행 2021. 5. 21.

Main command-line tools (traffic capture, splitting, merging)


c:\Program Files\Wireshark>dir *.exe

c:\Program Files\Wireshark 디렉터리

2021-04-22 오전 02:56 340,032 capinfos.exe
2021-04-22 오전 02:56 24,128 dftest.exe
2021-04-22 오전 02:56 421,952 dumpcap.exe
2021-04-22 오전 02:56 351,808 editcap.exe
2021-04-22 오전 02:56 327,744 mergecap.exe
2021-04-22 오전 02:56 23,616 mmdbresolve.exe
2021-04-22 오전 02:56 399,936 rawshark.exe
2021-04-22 오전 02:56 323,136 reordercap.exe
2021-04-22 오전 02:56 347,200 text2pcap.exe
2021-04-22 오전 02:56 583,232 tshark.exe
2021-04-22 오전 02:56 446,072 uninstall.exe
2021-04-22 오전 02:56 8,206,400 Wireshark.exe
12개 파일 11,795,256 바이트
0개 디렉터리 102,580,326,400 바이트 남음

c:\Program Files\Wireshark>


# List capture devices
c:\Program Files\Wireshark>Wireshark -D
c:\Program Files\Wireshark>
1. \Device\NPF_{EDABF70B-D421-4D4B-8991-103323EED7CD} (이더넷)
2. \Device\NPF_{14291723-89F2-4BE8-847A-8E0981CA851E} (이더넷 2)


# Auto-capture 100 packets, then stop
c:\Program Files\Wireshark>Wireshark -i 1 -k -c 100 -w c:\app\a2.pcapng

# Auto-capture for 10 seconds, then stop
c:\Program Files\Wireshark>Wireshark -i 1 -k -a duration:10 -w c:\app\a2.pcapng

# Auto-capture until the file reaches 5 KB, then stop
c:\Program Files\Wireshark>Wireshark -i 1 -k -a filesize:5 -w c:\app\a3.pcapng

# Create a file set: start a new file every 100 packets, stop after 5 files
c:\Program Files\Wireshark>Wireshark -i 1 -k -b packets:100 -a files:5 -w c:\app\a3.pcapng


# Split a capture
Split by packet count (1000 packets per file)
c:\Program Files\Wireshark> editcap -c 1000 c:\app\a1.pcapng c:\app\aset.pcapng
Split into 30-second intervals
c:\Program Files\Wireshark> editcap -i 30 c:\app\a1.pcapng c:\app\atime.pcapng

# Merge captures (mergecap)
c:\Program Files\Wireshark>mergecap -w c:\app\amerge.pcapng c:\app\a1.pcapng c:\app\a2.pcapng c:\app\a3.pcapng
c:\Program Files\Wireshark>mergecap -w c:\app\aset.pcapng c:\app\aset*.pcapng
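The editcap and mergecap commands above split and merge capture files. The Python script below is an added example, not part of the original post or of the Wireshark project: it reimplements the three operations on the classic libpcap (.pcap) format so the mechanics are visible, splitting by packet count (as editcap -c does), splitting at time-interval boundaries (as editcap -i does) and merging several captures in timestamp order (mergecap's default). The page's files are pcapng, a different container; classic pcap is used here because its fixed 24-byte file header and 16-byte record headers can be written in pure Python. All frames are constructed sample data, and the function names are this example's own.

```python
"""Split and merge classic libpcap captures, mirroring editcap -c, editcap -i
and mergecap. Added example; the frames below are constructed, not a capture."""
import heapq
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Packet = Tuple[float, bytes]  # (timestamp in seconds, raw frame)


def write_pcap(packets: List[Packet]) -> bytes:
    """Serialise (timestamp, frame) pairs as a little-endian pcap file."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a little-endian pcap file; rejects other magics and cut-off records."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        packets.append((sec + usec / 1_000_000, frame))
        off += incl_len
    return packets


def split_by_count(packets: List[Packet], n: int) -> List[List[Packet]]:
    """editcap -c N: consecutive chunks of at most N packets each."""
    return [packets[i:i + n] for i in range(0, len(packets), n)]


def split_by_interval(packets: List[Packet], seconds: float) -> List[List[Packet]]:
    """editcap -i SECONDS: boundaries are measured from the first packet's
    timestamp; a packet at or past the boundary starts a new chunk.
    Intervals with no packets produce no chunk in this simplified version."""
    chunks: List[List[Packet]] = []
    current: List[Packet] = []
    boundary: Optional[float] = None
    for ts, frame in packets:
        if boundary is None:
            boundary = ts + seconds
        elif ts >= boundary:
            chunks.append(current)
            current = []
            while ts >= boundary:   # step over empty intervals
                boundary += seconds
        current.append((ts, frame))
    if current:
        chunks.append(current)
    return chunks


def merge_chronological(captures: List[List[Packet]]) -> List[Packet]:
    """mergecap default mode: interleave already-sorted inputs by timestamp."""
    return list(heapq.merge(*captures, key=lambda p: p[0]))


def demo() -> dict:
    """Round-trip seven constructed frames (one per second from t=1000)."""
    frames = [(1000.0 + i, b"\xff" * 14 + bytes([i]) * 10) for i in range(7)]
    packets = read_pcap(write_pcap(frames))
    by_count = split_by_count(packets, 3)
    by_time = split_by_interval(packets, 2.5)
    # Re-merge the even and odd halves as if they were two separate captures.
    merged = merge_chronological([packets[::2], packets[1::2]])
    return {
        "roundtrip_ok": packets == frames,
        "count_chunks": [len(c) for c in by_count],   # [3, 3, 1]
        "time_chunks": [len(c) for c in by_time],     # [3, 2, 2]
        "merged_in_order": [ts for ts, _ in merged] == [p[0] for p in frames],
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the summary dictionary; the interval split with 2.5 s boundaries yields chunks of 3, 2 and 2 packets because the boundaries fall at 1002.5, 1005.0 and 1007.5 seconds. The truncated-record check in read_pcap is the kind of defect a capture cut off by a full disk or a killed dumpcap leaves behind, which editcap and mergecap also report rather than silently dropping.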


# Capture packets (dumpcap)
>dumpcap -h
>dumpcap -D
c:\Program Files\Wireshark>dumpcap -i 1 -w c:\app\c1.pcapng

- Stop once the file reaches 5 KB (the -a option sets the autostop condition)
c:\Program Files\Wireshark>dumpcap -i 1 -w c:\app\c2.pcapng -a filesize:5
c:\Program Files\Wireshark>tshark -i 1 -f "icmp" -w c:\app\t1.pcapng -a packets:5

- Roll over to a new file each time the current one reaches 5 KB, and stop once 3 files exist (-b = automatic rollover, -a = automatic stop)
c:\Program Files\Wireshark>dumpcap -i 1 -w c:\app\c2.pcapng -b filesize:5 -a files:3

- Duration (new file every 5 seconds, ring buffer of 5 files with the oldest overwritten, stop after 60 seconds)
dumpcap -i 2 -w c:\app\c4.pcapng -b duration:5 -b files:5 -a duration:60

dumpcap -i 1 -w c:\app\c3.pcapng -b filesize:5 -a files:3

dumpcap -i 1 -w c:\app\c55.pcapng -a filesize:5 -f "icmp or udp dst port 53"

dumpcap -i 1 -w c:\app\c55.pcapng -a filesize:5 -f "icmp[0]=11 and icmp[1]=0"


TShark (capture + analysis)
>tshark -h
>tshark -D
>tshark -i 2
>tshark -i 2 > c:\app\t1.txt
>tshark -i 2 -w c:\app\t1.pcapng -a packets:100
>tshark -i 2 -w c:\app\t2.pcapng -b filesize:5 -a files:10
>tshark -i 2 -w c:\app\t3.pcapng -f "ip dst 192.168.6.1"
>tshark -r c:\app\a1.pcapng -Y "http or ftp" -w c:\app\t4.pcapng
>tshark -r c:\app\a1.pcapng -Y "http.request.method==\"GET\"" -w c:\app\t4.pcapng
>tshark -r c:\app\a1.pcapng -Y "tcp.port==80 or udp.port==53" -w c:\app\t4.pcapng
>tshark -r c:\app\a1.pcapng -Y "tcp.analysis.flags" -w c:\app\tcp.pcapng
>tshark -i 2 -f "icmp" -T fields -e frame.number -e ip.src -e ip.dst -e ip.ttl -e tcp.window_size_value -E header=y -E separator=, > c:\app\icmp.csv

>tshark -i 2 -qz io,phs
>tshark -i 2 -f "host 192.168.6.100" -qz io,phs
>tshark -r c:\app\a1.pcapng -qz io,phs > c:\app\phs.txt
>tshark -r c:\app\a1.pcapng -qz hosts > c:\app\host.txt
>tshark -r c:\app\a1.pcapng -T fields -e http.host -e ip.dst -E separator=, > c:\app\host.txt
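The last tshark commands export selected fields as comma-separated text. The script below is an added example, not part of the original post or of tshark itself: it parses that export with Python's csv module and pivots it into host-to-IP and IP-to-host maps. The sample CSV is constructed to look like the output of the http.host / ip.dst export above, with one extra option, -E quote=d, which this example assumes was used. The reason is a caveat worth knowing: when a field occurs more than once in a packet (ip.dst appears twice in an ICMP error message, once in the outer header and once in the quoted inner header), tshark joins the values with its aggregator character, which is also a comma by default, so an unquoted comma-separated export is no longer parseable. The function names are this example's own.

```python
"""Parse tshark `-T fields` CSV output (http.host, ip.dst) and pivot it into
host->IP and IP->host maps. Added example, not tshark code; SAMPLE_CSV is
constructed to resemble the output of:
  tshark -r a1.pcapng -T fields -e http.host -e ip.dst -E header=y -E separator=, -E quote=d
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample. The fourth row is a packet in which ip.dst occurred
# twice; tshark joined both values with the default aggregator ','. Only the
# -E quote=d quoting keeps that row as two columns.
SAMPLE_CSV = """\
http.host,ip.dst
"www.example.com","192.168.6.1"
"www.example.com","192.168.6.1"
"cdn.example.net","192.168.6.1"
"","192.168.6.1,10.0.0.5"
"login.example.org","10.0.0.7"
"""


def naive_column_counts(text: str) -> Set[int]:
    """What a plain split(',') sees per data row: the aggregated row has 3 columns."""
    return {len(line.split(",")) for line in text.splitlines()[1:]}


def parse_fields_csv(text: str, aggregator: str = ",") -> List[Dict[str, List[str]]]:
    """Quote-aware parse. Every field becomes a list so that multi-occurrence
    values (joined by `aggregator`) are split apart and empty fields become []."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({name: [v for v in value.split(aggregator) if v]
                     for name, value in rec.items()})
    return rows


def pivot(rows: List[Dict[str, List[str]]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]], Set[str]]:
    """Build host->IPs and IP->hosts maps plus the set of all destination IPs."""
    host_to_ips: Dict[str, Set[str]] = defaultdict(set)
    ip_to_hosts: Dict[str, Set[str]] = defaultdict(set)
    ips_seen: Set[str] = set()
    for row in rows:
        ips = row.get("ip.dst", [])
        ips_seen.update(ips)
        for host in row.get("http.host", []):
            for ip in ips:
                host_to_ips[host].add(ip)
                ip_to_hosts[ip].add(host)
    return dict(host_to_ips), dict(ip_to_hosts), ips_seen


def ips_serving_many_hosts(ip_to_hosts: Dict[str, Set[str]], threshold: int = 2) -> List[str]:
    """Destination IPs that answered for at least `threshold` distinct Host headers."""
    return sorted(ip for ip, hosts in ip_to_hosts.items() if len(hosts) >= threshold)


def summarize(text: str = SAMPLE_CSV) -> dict:
    rows = parse_fields_csv(text)
    host_to_ips, ip_to_hosts, ips_seen = pivot(rows)
    return {
        "rows": len(rows),
        "naive_column_counts": sorted(naive_column_counts(text)),   # [2, 3]
        "shared_ips": ips_serving_many_hosts(ip_to_hosts),          # ['192.168.6.1']
        "ips_without_http_host": sorted(ips_seen - set(ip_to_hosts)),  # ['10.0.0.5']
        "hosts": {h: sorted(i) for h, i in host_to_ips.items()},
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

If only one occurrence per packet is wanted, tshark's -E occurrence=f (first) or -E occurrence=l (last) avoids the aggregation altogether; otherwise keep -E quote=d, or pick a separator that cannot appear in the data such as -E separator=/t, and split the aggregated values in the parser as done here.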

==============================================================
# tcpdump reference

Take the following as an example that produces six capture files per minute indefinitely:
# tcpdump -i eth0 -G 10 -w dump-%S.pcap
Note that only the seconds variable %S needs to be specified in the template file name,
with a rotation interval of ten seconds specified by -G.
When the capture time moves from one minute to the next, tcpdump overwrites the previous minute's file that carries the same seconds mark.

Now, an hourly rotational and daily cyclical capture can be achieved by:
# tcpdump -i eth0 -G 3600 -w dump-%H.pcap
The same rationale applies here. tcpdump creates a new file every 3600 seconds,
naming it with the current hour. When the day changes, the previous day's hourly files are overwritten one by one.