Tshark - the command-line version of Wireshark

tshark is the command-line version of Wireshark; its summary output looks much like tcpdump's.

Capturing HTTP requests with tshark

Filtering for HTTP requests. The capture filter (BPF, evaluated in the kernel) keeps only port-80 TCP segments that actually carry data: ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 the IPv4 header length and (tcp[12]&0xf0)>>2 the TCP header length, so the difference is the TCP payload length, and pure SYN, FIN and ACK-only segments are dropped before they reach the dissector. The -R read filter then keeps only GET and HEAD requests. Note that on current tshark releases -R is only accepted together with -2 (two-pass analysis); the single-pass equivalent is -Y with the same filter expression:

# tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R 'http.request.method == "GET" || http.request.method == "HEAD"'

Output:

Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 123.126.68.27 -> 173.255.196.50 HTTP GET /grep.html HTTP/1.1 
 12.066470 123.126.68.27 -> 173.255.196.50 HTTP GET /pro_lang.html HTTP/1.1 
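To make the capture filter concrete, here is an added example (written for this edit, not code from the original post): it builds a few IPv4/TCP packets by hand (constructed sample data, not captured traffic) and evaluates the same header arithmetic that BPF applies, showing why an ACK-only segment, or a segment that carries only TCP options, is dropped while a GET with a payload passes. The packet builder and the function names are assumptions of this example.

```python
"""Work through the capture filter used on this page:

    tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

ip[n] and tcp[n] are byte offsets into the IPv4 and TCP headers; the
expression is total length minus both header lengths, i.e. the TCP payload.
All packets below are constructed here for illustration.
"""
import struct


def ipv4_header(total_length, ihl_words=5, proto=6):
    """Minimal IPv4 header. ihl_words > 5 appends zeroed IP options."""
    ver_ihl = (4 << 4) | ihl_words            # version 4, IHL in 32-bit words (ip[0])
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, total_length,  # ip[2:2] is the total length
                      0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * ((ihl_words - 5) * 4)


def tcp_header(data_offset_words=5, sport=12345, dport=80, flags=0x18):
    """Minimal TCP header. data_offset_words > 5 appends zeroed TCP options."""
    off_flags = (data_offset_words << 12) | flags   # data offset = top 4 bits of tcp[12]
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)
    return hdr + b"\x00" * ((data_offset_words - 5) * 4)


def build_packet(payload=b"", ip_opts_words=0, tcp_opts_words=0):
    """IPv4 + TCP + payload, with correct total length and header lengths."""
    ihl = 5 + ip_opts_words
    doff = 5 + tcp_opts_words
    total = ihl * 4 + doff * 4 + len(payload)
    return ipv4_header(total, ihl) + tcp_header(doff) + payload


def tcp_payload_length(pkt):
    """Evaluate ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) on raw IPv4 bytes."""
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ip_hdr_len = (pkt[0] & 0x0F) << 2                  # IHL words -> bytes
    tcp = pkt[ip_hdr_len:]                             # tcp[] offsets start after the IP header
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                # data offset words -> bytes
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def has_payload(pkt, port=80):
    """Mirror the whole capture filter: 'tcp port <port> and <payload length> != 0'."""
    if pkt[9] != 6:                                    # ip[9] is the protocol field; 6 = TCP
        return False
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", pkt[ip_hdr_len:ip_hdr_len + 4])
    if port not in (sport, dport):
        return False
    return tcp_payload_length(pkt) != 0


if __name__ == "__main__":
    samples = {
        "GET with payload": build_packet(b"GET /grep.html HTTP/1.1\r\n"),
        "ACK-only segment": build_packet(),
        "SYN with 12 bytes of TCP options": build_packet(tcp_opts_words=3),
        "IP options + TCP options + 10 bytes data": build_packet(b"x" * 10, 1, 2),
    }
    for name, pkt in samples.items():
        print(f"{name:45s} payload={tcp_payload_length(pkt):3d} kept={has_payload(pkt)}")
```

The filter is IPv4-only (the ip[] offsets do not apply to IPv6 packets, which use ip6[]), and since it reads header fields of each segment independently it cannot reassemble a request split across segments; that is what the -R/-Y display filter on the dissected stream is for.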

Typing this every time is tedious, so wrap the command in a function in ~/.bashrc:

0. As root, add to /etc/sudoers (edit it with visudo):

berlinix ALL=(ALL) NOPASSWD:/usr/sbin/tshark

Be aware that this rule is effectively a passwordless root account for that user: it does not constrain arguments, and tshark run as root can write arbitrary files with -w and execute Lua code with -X lua_script:. The safer setup on Linux is to grant the capture capabilities (CAP_NET_RAW and CAP_NET_ADMIN) to dumpcap only, via setcap or, on Debian/Ubuntu, dpkg-reconfigure wireshark-common plus membership in the wireshark group, and to drop sudo from the function below; tshark then captures as an unprivileged user and the "Running as user root" warning goes away.

1. Add to ~/.bashrc:

myhttp()
{
    # capture filter: port-80 TCP segments that carry payload;
    # -R: keep only GET/HEAD requests (on current tshark use -Y, since -R needs -2)
    sudo tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R 'http.request.method == "GET" || http.request.method == "HEAD"'
}

2. Reload ~/.bashrc and test:

$ . ~/.bashrc
$ myhttp 
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  3.155748 125.39.16.85 -> 173.255.196.50 HTTP GET /linux_su.html HTTP/1.1 
...
