Terminal 格式化tshark输出_Terminal_Protocols_Tshark

Terminal 格式化tshark输出

terminal

Terminal 格式化tshark输出,terminal,protocols,tshark,Terminal,Protocols,Tshark,现在我正在使用 tshark -i wlan0 -c 10 -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport > test.txt 工作正常，输出如下： 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.2

现在我正在使用

tshark -i wlan0 -c 10 -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport > test.txt

工作正常，输出如下：

192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735 192.168.1.240 198.38.110.157 6 50735 80 198.38.110.157 192.168.1.240 6 80 50735

很酷，但是有没有人可以为每个协议都提供这样一个简单的堆栈？只是一个简单的制表符分隔字段，我在tshark手册页中似乎找不到该选项。

您可以尝试使用tshark的

-o

选项格式化tshark的输出

比如说,

shark.exe-o“gui.column.格式：\'Source\'、\%us\'、\'Destination\'、\%ud\'、\'src port\'、\%S\'、\'dest port\'、\%D\'-r sample\u 001.cap.pcapng

result:
10.191.144.161 → 10.210.62.164 57434 8888
10.191.144.161 → 10.210.62.164 57434 8888
10.210.62.164 → 10.191.144.161 8888 57434

（然后，您只需删除“→")

要查看可选择的输出字段的完整列表，请使用命令

tshark.exe-G column formats

：

c:\Program Files\Wireshark>tshark.exe -G column-formats
%q      802.1Q VLAN id
%Yt     Absolute date, as YYYY-MM-DD, and time
%YDOYt  Absolute date, as YYYY/DOY, and time
%At     Absolute time
%V      Cisco VSAN
%B      Cumulative Bytes
%Cus    Custom
%y      DCE/RPC call (cn_call_id / dg_seqnum)
%Tt     Delta time
%Gt     Delta time displayed
%rd     Dest addr (resolved)
%ud     Dest addr (unresolved)
%rD     Dest port (resolved)
%uD     Dest port (unresolved)
%d      Destination address
%D      Destination port
%a      Expert Info Severity
%I      FW-1 monitor if/direction
%F      Frequency/Channel
%hd     Hardware dest addr
%hs     Hardware src addr
%rhd    Hw dest addr (resolved)
%uhd    Hw dest addr (unresolved)
%rhs    Hw src addr (resolved)
%uhs    Hw src addr (unresolved)
%e      IEEE 802.11 RSSI
%x      IEEE 802.11 TX rate
%f      IP DSCP Value
%i      Information
%rnd    Net dest addr (resolved)
%und    Net dest addr (unresolved)
%rns    Net src addr (resolved)
%uns    Net src addr (unresolved)
%nd     Network dest addr
%ns     Network src addr
%m      Number
%L      Packet length (bytes)
%p      Protocol
%Rt     Relative time
%s      Source address
%S      Source port
%rs     Src addr (resolved)
%us     Src addr (unresolved)
%rS     Src port (resolved)
%uS     Src port (unresolved)
%E      TEI
%Yut    UTC date, as YYYY-MM-DD, and time
%YDOYut UTC date, as YYYY/DOY, and time
%Aut    UTC time
%t      Time (format as specified)

例如，要使用tshark打印Wireshark的默认列，请执行以下操作：

tshark.exe -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""

c:\Program Files\Wireshark>

你说的“每个协议”是什么意思？一些协议都有源/目标端口。你可以对内引号或外引号使用单引号，以避免需要太多反斜杠。你从哪里获得此信息输出的？我看过文档，但看不到类似的内容