tsharkを使用して、PCAPファイルを読み取り、集約をスクリプト化することができます。これは、巨大なPCAPファイル(数GB単位)のためのオプションではありませんが、私のテストで働いていた以下:内部IPアドレス(場所のカップルで検閲)と
#!/bin/sh
PCAP="mypackets.pcap"
tshark -r "$PCAP" -T fields -e ip.addr udp |
sort |
uniq |
while read x; do
left=${x%%,*};
right=${x##*,};
echo;
echo "==================";
echo "$left -> $right";
tshark -r "$PCAP" -T text ip.src==$left and ip.dst==$right 2>/dev/null;
done
結果:
192.168.0.1 -> 192.168.0.19
5 0.905186262 192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
6 0.905274977 192.168.0.19 -> 192.168.0.1 ICMP 120 Destination unreachable (Port unreachable)
773 54.218903171 192.168.0.1 -> 192.168.0.19 NBNS 92 Name query NBSTAT ...
774 54.218991396 192.168.0.19 -> 192.168.0.1 ICMP 120 Destination unreachable (Port unreachable)
==================
192.168.0.19 -> 192.168.0.19
6 0.905274977 192.168.0.19 -> 192.168.0.1 ICMP 120 Destination unreachable (Port unreachable)
774 54.218991396 192.168.0.19 -> 192.168.0.1 ICMP 120 Destination unreachable (Port unreachable)
==================
192.168.0.19 -> 8.8.8.8
7 7.527339007 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x3321 A
8 7.527426252 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xcbe7 AAAA
9 7.527479187 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xc470 A
60 7.865822939 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xe7f7 A
61 7.865862640 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xf994 AAAA
137 7.993523685 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x580c A
138 7.993563877 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x1da8 AAAA
149 8.050389092 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xf953 A
150 8.050429283 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xba7c AAAA
156 8.095814170 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xd808 A
157 8.095853871 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x27bf AAAA
160 8.134157723 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x5970 A
161 8.134196444 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xc00f AAAA
176 8.156413943 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xfe0c A
177 8.156432568 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x8fa1 AAAA
180 8.187659798 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0x9870 A
181 8.187698028 192.168.0.19 -> 8.8.8.8 DNS 79 Standard query 0xb453 AAAA
==================
8.8.8.8 -> 192.168.0.19
10 7.552742408 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x3321 A
11 7.555262701 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xc470 A
13 7.559084313 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xcbe7 AAAA
69 7.893370696 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xf994 AAAA
70 7.895752770 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xe7f7 A
139 8.016281317 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x580c A
140 8.017124846 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x1da8 AAAA
154 8.073028600 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xf953 A
155 8.078469630 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xba7c AAAA
158 8.121705259 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x27bf AAAA
159 8.123310463 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xd808 A
162 8.149581409 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x5970 A
163 8.150471991 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xc00f AAAA
178 8.180086664 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0xfe0c A
179 8.180913038 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0x8fa1 AAAA
212 8.216175579 8.8.8.8 -> 192.168.0.19 DNS 132 Standard query response 0xb453 AAAA
213 8.217023519 8.8.8.8 -> 192.168.0.19 DNS 95 Standard query response 0x9870 A
あなたは最後の呼び出しをtsharkに編集し、-T text
の代わりに-Tfields
といくつかの-e
オプションを追加して、必要なフィールドのみを取得することができます。たとえば、別のwhile
アグリゲーションを追加してパケット数をカウントできます(tsharkは常に1行にパケットを出力します)。 tsharkのはWireshark distributionの一部である
tsharkの-r yourfile.pcap -q -z convは、
UDP:
TShark Statistics