1. Installing tshark
The wireshark package in the CentOS 6 YUM repository is built without GeoIP support, so you have to compile the latest version yourself.
yum install GeoIP GeoIP-devel geoipupdate -y
./configure --with-geoip=/usr/share/GeoIP/ --enable-tshark=yes
make rpm-package
Wireshark's own Makefile ships packaging targets for the various distributions, so running make rpm-package directly produces the RPM package.
2. Usage examples
- Capturing DNS requests
sudo /usr/local/bin/tshark -i eth0 -o "ip.use_geoip:TRUE" -Y "udp.dstport == 53" -T fields -E separator='|' -e ip.src -e ip.geoip.src_country -e ip.geoip.src_asnum -e dns.flags -e dns.id -e dns.qry.name -e dns.qry.type -e dns.count.answers -e dns.count.answers -e dns.flags.rcode -e ip.len
The captured output looks like this:
211.138.19.28|China,China|AS24445 Henan Mobile Communications Co.,Ltd,AS24445 Henan Mobile Communications Co.,Ltd|0x00000010|0x0000355f|fxxxx.com|28||0||82
221.204.186.218|China,China|AS4837 CNCGROUP China169 Backbone,AS4837 CNCGROUP China169 Backbone|0x00000000|0x00004111|xxxx.com|1||0||75
123.157.135.3|China,China|AS4837 CNCGROUP China169 Backbone,AS4837 CNCGROUP China169 Backbone|0x00000000|0x00001108|xxxx.com|1||0||85
58.30.131.56|China,China|AS9811 srit corp.,beijing.,AS9811 srit corp.,beijing.|0x00000000|0x00005901|xxxxx.com|28||0||82
101.226.66.17|China,China|AS4812 China Telecom (Group),AS4812 China Telecom (Group)|0x00000010|0x00008d2a|xxxx.com|1||0||92
60.31.184.168|China,China|AS4837 CNCGROUP China169 Backbone,AS4837 CNCGROUP China169 Backbone|0x00000000|0x00005b22|xxxxx.com|1||0||79
60.31.184.168|China,China|AS4837 CNCGROUP China169 Backbone,AS4837 CNCGROUP China169 Backbone|0x00000000|0x0000da7e|lxxxx.com|1||0||74
74.125.176.202|United States,United States|AS15169 Google Inc.,AS15169 Google Inc.|0x00000000|0x0000ca93|xxxx.com|1||0||79
- Capturing the responses
sudo /usr/local/bin/tshark -i eth0 -o "ip.use_geoip:TRUE" -Y "udp.srcport == 53" -T fields -E separator='|' -e ip.src -e ip.geoip.src_country -e ip.geoip.src_asnum -e dns.flags -e dns.id -e dns.qry.name -e dns.qry.type -e dns.count.answers -e dns.count.answers -e dns.flags.rcode -e ip.len
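Both commands emit the same pipe-delimited field order, so one parser serves the request and response captures. The following is an added Python example, not code from the original post: it parses that field order, collapses the doubled GeoIP values (China,China) that tshark prints once per occurrence, and aggregates queries per source and per ASN; the sample lines and the max_names threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Field order exactly as given by the -e options of the commands above
# (dns.count.answers appears twice there, so it is parsed twice here).
FIELDS = ["ip_src", "country", "asnum", "flags", "dns_id", "qname", "qtype",
          "answers", "answers2", "rcode", "ip_len"]

# Constructed sample lines in that output format (not real captures).
SAMPLE = """\
198.51.100.7|China,China|AS64500 Example Net,AS64500 Example Net|0x00000010|0x0000355f|a.example.com|28||0||82
198.51.100.7|China,China|AS64500 Example Net,AS64500 Example Net|0x00000000|0x00004111|b.example.com|1||0||75
203.0.113.9|United States,United States|AS64501 Example Co.,Ltd,AS64501 Example Co.,Ltd|0x00000000|0x00001108|c.example.com|1||0||85
198.51.100.7|China,China|AS64500 Example Net,AS64500 Example Net|0x00000000|0x00005901|d.example.com|255||0||82
"""

def dedupe_geoip(value):
    """tshark prints a GeoIP field once per occurrence, giving 'China,China'.
    Collapse 'X,X' to 'X' without breaking values that themselves contain a
    comma (e.g. 'Example Co.,Ltd'); -E occurrence=f at capture time avoids this."""
    mid = len(value) // 2
    if len(value) % 2 and value[mid] == "," and value[:mid] == value[mid + 1:]:
        return value[:mid]
    return value

def parse_line(line):
    """Split one record; hex fields become ints, GeoIP duplicates collapse."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["country"] = dedupe_geoip(rec["country"])
    rec["asnum"] = dedupe_geoip(rec["asnum"])
    rec["flags"] = int(rec["flags"], 16)
    rec["dns_id"] = int(rec["dns_id"], 16)
    rec["ip_len"] = int(rec["ip_len"])
    return rec

def summarize(text, max_names=2):
    """Queries per source IP and per ASN, plus sources asking for more than
    max_names distinct names (a cheap indicator of a noisy or scanning client)."""
    per_src, per_asn, names = Counter(), Counter(), defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        per_src[rec["ip_src"]] += 1
        per_asn[rec["asnum"]] += 1
        names[rec["ip_src"]].add(rec["qname"])
    return per_src, per_asn, sorted(s for s, n in names.items() if len(n) > max_names)
```

Pipe the live tshark output into summarize() a batch at a time, or run it over a saved capture exported with the same -e list.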
3. References
- Supported DNS fields: https://www.wireshark.org/docs/dfref/d/dns.html