How can I configure tshark to parse all BitTorrent messages in the way that Wireshark does?
Question
How do I get tshark to do the more complete and informative parsing of BitTorrent traffic that appears in Wireshark? Here's an example of what I mean.
In case that webpage changes, I'll state explicitly what I mean. In the Wireshark screen, it will parse the BitTorrent messages and label the message type as "Interested (2)" but in tshark, it will state more opaquely "2". I'm using flags such as -Tjson or -Tek or -Tfields and referencing this page for fields (-e flag): https://www.wireshark.org/docs/dfref/b/bittorrent.html. But the output isn't as informative and not as completely parsed and using strings as it is in the Wireshark GUI.
How can I get tshark to output the more descriptive strings that Wireshark outputs?
Alternatively, is there an automated/programmatic way of outputting the Wireshark output? I have too many files to analyze to load them into Wireshark one by one.
Thank you for your help. Please let me know if I can clarify my question.
Answer 1
Score: 0
There are two methods I'm aware of that should help you accomplish your goal, both of which involve specifying the columns you want to use.
Method 1: Use Wireshark to configure a profile with the columns you want and then use -T fields along with -e field to specify the columns to display.
- Add a new Wireshark profile (Edit -> Configuration Profiles) and configure the columns you want in the output. (NOTE: Strictly speaking you don't need to create a new profile; however, it allows you to display bittorrent-related columns only when using this profile when analyzing bittorrent traffic, and it avoids polluting the Default or other profiles with bittorrent columns when you're not analyzing bittorrent traffic.)
- If you want all those columns, then just run tshark selecting that profile, e.g., tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap
- If you want a subset of those columns, then use -T fields and any combination of -e field and "-e _ws.col.Name Of Column" to display the columns you want, e.g., if you added the bittorrent.msg.type field as a column and kept the column name as the default "Message Type", then you'd use something like this: tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap -T fields -e frame.number -e "_ws.col.Message Type"
You could even add -e bittorrent.msg.type too if you also want the values instead of just the strings.
Method 2: Directly specify the columns you want without necessarily having to add them as columns in Wireshark first.
First, to get an idea of the built-in columns that tshark supports, you can run tshark -G column-formats, and an example is provided in the output.
So, to accomplish the same thing as before but using this method, on Windows you'd use:
tshark -2 -Y "bittorrent" -r bittorrent.pcap -o "gui.column.format:\"No.\",\"%m\",\"Message Type\",\"%Cus:bittorrent.msg.type\""
and on *nix you'd use:
tshark -2 -Y "bittorrent" -r bittorrent.pcap -o 'gui.column.format:"No.","%m","Message Type","%Cus:bittorrent.msg.type"'
(The only difference between Windows and *nix is the quoting.)
Answer 2
Score: 0
> In the Wireshark screen, it will parse the BitTorrent messages and label the message type as "Interested (2)" but in tshark, it will state more opaquely "2". I'm using flags such as -Tjson or -Tek or -Tfields
That's the problem - unfortunately, when dumping individual field values, for "enumerated" fields, meaning fields where given numerical values have particular strings giving the value's meaning, the numerical value is given, and there's currently no way to request the string rather than the numerical value.
If you use -T text, you'll get Wireshark-style output, but that's Wireshark-style output, not something at all designed for a program or script to parse.
I tried looking for an enhancement request to fix that, but didn't find anything in the Wireshark issues list. You might want to file such a request in that issues list.
For now, Chris Maynard's mechanism is your best workaround.
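An added example (not part of either answer, and not Wireshark project code): a Python post-processor for the case described above, where -T fields prints only the numeric bittorrent.msg.type, so that many capture files can be labelled in one run. It assumes the BitTorrent peer-wire message IDs from BEP 3, BEP 5 and BEP 10 and tshark's tab separator and comma aggregator; the function names and the sample output are constructed for illustration.

```python
import subprocess
import sys

# Peer-wire message IDs: BEP 3, plus "port" (BEP 5) and "extended" (BEP 10).
# The display names are this example's own; Wireshark's strings may differ.
MSG_TYPES = {
    0: "Choke", 1: "Unchoke", 2: "Interested", 3: "Not Interested",
    4: "Have", 5: "Bitfield", 6: "Request", 7: "Piece", 8: "Cancel",
    9: "Port", 20: "Extended",
}

def tshark_argv(pcap):
    """Command line that dumps frame number and raw message type per frame."""
    return ["tshark", "-r", pcap, "-Y", "bittorrent", "-T", "fields",
            "-E", "separator=/t", "-E", "aggregator=,",
            "-e", "frame.number", "-e", "bittorrent.msg.type"]

def label(value):
    """Turn '2' into 'Interested (2)'; IDs outside the table stay visible."""
    num = int(value)
    return f"{MSG_TYPES.get(num, 'Unknown')} ({num})"

def label_rows(tshark_output):
    """Parse -T fields output into (frame_number, [labels]) tuples."""
    rows = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        frame, _, types = line.partition("\t")
        # One frame can carry several messages (comma-aggregated); a handshake
        # frame has no bittorrent.msg.type at all, so the field is empty.
        labels = [label(v) for v in types.split(",") if v.strip()]
        rows.append((int(frame), labels))
    return rows

# Constructed sample of what tshark_argv() prints; not from a real capture.
SAMPLE = "4\t\n6\t5\n8\t2\n9\t1,6,6\n12\t7\n15\t20\n"

if __name__ == "__main__":
    # Batch use: python label_bt.py a.pcap b.pcap ...
    for pcap in sys.argv[1:]:
        out = subprocess.run(tshark_argv(pcap), capture_output=True,
                             text=True, check=True).stdout
        for frame, labels in label_rows(out):
            print(pcap, frame, "; ".join(labels) or "-", sep="\t")
```
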