Is it possible to get the same output as:
tcpdump port 80 -w log.pcap
wireshark log.pcap
in Wireshark, Analyze > Follow TCP Stream, then Entire Conversation in the drop-down menu at the bottom,
but without using Wireshark? Ideally in the console, with tcpdump or some other widely available tool (netcat?).
Answer 1
Newer versions of TShark should support "-z follow":
-z follow,prot,mode,filter[,range]
Displays the contents of a TCP or UDP stream between two nodes.
The data sent by the second node is prefixed with a tab to
differentiate it from the data sent by the first node.
prot specifies the transport protocol. It can be one of:
tcp TCP
udp UDP
ssl SSL
mode specifies the output mode. It can be one of:
ascii ASCII output with dots for non-printable characters
hex Hexadecimal and ASCII data with offsets
raw Hexadecimal data
Since the output in ascii mode may contain newlines, the length
of each section of output plus a newline precedes each section
of output.
filter specifies the stream to be displayed. UDP streams are
selected with IP address plus port pairs. TCP streams are
selected with either the stream index or IP address plus port
pairs. For example:
ip-addr0:port0,ip-addr1:port1
tcp-stream-index
range optionally specifies which "chunks" of the stream should
be displayed.
Example: -z "follow,tcp,hex,1" will display the contents of the
first TCP stream in "hex" format.
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
00000020 1f 00 06 04 00 00 ......
00000000 00 01 00 00 ....
00000026 00 02 00 00
Example: -z
"follow,tcp,ascii,200.57.7.197:32891,200.57.7.198:2906" will
display the contents of a TCP stream between 200.57.7.197 port
32891 and 200.57.7.98 port 2906.
===================================================================
Follow: tcp,ascii
Filter: (ommitted for readability)
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
38
...".....
................
4
....
So, while tcpdump can't do this for you, newer versions of TShark can, and TShark is a tty-mode (what the young folks call "console mode" :-)) program.
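To turn the "-z follow,tcp,hex" output into the "Entire Conversation" view the question asks for, the dump has to be read back into two directional byte streams. The parser below is an added example, not part of the answer or of TShark; it assumes the conventions the man page states (a leading tab marks data sent by Node 1, offsets count per direction) and uses a constructed sample that mirrors the excerpt above, with the Node 1 tab restored.

```python
"""Parse hex-mode `tshark -z follow,tcp,hex,<stream>` output (constructed
sample below) into per-direction byte streams plus the ordered conversation."""
import re

# Constructed sample modelled on the man page excerpt. The tab before the
# second "00000000" line is the Node 1 marker the man page describes.
SAMPLE = """\
===================================================================
Follow: tcp,hex
Filter: tcp.stream eq 1
Node 0: 200.57.7.197:32891
Node 1: 200.57.7.198:2906
00000000 00 00 00 22 00 00 00 07 00 0a 85 02 07 e9 00 02 ...".... ........
00000010 07 e9 06 0f 00 0d 00 04 00 00 00 01 00 03 00 06 ........ ........
00000020 1f 00 06 04 00 00 ......
\t00000000 00 01 00 00 ....
00000026 00 02 00 00 ....
===================================================================
"""

NODE_LINE = re.compile(r"^Node ([01]): (\S+)$")
# Optional tab, 8-hex-digit offset, then 1..16 hex byte pairs. The 16 cap
# keeps the ASCII column from being read as bytes (assumption: the ASCII
# column of a short line never starts with hex-looking pairs).
HEX_LINE = re.compile(r"^(\t?)([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")


def parse_follow_hex(text):
    """Return (nodes, chunks, streams): node addresses, the ordered list of
    (node, bytes) turns as they appeared on the wire, and each direction's
    reassembled bytes. Raises ValueError on an offset gap, i.e. a lost or
    misparsed line, so silent truncation cannot pass as a full conversation."""
    nodes, chunks = {}, []
    streams = {0: bytearray(), 1: bytearray()}
    for line in text.splitlines():
        m = NODE_LINE.match(line)
        if m:
            nodes[int(m.group(1))] = m.group(2)
            continue
        m = HEX_LINE.match(line)
        if not m:
            continue  # banner, Follow:/Filter: headers, blank lines
        node = 1 if m.group(1) else 0
        offset = int(m.group(2), 16)
        data = bytes.fromhex(m.group(3).strip())  # fromhex skips inner spaces
        if offset != len(streams[node]):  # offsets are per direction
            raise ValueError(f"node {node}: offset {offset:#x}, "
                             f"have {len(streams[node])} bytes")
        streams[node] += data
        if chunks and chunks[-1][0] == node:  # same speaker, same turn
            chunks[-1] = (node, chunks[-1][1] + data)
        else:
            chunks.append((node, data))
    return nodes, chunks, {k: bytes(v) for k, v in streams.items()}
```

Printing `chunks` in order, with Node 1 turns indented, reproduces Wireshark's Entire Conversation view; `streams[0]` and `streams[1]` are the two one-sided views.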