
I am trying to calculate GET requests from my server.

I use tshark.

I run the following command to filter incoming traffic and fetch only GET requests:

/usr/sbin/tshark   -b filesize:1024000  -b files:1  \
'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
-w samples.pcap -R 'http.request.method == "GET"'  

As you can see, I defined it to store the filtered results in 1 file with max size 1G and name samples.pcap.

The problem is, when I try to open the pcap file I see that tshark stored all traffic there:

3245 172.692247  1.1.1.1 -> 2.2.2.2 HTTP [TCP Retransmission] Continuation or non-HTTP traffic
3246 172.730928  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3247 172.731944  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3248 172.791934  1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1
3249 172.825303  1.1.1.1 -> 2.2.2.2 HTTP HTTP/1.1 200 OK [Unreassembled Packet [incorrect TCP checksum]]
3250 172.826329  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3251 172.826341  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3252 172.826347  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3253 172.826354  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3254 172.826359  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic

I have really big traffic; during 10 min I get a pcap file of size 950M. And it takes about 4 min to parse it.

The interesting thing is when I try to run it without storing it to a local file (but under /tmp):

/usr/sbin/tshark \
'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
-R 'http.request.method == "GET"':

3.776587 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1
4.775624 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/clsWebClient.php HTTP/1.1
8.804702 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1

It works, but in this case I have several temp files under /tmp with huge sizes of 1G+.

Did I miss something?

Thank you

=======================================================

Edit

Lars asked to add -f:

sudo /usr/sbin/tshark   -T fields -e 'http.request.uri contains "cnc=13"'  \
         -b filesize:1024000  -b files:1  \
         -f 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'  \
         -w samples.pcap

It doesn't help; samples.pcap still stores all traffic:

 74   6.908388  172.20.0.23 -> 89.78.170.96 HTTP Continuation or non-HTTP traffic
 75   6.908394  172.20.0.23 -> 89.78.170.96 HTTP Continuation or non-HTTP traffic

2 Answers


This seems to work when you want to combine -w with a bpf packet filter (i.e., what you would put on -f):

 tcpdump -nli en1 -w - 'tcp port 80' | tshark -i - -R'http.request.method == "GET"'

(Replacing the initial tcpdump with tshark gives this error on my local system: tshark: Unrecognized libpcap format)

Since version 1.4.0, saving the results of a read filter (-R) while capturing (or reading from a capture) and writing the result out again no longer seems to be supported (see: http://ask.wireshark.org/questions/10397/read-filters-arent-supported-when-capturing-and-saving-the-captured-packets). Presumably versions before 1.4.0 would allow writing a pcap and limiting the output with -b (not tested).

If you only want the text output of -R (rather than pcap output), I think the command above would be your solution.

To limit your output (i.e., you mentioned you only want to sample), you can use head -c <bytes> anywhere in the processing pipeline:

tcpdump -nli en1 -w - 'tcp port 80' | \
  tshark -i - -R'http.request.method == "GET"' | \
  head -c 1024000 > output.txt

produces a 1024000-byte text output file named output.txt, or

tcpdump -nli en1 -w - 'tcp port 80' | \
  head -c 1024000 | \
  tshark -i - -R'http.request.method == "GET"' > output.txt

processes 102400 bytes of pcap input pre-filtered for TCP port 80 and puts the text output into a file named output.txt

answered 2013-04-25T13:05:51.987
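An added example, not part of the question or either answer: a small Python checker for tshark's default one-line summary output that counts GET requests per URI and reports whether non-GET packets slipped through, which is exactly the symptom above when -R is combined with -w. The sample lines are constructed to mirror the two outputs shown in the question, and the function names are my own.

```python
import re
from collections import Counter

# tshark's default one-line summary: optional frame number, relative time,
# "src -> dst", protocol column, then the Info column.
SUMMARY_RE = re.compile(
    r"^\s*(?:(?P<frame>\d+)\s+)?(?P<time>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# GET request in the Info column, tolerating flags like "[TCP Retransmission]".
GET_RE = re.compile(r"^(?:\[[^\]]*\]\s*)*GET\s+(?P<uri>\S+)\s+HTTP/\d\.\d")

# Constructed sample lines mirroring the two outputs shown in the question.
SAMPLE_WITH_W = """\
3245 172.692247  1.1.1.1 -> 2.2.2.2 HTTP [TCP Retransmission] Continuation or non-HTTP traffic
3246 172.730928  1.1.1.1 -> 2.2.2.2 HTTP Continuation or non-HTTP traffic
3248 172.791934  1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1
3249 172.825303  1.1.1.1 -> 2.2.2.2 HTTP HTTP/1.1 200 OK [Unreassembled Packet [incorrect TCP checksum]]
"""
SAMPLE_PIPED = """\
3.776587 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1
4.775624 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/clsWebClient.php HTTP/1.1
8.804702 1.1.1.1 -> 2.2.2.2  HTTP GET /services/client/client.php?cnc=13 HTTP/1.1
"""

def parse_summary(line):
    # Return the columns of one summary line as a dict, or None if it is not one.
    m = SUMMARY_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    # Count GET requests per URI and note whether anything else slipped through.
    stats = {"get": 0, "other": 0, "unparsed": 0, "by_uri": Counter()}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_summary(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        m = GET_RE.match(rec["info"])
        if m:
            stats["get"] += 1
            stats["by_uri"][m.group("uri")] += 1
        else:
            stats["other"] += 1
    # The display filter only did its job if nothing but GET requests survived.
    stats["filter_applied"] = stats["get"] > 0 and stats["other"] == 0
    return stats
```

Feed it the text that tshark prints (for example via the tcpdump | tshark pipeline above) rather than the pcap; on the question's first output it reports the filter as not applied, on the second as applied.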

Well, don't use -w, which saves raw data; you should use the redirect operator ">" to specify the target directory.

answered 2017-07-28T15:43:52.907