selecting major flows at once in a huge pcap in wireshark


Question

I have a large pcap with more than 1000 TCP flows. I want to filter major flows, say those with more than 100 packets. If I go to Conversations and right-click on those flows, I can filter them, but then I have to do it several times, and since I have a huge pcap, it may exceed 100. Is there any other quick display filter I can use which will give me flows having number of packets > n (n being any +ve integer)?

Say some filter like:

flow.num_pkt > 100

which can give me all such flows.

Thanks a lot.

Any help would be appreciated.

Recommended answer

Bro is an apt tool for connection-oriented analysis. To find the number of packets per flow, you simply run Bro on the trace and extract the value from the logs:

bro -r trace.pcap
bro-cut id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts < conn.log \
    | awk '$5+$6 > 100 {print $1,$2,$3,$4,$5,$6}' \
    | sort -rn -k 5 \
    | head

This gives the following output:

192.168.1.105 49325 137.226.34.227 80 73568 146244
192.168.1.105 49547 198.189.255.74 80 16764 57098
192.168.1.105 49531 198.189.255.74 80 5186 14843
192.168.1.105 49255 198.189.255.73 80 4749 32164
192.168.1.104 1422 69.147.86.184 80 2657 2656
192.168.1.105 49251 198.189.255.74 80 2254 13854
192.168.1.1 626 224.0.0.1 626 2175 0
192.168.1.105 49513 198.189.255.82 80 2010 3852
192.168.1.103 2026 151.207.243.129 80 1953 2570
192.168.1.105 49330 143.166.11.10 64334 1514 3101

The tool bro-cut ships with Bro and provides a convenient way to extract certain named columns from the logs. For this task, you want:

  • id.orig_h: IP of the connection originator (source)
  • id.orig_p: Transport-layer port of the connection originator (source)
  • id.resp_h: IP of the connection responder (destination)
  • id.resp_p: Transport-layer port of the connection responder (source)
  • orig_pkts: Number of packets sent by the originator
  • resp_pkts: Number of packets sent by the responder

Note the awk filter expression:

awk '$5+$6 > 100 {print ...}'

It restricts the output to those connections that have a total number of packets greater than 100.

Unless you have fixed-size packets, I encourage you to also investigate other metrics, such as packet size (IP or TCP payload). These are readily available in the connection logs via the orig_bytes and resp_bytes columns.
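The bro-cut + awk pipeline above depends on column positions and on having bro-cut installed. As an added example (not part of the answer, and not Bro's own tooling), the script below does the same job on a conn.log directly: it reads the `#fields` header to look columns up by name, treats Bro's `-` unset marker as zero, filters on the combined originator+responder count for either the packet metric or the byte metric the answer suggests, and finally turns the surviving flows into a Wireshark display filter so they can be selected in one go, which is what the question asked for. The conn.log content is constructed for illustration, with a trimmed field list and made-up values; `SAMPLE_CONN_LOG`, `parse_conn_log`, `major_flows` and `wireshark_filter` are names chosen here, not anything from Bro.

```python
"""Select major flows from a Bro/Zeek conn.log by total packets or bytes."""
from typing import Dict, List, Tuple

# Constructed sample in Bro's ASCII log layout (tab-separated, '#fields' header).
# The field list is trimmed to the columns used here; values are made up, and
# '-' marks an unset field exactly as Bro writes it (e.g. no byte count for UDP).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tcount\tcount
1300475167.096535\tCXWv6p3arKYeMETxOg\t192.168.1.105\t49325\t137.226.34.227\t80\ttcp\t1948000\t201500000\t73568\t146244
1300475168.100000\tCjhGID4nQcgTWjvg4c\t192.168.1.104\t1422\t69.147.86.184\t80\ttcp\t120000\t3500000\t2657\t2656
1300475169.200000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.1\t626\t224.0.0.1\t626\tudp\t-\t-\t2175\t0
1300475170.300000\tCtPZjS20MLrsMUOJi2\t192.168.1.103\t3333\t10.0.0.5\t443\ttcp\t900\t4200\t12\t10
1300475171.400000\tCUM0KZ3MLUfNB0cl11\t192.168.1.106\t4444\t10.0.0.6\t22\ttcp\t6000\t9000\t60\t41
#close\t2011-03-18-19-06-13
"""

Flow = Tuple[str, str, str, str, str, int, int]  # orig_h, orig_p, resp_h, resp_p, proto, orig, resp


def parse_conn_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Parse the ASCII log into (field names, rows keyed by field name).

    Columns are resolved from the '#fields' header rather than by position,
    which is the part of bro-cut this script replaces: it keeps working if the
    local Bro policy adds or reorders conn.log columns.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines carry no flow data
        if not fields:
            raise ValueError("data line before '#fields' header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return fields, rows


def _count(value: str) -> int:
    """Bro writes '-' for an unset counter; treat it as zero so sums still work."""
    return 0 if value == "-" else int(value)


def major_flows(text: str, n: int, metric: str = "pkts") -> List[Flow]:
    """Return flows whose orig+resp total for `metric` exceeds n, largest first.

    metric is "pkts" (orig_pkts + resp_pkts, the answer's awk filter) or
    "bytes" (orig_bytes + resp_bytes, the alternative the answer suggests).
    """
    if metric not in ("pkts", "bytes"):
        raise ValueError("metric must be 'pkts' or 'bytes'")
    orig_col, resp_col = f"orig_{metric}", f"resp_{metric}"
    _, rows = parse_conn_log(text)
    result: List[Flow] = []
    for r in rows:
        o, p = _count(r[orig_col]), _count(r[resp_col])
        if o + p > n:
            result.append((r["id.orig_h"], r["id.orig_p"], r["id.resp_h"],
                           r["id.resp_p"], r["proto"], o, p))
    # Sort by combined total (the awk pipeline sorted on the originator count only).
    result.sort(key=lambda f: f[5] + f[6], reverse=True)
    return result


def wireshark_filter(flows: List[Flow]) -> str:
    """Build one Wireshark display filter that selects exactly these flows.

    Both addresses and both ports are matched, so packets in either direction
    of each conversation are kept; protocols without ports get an address-only clause.
    """
    clauses = []
    for oh, op, rh, rp, proto, _, _ in flows:
        clause = f"ip.addr=={oh} && ip.addr=={rh}"
        if proto in ("tcp", "udp"):
            clause += f" && {proto}.port=={op} && {proto}.port=={rp}"
        clauses.append(f"({clause})")
    return " || ".join(clauses)


if __name__ == "__main__":
    selected = major_flows(SAMPLE_CONN_LOG, 100)
    for flow in selected:
        print(*flow)
    print("\nWireshark display filter:\n" + wireshark_filter(selected))
```

To use it on a real trace, run `bro -r trace.pcap` as in the answer, read the resulting conn.log into `major_flows(open("conn.log").read(), n)`, and paste the string from `wireshark_filter` into Wireshark's filter bar. Sorting by the combined count is a deliberate departure from the awk pipeline, which sorts on column 5 (originator packets) alone and therefore can rank a flow with a large response below a smaller one.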
