2-pass filter in Wireshark/tshark
Question
The options -Y, -2 and -R in tshark have confused me for a long time.
After reading the manual, I know that -Y is used for a single-pass filter and -2 for a 2-pass filter (for cases where some information cannot be obtained until the first pass is over).
But I still cannot understand the difference between -2 -Y 'blabla', -2 -R 'balabala', and -2 -Y 'blalal' -R 'blala'.
I also did an experiment that drove me crazy:
tshark -n -r test.pcap -2 -R 'frame.number > 0'
1 0.000000 10.140.28.17 -> 10.74.68.58 TCP 80 62276 > 8989 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=330325315 TSecr=0 SACK_PERM=1
2 0.000056 10.74.68.58 -> 10.140.28.17 TCP 76 8989 > 62276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2078759468 TSecr=330325315 WS=128
3 0.000678 10.140.28.17 -> 10.74.68.58 TCP 68 62276 > 8989 [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=330325316 TSecr=2078759468
4 0.000756 10.140.28.17 -> 10.74.68.58 HTTP 158 GET /index.html HTTP/1.1
5 0.000770 10.74.68.58 -> 10.140.28.17 TCP 68 8989 > 62276 [ACK] Seq=1 Ack=91 Win=29056 Len=0 TSval=2078759468 TSecr=330325316
But when I execute tshark -n -r test.pcap -2 -R 'frame.number > 1', nothing is printed. How can this be explained?
My tshark version is: TShark 1.10.6 (v1.10.6 from master-1.10)
Can you help me with this problem? Thank you in advance!
Answer
I answered this question on http://ask.wireshark.org, but I'll paste my answer here as well in case anyone looks here for an answer instead of there.
-R specifies a read filter, so only matching packets from a file are read and processed; unmatched packets are essentially treated as if the file didn't contain them at all. Contrast this with -Y, which specifies a display filter, so only matching packets are displayed, but all packets are still read and processed.
The problem you're seeing with frame.number is a known bug that was determined not worth fixing long ago. See Bug 380, "wireshark -R doesn't support 'frame.number' as a read filter".
You can also follow along some of the history behind -R vs. -Y here:
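The following is an added example, not code from the question, the answer or the Wireshark project. It models the two behaviours the answer describes on constructed packets: a read filter (-R) decides which frames are kept at all, a display filter (-Y) only decides which of the kept frames are printed. To reproduce the frame.number result from the question, the model assumes that the frame number a packet is tested with during the read-filter pass is one more than the number of frames kept so far; that assumption is mine, chosen because it explains why 'frame.number > 0' keeps everything and 'frame.number > 1' keeps nothing, and it is not something the answer or Bug 380 is quoted as stating here. The packets are a constructed sketch of the five frames in the question, and the filter callables stand in for tshark filter strings.

```python
"""Model of tshark's read filter (-R) versus display filter (-Y).

Added example: not tshark code. Packets and filter callables are
constructed here; the frame-numbering rule in read_pass() is an
assumption used to explain the experiment in the question.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    info: str


# Constructed sketch of the five frames from the question (not a real pcap).
CAPTURE: List[Packet] = [
    Packet("10.140.28.17", "10.74.68.58", "TCP", "62276 > 8989 [SYN]"),
    Packet("10.74.68.58", "10.140.28.17", "TCP", "8989 > 62276 [SYN, ACK]"),
    Packet("10.140.28.17", "10.74.68.58", "TCP", "62276 > 8989 [ACK]"),
    Packet("10.140.28.17", "10.74.68.58", "HTTP", "GET /index.html HTTP/1.1"),
    Packet("10.74.68.58", "10.140.28.17", "TCP", "8989 > 62276 [ACK]"),
]

# A filter receives the frame number it is being tested with and the packet.
Filter = Callable[[int, Packet], bool]
Frame = Tuple[int, Packet]


def read_pass(packets: List[Packet], read_filter: Optional[Filter]) -> List[Frame]:
    """First pass with a read filter (-R).

    Packets that fail the filter are dropped as if the file did not contain
    them. ASSUMPTION (mine, not from the answer): the number a packet is
    tested with is the count of frames kept so far plus one, so a dropped
    packet does not advance the numbering and kept frames are renumbered
    consecutively.
    """
    kept: List[Frame] = []
    for pkt in packets:
        framenum = len(kept) + 1
        if read_filter is None or read_filter(framenum, pkt):
            kept.append((framenum, pkt))
    return kept


def display_pass(frames: List[Frame], display_filter: Optional[Filter]) -> List[Frame]:
    """Display filter (-Y): every frame is processed, only matches are shown.

    Frame numbers are left untouched, so a shown frame keeps its original
    position in the file.
    """
    return [(n, p) for n, p in frames if display_filter is None or display_filter(n, p)]


def tshark(packets: List[Packet],
           read_filter: Optional[Filter] = None,
           display_filter: Optional[Filter] = None) -> List[Frame]:
    """Model of `tshark -2 [-R read_filter] [-Y display_filter]`."""
    return display_pass(read_pass(packets, read_filter), display_filter)


def frame_numbers(frames: List[Frame]) -> List[int]:
    """Frame numbers that would appear in the first output column."""
    return [n for n, _ in frames]


def is_http(_framenum: int, pkt: Packet) -> bool:
    """Stands in for the filter string 'http'."""
    return pkt.proto == "HTTP"


def frame_number_gt(threshold: int) -> Filter:
    """Stands in for the filter string 'frame.number > threshold'."""
    return lambda framenum, _pkt: framenum > threshold


if __name__ == "__main__":
    cases = [
        ("-2 -R 'frame.number > 0'", tshark(CAPTURE, read_filter=frame_number_gt(0))),
        ("-2 -R 'frame.number > 1'", tshark(CAPTURE, read_filter=frame_number_gt(1))),
        ("-2 -Y 'frame.number > 1'", tshark(CAPTURE, display_filter=frame_number_gt(1))),
        ("-2 -R 'http'", tshark(CAPTURE, read_filter=is_http)),
        ("-2 -Y 'http'", tshark(CAPTURE, display_filter=is_http)),
    ]
    for label, frames in cases:
        print(f"tshark -n -r test.pcap {label}")
        for n, p in frames:
            print(f"  {n} {p.src} -> {p.dst} {p.proto} {p.info}")
        if not frames:
            print("  (nothing printed)")
```

Two things the model makes visible beyond the question's own experiment: with a read filter the surviving frames are renumbered (the HTTP request becomes frame 1 under -R 'http'), while under -Y 'http' the same packet is still reported as frame 4, because the display filter never removes frames from the file's numbering. Treat the renumbering detail as part of the stated assumption and check it against a real capture before relying on it.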