
[Wireshark] Chaining with tcpdump

by 크크다스, 2019. 8. 28.



tcpdump -i eth0 port 2233 and host 192.168.88.47 -U -w - | nc 192.168.88.222 12345


Only the key points for each case are noted briefly. Note that nc sends the capture in clear text and the listener accepts any client that connects; use this on a trusted network, or tunnel the same pipeline over ssh instead.


Linux> https://forum.netgate.com/topic/96125/using-tcpdump-to-capture-traffic-remotely-but-save-output-to-a-local-file/2

Method> X Window on the Linux server was used.

- install wireshark

- install nc


Example> Running as a normal user gave a dumpcap error, so I relaxed the permissions.

     nc -l -p 12345 | wireshark -ki -


tcpdump -i eth0 port 2233 -U -w - | nc 192.168.88.222 12345

tcpdump -i eth0 port 2233 and host 192.168.88.47 -U -w - | nc 192.168.88.222 12345


tcpdump -i eth0 port 2233 -U -w - | nc 122.129.242.61 12345


tcpdump -i eth0 '(port 2233) and (host 220.127.242.198 or host 14.53.220.73 or host 220.127.242.166 or host 175.194.113.123 or host 222.120.199.227 or host 14.53.220.9 or host 175.194.113.184 or host 220.88.208.109)' -U -w - | nc 122.129.242.61 12345


<Excluding keep-alives>
tcpdump -i eth0 '(port 2233) and (not udp[10:2] = 0x1607) and (not udp[10:2] = 0x1608)' -U -w - | tee /storage/DUMP/filter_keep.pcap | nc 122.129.242.61 12345

udp[10:2] is the two bytes at offset 10 from the start of the UDP header; since the UDP header is 8 bytes, that is payload bytes 2-3.

Wireshark filter>

filter : frame contains 7c:4f:7d:00:0b:eb


Windows> I tried following the link below, but it didn't work well.

Method>

https://forum.peplink.com/t/how-to-enable-remote-packet-capture-with-wireshark/7685

Using netcat / wireshark


nc111nt : password : nc

Example>

"D:\_Utils\nc111nt\nc.exe" -l -p 12345 | "C:\Program Files\Wireshark\Wireshark.exe" -ki -


View while saving

(https://stackoverflow.com/questions/25603831/how-can-i-have-tcpdump-write-to-file-and-standard-output-the-appropriate-data)

Method>

tcpdump -w - | tee somefile | tcpdump -r -

  • -w - tells tcpdump to write binary data to stdout
  • tee writes that binary data to a file AND to its own stdout
  • -r - tells the second tcpdump to get its data from its stdin

Example>

tcpdump -i eth0 'port 2233 and not ( udp[10]=0x16 and udp[11]=0x07 ) and not ( udp[10]=0x16 and udp[11]=0x08 )' -w - | tee 0905_roam_no_hb.pcap | tcpdump -r - -XX |grep "00 16"
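The keep-alive filter above, the `frame contains` Wireshark filter, and the `-w - | tee | -r -` pipeline are easy to get subtly wrong (the unquoted filter, or misreading `udp[10:2]` as payload offset 10). The following is an added example, not code from the original post: it builds a few Ethernet/IPv4/UDP frames inline (constructed data; the source MAC is the one from the page's filter, the IP addresses and payloads are assumptions), serializes them in the classic pcap format that `tcpdump -w -` emits, and re-implements the filters byte for byte so they can be checked offline before being deployed on a live box.

```python
"""Added example: reproduce the page's tcpdump/Wireshark filters on constructed pcap data."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame. Checksums are left zero; BPF offset filters ignore them."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + udp


def pcap_bytes(frames):
    """Serialize frames as a classic little-endian pcap stream (what 'tcpdump -w -' writes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1567000000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap(data):
    """Yield raw frames from a pcap stream produced by pcap_bytes()."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap stream")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def udp_fields(frame):
    """Return (sport, dport, udp_header_offset) for an IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:  # 17 = UDP
        return None
    udp_start = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp_start:udp_start + 4])
    return sport, dport, udp_start


def keepalive_filter(frame, port=2233):
    """BPF: port 2233 and not udp[10:2] = 0x1607 and not udp[10:2] = 0x1608.

    udp[10:2] is two bytes at offset 10 from the UDP header, i.e. payload bytes 2-3,
    because the UDP header itself is 8 bytes. Packets too short for the load are
    rejected, as BPF does.
    """
    fields = udp_fields(frame)
    if fields is None or len(frame) < fields[2] + 12:
        return False
    sport, dport, udp_start = fields
    if port not in (sport, dport):
        return False
    udp_10_2 = struct.unpack("!H", frame[udp_start + 10:udp_start + 12])[0]
    return udp_10_2 not in (0x1607, 0x1608)


def frame_contains(frame, hexstring):
    """Wireshark display filter 'frame contains 7c:4f:7d:00:0b:eb': raw byte substring match."""
    return bytes.fromhex(hexstring.replace(":", "")) in frame


def tee_and_filter(stream, outfile):
    """Mirror 'tcpdump -w - | tee file | tcpdump -r -': keep the full stream, return filtered frames."""
    outfile.write(stream)
    return [f for f in iter_pcap(stream) if keepalive_filter(f)]


# Constructed sample traffic (assumed addresses/payloads). udp[10:2] is payload[2:4].
SRC_MAC, DST_MAC = "7c:4f:7d:00:0b:eb", "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_udp_frame(SRC_MAC, DST_MAC, "192.168.88.47", "192.168.88.1", 40000, 2233,
                    b"\x00\x16\x16\x07\x00\x00"),   # keep-alive 0x1607 -> dropped
    build_udp_frame(SRC_MAC, DST_MAC, "192.168.88.1", "192.168.88.47", 2233, 40000,
                    b"\x00\x16\x16\x08\x00\x00"),   # keep-alive 0x1608 -> dropped
    build_udp_frame(SRC_MAC, DST_MAC, "192.168.88.47", "192.168.88.1", 40000, 2233,
                    b"\x00\x16\x00\x01\xde\xad"),   # real data -> kept
    build_udp_frame(SRC_MAC, DST_MAC, "192.168.88.47", "192.168.88.1", 40001, 53,
                    b"\x00\x16\x00\x01\x00\x00"),   # wrong port -> dropped
]


def demo():
    """Return (frames saved by tee, frames surviving the keep-alive filter)."""
    saved = io.BytesIO()
    kept = tee_and_filter(pcap_bytes(SAMPLE_FRAMES), saved)
    return len(list(iter_pcap(saved.getvalue()))), len(kept)


if __name__ == "__main__":
    print(demo())
```

Running the file reports that all four frames were written to the tee'd stream while only one passed the filter, which is the behaviour to expect from the real pipeline: the saved pcap keeps everything tcpdump captured (the filter is applied at capture time on the box, so in the real command the file also lacks keep-alives), and Wireshark or the second tcpdump see the same bytes.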

