Sniffing packets with tshark
I have 2 servers (serv1, serv2) that communicate and I'm trying to sniff packets matching certain criteria that get transferred from serv1 to serv2. Tshark is installed on my desktop (desk1). I have written the following script:
while true; do
  # Capture for 10 s on eth0, keep only SIP responses to OPTIONS that come from serv1,
  # and write their response times to a file stamped with the current time.
  # The filter must be in single quotes: wrapping it in double quotes ends the
  # shell string at "OPTIONS" and tshark never sees the intended filter.
  # -Y is the display filter option; newer tshark rejects the older -R unless -2 is given.
  tshark -a duration:10 -i eth0 -Y '(sip.CSeq.method == "OPTIONS") && (sip.Status-Code) && ip.src eq serv1' -T fields -e sip.response-time > "response.time.$(date +%F-%T)"
done
This script seems to run fine when run on serv1 (since serv1 is sending packets to serv2). However, when I try to run this on desk1, it can't capture any packets. They are all on the same LAN. What am I missing?
Comments (3)
Assuming that either serv1 or serv2 are on the same physical ethernet switch as desk1, you can sniff transit traffic between serv1 and serv2 by using a feature called SPAN (Switch Port Analyzer).
Assume your server is on FastEthernet4/2 and your desktop is on FastEthernet4/3 of the Cisco switch... you should telnet or ssh into the switch and enter these commands...
This feature is not limited to Cisco devices... Juniper / HP / Extreme and other Enterprise ethernet switch vendors also support it.
How about using the misnamed tcpdump, which will capture all traffic from the wire? What I suggest doing is just capturing packets on the interface. Do not filter at the capture level. Afterwards you can filter the pcap file. Something like this:
If your LAN is a switched network (most are) or your desktop NIC doesn't support promiscuous mode, then you won't be able to see any of the packets. Verify both of those things.
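The two checks the answers above ask for, as an added example (not code from either answer): whether the desktop NIC is actually in promiscuous mode, read either from `ip link show` output or from the kernel's interface flags (IFF_PROMISC is bit 0x100), and the "capture everything, filter the pcap afterwards" pipeline with tcpdump and tshark. The interface name, duration and output directory are assumptions; capturing needs root or CAP_NET_RAW.

```shell
#!/bin/sh
# is_promisc: succeed if an `ip link show <if>` line carries the PROMISC flag.
# Takes the output text as an argument so it can be checked on constructed input.
is_promisc() {
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# flags_promisc: succeed if the hex value from /sys/class/net/<if>/flags
# has IFF_PROMISC (0x100) set, e.g. 0x1103 = UP|BROADCAST|PROMISC|MULTICAST.
flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# check_iface IFACE: print both views for a live interface (assumed name).
check_iface() {
    is_promisc "$(ip link show "$1")" && echo "$1: PROMISC flag set" \
        || echo "$1: NOT promiscuous; on a switched LAN you will only see your own traffic"
    flags_promisc "$(cat "/sys/class/net/$1/flags")" && echo "$1: IFF_PROMISC set in sysfs"
}

# capture_then_filter IFACE SECONDS OUTDIR: unfiltered capture first, then the
# same SIP display filter as the question applied offline with tshark -r.
capture_then_filter() {
    iface=$1; secs=$2; out=$3
    pcap="$out/capture.$(date +%F-%T).pcap"
    # No -p here: -p would turn promiscuous mode OFF. No BPF either, capture everything.
    timeout "$secs" tcpdump -i "$iface" -s 0 -w "$pcap"
    tshark -r "$pcap" \
        -Y '(sip.CSeq.method == "OPTIONS") && (sip.Status-Code) && ip.src eq serv1' \
        -T fields -e sip.response-time
}
```

If the NIC is promiscuous and the pcap still contains only desk1's own traffic, the switch is not forwarding the serv1/serv2 conversation to your port, which is what SPAN (previous answer) fixes.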