<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>wireshark(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>wireshark(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>wireshark - Interactively dump and analyze network traffic</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>wireshark</strong></span>
<span class="nowrap">[ <strong>-i</strong> &lt;capture interface&gt;|- ]</span>
<span class="nowrap">[ <strong>-f</strong> &lt;capture filter&gt; ]</span>
<span class="nowrap">[ <strong>-Y</strong> &lt;display filter&gt; ]</span>
<span class="nowrap">[ <strong>-w</strong> &lt;outfile&gt; ]</span>
<span class="nowrap">[ <strong>options</strong> ]</span>
<span class="nowrap">[ &lt;infile&gt; ]</span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Wireshark</strong> is a GUI network protocol analyzer. It lets you
interactively browse packet data from a live network or from a
previously saved capture file. <strong>Wireshark</strong>'s native capture file
formats are <strong>pcapng</strong> format and <strong>pcap</strong> format; it can read and write
both formats. <strong>pcap</strong> format is also the format used by <strong>tcpdump</strong> and
various other tools; <strong>tcpdump</strong>, when using newer versions of the
<strong>libpcap</strong> library, can also read some pcapng files, and, on newer
versions of macOS, can read all pcapng files and can write them as well.</p>
</div>
<div class="paragraph">
<p><strong>Wireshark</strong> can also read / import the following file formats:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Oracle (previously Sun) <strong>snoop</strong> and <strong>atmsnoop</strong> captures</p>
</li>
<li>
<p>Finisar (previously Shomiti) <strong>Surveyor</strong> captures</p>
</li>
<li>
<p>Microsoft <strong>Network Monitor</strong> captures</p>
</li>
<li>
<p>Novell <strong>LANalyzer</strong> captures</p>
</li>
<li>
<p>AIX’s <strong>iptrace</strong> captures</p>
</li>
<li>
<p>Cinco Networks <strong>NetXRay</strong> captures</p>
</li>
<li>
<p>NETSCOUT (previously Network Associates/Network General) Windows-based
<strong>Sniffer</strong> captures</p>
</li>
<li>
<p>Network General/Network Associates DOS-based <strong>Sniffer</strong> captures
(compressed or uncompressed)</p>
</li>
<li>
<p>LiveAction (previously WildPackets/Savvius) <strong>*Peek</strong>/<strong>EtherHelp</strong>/<strong>PacketGrabber</strong> captures</p>
</li>
<li>
<p><strong>RADCOM</strong>'s WAN/LAN analyzer captures</p>
</li>
<li>
<p>Viavi (previously Network Instruments) <strong>Observer</strong> captures</p>
</li>
<li>
<p><strong>Lucent/Ascend</strong> router debug output</p>
</li>
<li>
<p>captures from HP-UX <strong>nettl</strong></p>
</li>
<li>
<p><strong>Toshiba’s</strong> ISDN routers dump output</p>
</li>
<li>
<p>the output from <strong>i4btrace</strong> from the ISDN4BSD project</p>
</li>
<li>
<p>traces from the <strong>EyeSDN</strong> USB S0</p>
</li>
<li>
<p>the <strong>IPLog</strong> format output from the Cisco Secure Intrusion Detection System</p>
</li>
<li>
<p><strong>pppd logs</strong> (pppdump format)</p>
</li>
<li>
<p>the output from VMS’s <strong>TCPIPtrace</strong>/<strong>TCPtrace</strong>/<strong>UCX$TRACE</strong> utilities</p>
</li>
<li>
<p>the text output from the <strong>DBS Etherwatch</strong> VMS utility</p>
</li>
<li>
<p>Visual Networks' <strong>Visual UpTime</strong> traffic capture</p>
</li>
<li>
<p>the output from <strong>CoSine</strong> L2 debug</p>
</li>
<li>
<p>the output from InfoVista (previously Accellent) <strong>5View</strong> LAN agents</p>
</li>
<li>
<p>Endace Measurement Systems' ERF format captures</p>
</li>
<li>
<p>Linux Bluez Bluetooth stack <strong>hcidump -w</strong> traces</p>
</li>
<li>
<p>Catapult DCT2000 .out files</p>
</li>
<li>
<p>Gammu generated text output from Nokia DCT3 phones in Netmonitor mode</p>
</li>
<li>
<p>IBM Series (OS/400) Comm traces (ASCII &amp; UNICODE)</p>
</li>
<li>
<p>Juniper Netscreen snoop files</p>
</li>
<li>
<p>Symbian OS btsnoop files</p>
</li>
<li>
<p>TamoSoft CommView files</p>
</li>
<li>
<p>Tektronix K12xx 32bit .rf5 format files</p>
</li>
<li>
<p>Tektronix K12 text file format captures</p>
</li>
<li>
<p>Apple PacketLogger files</p>
</li>
<li>
<p>Captures from Aethra Telecommunications' PC108 software for their test
instruments</p>
</li>
<li>
<p>Citrix NetScaler Trace files</p>
</li>
<li>
<p>Android Logcat binary and text format logs</p>
</li>
<li>
<p>Colasoft Capsa and PacketBuilder captures</p>
</li>
<li>
<p>Micropross mplog files</p>
</li>
<li>
<p>Unigraf DPA-400 DisplayPort AUX channel monitor traces</p>
</li>
<li>
<p>802.15.4 traces from Daintree’s Sensor Network Analyzer</p>
</li>
<li>
<p>MPEG-2 Transport Streams as defined in ISO/IEC 13818-1</p>
</li>
<li>
<p>Log files from the <em>candump</em> utility</p>
</li>
<li>
<p>Logs from the BUSMASTER tool</p>
</li>
<li>
<p>Ixia IxVeriWave raw captures</p>
</li>
<li>
<p>Rabbit Labs CAM Inspector files</p>
</li>
<li>
<p><em>systemd</em> journal files</p>
</li>
<li>
<p>3GPP TS 32.423 trace files</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>There is no need to tell <strong>Wireshark</strong> what type of
file you are reading; it will determine the file type by itself.
<strong>Wireshark</strong> is also capable of reading any of these file formats if they
are compressed using gzip. <strong>Wireshark</strong> recognizes this directly from
the file; the '.gz' extension is not required for this purpose.</p>
</div>
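<div class="paragraph">
<p>The content-based detection described above, as an added Python illustration that is not part of this manual page or of Wireshark's source: it classifies a capture by its leading bytes, looks inside gzip data regardless of the file name, and bounds the decompressed read. It covers only pcap, pcapng and gzip; the function name <code>sniff_capture</code> and the sample headers are constructed for the example.</p>
</div>

```python
import gzip
import io
import struct
import zlib

# Leading magic numbers of the pcap and pcapng formats.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond)",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type
PCAPNG_BOM = (b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a")  # byte-order magic
GZIP_MAGIC = b"\x1f\x8b"
MAX_PEEK = 64  # decompressed bytes read while classifying


def sniff_capture(data: bytes, depth: int = 0) -> str:
    """Classify a capture by its leading bytes; the file name is never used."""
    if data[:2] == GZIP_MAGIC:
        if depth >= 1:
            return "gzip (nested, not unpacked)"
        try:
            # Bounded read: only MAX_PEEK decompressed bytes are requested.
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_PEEK)
        except (OSError, EOFError, zlib.error):
            return "gzip (corrupt)"
        return "gzip -> " + sniff_capture(inner, depth + 1)
    head = data[:4]
    if head in PCAP_MAGICS:
        return PCAP_MAGICS[head]
    # pcapng: block type, 4-byte block length, then the byte-order magic.
    if head == PCAPNG_SHB and data[8:12] in PCAPNG_BOM:
        return "pcapng"
    return "unknown"


# Constructed sample headers (no packets), built inline for the demonstration.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
SAMPLE_GZ = gzip.compress(SAMPLE_PCAP)  # as if saved under a name without ".gz"

if __name__ == "__main__":
    for name, blob in [("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG),
                       ("gzip, no .gz name", SAMPLE_GZ), ("text", b"GET / HTTP/1.1")]:
        print(f"{name}: {sniff_capture(blob)}")
```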
<div class="paragraph">
<p>Like other protocol analyzers, <strong>Wireshark</strong>'s main window shows 3 views
of a packet. It shows a summary line, briefly describing what the
packet is. A packet details display is shown, allowing you to drill
down to the exact protocol or field that you are interested in. Finally, a hex
dump shows you exactly what the packet looks like when it goes over the
wire.</p>
</div>
<div class="paragraph">
<p>In addition, <strong>Wireshark</strong> has some features that make it unique. It can
assemble all the packets in a TCP conversation and show you the ASCII
(or EBCDIC, or hex) data in that conversation. Display filters in
<strong>Wireshark</strong> are very powerful; more fields are filterable in <strong>Wireshark</strong>
than in other protocol analyzers, and the syntax you can use to create
your filters is richer. As <strong>Wireshark</strong> progresses, expect more and more
protocol fields to be allowed in display filters.</p>
</div>
<div class="paragraph">
<p>Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the display filter syntax.</p>
</div>
<div class="paragraph">
<p>Compressed file support uses (and therefore requires) the zlib library.
If the zlib library is not present, <strong>Wireshark</strong> will compile, but will
be unable to read compressed files.</p>
</div>
<div class="paragraph">
<p>The pathname of a capture file to be read can be specified with the
<strong>-r</strong> option or can be specified as a command-line argument.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Most users will want to start <strong>Wireshark</strong> without opti