Protocol analysis based on Wireshark: remote capture
2010-03-10 15:34
Remote capture options

Main reference documents:
/CaptureSetup
/CaptureSetup/Pipes
/articles/2007/01/24/how-to-monitor-packets-from-a-remote-interface/
When using Wireshark we normally either load a saved capture file or capture live from a local network card and analyze the packets. Sometimes, to monitor the network traffic of a remote machine, we need to capture remotely and analyze the captured packets in real time: the traffic is captured on the remote host and wireshark is started locally to analyze it. To achieve this we face the following questions:
1. How to capture on the remote host: is the remote OS windows or linux?
2. How the local and remote hosts are connected: ssh, netcat, or some other protocol?
3. How the remote data reaches the local machine: into a named pipe, or via stdout?
According to the wireshark wiki, there are currently three approaches:

- /Pipes - using a UNIX pipe and use a different tool to capture from
  This article mainly discusses this approach.
- /WinPcapRemote - using [WinPcap]'s remote capturing feature (rpcapd) - currently not supported
  After installing winpcap on windows, the winpcap install directory contains the rpcapd command-line tool, but at the time of writing wireshark itself does not read rpcapd's output; other tools can read it. This approach is limited to the windows operating system.
- RMON - use SNMP's RMON to capture - currently not supported (Packet Capture Using RMON explains why it doesn't work well)
  It is not clear to me how this approach would be used.
Test 1: named pipe on local machine

Using a pipe, feed a libpcap capture file as input to tshark, which then starts analyzing it.

local machine: 192.168.1.86

hank@gts ~ $ mkfifo /tmp/pipe
hank@gts ~ $ ./tshark -i /tmp/pipe &
hank@gts ~ $ cat /home/hank/net-data/ > /tmp/pipe &
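As an added example that is not part of the original post, the following shell functions make the local pipe test above repeatable. They build the 24-byte libpcap 2.4 global header that a pipe reader expects before the first packet record (the "file header" the wiki text in the appendix complains about), and check the magic number of a file before feeding it into the fifo, so that a wrong file does not make tshark give up on the pipe. Link type 1 (Ethernet) and snaplen 65535 in the header are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the libpcap 2.4 global
# header that must enter a pipe before any packet record, and check that a file
# really is libpcap before feeding it to tshark/wireshark. Link type 1 (Ethernet)
# and snaplen 65535 are assumptions; adjust for your captures.

# Emit the 24-byte libpcap global header, little-endian, as tcpdump writes it
# on a little-endian host.
pcap_global_header() {
    printf '\324\303\262\241'   # magic 0xa1b2c3d4 stored LE: d4 c3 b2 a1
    printf '\002\000\004\000'   # version_major=2, version_minor=4
    printf '\000\000\000\000'   # thiszone (GMT offset, 0 in practice)
    printf '\000\000\000\000'   # sigfigs (0 in practice)
    printf '\377\377\000\000'   # snaplen 65535
    printf '\001\000\000\000'   # linktype 1 = LINKTYPE_ETHERNET (assumed)
}

# Return 0 if the file starts with a libpcap magic number in either byte order,
# 1 otherwise (pcapng, which starts with 0a0d0d0a, is rejected here).
pcap_check_magic() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) return 0 ;;
        *) return 1 ;;
    esac
}

# Feed a libpcap file into a named pipe that tshark or wireshark is already
# reading (Test 1 above); refuse anything that is not libpcap, because the
# reader would otherwise fail on the first bytes it gets from the pipe.
feed_pcap_to_pipe() {
    # $1 = libpcap file, $2 = fifo path
    pcap_check_magic "$1" || { echo "$1: not a libpcap file" >&2; return 1; }
    [ -p "$2" ] || mkfifo "$2"
    cat "$1" > "$2"
}

# Usage (start the reader first, then the writer):
#   mkfifo /tmp/pipe; tshark -i /tmp/pipe &
#   feed_pcap_to_pipe capture.pcap /tmp/pipe
```

Start the reader on the fifo first: a writer opening a fifo blocks until a reader has opened it, and tshark only begins dissecting once the global header has arrived.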
Test 2: SSH + pipe

Log in to the remote host with ssh, run the capture command there, and send the captured packets into a named pipe on the local machine; the local tshark (or wireshark) listens on that named pipe and starts analyzing as soon as data arrives.

remote machine: 192.168.1.82
local machine: 192.168.1.86

Open one terminal and run:

hank@gts ~ $ mkfifo /tmp/pipe
hank@gts ~ $ ssh root@192.168.1.82

Open another terminal and run:

hank@gts ~ $ wireshark -k -i /tmp/pipe
In /CaptureSetup/Pipes, the ssh login command did not redirect its output into the pipe, so I edited that wiki page; the edit record is: CaptureSetup/Pipes (last edited 2009-05-14 08:02:36 by hankchan)
Test 3: netcat

This test follows "How to monitor packets from a remote interface in real time". That setup involves three computers and uses netcat: the local machine listens on a port and the remote host sends data to that port.

remote machine: 192.168.1.82
local machine: 192.168.1.86

On the local host run:

hank@gts ~/wireshark-dev/bin $ nc -l -p 3000

On the remote host run:

[root@localhost ~]# cat /dev/urandom | nc 192.168.1.86 3000

Open another terminal on the local host and run:

gts bin # ./tshark -i eth0 -R "tcp.port==3000"
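As an added example that is not part of the original post or the Wireshark wiki, the following script wraps the SSH + pipe procedure of Test 2 and the netcat variant of Test 3 into functions. It assumes tcpdump is installed on the remote host, that the local nc is the traditional netcat with -l -p, and uses placeholder hosts and interface names. The one thing both transports need that the commands above do not show is a capture filter that excludes the transport's own port: otherwise the connection carrying the capture is itself captured, every captured byte generates more traffic to capture, and the stream grows without bound.

```shell
#!/bin/sh
# Added example (not from the original post or the Wireshark wiki): wrappers
# for the "SSH + pipe" (Test 2) and "netcat" (Test 3) remote capture setups.
# Assumptions: tcpdump on the remote host, traditional netcat (-l -p) locally,
# wireshark/tshark locally; hosts and interfaces below are placeholders.

PIPE=/tmp/remote-pipe

# Capture filter for the remote tcpdump. Excluding the transport port is what
# prevents the feedback loop of capturing the capture stream itself.
remote_capture_filter() {
    # $1 = transport port (22 for ssh, the listening port for netcat)
    printf 'not tcp port %s' "$1"
}

# Build the tcpdump command that runs on the remote machine.
#  -s 0  full snaplen, -U packet-buffered (flush per packet, so the local
#  side sees packets immediately), -n no name lookups, -w - libpcap to stdout
remote_tcpdump_cmd() {
    # $1 = remote interface, $2 = transport port
    printf 'tcpdump -i %s -s 0 -U -n -w - "%s"' "$1" "$(remote_capture_filter "$2")"
}

# Remote-side pipeline for the netcat variant: tcpdump output piped to nc.
remote_netcat_cmd() {
    # $1 = remote interface, $2 = local IP, $3 = local listening port
    printf '%s | nc %s %s' "$(remote_tcpdump_cmd "$1" "$3")" "$2" "$3"
}

# Test 2: ssh carries the libpcap stream into the named pipe. Authenticated
# and encrypted; the only network listener involved is the remote sshd.
capture_over_ssh() {
    # $1 = user@host, $2 = remote interface
    [ -p "$PIPE" ] || mkfifo "$PIPE"
    trap 'rm -f "$PIPE"' EXIT INT TERM
    wireshark -k -i "$PIPE" &
    ssh "$1" "$(remote_tcpdump_cmd "$2" 22)" > "$PIPE"
}

# Test 3: netcat carries the stream in the clear to a port anyone who can
# reach this host may connect to. Use only on a trusted segment.
capture_over_netcat() {
    # $1 = local listening port, $2 = remote interface, $3 = this host's IP
    [ -p "$PIPE" ] || mkfifo "$PIPE"
    trap 'rm -f "$PIPE"' EXIT INT TERM
    nc -l -p "$1" > "$PIPE" &
    wireshark -k -i "$PIPE" &
    echo "now run on the remote host: $(remote_netcat_cmd "$2" "$3" "$1")"
}

# Usage:
#   capture_over_ssh root@192.168.1.82 eth0
#   capture_over_netcat 3000 eth0 192.168.1.86
```

The netcat variant has neither authentication nor encryption: whoever can reach the listening port can push arbitrary bytes into the pipe that wireshark then dissects, so the capture stream should never cross an untrusted network. With ssh the only exposed service is sshd, which is one reason the SSH + pipe approach comes out ahead in the summary below.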
In summary, SSH + pipe is an excellent approach to remote capture, provided you can log in to the remote host with ssh and a capture tool is available on the remote host.
The original English text follows:

Step 5: Capture traffic using a remote machine

Make sure you've finished step 4 successfully!

In this step: Don't use your local machine to capture traffic as in the previous steps but use a remote machine to do so.

Remote Capturing is currently very limited:

- /Pipes - using a UNIX pipe and use a different tool to capture from
- /WinPcapRemote - using [WinPcap]'s remote capturing feature (rpcapd) - currently not supported
- RMON - use SNMP's RMON to capture - currently not supported (Packet Capture Using RMON explains why it doesn't work well)

Of course, you can use Wireshark installed on a remote machine in combination with a remote control software (e.g. VNC, Windows Remote Desktop, ...).

XXX - explain special capture filter strings relevant to remote capturing!
Pipes

The following will explain capturing using pipes a bit.

Contents
1. Pipes
2. Named pipes
   Remote Capture
3. Special feeding application
4. Stdin
Before pipes, Wireshark could read the captured packets to display either from a file (which had been previously created) or from a network interface (in real time).

Since pipes are supported, Wireshark can also read packets from another application, and shows them in real time. This is useful if you want to watch a network in real time, and Wireshark cannot capture from that network, e.g. because it is not an Ethernet network, or it is not on the local machine.

There are three main limitations that you should be aware of:

1. It is not currently known whether this works on Windows. If you want to use this on Windows, give it a try and report your results to the development list (and/or update this page). If you want to help testing, you should be able to compile Wireshark from sources.
2. This only works with the de facto standard libpcap format version 2.4, as described in Development/LibpcapFileFormat. Some other formats may work in theory, but this has not been tested.
3. Capturing from a pipe is inconvenient, because you have to set up the pipe and put a file header into the pipe before you can start the capture. A few patches have been mailed to the development list that could solve this, so if you find the approach inconvenient, try the patches.