
tshark can be thought of as the command-line version of Wireshark.

Large packet dump files are hard to analyze in Wireshark because of processing speed.

In that case, using tshark solves the speed problem.

Of course, for those who are not used to it, the command line brings its own inconvenience.

First, let's generate some statistics.

In tshark, statistics are generated with the -z option.

When using the -z option, it is best to also use -q.

Without -q, the full packet list is printed as well; with -q, only the statistics result is printed.

$ tshark -r test.pcap -qz ip_hosts,tree

===================================================================
 IP Addresses            value          rate         percent
-------------------------------------------------------------------
 IP Addresses          831697       0.149173               
  10.111.165.217          2992       0.000537           0.36%
  180.210.36.66         186291       0.033413          22.40%
  172.18.117.104        136719       0.024522          16.44%
  180.210.36.70         383105       0.068713          46.06%
  172.19.201.171           895       0.000161           0.11%
  172.17.169.67              6       0.000001           0.00%
  10.1.102.52               18       0.000003           0.00%
  180.210.36.68         259791       0.046596          31.24%
  210.218.0.74              72       0.000013           0.01%
  180.210.36.72             72       0.000013           0.01%
   ....

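On a large capture the ip_hosts,tree table runs to thousands of rows, so it is worth post-processing it instead of reading it by eye. The following is an added example, not code from the original post: it builds the `tshark -r <pcap> -q -z <stat>[,<filter>]` argument list, runs tshark when a pcap path is given, and parses the ip_hosts,tree table into the top talkers. The names `stat_args`, `run_stat`, `parse_ip_hosts` and `top_talkers` are this example's own; the embedded sample is a trimmed copy of the output shown above. Because the filter is appended to the -z spec as one argv element, no shell quoting is needed, and the same `stat_args` helper serves the filtered http,stat and io,stat forms used later in the post.

```python
"""Run a tshark -z statistic and parse the ip_hosts,tree table.

Added example (not from the original post). tshark is only needed on PATH
for run_stat(); the parser works on captured text and is exercised below on
a trimmed copy of the output shown in the post.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Rows of interest start with a dotted-quad address; ipv6_hosts,tree is not handled here.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def stat_args(pcap: str, stat: str, display_filter: Optional[str] = None) -> List[str]:
    """Build the argv for `tshark -r <pcap> -q -z <stat>[,<filter>]`.

    The post quotes the filter ("ip.addr==1.1.1.0/24") so the shell keeps it
    as one word; with an argv list no shell is involved, so the filter is
    simply appended to the -z spec.
    """
    spec = stat if display_filter is None else f"{stat},{display_filter}"
    return ["tshark", "-r", pcap, "-q", "-z", spec]


def run_stat(pcap: str, stat: str, display_filter: Optional[str] = None) -> str:
    """Invoke tshark and return its stdout (requires tshark on PATH)."""
    proc = subprocess.run(stat_args(pcap, stat, display_filter),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_ip_hosts(text: str) -> List[Tuple[str, int, float, float]]:
    """Parse an ip_hosts,tree table into (address, frames, rate, percent).

    Only rows whose first token is an IPv4 address are kept, which skips the
    header, the separator lines and the totals row ("IP Addresses ...").
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not IPV4.match(parts[0]):
            continue
        percent = float(parts[3].rstrip("%")) if len(parts) > 3 else 0.0
        rows.append((parts[0], int(parts[1]), float(parts[2]), percent))
    return rows


def top_talkers(text: str, n: int = 5) -> List[Tuple[str, int, float]]:
    """Return the n addresses with the most frames as (address, frames, percent).

    ip_hosts counts a frame once for its source and once for its destination,
    so the percentages of all rows add up to more than 100%.
    """
    rows = sorted(parse_ip_hosts(text), key=lambda r: r[1], reverse=True)
    return [(ip, frames, pct) for ip, frames, _rate, pct in rows[:n]]


# Trimmed copy of the ip_hosts,tree output shown in the post, embedded so the
# parser can be exercised offline without a pcap.
SAMPLE_IP_HOSTS = """\
===================================================================
 IP Addresses            value          rate         percent
-------------------------------------------------------------------
 IP Addresses          831697       0.149173
  10.111.165.217          2992       0.000537           0.36%
  180.210.36.66         186291       0.033413          22.40%
  172.18.117.104        136719       0.024522          16.44%
  180.210.36.70         383105       0.068713          46.06%
  180.210.36.68         259791       0.046596          31.24%
===================================================================
"""

if __name__ == "__main__":
    import sys
    # With a pcap argument, run tshark for real; otherwise use the sample.
    text = run_stat(sys.argv[1], "ip_hosts,tree") if len(sys.argv) > 1 else SAMPLE_IP_HOSTS
    for ip, frames, pct in top_talkers(text, 3):
        print(f"{ip:<18} {frames:>8} {pct:6.2f}%")
```

Run it as `python script.py test.pcap` to rank the hosts of a real capture, or with no argument to see the ranking for the sample, where 180.210.36.70 (46.06%) comes first.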
$ tshark -r test.pcap -qz io,phs

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:831697 bytes:873284461
  ip                                     frames:831697 bytes:873284461
    tcp                                  frames:831625 bytes:873275440
      http                               frames:9337 bytes:4632048
        media                            frames:3844 bytes:2834737
          tcp.segments                   frames:3309 bytes:2546845
        data-text-lines                  frames:1123 bytes:679796
          tcp.segments                   frames:49 bytes:11697
        malformed                        frames:5 bytes:275
        tcp.segments                     frames:61 bytes:3330
    udp                                  frames:72 bytes:9021
      dns                                frames:72 bytes:9021
===================================================================

$ tshark -r test.pcap -qz http,tree

===================================================================
 HTTP/Packet Counter                 value              rate         percent
-------------------------------------------------------------------
 Total HTTP Packets                  9332       0.001674               
  HTTP Request Packets                4628       0.000830          49.59%
   GET                                 4140       0.000743          89.46%
   HEAD                                   6       0.000001           0.13%
   POST                                 482       0.000086          10.41%
  HTTP Response Packets               4595       0.000824          49.24%
   ???: broken                            0       0.000000           0.00%
   1xx: Informational                     0       0.000000           0.00%
   2xx: Success                        4568       0.000819          99.41%
    200 OK                              4568       0.000819         100.00%
   3xx: Redirection                       0       0.000000           0.00%
   4xx: Client Error                     26       0.000005           0.57%
    404 Not Found                         26       0.000005         100.00%
   5xx: Server Error                      1       0.000000           0.02%
    500 Internal Server Error              1       0.000000         100.00%
  Other HTTP Packets                   109       0.000020           1.17%

===================================================================

$ tshark -r test.pcap -qz http,stat,
(Note: be sure to include the trailing comma when typing this!!)

===================================================================
HTTP Statistics
* HTTP Status Codes in reply packets
    HTTP 500 Internal Server Error
    HTTP 200 OK
    HTTP 404 Not Found
* List of HTTP Request methods
        HEAD  6
         GET  4140
        POST  482
===================================================================

With http,stat, you can also add a filter after it.

For example,

entering http,stat,"ip.addr==1.1.1.0/24" gives the HTTP statistics for 1.1.1.0/24.

$ tshark -r test.pcap -qz io,stat,60

===================================================================
IO Statistics
Interval: 60.000 secs
Column #0:
                |   Column #0   
Time            |frames|  bytes 
000.000-060.000  140605 142211597
060.000-120.000      53      8699
120.000-180.000      16      2941
180.000-240.000       8      2041
240.000-300.000   12031  12911763
300.000-360.000   12657  12789234
360.000-420.000      10      2425
420.000-480.000    3979   3991364

.....

The trailing 60 means 60 seconds, so the statistics are generated in 60-second intervals.

A filter can also be added after the 60.

For example,

-qz io,stat,60,"ip.addr==1.1.1.0/24" generates the statistics for that address range only.

If you want to see when a particular protocol was communicating, entering just the protocol name as the filter is enough.

-qz io,stat,60,"dns"

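Rather than scanning the io,stat table for the intervals that stand out, the output can be parsed and the bursts flagged automatically. The following is an added example, not code from the post: it parses the fixed-width io,stat table into intervals (one frames/bytes pair per -z column, so it also covers the filtered forms above) and flags every interval whose byte count is more than five times the median, using the rows shown above as an offline sample. The names `Interval`, `parse_io_stat`, `bursty_intervals` and `total_frames` are this example's own, and it assumes the table layout shown in the post; newer tshark releases print a pipe-delimited table that this parser does not handle.

```python
"""Parse tshark `io,stat,<interval>` output and flag bursty intervals.

Added example (not from the original post). Assumes the fixed-width layout
shown in the post: a "start-end" time range followed by one "frames bytes"
pair per -z column.
"""
import re
from statistics import median
from typing import List, NamedTuple, Tuple


class Interval(NamedTuple):
    start: float                      # seconds since the first frame
    end: float
    columns: List[Tuple[int, int]]    # one (frames, bytes) pair per -z column


# e.g. "000.000-060.000  140605 142211597"; header lines do not match.
ROW = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)\s+((?:\d+\s*)+)$")


def parse_io_stat(text: str) -> List[Interval]:
    """Turn the io,stat table into Interval records, skipping the headers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        nums = [int(n) for n in m.group(3).split()]
        pairs = list(zip(nums[0::2], nums[1::2]))   # (frames, bytes) per column
        rows.append(Interval(float(m.group(1)), float(m.group(2)), pairs))
    return rows


def bursty_intervals(rows: List[Interval], column: int = 0,
                     factor: float = 5.0) -> List[float]:
    """Return the start times of intervals whose byte count exceeds
    `factor` times the median byte count of that column.

    The median is the baseline because one huge interval (like the first one
    in the sample) would drag a mean-based threshold up and hide the smaller
    bursts that follow it.
    """
    byte_counts = [r.columns[column][1] for r in rows]
    if not byte_counts:
        return []
    threshold = factor * median(byte_counts)
    return [r.start for r in rows if r.columns[column][1] > threshold]


def total_frames(rows: List[Interval], column: int = 0) -> int:
    """Sum the frame counts of one column over all parsed intervals."""
    return sum(r.columns[column][0] for r in rows)


# The io,stat,60 rows shown in the post, embedded as an offline sample.
SAMPLE_IO_STAT = """\
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-060.000  140605 142211597
060.000-120.000      53      8699
120.000-180.000      16      2941
180.000-240.000       8      2041
240.000-300.000   12031  12911763
300.000-360.000   12657  12789234
360.000-420.000      10      2425
420.000-480.000    3979   3991364
"""

if __name__ == "__main__":
    import sys
    # Pass a file holding saved io,stat output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IO_STAT
    rows = parse_io_stat(text)
    print(f"{len(rows)} intervals, {total_frames(rows)} frames")
    for start in bursty_intervals(rows):
        print(f"burst starting at {start:.0f}s")
```

Save the tshark output with `tshark -r test.pcap -qz io,stat,60 > io.txt` and run `python script.py io.txt`; on the sample rows the intervals starting at 0, 240 and 300 seconds are flagged, while the 420-second interval stays under the threshold.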
Let's also look at the other options available (from tshark's own usage text):

-z argument must be one of :
     afp,srt
     ancp,tree
     ansi_a,bsmap
     ansi_a,dtap
     ansi_map
     asap,stat
     bacapp_instanceid,tree
     bacapp_ip,tree
     bacapp_objectid,tree
     bacapp_service,tree
     calcappprotocol,stat
     camel,counter
     camel,srt
     collectd,tree
     componentstatusprotocol,stat
     conv,bluetooth
     conv,dccp
     conv,eth
     conv,fc
     conv,fddi
     conv,ip
     conv,ipv6
     conv,ipx
     conv,jxta
     conv,mptcp
     conv,ncp
     conv,rsvp
     conv,sctp
     conv,sll
     conv,tcp
     conv,tr
     conv,udp
     conv,usb
     conv,wlan
     conv,wpan
     conv,zbee_nwk
     credentials
     dcerpc,srt
     dests,tree
     dhcp,stat
     diameter,avp
     diameter,srt
     dns,tree
     endpoints,bluetooth
     endpoints,dccp
     endpoints,eth
     endpoints,fc
     endpoints,fddi
     endpoints,ip
     endpoints,ipv6
     endpoints,ipx
     endpoints,jxta
     endpoints,mptcp
     endpoints,ncp
     endpoints,rsvp
     endpoints,sctp
     endpoints,sll
     endpoints,tcp
     endpoints,tr
     endpoints,udp
     endpoints,usb
     endpoints,wlan
     endpoints,wpan
     endpoints,zbee_nwk
     enrp,stat
     expert
     f1ap,tree
     f5_tmm_dist,tree
     f5_virt_dist,tree
     fc,srt
     flow,any
     flow,icmp
     flow,icmpv6
     flow,lbm_uim
     flow,tcp
     follow,dccp
     follow,http
     follow,http2
     follow,quic
     follow,sip
     follow,tcp
     follow,tls
     follow,udp
     fractalgeneratorprotocol,stat
     gsm_a
     gsm_a,bssmap
     gsm_a,dtap_cc
     gsm_a,dtap_gmm
     gsm_a,dtap_mm
     gsm_a,dtap_rr
     gsm_a,dtap_sacch
     gsm_a,dtap_sm
     gsm_a,dtap_sms
     gsm_a,dtap_ss
     gsm_a,dtap_tp
     gsm_map,operation
     gtp,srt
     h225,counter
     h225_ras,rtd
     hart_ip,tree
     hosts
     hpfeeds,tree
     http,stat
     http,tree
     http2,tree
     http_req,tree
     http_seq,tree
     http_srv,tree
     icmp,srt
     icmpv6,srt
     io,phs
     io,stat
     ip_hosts,tree
     ip_srcdst,tree
     ipv6_dests,tree
     ipv6_hosts,tree
     ipv6_ptype,tree
     ipv6_srcdst,tree
     isup_msg,tree
     lbmr_queue_ads_queue,tree
     lbmr_queue_ads_source,tree
     lbmr_queue_queries_queue,tree
     lbmr_queue_queries_receiver,tree
     lbmr_topic_ads_source,tree
     lbmr_topic_ads_topic,tree
     lbmr_topic_ads_transport,tree
     lbmr_topic_queries_pattern,tree
     lbmr_topic_queries_pattern_receiver,tree
     lbmr_topic_queries_receiver,tree
     lbmr_topic_queries_topic,tree
     ldap,srt
     mac-lte,stat
     megaco,rtd
     mgcp,rtd
     mtp3,msus
     ncp,srt
     ngap,tree
     npm,stat
     osmux,tree
     pingpongprotocol,stat
     plen,tree
     proto,colinfo
     ptype,tree
     radius,rtd
     rlc-lte,stat
     rpc,programs
     rpc,srt
     rtp,streams
     rtsp,stat
     rtsp,tree
     sametime,tree
     scsi,srt
     sctp,stat
     sip,stat
     smb,sids
     smb,srt
     smb2,srt
     smpp_commands,tree
     snmp,srt
     ssprotocol,stat
     sv
     ucp_messages,tree
     wsp,stat

Another site worth referring to is

http://www.packetlevel.ch/html/tshark/tsharkfilt.html
