OSTU - Sake Blok on TShark Statistics
1. Welcome to this month's training session from NetCC
Sake Blok on…
TShark's -z statistics
February 2009
Network Analysis Community Center
www.netcc.nl
5. display conversations
• Use -z conv,<type>,<filter>
– type is eth,tr,fc,fddi,ip,ipx,tcp or udp
– filter is used to restrict statistics
$ tshark -r sharkfest-2.cap -q -z conv,ip,tcp.port==25 -z conv,ip,tcp.port==110
================================================================================
IPv4 Conversations
Filter:tcp.port==110
                                    |       <-      | |       ->      | |     Total     |
                                    | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
194.134.35.141 <-> 192.168.1.11         385   27767     401  170073     786  197840
194.134.35.173 <-> 192.168.1.11         312   22421     326  139297     638  161718
194.134.35.133 <-> 192.168.1.11         279   19996     292  117737     571  137733
================================================================================
================================================================================
IPv4 Conversations
Filter:tcp.port==25
                                    |       <-      | |       ->      | |     Total     |
                                    | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
194.134.35.236 <-> 192.168.1.11         467  130230     555   48856    1022  179086
194.134.35.134 <-> 192.168.1.11         399  107720     466   41195     865  148915
194.134.35.235 <-> 192.168.1.11         376  100302     420   35410     796  135712
================================================================================
$
6. display io statistics
• Use -z io,stat,<int>,<filt>,<filt>,…
– int is the interval in seconds
– filt is used for statistics selection
$ tshark -r sharkfest-2.cap -q -z io,stat,300,tcp.port==25,tcp.port==110,'not (tcp.port==25 or tcp.port==110)'
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: tcp.port==25
Column #1: tcp.port==110
Column #2: not (tcp.port==25 or tcp.port==110)
                  | Column #0   | Column #1   | Column #2
Time              |frames| bytes |frames| bytes |frames| bytes
000.000-300.000      561  103365    461  112938     29    2842
300.000-600.000      538   98409    379   93399     40    3920
600.000-900.000      826  122845    433  108430     40    3920
900.000-1200.000     514   94946    375   97153     40    3920
1200.000-1500.000    244   44148    347   85371     20    1960
===================================================================
$
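The interval table lends itself to the same kind of post-processing. The Python script below is an added example, not from the slides and not TShark's own code: it embeds the slide's -z io,stat output as a constructed sample (SAMPLE_IO_OUTPUT, values copied from the table), parses the Interval line, the Column #n definitions and the interval rows, converts bytes to a per-second rate, and flags intervals where one column's byte count rises above a multiple of that column's median. The median baseline and the threshold factor are choices made here for illustration, not anything TShark computes, and the row regex assumes one frames/bytes pair per column as shown here.

```python
"""Post-process `tshark -z io,stat` output (added example, not from the slides)."""
from __future__ import annotations

import re
import statistics

# Constructed sample: the slide's io,stat table, values copied verbatim.
SAMPLE_IO_OUTPUT = """\
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0: tcp.port==25
Column #1: tcp.port==110
Column #2: not (tcp.port==25 or tcp.port==110)
                  | Column #0   | Column #1   | Column #2
Time              |frames| bytes |frames| bytes |frames| bytes
000.000-300.000      561  103365    461  112938     29    2842
300.000-600.000      538   98409    379   93399     40    3920
600.000-900.000      826  122845    433  108430     40    3920
900.000-1200.000     514   94946    375   97153     40    3920
1200.000-1500.000    244   44148    347   85371     20    1960
===================================================================
"""

COLUMN_DEF = re.compile(r"^Column #(\d+):\s*(.+?)\s*$")
# "start-end" followed by frames/bytes pairs, one pair per column
INTERVAL_ROW = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)((?:\s+\d+)+)\s*$")


def parse_io_stat(text: str) -> tuple[float, list[str], list[dict]]:
    """Return (interval seconds, column filters, rows). Each row is
    {"start": s, "end": e, "cells": [(frames, bytes), ...]} in column order."""
    interval = 0.0
    columns: dict[int, str] = {}
    rows: list[dict] = []
    for line in text.splitlines():
        if line.startswith("Interval:"):
            interval = float(line.split(":", 1)[1].split()[0])
            continue
        m = COLUMN_DEF.match(line)
        if m:
            columns[int(m.group(1))] = m.group(2)
            continue
        m = INTERVAL_ROW.match(line)
        if not m:
            continue  # title, separator and header lines
        nums = [int(x) for x in m.group(3).split()]
        if len(nums) != 2 * len(columns):
            raise ValueError(f"expected {2 * len(columns)} numbers in {line!r}")
        rows.append({
            "start": float(m.group(1)), "end": float(m.group(2)),
            "cells": [(nums[2 * i], nums[2 * i + 1]) for i in range(len(columns))],
        })
    return interval, [columns[i] for i in sorted(columns)], rows


def column_totals(rows: list[dict]) -> list[int]:
    """Total bytes per column over every interval."""
    ncols = len(rows[0]["cells"])
    return [sum(r["cells"][i][1] for r in rows) for i in range(ncols)]


def bytes_per_second(interval: float, rows: list[dict], col: int) -> list[float]:
    """Byte rate of one column in each interval."""
    return [r["cells"][col][1] / interval for r in rows]


def flag_bursts(columns: list[str], rows: list[dict], factor: float = 1.5):
    """(filter, start, end, bytes) for intervals whose byte count exceeds
    factor x that column's median over all intervals (a deliberately simple baseline)."""
    flagged = []
    for col, name in enumerate(columns):
        vals = [r["cells"][col][1] for r in rows]
        baseline = statistics.median(vals)
        for r, v in zip(rows, vals):
            if v > factor * baseline:
                flagged.append((name, r["start"], r["end"], v))
    return flagged


if __name__ == "__main__":
    interval, columns, rows = parse_io_stat(SAMPLE_IO_OUTPUT)
    for name, total in zip(columns, column_totals(rows)):
        print(f"{name:40} {total:>8} bytes total")
    for name, start, end, v in flag_bursts(columns, rows, factor=1.2):
        print(f"burst: {name} {start:.0f}-{end:.0f}s {v} bytes")
```

Summing column #0 over the five intervals gives 463713 bytes and column #1 gives 497291, exactly the totals of the three tcp.port==25 and three tcp.port==110 conversations in the earlier table, so the two statistics can be cross-checked against each other. With the default factor of 1.5 nothing is flagged; lowering it to 1.2 singles out the 600-900 s interval for tcp.port==25, which shows how much the result depends on the threshold you pick.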