【Question title】: rawshark output format for 802.11 and radiotap headers
【Posted】: 2012-12-31 16:34:08
【Question】:

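I would like to use rawshark to read packets from a pipe and print some useful information for me.

Here is the scenario.

1. A remote machine with a wireless interface in monitor mode captures with tcpdump and pipes the output to netcat.

2. Another remote machine reads the netcat stream from machine 1 and pipes the data to rawshark.

3. rawshark must output the parsed information in a format that is useful to me.

So far, I have tried piping previously captured data (a local file) to rawshark, and that works fine (cat test.pcap | rawshark -s -r - -d encap:105).
But I can't find the right values for the "-F" flag to make it show the packet's source MAC address and radiotap header information such as signal strength. I am trying -F wlan.sa -F radiotap.dbm_antsignal.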

【Comments on the question】:

    Tags: wireshark tcpdump wifi


    【Answer 1】:

    Set the option -d proto:radiotap (replace encap:105 with proto:radiotap).

    About the -F option, the manual says:

     -F <field to display>
    
     Add the matching field to the output. Fields are any valid display filter field. More  than one -F flag may be specified, and each field can match multiple times in a given packet. A single field may be specified per -F flag. If you want to apply a display filter, use the -R flag.
    

    Edit: I found ftp://ftp-khujand.tj/Soft/wireshark-1.1.3.u3p/device/rawshark.html , which points to http://www.cse.yorku.ca/tdb/_doc.php/userg/man/name/wireshark-filter.4/section/4 ; these should be the applicable filter fields:

     IEEE 802.11 Radiotap Capture header (radiotap)
           radiotap.antenna  Antenna
               Unsigned 32-bit integer
               Antenna number this frame was sent/received over (starting at 0)
    
           radiotap.channel  Channel
               Unsigned 32-bit integer
               802.11 channel number that this frame was sent/received on
    
           radiotap.channel.freq  Channel frequency
               Unsigned 32-bit integer
               Channel frequency in megahertz that this frame was sent/received on
    
           radiotap.channel.type  Channel type
               Unsigned 16-bit integer
               Channel type
    
           radiotap.channel.type.2ghz  2 GHz spectrum
               Boolean
               Channel Type 2 GHz spectrum
    
           radiotap.channel.type.5ghz  5 GHz spectrum
               Boolean
               Channel Type 5 GHz spectrum
    
           radiotap.channel.type.cck  Complementary Code Keying (CCK)
               Boolean
               Channel Type Complementary Code Keying (CCK) Modulation
    
           radiotap.channel.type.dynamic  Dynamic CCK-OFDM
               Boolean
               Channel Type Dynamic CCK-OFDM Channel
    
           radiotap.channel.type.gfsk  Gaussian Frequency Shift Keying (GFSK)
               Boolean
               Channel Type Gaussian Frequency Shift Keying (GFSK) Modulation
    
           radiotap.channel.type.gsm  GSM (900MHz)
               Boolean
               Channel Type GSM
    
           radiotap.channel.type.half  Half Rate Channel (10MHz Channel Width)
               Boolean
               Channel Type Half Rate
    
           radiotap.channel.type.ofdm  Orthogonal Frequency-Division Multiplexing (OFDM)
               Boolean
               Channel Type Orthogonal Frequency-Division Multiplexing (OFDM)
    
           radiotap.channel.type.passive  Passive
               Boolean
               Channel Type Passive
    
           radiotap.channel.type.quarter  Quarter Rate Channel (5MHz Channel Width)
               Boolean
               Channel Type Quarter Rate
    
           radiotap.channel.type.sturbo  Static Turbo
               Boolean
               Channel Type Status Turbo
    
           radiotap.channel.type.turbo  Turbo
               Boolean
               Channel Type Turbo
    
           radiotap.channel.xtype.passive  Passive
               Boolean
               Channel Type Passive
    
           radiotap.datarate  Data rate
               Unsigned 32-bit integer
               Speed this frame was sent/received at
    
           radiotap.db_antnoise  SSI Noise (dB)
               Unsigned 32-bit integer
               RF noise power at the antenna from a fixed, arbitrary value in decibels
    
           radiotap.db_antsignal  SSI Signal (dB)
               Unsigned 32-bit integer
               RF signal power at the antenna from a fixed, arbitrary value in decibels
    
           radiotap.db_txattenuation  Transmit attenuation (dB)
               Unsigned 16-bit integer
               Transmit power expressed as decibels from max power set at factory (0 is max power)
    
           radiotap.dbm_antsignal  SSI Signal (dBm)
               Signed 32-bit integer
               RF signal power at the antenna from a fixed, arbitrary value in decibels from one milliwatt
    
           radiotap.fcs  802.11 FCS
               Unsigned 32-bit integer
               Frame check sequence of this frame
    
           radiotap.fcs_bad  Bad FCS
               Boolean
               Specifies if this frame has a bad frame check sequence
    
           radiotap.fhss.hopset  FHSS Hop Set
               Unsigned 8-bit integer
               Frequency Hopping Spread Spectrum hopset
    
           radiotap.fhss.pattern  FHSS Pattern
               Unsigned 8-bit integer
               Frequency Hopping Spread Spectrum hop pattern
    
           radiotap.flags  Flags
               Unsigned 8-bit integer
    
           radiotap.flags.badfcs  Bad FCS
               Boolean
               Frame received with bad FCS
    
           radiotap.flags.cfp  CFP
               Boolean
               Sent/Received during CFP
    
           radiotap.flags.datapad  Data Pad
               Boolean
               Frame has padding between 802.11 header and payload
    
           radiotap.flags.fcs  FCS at end
               Boolean
               Frame includes FCS at end
    
           radiotap.flags.frag  Fragmentation
               Boolean
               Sent/Received with fragmentation
    
           radiotap.flags.preamble  Preamble
               Boolean
               Sent/Received with short preamble
    
           radiotap.flags.shortgi  Short GI
               Boolean
               Frame Sent/Received with HT short Guard Interval
    
           radiotap.flags.wep  WEP
               Boolean
               Sent/Received with WEP encryption
    
           radiotap.length  Header length
               Unsigned 16-bit integer
               Length of header including version, pad, length and data fields
    
           radiotap.mactime  MAC timestamp
               Unsigned 64-bit integer
                Value in microseconds of the MAC's Time Synchronization Function timer when the first bit of the MPDU arrived at the MAC.
    
           radiotap.pad  Header pad
               Unsigned 8-bit integer
               Padding
    
           radiotap.present  Present flags
               Unsigned 32-bit integer
               Bitmask indicating which fields are present
    
           radiotap.present.antenna  Antenna
               Boolean
               Specifies if the antenna number field is present
    
           radiotap.present.channel  Channel
               Boolean
               Specifies if the transmit/receive frequency field is present
    
           radiotap.present.db_antnoise  DB Antenna Noise
               Boolean
               Specifies if the RF signal power at antenna in dBm field is present
    
           radiotap.present.db_antsignal  DB Antenna Signal
               Boolean
               Specifies if the RF signal power at antenna in dB field is present
    
           radiotap.present.db_tx_attenuation  DB TX Attenuation
               Boolean
               Specifies if the transmit power from max power (in dB) field is present
    
           radiotap.present.dbm_antnoise  DBM Antenna Noise
               Boolean
               Specifies if the RF noise power at antenna field is present
    
           radiotap.present.dbm_antsignal  DBM Antenna Signal
               Boolean
               Specifies if the antenna signal strength in dBm is present
    
           radiotap.present.dbm_tx_attenuation  DBM TX Attenuation
               Boolean
               Specifies if the transmit power from max power (in dBm) field is present
    
           radiotap.present.ext  Ext
               Boolean
               Specifies if there are any extensions to the header present
    
           radiotap.present.fcs  FCS in header
               Boolean
               Specifies if the FCS field is present
    
           radiotap.present.fhss  FHSS
               Boolean
               Specifies if the hop set and pattern is present for frequency hopping radios
    
           radiotap.present.flags  Flags
               Boolean
               Specifies if the channel flags field is present
    
           radiotap.present.lock_quality  Lock Quality
               Boolean
               Specifies if the signal quality field is present
    
           radiotap.present.rate  Rate
               Boolean
               Specifies if the transmit/receive rate field is present
    
           radiotap.present.rxflags  RX flags
               Boolean
               Specifies if the RX flags field is present
    
           radiotap.present.tsft  TSFT
               Boolean
               Specifies if the Time Synchronization Function Timer field is present
    
           radiotap.present.tx_attenuation  TX Attenuation
               Boolean
               Specifies if the transmit power from max power field is present
    
           radiotap.present.xchannel  Channel+
               Boolean
               Specifies if the extended channel info field is present
    
           radiotap.quality  Signal Quality
               Unsigned 16-bit integer
               Signal quality (unitless measure)
    
           radiotap.rxflags  RX flags
               Unsigned 16-bit integer
    
           radiotap.rxflags.badplcp  Bad PLCP
               Boolean
               Frame with bad PLCP
    
           radiotap.txattenuation  Transmit attenuation
               Unsigned 16-bit integer
               Transmit power expressed as unitless distance from max power set at factory (0 is max power)
    
           radiotap.txpower  Transmit power
               Signed 32-bit integer
               Transmit power in decibels per one milliwatt (dBm)
    
           radiotap.version  Header revision
               Unsigned 8-bit integer
               Version of radiotap header format
    
           radiotap.xchannel  Channel number
               Unsigned 32-bit integer
    
           radiotap.xchannel.flags  Channel type
               Unsigned 32-bit integer
    
           radiotap.xchannel.freq  Channel frequency
               Unsigned 32-bit integer
    
           radiotap.xchannel.type.2ghz  2 GHz spectrum
               Boolean
               Channel Type 2 GHz spectrum
    
           radiotap.xchannel.type.5ghz  5 GHz spectrum
               Boolean
               Channel Type 5 GHz spectrum
    
           radiotap.xchannel.type.cck  Complementary Code Keying (CCK)
               Boolean
               Channel Type Complementary Code Keying (CCK) Modulation
    
           radiotap.xchannel.type.dynamic  Dynamic CCK-OFDM
               Boolean
               Channel Type Dynamic CCK-OFDM Channel
    
           radiotap.xchannel.type.gfsk  Gaussian Frequency Shift Keying (GFSK)
               Boolean
               Channel Type Gaussian Frequency Shift Keying (GFSK) Modulation
    
           radiotap.xchannel.type.gsm  GSM (900MHz)
               Boolean
               Channel Type GSM
    
           radiotap.xchannel.type.half  Half Rate Channel (10MHz Channel Width)
               Boolean
               Channel Type Half Rate
    
           radiotap.xchannel.type.ht20  HT Channel (20MHz Channel Width)
               Boolean
               Channel Type HT/20
    
           radiotap.xchannel.type.ht40d  HT Channel (40MHz Channel Width with Extension channel below)
               Boolean
               Channel Type HT/40-
    
           radiotap.xchannel.type.ht40u  HT Channel (40MHz Channel Width with Extension channel above)
               Boolean
               Channel Type HT/40+
    
           radiotap.xchannel.type.ofdm  Orthogonal Frequency-Division Multiplexing (OFDM)
               Boolean
               Channel Type Orthogonal Frequency-Division Multiplexing (OFDM)
    
           radiotap.xchannel.type.quarter  Quarter Rate Channel (5MHz Channel Width)
               Boolean
               Channel Type Quarter Rate
    
           radiotap.xchannel.type.sturbo  Static Turbo
               Boolean
               Channel Type Status Turbo
    
           radiotap.xchannel.type.turbo  Turbo
               Boolean
               Channel Type Turbo
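
What the two requested fields correspond to on the wire, as an added example that is not part of the original answer or of Wireshark: radiotap.dbm_antsignal is located by walking the radiotap.present bitmask within radiotap.length, and wlan.sa is picked from the 802.11 addresses by the ToDS/FromDS bits. The function names and the sample frame are constructed for illustration; field sizes and alignments follow the radiotap specification.

```python
import struct

# (size, alignment) in bytes for radiotap present bits 0..5, per the radiotap spec:
# TSFT, Flags, Rate, Channel, FHSS, dBm antenna signal
FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]
DBM_ANTSIGNAL_BIT = 5

def parse_frame(pkt: bytes):
    """Return (source MAC or None, dBm signal or None) for a radiotap + 802.11 frame."""
    if len(pkt) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or not 8 <= length <= len(pkt):
        raise ValueError("bad radiotap version or length")
    offset, word = 8, present
    while word & (1 << 31):  # radiotap.present.ext: another bitmask word follows
        if offset + 4 > length:
            raise ValueError("present bitmask runs past radiotap.length")
        (word,) = struct.unpack_from("<I", pkt, offset)
        offset += 4
    signal = None
    for bit, (size, align) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) & ~(align - 1)  # natural alignment from header start
        if offset + size > length:
            raise ValueError("field runs past radiotap.length")
        if bit == DBM_ANTSIGNAL_BIT:
            (signal,) = struct.unpack_from("<b", pkt, offset)  # signed 8-bit dBm
        offset += size
    return source_address(pkt[length:]), signal

def source_address(dot11: bytes):
    """SA of a management or data frame, chosen by ToDS/FromDS; None otherwise."""
    if len(dot11) < 24 or (dot11[0] >> 2) & 3 not in (0, 2):
        return None  # too short, or a control/extension frame
    to_ds, from_ds = dot11[1] & 1, dot11[1] & 2
    start = 24 if (to_ds and from_ds) else 16 if from_ds else 10  # addr4 / addr3 / addr2
    raw = dot11[start:start + 6]
    return ":".join(f"{b:02x}" for b in raw) if len(raw) == 6 else None

# Constructed sample: radiotap (Flags, Rate, Channel 2437 MHz, -42 dBm) + FromDS data frame
SAMPLE = bytes.fromhex(
    "00000f002e000000" "00028509a000d6"
    "08020000" "020000000001" "020000000002" "020000000003" "0000")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

A frame whose present bitmask lacks bit 5 yields None for the signal, which corresponds to a packet on which -F radiotap.dbm_antsignal has nothing to match.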
    

    【Comments】:
