Traffic Analysis and Processing


Zeek

Official installation guide (Docker or Linux packages): https://docs.zeek.org/en/current/install.html

The method used in the end (adding the openSUSE Build Service package repository): https://build.opensuse.org/package/show/security:zeek/zeek https://software.opensuse.org//download.html?project=security%3Azeek&package=zeek

Zeek manual, conn.log reference: https://docs.zeek.org/en/v5.1.0/logs/conn.html

Analysis:

zeek -C -r new.pcap  # -r reads the pcap offline instead of sniffing an interface; -C ignores bad IP/TCP/UDP checksums (captures taken on a host with checksum offload are full of them), otherwise Zeek skips those packets. The logs (conn.log, dns.log, http.log, ...) are written to the current directory.
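The first thing to do with the output of that command is read conn.log. The following is an added example, not code from the original post or from Zeek: a small reader for the conn.log TSV format (header lines, the #fields/#types rows, "-" for unset values) and two summaries an analyst usually wants first, top talkers and hosts with many unanswered TCP connection attempts (conn_state S0). The log excerpt, hosts, UIDs and the three-attempt threshold are constructed for this example; only the file layout and field names are Zeek's.

```python
# Added example, not code from the original post or from Zeek.
from collections import Counter


def _line(*cols):
    return "\t".join(cols)


# Constructed conn.log excerpt; layout and field names follow the documented format.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _line("#set_separator", ","),
    _line("#empty_field", "(empty)"),
    _line("#unset_field", "-"),
    _line("#path", "conn"),
    _line("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
          "resp_ip_bytes", "tunnel_parents"),
    _line("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string",
          "interval", "count", "count", "string", "bool", "bool", "count", "string", "count",
          "count", "count", "count", "set[string]"),
    _line("1697346000.252265", "Ca1", "10.0.0.5", "51234", "93.184.216.34", "80", "tcp", "http",
          "0.512", "430", "5120", "SF", "T", "F", "0", "ShADadFf", "6", "750", "7", "5480", "-"),
    _line("1697346001.100000", "Ca2", "10.0.0.5", "51235", "93.184.216.34", "443", "tcp", "ssl",
          "2.000", "900", "20000", "SF", "T", "F", "0", "ShADadFf", "12", "1500", "20", "21000", "-"),
    _line("1697346002.000000", "Ca3", "10.0.0.9", "40000", "10.0.0.1", "22", "tcp", "-",
          "-", "-", "-", "S0", "T", "T", "0", "S", "1", "60", "0", "0", "-"),
    _line("1697346002.010000", "Ca4", "10.0.0.9", "40001", "10.0.0.1", "23", "tcp", "-",
          "-", "-", "-", "S0", "T", "T", "0", "S", "1", "60", "0", "0", "-"),
    _line("1697346002.020000", "Ca5", "10.0.0.9", "40002", "10.0.0.1", "445", "tcp", "-",
          "-", "-", "-", "S0", "T", "T", "0", "S", "1", "60", "0", "0", "-"),
    _line("1697346003.000000", "Ca6", "10.0.0.7", "5353", "224.0.0.251", "5353", "udp", "dns",
          "-", "80", "0", "S0", "T", "F", "0", "D", "1", "108", "0", "0", "-"),
    _line("#close", "2023-10-15-13-15-00"),
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the #fields names. Unset fields ('-')
    become None; count/port/int become int, time/interval/double float, bool True/False."""
    fields, types, unset = None, None, "-"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue  # #separator, #path, #open, #close carry no records
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        cols = types or ["string"] * len(fields)
        rec = {}
        for name, typ, val in zip(fields, cols, values):
            if val == unset:
                rec[name] = None
            elif typ in ("count", "port", "int"):
                rec[name] = int(val)
            elif typ in ("time", "interval", "double"):
                rec[name] = float(val)
            elif typ == "bool":
                rec[name] = val == "T"
            else:
                rec[name] = val
        yield rec


def bytes_by_originator(records):
    """Total orig_bytes + resp_bytes per originating host (top talkers)."""
    totals = Counter()
    for r in records:
        totals[r["id.orig_h"]] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    return totals


def probable_scanners(records, min_attempts=3):
    """Hosts with at least min_attempts TCP connections in state S0 (SYN seen, never
    answered), a first indicator of port probing. The threshold is this example's choice."""
    s0 = Counter(r["id.orig_h"] for r in records
                 if r["proto"] == "tcp" and r["conn_state"] == "S0")
    return sorted(h for h, n in s0.items() if n >= min_attempts)


if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE_CONN_LOG))
    print(bytes_by_originator(recs).most_common(3))
    print(probable_scanners(recs))
```

To run it on a real log, replace SAMPLE_CONN_LOG with the contents of conn.log; the parser only trusts the #fields and #types rows, so it also copes with logs whose field set has been customised by a Zeek script.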

Wireshark

Filter by IP

ip.src == 113.54.243.163  # source
ip.dst == 113.54.243.163  # destination
ip.addr == 113.54.243.163  # source or destination
ip.src_host  # reverse-resolved hostname of the source address (only populated when name resolution is enabled)

Filter by port

tcp.port == 80  # source or destination port
tcp.srcport == 80
tcp.dstport == 80
udp.port == 80  # the UDP equivalent; udp.srcport / udp.dstport work the same way

Filter by protocol

arp  # only ARP
!arp  # everything except ARP

Filter by MAC

eth.src  # e.g. eth.src == 00:11:22:33:44:55
eth.dst
eth.addr  # source or destination

Filter by packet length

udp.length  # the UDP Length field: the fixed 8-byte UDP header plus the UDP payload
tcp.len  # TCP segment length: the TCP payload only, the TCP header is not included
ip.len  # the IPv4 Total Length field: from the start of the IP header to the end of the IP payload, i.e. everything after the 14-byte Ethernet header in a frame without padding or trailer
frame.len  # length of the whole frame on the wire, from the Ethernet header to the end

Two caveats: frames shorter than 60 bytes are padded by the NIC, so frame.len can exceed 14 + ip.len for small packets; and when a capture was taken with a snaplen (as with the 96-byte limit in the capinfos output further down), frame.len still reports the original length while frame.cap_len is what was actually saved.
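Reading these four lengths back from actual header bytes makes the relationships concrete. The block below is an added example, not code from the original post or from Wireshark: it builds an Ethernet/IPv4 frame carrying TCP or UDP in memory and computes frame.len, ip.len, tcp.len and udp.length exactly as the display-filter fields define them, including the Ethernet padding case where frame.len is larger than 14 + ip.len. Addresses, ports and payloads are constructed for the example.

```python
# Added example, not code from the original post or from Wireshark.
import struct

ETH_HDR_LEN = 14
MIN_ETH_FRAME = 60  # minimum Ethernet frame length on the wire, excluding the FCS


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with a correct checksum; Total Length = 20 + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def tcp_segment(sport, dport, payload):
    """20-byte TCP header (data offset 5, PSH|ACK) plus payload; checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload):
    """8-byte UDP header; its Length field already counts the header itself."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ethernet_frame(ip_packet):
    """Wrap in an Ethernet II header (EtherType 0x0800) and pad short frames to
    60 bytes the way a NIC does; that padding is what makes frame.len larger
    than 14 + ip.len for small packets."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_packet
    return frame.ljust(MIN_ETH_FRAME, b"\x00")


def build_tcp_frame(payload):
    seg = tcp_segment(51234, 80, payload)
    return ethernet_frame(ipv4_header("10.0.0.5", "93.184.216.34", 6, len(seg)) + seg)


def build_udp_frame(payload):
    dg = udp_datagram(5353, 53, payload)
    return ethernet_frame(ipv4_header("10.0.0.5", "10.0.0.1", 17, len(dg)) + dg)


def wireshark_lengths(frame):
    """Return the lengths as Wireshark's display-filter fields report them."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", ip[2:4])[0]  # IPv4 Total Length: header + payload
    out = {"frame.len": len(frame), "ip.len": ip_len}
    l4 = ip[ihl:ip_len]  # slicing to ip_len drops any Ethernet padding after the datagram
    if ip[9] == 6:  # TCP
        data_off = (l4[12] >> 4) * 4
        out["tcp.len"] = ip_len - ihl - data_off  # payload only, TCP header excluded
    elif ip[9] == 17:  # UDP
        out["udp.length"] = struct.unpack("!H", l4[4:6])[0]  # 8-byte header + payload
    return out


if __name__ == "__main__":
    print(wireshark_lengths(build_tcp_frame(b"GET / HTTP/1.0\r\n\r\n")))
    print(wireshark_lengths(build_udp_frame(b"ping")))
```

The 18-byte HTTP request gives ip.len 58 and frame.len 72 (14 + 58), while the 4-byte UDP payload gives ip.len 32 but frame.len 60 because of padding; a filter such as frame.len == ip.len + 14 would therefore miss every padded frame.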

Pcap processing

Counting packets

capinfos.exe "C:\Users\28185\Desktop\202310151400 (1).pcap"  # prints the packet count along with the other file statistics shown below
E:\Software\Wireshark>capinfos.exe "C:\Users\28185\Desktop\202310151400 (1).pcap"
File name: C:\Users\28185\Desktop\202310151400 (1).pcap
File type: Wireshark/tcpdump/... - pcap
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: 96 bytes
Packet size limit: inferred: 34 bytes - 287 bytes (range)
Number of packets: 132 M
File size: 9521 MB
Data size: 118 GB
Capture duration: 899.941805 seconds
First packet time: 2023-10-15 13:00:00.252265
Last packet time: 2023-10-15 13:15:00.194070
Data byte rate: 131 MBps
Data bit rate: 1053 Mbps
Average packet size: 891.26 bytes
Average packet rate: 147 kpackets/s
SHA256: 8463639978a0e2f63ab3084721b0e418e575494953779fe1ebaf3e3c9204f4da
RIPEMD160: 2cda1d6346c87ad6281f00b2632fdc2c0d587b70
SHA1: 3cb4d64432254e778f4265276d767dfc479c3a4a
Strict time order: False
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Ethernet (1 - ether)
Capture length = 96
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 132974450

Worth reading beyond the packet count: "Packet size limit: file hdr: 96 bytes" means the capture was taken with a 96-byte snaplen, so packet payloads are cut short and payload-level analysis (file extraction, full HTTP bodies) will be incomplete; "Strict time order: False" means packets are not in timestamp order, which tools that assume ordering (including Zeek) may complain about.

Splitting a pcap file

editcap.exe -c 66487225 "C:\Users\28185\Desktop\202310151400 (1).pcap" "C:\Users\28185\Desktop\prefix"  # -c <n>: write at most n packets per output file; prefix is the output name, editcap inserts _nnnnn_YYYYmmddHHMMSS before its extension. 66487225 is half of the 132974450 packets counted above, so this yields two files.

Reference

https://blog.csdn.net/wojiaopanpan/article/details/69944970

tcpdump

Splitting a pcap file

tcpdump -r original.pcap -w new.pcap -C 5  # -C <size>: rotate the output file once it exceeds <size> million bytes (1,000,000 bytes, not 1,048,576); the files are named new.pcap, new.pcap1, new.pcap2, ...

Note that upper-case -C (file size) is a different option from lower-case -c:

-c <count>: stop after the specified number of packets has been received (or, with -r, read)

https://wangchujiang.com/linux-command/c/tcpdump.html
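The three pcap operations above (count with capinfos, split every N packets with editcap -c, split at a size limit with tcpdump -C) all come down to walking the classic pcap record structure. The block below is an added example, not code from the original post, Wireshark or tcpdump: a minimal pcap reader and writer that performs all three on an in-memory capture, and also reports the snaplen-truncation and time-order facts that capinfos surfaces. The capture itself is constructed (zero-filled frames of assorted lengths, one with an out-of-order timestamp); only the file format is real. Here the size limit is given in bytes, whereas tcpdump's -C unit is millions of bytes. pcapng and nanosecond-resolution pcap are rejected rather than misread.

```python
# Added example, not code from the original post, Wireshark or tcpdump.
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)


def write_pcap(snaplen, linktype, records):
    """records: (ts_sec, ts_usec, orig_len, captured_bytes) tuples -> pcap bytes."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig, data in records:
        out.append(REC_HDR.pack(sec, usec, len(data), orig) + data)
    return b"".join(out)


def read_pcap(blob):
    """Return (snaplen, linktype, records); handles both byte orders."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a microsecond classic pcap (pcapng/nanosecond not handled)")
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    snaplen, linktype = ghdr.unpack_from(blob, 0)[5:]
    records, off = [], ghdr.size
    while off + rhdr.size <= len(blob):
        sec, usec, incl, orig = rhdr.unpack_from(blob, off)
        off += rhdr.size
        records.append((sec, usec, orig, blob[off:off + incl]))
        off += incl
    return snaplen, linktype, records


def capinfos_lite(blob):
    """The capinfos fields that matter before analysis: packet count, snaplen,
    how many packets it cut short, and whether timestamps are in order."""
    snaplen, _, recs = read_pcap(blob)
    return {
        "packets": len(recs),
        "snaplen": snaplen,
        "file_size": len(blob),
        "data_size": sum(r[2] for r in recs),                   # sum of on-wire lengths
        "truncated": sum(1 for r in recs if len(r[3]) < r[2]),  # frame.cap_len < frame.len
        "strict_time_order": all(a[:2] <= b[:2] for a, b in zip(recs, recs[1:])),
    }


def split_by_count(blob, per_file):
    """editcap -c <per_file>: consecutive files of at most per_file packets."""
    snaplen, lt, recs = read_pcap(blob)
    return [write_pcap(snaplen, lt, recs[i:i + per_file])
            for i in range(0, len(recs), per_file)]


def split_by_size(blob, max_bytes):
    """tcpdump -C style rotation: start a new file when the next record would push
    the current one past max_bytes (each file keeps its own 24-byte global header)."""
    snaplen, lt, recs = read_pcap(blob)
    files, cur, size = [], [], GLOBAL_HDR.size
    for r in recs:
        rec_size = REC_HDR.size + len(r[3])
        if cur and size + rec_size > max_bytes:
            files.append(write_pcap(snaplen, lt, cur))
            cur, size = [], GLOBAL_HDR.size
        cur.append(r)
        size += rec_size
    if cur:
        files.append(write_pcap(snaplen, lt, cur))
    return files


def sample_capture(snaplen=96):
    """Constructed capture: 7 zero-filled frames, three longer than the 96-byte
    snaplen seen in the capinfos output above, one with an out-of-order timestamp."""
    frames = [(1697346000, 252265, bytes(60)), (1697346000, 300000, bytes(200)),
              (1697346000, 250000, bytes(1514)), (1697346001, 0, bytes(74)),
              (1697346001, 500, bytes(96)), (1697346002, 0, bytes(120)),
              (1697346002, 10, bytes(64))]
    return write_pcap(snaplen, 1, [(s, u, len(f), f[:snaplen]) for s, u, f in frames])


if __name__ == "__main__":
    cap = sample_capture()
    print(capinfos_lite(cap))
    print([capinfos_lite(f)["packets"] for f in split_by_count(cap, 3)])
    print([len(f) for f in split_by_size(cap, 300)])
```

For a real file, pass the bytes of the pcap to capinfos_lite and write each element returned by the split functions to its own file; each one is a complete pcap that Wireshark, tcpdump and Zeek can open directly. On a multi-gigabyte capture like the one above, read_pcap as written would load everything into memory, so streaming records from a file handle is the first change to make.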


Traffic Analysis and Processing
https://d4wnnn.github.io/2023/04/30/Academic/流量分析处理/
Author: D4wn
Published: April 30, 2023