Traffic Analysis and Processing
Zeek
Official installation guide (Docker or Linux): https://docs.zeek.org/en/current/install.html
Final installation page (choose the "add a software repository" method):
https://build.opensuse.org/package/show/security:zeek/zeek
https://software.opensuse.org//download.html?project=security%3Azeek&package=zeek
Zeek manual: https://docs.zeek.org/en/v5.1.0/logs/conn.html
Analysis:
Wireshark
Filter by IP
    ip.src == 113.54.243.163
    ip.dst == 113.54.243.163
    ip.addr == 113.54.243.163
    ip.src_host: reverse-resolved hostname of that IP address
Filter by port
    tcp.port == 80
    tcp.srcport == 80
    tcp.dstport == 80
    udp.port == 80
Filter by protocol
Filter by MAC
    eth.src
    eth.dst
    eth.addr
Filter by packet length
    udp.length   UDP header (fixed 8 bytes) plus the UDP payload that follows it
    tcp.len      TCP payload only (the data carried below TCP), excluding the TCP header itself
    ip.len       everything after the fixed 14-byte Ethernet header, i.e. from the IP header to the end of the packet
    frame.len    the whole frame, from the Ethernet header to the end
Pcap processing
Count the number of packets
    capinfos.exe "C:\Users\28185\Desktop\202310151400 (1).pcap"

    E:\Software\Wireshark>capinfos.exe "C:\Users\28185\Desktop\202310151400 (1).pcap"
    File name:           C:\Users\28185\Desktop\202310151400 (1).pcap
    File type:           Wireshark/tcpdump/... - pcap
    File encapsulation:  Ethernet
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: 96 bytes
    Packet size limit:   inferred: 34 bytes - 287 bytes (range)
    Number of packets:   132 M
    File size:           9521 MB
    Data size:           118 GB
    Capture duration:    899.941805 seconds
    First packet time:   2023-10-15 13:00:00.252265
    Last packet time:    2023-10-15 13:15:00.194070
    Data byte rate:      131 MBps
    Data bit rate:       1053 Mbps
    Average packet size: 891.26 bytes
    Average packet rate: 147 kpackets/s
    SHA256:              8463639978a0e2f63ab3084721b0e418e575494953779fe1ebaf3e3c9204f4da
    RIPEMD160:           2cda1d6346c87ad6281f00b2632fdc2c0d587b70
    SHA1:                3cb4d64432254e778f4265276d767dfc479c3a4a
    Strict time order:   False
    Number of interfaces in file: 1
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 96
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Number of stat entries = 0
                         Number of packets = 132974450
Split a pcap file
    editcap.exe -c 66487225 "C:\Users\28185\Desktop\202310151400 (1).pcap" "C:\Users\28185\Desktop\prefix"
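As an added example (not part of the original notes), a pure-Python libpcap reader that does what this section does with capinfos and editcap, counting the packets in a capture and splitting it by packet count, plus a helper that computes the frame.len, ip.len and tcp.len fields from the Wireshark section for a constructed Ethernet/IPv4/TCP frame. The frames, addresses and timestamps are constructed sample data; the reader handles the classic libpcap format only, not pcapng.

```python
import struct
# libpcap (not pcapng) headers, little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def tcp_frame(payload: bytes) -> bytes:
    """Constructed sample frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP + payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")  # total length = 20 + 20 + payload
    tcp = b"\x00" * 12 + b"\x50" + b"\x00" * 7              # data offset 5 words = 20-byte header
    return eth + ip + tcp + payload

def length_fields(frame: bytes) -> dict:
    """The length fields from the Wireshark filter notes, for an Ethernet/IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length
    ip_len = struct.unpack_from("!H", frame, 16)[0]         # IPv4 total length = frame.len - 14
    doff = (frame[14 + ihl + 12] >> 4) * 4                  # TCP header length
    return {"frame.len": len(frame), "ip.len": ip_len, "tcp.len": ip_len - ihl - doff}

def build_pcap(frames) -> bytes:
    recs = [REC_HDR.pack(1697349600 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(recs)

def pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, frame) from a libpcap blob; refuse truncated or foreign files."""
    if len(data) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off = GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def split_by_count(data: bytes, per_file: int) -> list:
    """Like `editcap -c per_file in.pcap prefix`: each chunk is a complete, valid pcap."""
    chunks, n = [], per_file
    for ts_sec, ts_usec, frame in pcap_records(data):
        if n == per_file:                                   # start a new output file
            chunks.append(bytearray(data[:GLOBAL_HDR.size])); n = 0
        chunks[-1] += REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame
        n += 1
    return [bytes(c) for c in chunks]
```

Counting the records with `sum(1 for _ in pcap_records(blob))` gives what capinfos reports as "Number of packets"; a file cut short mid-record raises instead of silently under-counting.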
Reference
https://blog.csdn.net/wojiaopanpan/article/details/69944970
tcpdump
Split a pcap file
    tcpdump -r original.pcap -w new.pcap -C 5
    # -C 5: start a new output file each time the current one exceeds 5 million bytes (new.pcap, new.pcap1, new.pcap2, ...)
-c <packet count>: stop dumping after the specified number of packets has been received;
https://wangchujiang.com/linux-command/c/tcpdump.html