免费注册 查看新帖 |

Chinaunix

广告
  平台 论坛 博客 文库
论坛 程序设计 Shell awk 输出问题
12
最近访问板块 发新帖
楼主: chaogle
打印 上一主题 下一主题

awk 输出问题 [复制链接]

rdcwayx

论坛徽章:
15
2015年辞旧岁徽章 日期:2015-03-03 16:54:15双鱼座 日期:2015-01-15 17:29:44午马 日期:2015-01-06 17:06:51子鼠 日期:2014-11-24 10:11:13寅虎 日期:2014-08-18 07:10:55酉鸡 日期:2014-04-02 12:24:51双子座 日期:2014-04-02 12:19:44天秤座 日期:2014-03-17 11:43:36亥猪 日期:2014-03-13 08:13:51未羊 日期:2014-03-11 12:42:03白羊座 日期:2013-11-20 10:15:18CU大牛徽章 日期:2013-04-17 11:48:45
11 [报告]
发表于 2012-05-11 19:15 |只看该作者
chaogle 发表于 2012-05-10 22:17
回复 4# jason680

谢谢大家的讨论,可能是这么解释(要是有明确文档出处就好了^_^)
其实这个问题是在观测tcpdump输出时想到的问题,抓包得到的都是0x-----的十六进制字段,想转换一下以作分析.

里面有给出tcpdump 参数用法,有些可以直接显示可读字符
http://danielmiessler.com/study/tcpdump/
http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/

而且我印象里,有现成的工具软件可以直接读tcpdump来分析的。你自己找找。
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
winway1988

论坛徽章:
1
辰龙 日期:2014-05-22 11:38:58
12 [报告]
发表于 2012-05-12 10:52 |只看该作者
本帖最后由 winway1988 于 2012-05-12 10:53 编辑

回复 7# chaogle


    正常去分析数据包,要拿首部结构体去套,来分析字段值。
如果是想基于tcpdump或其他捕包软件的输出来分析信息,我一般这么做
tcpdump保存pcap文件,用wireshark打开(我用的是win下的),wireshark可以导出txt、xml等格式文件,这些文件包含数据包的信息
  1. <?xml version="1.0"?>
  2. <psml version="0" creator="wireshark/1.4.1">
  3. <structure>
  4. <section>No.</section>
  5. <section>Time</section>
  6. <section>Source</section>
  7. <section>Destination</section>
  8. <section>Protocol</section>
  9. <section>Info</section>
  10. </structure>

  12. <packet>
  13. <section>5</section>
  14. <section>0.922489</section>
  15. <section>101.44.1.35</section>
  16. <section>192.168.1.103</section>
  17. <section>TCP</section>
  18. <section>http &gt; quasar-server [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0</section>
  19. </packet>
复制代码
  1. No.     Time        Source                Destination           Protocol Info
  2.      17 1.065012    192.168.1.103         101.44.1.35           HTTP     GET /forum.php?mod=ajax&action=forumchecknew&fid=24&time=1336789898&inajax=yes HTTP/1.1

  4. Frame 17: 170 bytes on wire (1360 bits), 170 bytes captured (1360 bits)
  5.     Arrival Time: May 12, 2012 10:44:40.839803000 中国标准时间
  6.     Epoch Time: 1336790680.839803000 seconds
  7.     [Time delta from previous captured frame: 0.000080000 seconds]
  8.     [Time delta from previous displayed frame: 0.000080000 seconds]
  9.     [Time since reference or first frame: 1.065012000 seconds]
  10.     Frame Number: 17
  11.     Frame Length: 170 bytes (1360 bits)
  12.     Capture Length: 170 bytes (1360 bits)
  13.     [Frame is marked: False]
  14.     [Frame is ignored: False]
  15.     [Protocols in frame: eth:ip:tcp:http]
  16. Ethernet II, Src: IntelCor_51:0c:9e (00:26:c7:51:0c:9e), Dst: Tp-LinkT_5c:11:04 (e0:05:c5:5c:11:04)
  17.     Destination: Tp-LinkT_5c:11:04 (e0:05:c5:5c:11:04)
  18.         Address: Tp-LinkT_5c:11:04 (e0:05:c5:5c:11:04)
  19.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  20.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
  21.     Source: IntelCor_51:0c:9e (00:26:c7:51:0c:9e)
  22.         Address: IntelCor_51:0c:9e (00:26:c7:51:0c:9e)
  23.         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  24.         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
  25.     Type: IP (0x0800)
  26. Internet Protocol, Src: 192.168.1.103 (192.168.1.103), Dst: 101.44.1.35 (101.44.1.35)
  27.     Version: 4
  28.     Header length: 20 bytes
  29.     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  30.         0000 00.. = Differentiated Services Codepoint: Default (0x00)
  31.         .... ..0. = ECN-Capable Transport (ECT): 0
  32.         .... ...0 = ECN-CE: 0
  33.     Total Length: 156
  34.     Identification: 0x192d (6445)
  35.     Flags: 0x02 (Don't Fragment)
  36.         0... .... = Reserved bit: Not set
  37.         .1.. .... = Don't fragment: Set
  38.         ..0. .... = More fragments: Not set
  39.     Fragment offset: 0
  40.     Time to live: 64
  41.     Protocol: TCP (6)
  42.     Header checksum: 0xf8d0 [correct]
  43.         [Good: True]
  44.         [Bad: False]
  45.     Source: 192.168.1.103 (192.168.1.103)
  46.     Destination: 101.44.1.35 (101.44.1.35)
  47. Transmission Control Protocol, Src Port: int-rcv-cntrl (3603), Dst Port: http (80), Seq: 1441, Ack: 1, Len: 116
  48.     Source port: int-rcv-cntrl (3603)
  49.     Destination port: http (80)
  50.     [Stream index: 1]
  51.     Sequence number: 1441    (relative sequence number)
  52.     [Next sequence number: 1557    (relative sequence number)]
  53.     Acknowledgement number: 1    (relative ack number)
  54.     Header length: 20 bytes
  55.     Flags: 0x18 (PSH, ACK)
  56.         000. .... .... = Reserved: Not set
  57.         ...0 .... .... = Nonce: Not set
  58.         .... 0... .... = Congestion Window Reduced (CWR): Not set
  59.         .... .0.. .... = ECN-Echo: Not set
  60.         .... ..0. .... = Urgent: Not set
  61.         .... ...1 .... = Acknowledgement: Set
  62.         .... .... 1... = Push: Set
  63.         .... .... .0.. = Reset: Not set
  64.         .... .... ..0. = Syn: Not set
  65.         .... .... ...0 = Fin: Not set
  66.     Window size: 8192
  67.     Checksum: 0xd5ff [validation disabled]
  68.         [Good Checksum: False]
  69.         [Bad Checksum: False]
  70.     [SEQ/ACK analysis]
  71.         [Number of bytes in flight: 1556]
  72.     TCP segment data (116 bytes)
  73. [Reassembled TCP Segments (1556 bytes): #16(1440), #17(116), #18(116)]
  74.     [Frame: 16, payload: 0-1439 (1440 bytes)]
  75.     [Frame: 17, payload: 1440-1555 (116 bytes)]
  76.     [Frame: 18, payload: 1440-1555 (116 bytes)]
  77.         [Segment overlap: True]
  78.     [Reassembled TCP length: 1556]
  79. Hypertext Transfer Protocol
  80.     GET /forum.php?mod=ajax&action=forumchecknew&fid=24&time=1336789898&inajax=yes HTTP/1.1\r\n
  81.         [Expert Info (Chat/Sequence): GET /forum.php?mod=ajax&action=forumchecknew&fid=24&time=1336789898&inajax=yes HTTP/1.1\r\n]
  82.             [Message: GET /forum.php?mod=ajax&action=forumchecknew&fid=24&time=1336789898&inajax=yes HTTP/1.1\r\n]
  83.             [Severity level: Chat]
  84.             [Group: Sequence]
  85.         Request Method: GET
  86.         Request URI: /forum.php?mod=ajax&action=forumchecknew&fid=24&time=1336789898&inajax=yes
  87.         Request Version: HTTP/1.1
  88.     User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-cn) Presto/2.10.229 Version/11.64\r\n
  89.     Host: bbs.chinaunix.net\r\n
  90.     Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n
  91.     Accept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\n
  92.     Accept-Encoding: gzip, deflate\r\n
  93.     Referer: http://bbs.chinaunix.net/forum-24-1.html\r\n
  94.     [truncated] Cookie: ndfU_2132_saltkey=0xs5msd7; ndfU_2132_lastvisit=1336782408; ndfU_2132_auth=64451xbWFQkoyofLMH%2BvnfnBqxa9iDYxL5ssC%2FqOWie8WC3nOEh6zmFxiXUyOkoAkaBEysFAmGa6KwpAyJOIst%2BdM20VQA; ndfU_2132_ulastactivity=bba7kG0LKSGfIjzBG4
  95.     Connection: Keep-Alive\r\n
  96.     X-Requested-With: XMLHttpRequest\r\n
  97.     \r\n
复制代码
这样就可以集中精力用awk、sed来从文本中提取信息了
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
12
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP