How do I create a packet capture file for a single process on a headless server?

I am writing a Python script on a headless server and I would like to see the packet capture output of the script.

I can't run ettercap or Wireshark on the server because there is too much noise (also, Wireshark is a GUI tool). However, I do have sudo access.

Is there any way to capture the packets generated by that script? Preferably in a format that can be loaded into Wireshark (not required, but I can wade through text if I have to).

Yes, you can do it with iptables and dumpcap. In summary:

    # iptables -A OUTPUT -m owner --pid-owner 1000 -j CONNMARK --set-mark 1
    # iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
    # iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
    # dumpcap -i nflog:30 -w pid-1000.pcap

This captures all traffic of the process with PID 1000. These commands must be run on the host (that is where the PID information is available).
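As an added example (not code from either answer), the NFLOG procedure above wrapped in a small POSIX sh script that installs the rules, runs dumpcap with a time limit, and removes the rules again when the capture ends, so the NFLOG rules do not linger in the firewall. It assumes it is run as root on a Linux host with an iptables build that has the conntrack, CONNMARK and NFLOG modules, and dumpcap in PATH. One deliberate difference from the answer: the owner match's --pid-owner option was removed from the Linux kernel in 2.6.14, so the script matches --uid-owner instead, which means the script you want to observe has to run under a dedicated uid; the uid 1001, the output path and the 60-second duration in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example: per-uid packet capture via iptables CONNMARK + NFLOG + dumpcap.
# Not from the original answers. Assumes root, iptables with conntrack/CONNMARK/
# NFLOG support, and dumpcap in PATH. Uses --uid-owner because --pid-owner no
# longer exists in the kernel's owner match (removed in Linux 2.6.14).

NFLOG_GROUP=30   # netlink group dumpcap listens on (nflog:30)
MARK=1           # conntrack mark used to tag the chosen uid's connections

# Emit the three iptables commands for a uid; $1 is "-A" (add) or "-D" (delete).
# Outbound packets from the uid mark their connection; every packet of a marked
# connection, in either direction, is then copied to the NFLOG group.
rules_for_uid() {
    action=$1
    uid=$2
    printf '%s\n' \
      "iptables $action OUTPUT -m owner --uid-owner $uid -j CONNMARK --set-mark $MARK" \
      "iptables $action INPUT -m connmark --mark $MARK -j NFLOG --nflog-group $NFLOG_GROUP" \
      "iptables $action OUTPUT -m connmark --mark $MARK -j NFLOG --nflog-group $NFLOG_GROUP"
}

# Accept only non-empty decimal strings, so command-line input can never be
# spliced into the iptables command lines as extra arguments.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Run every command line produced by rules_for_uid.
apply_rules() {
    rules_for_uid "$1" "$2" | while read -r cmd; do
        $cmd
    done
}

# capture_uid UID OUTFILE SECONDS: install rules, capture, always clean up.
capture_uid() {
    uid=$1
    out=$2
    secs=$3
    is_number "$uid"  || { echo "uid must be numeric" >&2; return 2; }
    is_number "$secs" || { echo "duration must be numeric" >&2; return 2; }
    apply_rules -A "$uid"
    # Remove the rules on any exit path, including Ctrl-C during the capture.
    trap 'apply_rules -D "$uid"' EXIT
    dumpcap -i "nflog:$NFLOG_GROUP" -a "duration:$secs" -w "$out"
}

# Usage (constructed sample values): ./capture_uid.sh 1001 /tmp/uid-1001.pcapng 60
if [ "$#" -eq 3 ] && [ "$(id -u)" -eq 0 ]; then
    capture_uid "$1" "$2" "$3"
fi
```

The rules are generated as text by rules_for_uid and executed by apply_rules, so the same function produces both the add and the delete form and the cleanup is guaranteed to mirror what was installed. The resulting pcapng file can be copied off the host and opened in Wireshark as in the question.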

Wireshark has a command-line tool. I use it on remote machines where I only have console access, and it works very well. It only takes a few minutes of reading the parameters to understand how to use it.

    C:\Program Files (x86)\Wireshark>dumpcap.exe -h
    Dumpcap 1.10.3 (SVN Rev 53022 from /trunk-1.10)
    Capture network packets and dump them into a pcapng file.
    See http://www.wireshark.org for more information.

    Usage: dumpcap [options] ...

    Capture interface:
      -i <interface>           name or idx of interface (def: first non-loopback),
                               or for remote capturing, use one of these formats:
                                   rpcap://<host>/<interface>
                                   TCP@<host>:<port>
      -f <capture filter>      packet filter in libpcap filter syntax
      -s <snaplen>             packet snapshot length (def: 65535)
      -p                       don't capture in promiscuous mode
      -B <buffer size>         size of kernel buffer in MB (def: 2MB)
      -y <link type>           link layer type (def: first appropriate)
      -D                       print list of interfaces and exit
      -L                       print list of link-layer types of iface and exit
      -d                       print generated BPF code for capture filter
      -k                       set channel on wifi interface <freq>,[<type>]
      -S                       print statistics for each interface once per second
      -M                       for -D, -L, and -S, produce machine-readable output
    RPCAP options:
      -r                       don't ignore own RPCAP traffic in capture
      -u                       use UDP for RPCAP data transfer
      -A <user>:<password>     use RPCAP password authentication
      -m <sampling type>       use packet sampling
                               count:NUM - capture one packet of every NUM
                               timer:NUM - capture no more than 1 packet in NUM ms
    Stop conditions:
      -c <packet count>        stop after n packets (def: infinite)
      -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                               filesize:NUM - stop this file after NUM KB
                                  files:NUM - stop after NUM files
    Output (files):
      -w <filename>            name of file to save (def: tempfile)
      -g                       enable group read access on the output file(s)
      -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                               filesize:NUM - switch to next file after NUM KB
                                  files:NUM - ringbuffer: replace after NUM files
      -n                       use pcapng format instead of pcap (default)
      -P                       use libpcap format instead of pcapng
    Miscellaneous:
      -N <packet_limit>        maximum number of packets buffered within dumpcap
      -C <byte_limit>          maximum number of bytes used for buffering packets
                               within dumpcap
      -t                       use a separate thread per interface
      -q                       don't report packet capture counts
      -v                       print version information and exit
      -h                       display this help and exit

    Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
    "Capture packets from interface eth0 until 60s passed into output.pcapng"

    Use Ctrl-C to stop capturing at any time.

Another option is to pipe the dumpcap output over SSH into a Wireshark instance running on your local machine.

    wireshark -k -i <(ssh -l USER REMOTEHOST "dumpcap -i lo -P -w - -f 'not tcp port 22'")

This opens a local Wireshark instance showing the traffic from the remote machine. You will probably want to adjust the filter "not tcp port 22" to avoid piping too much traffic across the network.