Re: formation TCPdump et WireShark

To: corbie@free.fr
Cc: debian-user-french@lists.debian.org
Subject: Re: formation TCPdump et WireShark
From: Stephane Bortzmeyer <stephane@sources.org>
Date: Sat, 2 Apr 2011 12:12:28 +0200
Message-id: <[🔎] 20110402101227.GA15238@sources.org>
In-reply-to: <[🔎] 201104011944.28233.corbie@free.fr>
References: <[🔎] 201104011855.37009.corbie@free.fr> <[🔎] 4D960C06.2040500@tootai.net> <[🔎] 201104011944.28233.corbie@free.fr>

On Fri, Apr 01, 2011 at 07:44:28PM +0200,
 corbie@free.fr <corbie@free.fr> wrote 
 a message of 44 lines which said:

> Je ne connaissais pas "tshark".

C'est bien dommage.

> WireShark : 
> http://fr.wikipedia.org/wiki/Fichier:Wireshark_screenshot.png
> 
> ça semble être en mode graphique :-)

tshark reprend les dissecteurs (les analyseurs de protocole) de
Wireshark et décode donc les mêmes protocoles. Étant en mode texte, il
facilite la communication des résultats des analyses avec des
collègues ou sur des listes de diffusion (avec Wireshark, c'est la
copie d'écran, méthode très Windowsienne).

Voici un exemple :

% tshark -c 1 -V -i eth1 host machine.example.net
...
Frame 1 (94 bytes on wire, 94 bytes captured)
    Arrival Time: Apr  2, 2011 12:10:25.319093000
...
    Frame Length: 94 bytes
    Capture Length: 94 bytes
    [Protocols in frame: eth:ipv6:tcp]
Ethernet II, Src: AsustekC_76:29:b6 (00:1e:8c:76:29:b6), Dst: FreeboxS_c3:83:23 (00:07:cb:c3                 :83:23)
    Destination: FreeboxS_c3:83:23 (00:07:cb:c3:83:23)
        Address: FreeboxS_c3:83:23 (00:07:cb:c3:83:23)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: AsustekC_76:29:b6 (00:1e:8c:76:29:b6)
        Address: AsustekC_76:29:b6 (00:1e:8c:76:29:b6)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 40
    Next header: TCP (0x06)
    Hop limit: 64
    Source: 2a01:e35:8bd9:8bb0:a0b5:bc12:40bf:935f (2a01:e35:8bd9:8bb0:a0b5:bc12:40bf:935f)
    Destination: 2001:660:3003:2::4:8 (2001:660:3003:2::4:8)
Transmission Control Protocol, Src Port: 51258 (51258), Dst Port: connect-server (3442), Seq                 : 0, Len: 0
    Source port: 51258 (51258)
    Destination port: connect-server (3442)
    [Stream index: 0]
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgement: Not set
...

Pendant qu'on y est, ne pas rater pcapr, le Flickr des paquets
<http://www.bortzmeyer.org/pcapr.html>.

Reply to:

References:
- formation TCPdump et WireShark
  - From: corbie@free.fr
- Re: formation TCPdump et WireShark
  - From: daniel huhardeaux <no-spam@tootai.net>
- Re: formation TCPdump et WireShark
  - From: corbie@free.fr

Prev by Date: Re: HS latex et les autres was: pdflatex texlive n'aime pas le mot "fin"
Next by Date: Re: Utiliser IPMI
Previous by thread: Re: formation TCPdump et WireShark
Next by thread: Re: Debian 6 + php5.2
Index(es):
- Date
- Thread