- How can I read pcap files in a friendly format?
- Viewing pcap files on Linux
1 Method
tcpdump -qns 0 -X -r filename
[root@zetawiki ~]# tcpdump -qns 0 -X -r tcpdump1.pcap
reading from file tcpdump1.pcap, link-type EN10MB (Ethernet)
07:23:18.977783 IP 145.14.193.125 > 192.168.0.186: ICMP time exceeded in-transit, length 36
0x0000: 4500 0038 0000 0000 fb01 72c4 7d91 0ec1 E..8......r.}...
0x0010: c0a8 0006 0b00 f4ff 0000 0000 4500 001c ............E...
0x0020: 385e 0000 0101 a702 c0a8 0006 72c8 a70a 8^..........r...
0x0030: 0800 90fd 0001 6701 ......g.
07:23:18.992044 IP 192.168.0.188.ssh > 192.168.0.186.7929: tcp 132
0x0000: 4510 00ac dcb3 4000 4006 dc29 c0a8 0008 E.....@.@..)....
0x0010: c0a8 0006 0016 1ef9 e662 5e6a d13a 94eb .........b^j.:..
0x0020: 5018 021c 81fd 0000 87e1 a5cc 9670 39b6 P............p9.
0x0030: 0ab5 fa70 32c1 c261 f550 6c05 2153 b270 ...p2..a.Pl.!S.p
... (omitted)
tcpdump -qns 0 -A -r filename
[root@zetawiki ~]# tcpdump -qns 0 -A -r tcpdump1.pcap
reading from file tcpdump1.pcap, link-type EN10MB (Ethernet)
07:23:18.977783 IP 145.14.193.125 > 192.168.0.186: ICMP time exceeded in-transit, length 36
E..8......r.}...............E...8^..........r..
......g.
07:23:18.992044 IP 192.168.0.188.ssh > 192.168.0.186.7929: tcp 132
E.....@.@..).............b^j.:..P............p9.
..p2..a.Pl.!S.pE....#.o.......[.....%.1V.|Fhs`=.{...G...\......gf>.,.P..V.m. /..?..2...<.'`.].T...P....f...@.L..Rcd...y...
... (omitted)
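The -X layout shown above, reproduced by a small reader for the classic pcap file format (an added example, not part of the original page): it shows where the per-packet timestamp and hex offsets come from, and that the dump starts after the 14-byte Ethernet header. The MAC addresses and timestamp are constructed; the 28 payload bytes are taken from the first packet's dump above.

```python
import struct

LINKTYPE_ETHERNET = 1  # tcpdump prints this link type as "EN10MB (Ethernet)"
ENDIAN = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # magic -> byte order

def read_pcap(data):
    """Yield (ts_sec, ts_usec, linktype, frame) per record of a classic pcap file."""
    endian = ENDIAN.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    offset = 24  # the global header is 24 bytes
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record")
        yield ts_sec, ts_usec, linktype, data[offset:offset + incl_len]
        offset += incl_len

def hexdump_x(payload):
    """Format bytes as on this page: offset, 2-byte hex groups, printable ASCII."""
    lines = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexed = chunk.hex()
        groups = " ".join(hexed[i:i + 4] for i in range(0, len(hexed), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}: {groups:<39} {text}")
    return lines

def dump(data):
    """Return [(ts_sec, ts_usec, hexdump lines)] for every packet in the file."""
    out = []
    for ts_sec, ts_usec, linktype, frame in read_pcap(data):
        # -X leaves out the link-level header; for Ethernet that is 14 bytes
        body = frame[14:] if linktype == LINKTYPE_ETHERNET else frame
        out.append((ts_sec, ts_usec, hexdump_x(body)))
    return out

# Constructed sample file: one Ethernet frame (made-up MACs) around page bytes
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
IP_ICMP = bytes.fromhex("4500001c385e00000101a702c0a8000672c8a70a080090fd00016701")
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
          + struct.pack("<IIII", 1, 977783, len(ETH + IP_ICMP), len(ETH + IP_ICMP))
          + ETH + IP_ICMP)

if __name__ == "__main__":
    for sec, usec, lines in dump(SAMPLE):
        print(f"{sec}.{usec:06d}", *lines, sep="\n")
```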
2 See also
- Taking a tcpdump capture on Linux
- Wireshark (for Windows)
3 References
Editors: Jmnote, Jmnote bot