使用Wireshark合并数据包,删除重复数据包,IP地址冲突检测
合并数据包
方法1
GUI方式
1. 打开Wireshark软件打开数据包 1.pcap
2. 点击文件—>合并(M) 选择要合并的数据包文件。例如2.pcap
3. 点击完成之后即可完成合并
如果想要继续合并 3.pcap,那么需要先保存之前合并的文件,才可用同样的方法合并后续的文件,以此类推。
如果您需要合并大量的数据包文件,请使用方法2。
方法2
Mergecap方式
进入到Wireshark安装目录
C:\Users\win7>cd C:\Program Files\Wireshark
将要合并的抓包文件放在安装目录下(使用绝对路径原理相同,只是这样方便说明)
合并抓包文件
aaa.pcap ——>合并后的输出文件名
*.pcap———> 目录下所有的pcap文件
C:\Program Files\Wireshark>mergecap -w aaa.pcap *.pcap
当然如果你并不想所有文件都合并,可以使用如下方式来完成
C:\Program Files\Wireshark>mergecap -w aaa.pcap 1.pcap 2.pcap
删除重复数据包
在实际抓包环境中可能会抓到很多重复的数据包,例如如下:
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.121.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.122.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.123.46? Tell 1.1.100.7
00:00:00:00:00:01 ff:ff:ff:ff:ff:ff ARP 64 Who has 1.1.124.46? Tell 1.1.100.7
可以通过如下方式来删除这些重复的数据包
步骤1,打开CMD,并且进入到Wireshark的安装目录下
C:\Users\win7>cd C:\Program Files\Wireshark
步骤2,把抓包文件放在Wireshark的安装目录下
如:C:\Program Files\Wireshark
步骤3,使用editcap -d的参数来删除重复的数据包,前面的文件名是数据包源文件名,后面的文件名是数据包输出的文件名
C:\Program Files\Wireshark>editcap -d input.pcap output.pcap
655 packets seen, 78 packets skipped with duplicate window of 5 packets.
IP地址冲突检测
例如,如下一组报文
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.100 is at aa:00:00:00:00:01
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.101 is at aa:00:00:00:00:02
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
aa:00:00:00:00:03 00:00:01:00:00:01 ARP 1.1.1.102 is at aa:00:00:00:00:03
00:00:00:00:00:01 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:01
如果想要检查IP地址冲突的情况可以在 过滤器中输入 arp.duplicate-address-frame 就可以列出地址冲突的列表,方便排查问题
输出结果如下:
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
00:00:00:00:00:02 00:00:01:00:00:01 ARP 1.1.1.1 is at 00:00:00:00:00:02
没有评论:
发表评论