一、wireshark的yum安装

# yum -y install epel-release

# yum -y install wireshark

版本太低了。

二、wireshark的编译安装

Index of /pub/wireshark/src/

http://ftp.uni-kl.de/pub/wireshark/src/

http://ftp.uni-kl.de/pub/wireshark/src/all-versions/

Centos yum源带的tshark版本特别低，我们需要更高版本的tshark。

# yum -y install cmake3 glib2-devel libpcap libpcap-devel libgcrypt-devel glib2-devel qt-devel qt5-qtbase-devel qt5-linguist qt5-qtmultimedia-devel qt5-qtsvg-devel libcap-devel libcap-ng-devel gnutls-devel krb5-devel libxml2-devel lua-devel lz4-devel snappy-devel spandsp-devel libssh2-devel bcg729-devel libmaxminddb-devel sbc-devel libsmi-devel libnl3-devel libnghttp2-devel libssh-devel libpcap-devel c-ares-devel redhat-rpm-config rpm-build gtk+-devel gtk3-devel desktop-file-utils portaudio-devel rubygem-asciidoctor docbook5-style-xsl docbook-style-xsl systemd-devel python34 cmake3 git gcc gcc-c++ flex bison doxygen gettext-devel libxslt cmake

# wget -c http://ftp.uni-kl.de/pub/wireshark/src/all-versions/wireshark-3.2.3.tar.xz

# tar -xvf wireshark-3.2.3.tar.xz

# cd wireshark-3.2.3

# cmake3 .

# make -i -j 16

# make install

# tshark -v

长期用来统计抓包中的各种响应时间，这个时候应用的日志已经不可信了。

按URL、时间梯度进行分组统计：

# tshark -r file.pcap -Y 'http.time>0 ' -T fields -e frame.number -e frame.time_epoch -e frame.time_delta_displayed -e ip.src -e ip.dst -e tcp.stream -e http.request.full_uri -e http.response_for.uri -e http.time | awk '{ print int($2/10), $8 }' | awk '{ sum[$1]+=$2; count[$1]+=1 ;} END { for (key in count) { printf "time= %s \t count=%s \t avg=%.6f \n", key, count[key], sum[key]/count[key] } }' | sort -k2n | gawk '{ print strftime("%c",$2*10), $0 }'