Difference between revisions of "Tools/Tshark"
Revision history: minor edit (Tools/Tethereal moved to Tools/Tshark: name change); minor edit (Reverted edits by Oxudocopaj (talk) to last revision by Pylon).
Latest revision as of 17:36, 24 November 2010
Why tshark rocks
- more functions than tcpdump
- shares features with Wireshark
- lives in /usr/bin
- can capture to a ring buffer
- capture and read filters
tshark command lines
statistics
tshark -qz io,stat,0.01,ip.addr==172.17.23.1
tshark -qz conv,eth
tshark -qz proto,colinfo,nfs
tshark -qz sip,stat
tshark -o "smb.sid_name_snooping:TRUE" -qz smb,sids
ring buffer capture
tshark -b 5 -a filesize:9728 -w mm.cap
read filter (live capture, read capture file)
tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
Other read filters, used in place of the -R argument above:
-R "not(ip.addr==172.17.23.5&&tcp.len==0)"
-R 'pop.request || http.request.method==GET || http.request.method=="POST"'
capture filter (live capture)
-f not host 172.17.23.255
decode ports as specific service
tshark -d tcp.port==8888,http
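The -R read-filter commands on this page date from 2010; since Wireshark 1.10, -R is a two-pass filter that requires -2, and -Y is the single-pass display filter those commands meant. The following POSIX shell wrapper is an added example, not part of the wiki page: it picks the flag from the installed version and repeats the clean.cap step with it. The tshark -v lines in its comments and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: apply a read filter the way the page's clean.cap step does,
# on both old and current tshark. Since Wireshark 1.10, -R is a two-pass
# filter that needs -2, and -Y is the single-pass display filter.
set -e

# Print "-R" or "-Y" for the first line of `tshark -v`, passed as $1.
# Constructed sample lines: "TShark 1.6.2" and "TShark (Wireshark) 3.6.2 (...)".
filter_flag() {
    major=$(printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n '1s/^[^0-9]*[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p')
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo "cannot parse tshark version line: $1" >&2
        return 1
    fi
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 10 ]; }; then
        echo "-Y"   # 1.10 and later: single-pass display filter
    else
        echo "-R"   # before 1.10: -R was the single-pass read filter
    fi
}

# clean_capture IN OUT FILTER: write only the packets matching FILTER,
# e.g. the page's "tcp.port!=50050&&ip.addr==172.17.23.5".
clean_capture() {
    in_file=$1; out_file=$2; filter=$3
    flag=$(filter_flag "$(tshark -v 2>/dev/null | head -n 1)")
    tshark -r "$in_file" "$flag" "$filter" -w "$out_file"
}

# Only touch real capture files when asked to and when tshark is installed.
if [ "${1:-}" = "--run" ] && command -v tshark >/dev/null 2>&1; then
    clean_capture mm.cap clean.cap "tcp.port!=50050&&ip.addr==172.17.23.5"
fi
```

Run it as `sh clean.sh --run` in the directory holding mm.cap; without `--run` it only defines the functions.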