Difference between revisions of "Tools/Tshark"

From C4 Wiki
Jump to: navigation, search
m (Tools/Tethereal moved to Tools/Tshark: Namensänderung)
m (Reverted edits by Oxudocopaj (talk) to last revision by Pylon)
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Why tethereal rocks =
+
= Why tshark rocks =
 
* more functions than tcpdump
 
* more functions than tcpdump
* shares features with ethereal
+
* shares features with Wireshark
 
* lives in /usr/bin
 
* lives in /usr/bin
 
* can capture to a ring buffer
 
* can capture to a ring buffer
 
* capture and read filters
 
* capture and read filters
  
== tethereal command lines ==
+
== tshark command lines ==
  
 
=== statistics ===
 
=== statistics ===
  tethereal -qz io,stat,0.01,ip.addr==172.17.23.1
+
  tshark -qz io,stat,0.01,ip.addr==172.17.23.1
  tethereal -qz conv,eth
+
  tshark -qz conv,eth
  tethereal -qz proto,colinfo,nfs
+
  tshark -qz proto,colinfo,nfs
  tethereal -qz sip,stat
+
  tshark -qz sip,stat
  tethereal -o "smb.sid_name_snooping:TRUE" -qz smb,sids
+
  tshark -o "smb.sid_name_snooping:TRUE" -qz smb,sids
  
 
=== ring buffer capture ===
 
=== ring buffer capture ===
  tethereal -b 5 -a filesize:9728 -w mm.cap
+
  tshark -b 5 -a filesize:9728 -w mm.cap
  
 
=== read filter (live capture, read capture file) ===
 
=== read filter (live capture, read capture file) ===
  tethereal -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
+
  tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
 
   -R "not(ip.addr==172.17.23.5&&tcp.len==0)"
 
   -R "not(ip.addr==172.17.23.5&&tcp.len==0)"
 
   -R 'pop.request || http.request.method==GET || http.request.method=="POST"'
 
   -R 'pop.request || http.request.method==GET || http.request.method=="POST"'
Line 27: Line 27:
  
 
=== decode ports as specific service ===
 
=== decode ports as specific service ===
  tethereal -d tcp.port==8888,http
+
  tshark -d tcp.port==8888,http
  
 
[[Category:Tools]] [[Category:Hacks]]
 
[[Category:Tools]] [[Category:Hacks]]

Latest revision as of 17:36, 24 November 2010

Why tshark rocks

  • more functions than tcpdump
  • shares features with Wireshark
  • lives in /usr/bin
  • can capture to a ring buffer
  • capture and read filters

tshark command lines

statistics

tshark -qz io,stat,0.01,ip.addr==172.17.23.1
tshark -qz conv,eth
tshark -qz proto,colinfo,nfs
tshark -qz sip,stat
tshark -o "smb.sid_name_snooping:TRUE" -qz smb,sids

ring buffer capture

tshark -b 5 -a filesize:9728 -w mm.cap

read filter (live capture, read capture file)

tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
  -R "not(ip.addr==172.17.23.5&&tcp.len==0)"
  -R 'pop.request || http.request.method==GET || http.request.method=="POST"'

capture filter (live capture)

-f not host 172.17.23.255

decode ports as specific service

tshark -d tcp.port==8888,http