Tools/Tshark
< Tools
Revision as of 19:48, 27 August 2006 by Pylon (talk | contribs) (Tools/Tethereal moved to Tools/Tshark: Namensänderung)
Contents
Why tethereal rocks
- more functions than tcpdump
- shares features with ethereal
- lives in /usr/bin
- can capture to a ring buffer
- capture and read filters
tethereal command lines
statistics
tethereal -qz io,stat,0.01,ip.addr==172.17.23.1 tethereal -qz conv,eth tethereal -qz proto,colinfo,nfs tethereal -qz sip,stat tethereal -o "smb.sid_name_snooping:TRUE" -qz smb,sids
ring buffer capture
tethereal -b 5 -a filesize:9728 -w mm.cap
read filter (live capture, read capture file)
tethereal -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap -R "not(ip.addr==172.17.23.5&&tcp.len==0)" -R 'pop.request || http.request.method==GET || http.request.method=="POST"'
capture filter (live capture)
-f not host 172.17.23.255
decode ports as specific service
tethereal -d tcp.port==8888,http