Tools/Tshark

From C4 Wiki
 
(Tools/Tethereal moved to Tools/Tshark: name change)

Revision as of 19:48, 27 August 2006

Why tethereal rocks

(tethereal was renamed tshark in 2006 when Ethereal became Wireshark; the commands below work with tshark as well, though some option syntax has changed in later versions.)

  • more functions than tcpdump: full protocol dissection, filters on any dissected field, and the -z statistics taps
  • shares features with ethereal: same dissectors and same display-filter syntax, so a filter that works in the GUI works on the command line
  • lives in /usr/bin: a plain command-line program, no X needed, so it runs over ssh on a server
  • can capture to a ring buffer (-b), so a long-running capture does not fill the disk
  • capture and read filters: capture filters (-f, tcpdump/BPF syntax, applied before the packet reaches tethereal) and read filters (-R, ethereal display-filter syntax, applied after dissection)

tethereal command lines

statistics

-q suppresses the per-packet output and -z selects a statistics tap; without -r the tap runs on a live capture and the table is printed when the capture stops (Ctrl-C, -c or -a).

tethereal -qz io,stat,0.01,ip.addr==172.17.23.1
  frames and bytes per 0.01 s interval, counting only packets that match the filter; intervals start at the first packet
tethereal -qz conv,eth
  conversation table (frames and bytes in each direction) per Ethernet address pair
tethereal -qz proto,colinfo,nfs.fh.hash,nfs.fh.hash
  append the values of a field to the Info column for packets matching a filter; the tap takes proto,colinfo,<filter>,<field>, both arguments are required (the shorter proto,colinfo,nfs is rejected)
tethereal -qz sip,stat
  SIP request and response statistics
tethereal -o "smb.sid_name_snooping:TRUE" -qz smb,sids
  table of SIDs and the account names they resolve to, learned by snooping SMB name-lookup replies in the capture; the preference must be switched on or the table stays empty

ring buffer capture

tethereal -b 5 -a filesize:9728 -w mm.cap

Keeps at most 5 files, switching to the next one every 9728 kB and overwriting the oldest; each file name gets a sequence number and timestamp (mm_00001_20060827194800.cap). This is the old option syntax; in current tshark both limits are given as -b key:value pairs, and the rotation can also be time based:

tethereal -b filesize:9728 -b files:5 -w mm.cap
tethereal -b duration:3600 -b files:24 -w mm.cap

Do not mix up -a (autostop: stop capturing once the condition is met) and -b (ring buffer: switch files and keep capturing).

read filter (live capture, read capture file)

Read filters use the display-filter syntax and are evaluated after dissection, so any dissected field can be tested. Combined with -r and -w, the matching packets are written to a new file, which is the usual way to trim a capture down:

tethereal -r mm.cap -R "tcp.port!=50050&&ip.addr==172.17.23.5" -w clean.cap
  -R "not(ip.addr==172.17.23.5&&tcp.len==0)"
  -R 'pop.request || http.request.method==GET || http.request.method=="POST"'

Caveats:
  • tcp.port!=50050 does not do what it looks like in old versions (including the tethereal of this page): a TCP packet has two tcp.port fields and != is true if any of them differs, so practically every TCP packet matches and the port is not excluded. Write !(tcp.port==50050) instead. Since Wireshark 3.6 != means "all not equal", which is the intended behaviour.
  • http.request.method==GET works because an unquoted string is accepted for string fields; the quoted form, as in "POST", is the safer one.
  • In newer tshark (1.8 onward) -R is only accepted together with -2 (two-pass mode); the single-pass filter option is -Y. Both take the same filter syntax.
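Added example, not from the C4 wiki and not tethereal/tshark code: a small Python script that reads a libpcap file and recomputes what the statistics section's -z conv,eth and -z io,stat,<interval>,<filter> taps print, and then evaluates the read-filter example above, tcp.port!=50050 && ip.addr==172.17.23.5, under both readings of != to show the difference. The capture is constructed in memory (the 172.17.23.x addresses and port 50050 come from the page; the MAC addresses and the 10.0.0.9/172.17.23.7 pair are made up); the parser handles Ethernet/IPv4/TCP only, which is all the sample needs.

```python
# Added illustration (not part of the C4 wiki page, not tethereal/tshark code):
# a minimal libpcap reader that recomputes what "-z conv,eth" and
# "-z io,stat,<interval>,<filter>" report, and shows the old
# "tcp.port != N" read-filter gotcha, on a capture constructed in memory.
import struct
from collections import defaultdict

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip4(s):
    return bytes(int(o) for o in s.split("."))

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip4(src_ip), _ip4(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp

def pcap(records):
    """records: [(timestamp_microseconds, frame_bytes)] -> libpcap file bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, f in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(f), len(f)) + f
    return out

def parse(data):
    """Yield one dict per packet with the fields the filters below need (Ethernet/IPv4/TCP only)."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "little-endian pcap expected"
    off = 24
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        f = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        pkt = {"t": sec * 1_000_000 + usec, "len": caplen,
               "eth.src": f[6:12].hex(":"), "eth.dst": f[0:6].hex(":")}
        if f[12:14] == b"\x08\x00" and f[23] == 6:          # IPv4 carrying TCP
            ihl = (f[14] & 0x0F) * 4
            pkt["ip.addr"] = {".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))}
            t = 14 + ihl
            pkt["tcp.port"] = set(struct.unpack("!HH", f[t:t + 4]))
            pkt["tcp.len"] = struct.unpack("!H", f[16:18])[0] - ihl - (f[t + 12] >> 4) * 4
        yield pkt

def conv_eth(pkts):
    """Like -z conv,eth: [frames, bytes] per unordered Ethernet address pair."""
    table = defaultdict(lambda: [0, 0])
    for p in pkts:
        key = tuple(sorted((p["eth.src"], p["eth.dst"])))
        table[key][0] += 1
        table[key][1] += p["len"]
    return dict(table)

def io_stat(pkts, interval_us, match):
    """Like -z io,stat,<interval>,<filter>: (frames, bytes) per interval, counted from the first packet."""
    pkts = list(pkts)
    t0 = min(p["t"] for p in pkts)
    last = (max(p["t"] for p in pkts) - t0) // interval_us
    buckets = [[0, 0] for _ in range(last + 1)]     # empty intervals are reported too
    for p in pkts:
        if match(p):
            b = buckets[(p["t"] - t0) // interval_us]
            b[0] += 1
            b[1] += p["len"]
    return [tuple(b) for b in buckets]

def port_ne_any(p, port):
    """'tcp.port != N' before Wireshark 3.6: true if ANY of the two port fields differs."""
    return any(x != port for x in p.get("tcp.port", ()))

def not_port_eq(p, port):
    """'!(tcp.port == N)': true only if NO port field equals N (also true for non-TCP packets)."""
    return port not in p.get("tcp.port", ())

def page_filter(p, any_semantics):
    """The page's -R "tcp.port!=50050&&ip.addr==172.17.23.5" under both readings of '!='."""
    ne = port_ne_any if any_semantics else not_port_eq
    return ne(p, 50050) and "172.17.23.5" in p.get("ip.addr", ())

# Constructed sample capture: MACs and the 10.0.0.9/172.17.23.7 flow are made up.
H1, H5, H7, H9 = "00:00:00:00:00:01", "00:00:00:00:00:05", "00:00:00:00:00:07", "00:00:00:00:00:09"
SAMPLE = pcap([
    (1_000_000_000, frame(H5, H1, "172.17.23.5", "172.17.23.1", 50050, 80)),
    (1_000_004_000, frame(H1, H5, "172.17.23.1", "172.17.23.5", 80, 50050, b"x" * 100)),
    (1_000_011_000, frame(H5, H1, "172.17.23.5", "172.17.23.1", 40000, 443)),
    (1_000_025_000, frame(H9, H7, "10.0.0.9", "172.17.23.7", 3333, 25, b"y" * 20)),
])

if __name__ == "__main__":
    pkts = list(parse(SAMPLE))
    print(conv_eth(pkts))
    print(io_stat(pkts, 10_000, lambda p: "172.17.23.1" in p.get("ip.addr", ())))
    print(sum(page_filter(p, True) for p in pkts), "packets pass with any-semantics,",
          sum(page_filter(p, False) for p in pkts), "with !(tcp.port==50050)")
```

Run it and compare with tshark -r on the same bytes written to a file: the conversation table and the io,stat buckets agree, and the last line shows why the page's port filter keeps three of the four packets under the old any-semantics but only one under !(tcp.port==50050).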

capture filter (live capture)

tethereal -f "not host 172.17.23.255"

Capture filters use tcpdump/BPF syntax, not the display-filter syntax, and are applied before the packet reaches tethereal, so they are the cheap way to drop traffic (your own ssh session, a noisy broadcast address) on a busy link. Quote the filter so it reaches tethereal as a single argument; unquoted, the shell splits it into three.

decode ports as specific service

tethereal -d tcp.port==8888,http

Forces the HTTP dissector for TCP port 8888 (format: <layer>==<selector>,<protocol>), needed when a service runs on a non-standard port; otherwise the payload is shown as undissected data and no http.* fields are available for read filters or -z taps. The same works for udp.port and other dissector tables, and -d may be given several times.