From C4 Wiki
Revision as of 17:36, 24 November 2010 by Tobias (talk | contribs) (Reverted edits by Oxudocopaj (talk) to last revision by Pylon)

Why tshark rocks

  • more functions than tcpdump
  • shares features with Wireshark
  • lives in /usr/bin
  • can capture to a ring buffer
  • capture and read filters

tshark command lines
tshark -qz io,stat,0.01,ip.addr==
tshark -qz conv,eth
tshark -qz proto,colinfo,nfs
tshark -qz sip,stat
tshark -o "smb.sid_name_snooping:TRUE" -qz smb,sids
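The statistics commands above print plain text rather than anything machine-readable, so a practitioner who wants to rank conversations across many captures ends up parsing that text. The following script is an added example, not code from the C4 wiki or from the Wireshark project: it parses the output of tshark -qz conv,eth into records, cross-checks tshark's Total column against the two directional columns (so a changed output layout fails loudly instead of producing wrong numbers), and ranks the top talkers and hosts hammering the broadcast address. The SAMPLE_CONV_ETH text is constructed to mimic the column layout of Wireshark 3.x; the column positions and the function names are assumptions, not part of the original page.

```python
"""Rank Ethernet conversations from `tshark -qz conv,eth` text output (added example)."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of what `tshark -r mm.cap -qz conv,eth` prints. The layout
# is assumed from Wireshark 3.x; exact column widths do not matter to the parser.
SAMPLE_CONV_ETH = """\
================================================================================
Ethernet Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
00:0c:29:aa:bb:cc    <-> 00:50:56:11:22:33        120     98000      100      9000      220    107000     0.000000000        12.3456
00:0c:29:aa:bb:cc    <-> ff:ff:ff:ff:ff:ff          0         0       10       600       10       600     1.250000000         9.0000
00:0c:29:dd:ee:ff    <-> 00:50:56:11:22:33          5       400        5       400       10       800     3.000000000         0.5000
================================================================================
"""


@dataclass
class Conversation:
    addr_a: str
    addr_b: str
    frames_in: int    # tshark's "<-" column
    bytes_in: int
    frames_out: int   # tshark's "->" column
    bytes_out: int
    rel_start: float
    duration: float

    @property
    def total_frames(self) -> int:
        return self.frames_in + self.frames_out

    @property
    def total_bytes(self) -> int:
        return self.bytes_in + self.bytes_out


# One conversation row: addr <-> addr, six integer counters, two float columns.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+<->\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_conv(text: str) -> list[Conversation]:
    """Turn tshark's conv,eth table into Conversation records."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, header and '====' lines carry no conversation
        a, b, fi, bi, fo, bo, ft, bt, start, dur = m.groups()
        conv = Conversation(a, b, int(fi), int(bi), int(fo), int(bo),
                            float(start), float(dur))
        # tshark's Total column must equal the sum of the two directions; if it
        # does not, the output format is not the one this parser expects.
        if conv.total_frames != int(ft) or conv.total_bytes != int(bt):
            raise ValueError(f"total column disagrees with directional columns: {line!r}")
        rows.append(conv)
    return rows


def top_talkers(convs: list[Conversation], n: int = 3) -> list[Conversation]:
    """Conversations ordered by total bytes, largest first."""
    return sorted(convs, key=lambda c: c.total_bytes, reverse=True)[:n]


def broadcast_heavy(convs: list[Conversation], min_frames: int = 10) -> list[str]:
    """Addresses that sent at least `min_frames` frames to the Ethernet broadcast address."""
    return [c.addr_a for c in convs
            if c.addr_b == "ff:ff:ff:ff:ff:ff" and c.total_frames >= min_frames]


def run_tshark_conv(capture_path: str) -> str:
    """Run tshark on a saved capture file and return its conv,eth text (needs tshark on PATH)."""
    proc = subprocess.run(["tshark", "-r", capture_path, "-qz", "conv,eth"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    convs = parse_conv(SAMPLE_CONV_ETH)
    for c in top_talkers(convs):
        print(f"{c.addr_a} <-> {c.addr_b}: {c.total_bytes} bytes in {c.duration}s")
    print("broadcast-heavy:", broadcast_heavy(convs))
```

To use it on a real capture, replace SAMPLE_CONV_ETH with run_tshark_conv("mm.cap"); the consistency check in parse_conv is what keeps a silently changed tshark output format from producing a plausible but wrong ranking.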

ring buffer capture

tshark -b 5 -a filesize:9728 -w mm.cap

read filter (live capture, read capture file)

tshark -r mm.cap -R "tcp.port!=50050&&ip.addr==" -w clean.cap
  -R "not(ip.addr=="
  -R 'pop.request || http.request.method==GET || http.request.method=="POST"'

capture filter (live capture)

-f not host

decode ports as specific service

tshark -d tcp.port==8888,http