tshark

wildweaselmi

tshark [ -a ] ... [ -b ] ... [ -B ] [ -c ] [ -C ] [ -d ==, ] [ -D ] [ -e ] [ -E ] [ -f ] [ -F ] [ -h ] [ -i |- ] [ -I ] [ -K ] [ -l ] [ -L ] [ -n ] [ -N ] [ -o ] ... [ -p ] [ -q ] [ -r ] [ -R ] [ -s ] [ -S ] [ -t ad|a|r|d|dd|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ] [ -w |- ] [ -x ] [ -X ] [ -y ] [ -z ] [ ]



tshark -G [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]



Identify which interfaces are available to capture


sudo tshark -D





Capture UDP Port Traffic

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap

  • The -f flag is used to specify a network capture filter (more on filters later). Packets that do not satisfy the condition following the -f flag will not be captured. In this example, only IP packets that are coming from or going to UDP port 1812 are captured.

  • The -i flag is used to specify the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.

  • The -w flag is used to specify a file where the captured traffic will be saved for later processing.






Here is a way to capture traffic with tshark and only get what the display filter is showing.

tshark -i 2 -f "port 110" -R "pop.request.parameter contains \"user\"" > c:\port110.txt

Note: if that matches nothing, try the display filter "pop.request.command contains \"USER\"" instead.



This will capture all port 110 traffic and filter out the "user" command line and save it to a txt file.



tshark -i 2 -f "port 25" -R "smtp.rsp.parameter contains \"Sender\"" > c:\port25.txt



This is an example of how to capture traffic on your outbound smtp server.



-i = interface

-f = capture filter

-R = display filter
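The two commands above share one pitfall: the display filter itself contains double-quoted string literals, so the whole expression has to be quoted for the shell or tshark receives a truncated filter. The following is an added example (not from the original post) that builds the command line with a single-quoted display filter, writes matching packets to a pcap with -w instead of redirecting text, and only executes it when tshark is actually on PATH. It uses -Y rather than -R because, from Wireshark 1.10 on, -R is only accepted together with -2 (two-pass mode); on older builds substitute -R. The interface, port and output path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: compose and run a tshark capture that keeps only the packets
# matching a display filter. Not part of the original post.

# shquote STRING: wrap STRING in single quotes for a POSIX shell, escaping any
# embedded single quotes as '\'' so the result survives eval intact.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_tshark_cmd IFACE CAPTURE_FILTER DISPLAY_FILTER OUTFILE
# Prints the command line without running it, so it can be reviewed or logged first.
#   -f  BPF capture filter (applied by the kernel, cheap)
#   -Y  display filter (applied by the dissectors, can reference protocol fields)
#   -w  write only the packets that pass both filters to OUTFILE
build_tshark_cmd() {
    iface=$1; capf=$2; dispf=$3; outfile=$4
    printf 'tshark -i %s -f %s -Y %s -w %s' \
        "$(shquote "$iface")" "$(shquote "$capf")" \
        "$(shquote "$dispf")" "$(shquote "$outfile")"
}

# run_capture IFACE CAPTURE_FILTER DISPLAY_FILTER OUTFILE
# Refuses to run when tshark is missing (exit 127) instead of failing midway.
run_capture() {
    if ! command -v tshark >/dev/null 2>&1; then
        echo "run_capture: tshark not found in PATH" >&2
        return 127
    fi
    eval "$(build_tshark_cmd "$@")"
}

# Usage (placeholder interface and path; capturing normally needs root):
#   build_tshark_cmd eth0 "port 110" 'pop.request.command contains "USER"' /tmp/port110.pcap
#   sudo sh -c '. ./filtered_capture.sh; run_capture eth0 "port 110" \
#       '\''pop.request.command contains "USER"'\'' /tmp/port110.pcap'
```

The capture filter still does the heavy lifting (only port 110 traffic ever reaches the dissectors); the display filter then narrows the saved packets to the POP commands of interest. Because the output is a pcap rather than redirected text, it can be re-read later with `tshark -r` and a different display filter without re-capturing.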





tshark -i 1 -p -a filesize:1000 -w 1MBcapture.pcap


  • -i 1 : captures from my built-in NIC

  • -p : captures in non-promiscuous mode

  • -a filesize:1000 : captures 1 MB

  • -w 1MBcapture.pcap : names the file






So you can download the file, change the ownership from root, which is what tshark runs as:

sudo chmod 777 1MBcapture.pcap

sudo chown dhosang 1MBcapture.pcap
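The post's handoff works, but chmod 777 leaves the capture (which may contain credentials, as the POP and SMTP examples above show) readable and writable by every local account. Below is an added example (not from the original post) that wraps the bounded, non-promiscuous capture from above and then gives the file to the analyst's account with owner-only permissions. The interface, size, path and user name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: bounded capture followed by a least-privilege handoff of the
# resulting pcap. Not part of the original post.

# capture_cmd IFACE KB OUTFILE: print the tshark command (not run) for review.
#   -p             non-promiscuous, only traffic addressed to this host
#   -a filesize:KB stop once the file reaches KB kilobytes
capture_cmd() {
    printf 'tshark -i %s -p -a filesize:%s -w %s' "$1" "$2" "$3"
}

# handoff FILE USER: make FILE owned by USER and readable/writable by USER only (0600).
# Returns 1 if FILE is missing, 2 if chown fails (root is needed when FILE is root-owned).
handoff() {
    file=$1; user=$2
    [ -f "$file" ] || { echo "handoff: $file not found" >&2; return 1; }
    chown "$user" "$file" || return 2
    chmod 600 "$file"
}

# mode_of FILE: print the symbolic mode string (e.g. -rw-------); works with GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# run_bounded_capture IFACE KB OUTFILE USER: capture, then hand the file to USER.
run_bounded_capture() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not in PATH" >&2; return 127; }
    eval "$(capture_cmd "$1" "$2" "$3")" && handoff "$3" "$4"
}

# Usage (placeholder values; the capture itself needs root):
#   sudo sh -c '. ./bounded_capture.sh; run_bounded_capture eth0 1000 /tmp/1MBcapture.pcap analyst'
```

With mode 0600 the analyst can still open the file in Wireshark or copy it off the box, while other local users cannot read the captured mail or RADIUS traffic, and nobody can silently modify the evidence.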

