-
-
Save joaoceron/e09b5baa23c6d27dbfe8446f629f6da8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tshark -r input_file.pcap -2R "< Wireshark Filter >" -T fields -e < Wireshark Field > -e <Wireshark Field> | |
| ## By using combination of "-T fields" and "-e" options, tshark will only print the fields you're interested in. | |
| ip.src | |
| ip.dst | |
| tcp.srcport (udp.srcport) | |
| tcp.dstport (udp.dstport) | |
| ## I want to check the number of TCP streams in the packet. | |
| From Wireshark go to... | |
| Statics > Conversations | |
| The TCP tab will show you the number of the streams. | |
| ## Display timestamp in UTC format with tshark | |
| tshark -r sample.pcap -o gui.column.format:"utctime","%Yut" -Y "dns" -T fields -e _ws.col.utctime -e ip.src -e udp.srcport -e ip.dst -udp.dstport -e dns.qry.name -E separator=, | |
| for i in `seq 0 172`; do tshark -nr example.pcap -z follow,tcp,raw,$i; done | |
| ## Check the data passed via HTTP form | |
| urlencoded-form.value | |
| ## extract individual TCP streams and save as new pcap | |
| for i in `tshark -n -r huge.pcap -T fields -e tcp.stream |sort -n |uniq|less`; do tshark -nr huge.pcap -Y "tcp.stream==$i" -w $i.pcap; done & |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment