Skip to content

Instantly share code, notes, and snippets.

@typelogic

typelogic/tshark.md

Created August 9, 2019 17:06
Show Gist options
  • Save typelogic/987522fd15989f3dc2e8dc1c55eb2ba9 to your computer and use it in GitHub Desktop.
Save typelogic/987522fd15989f3dc2e8dc1c55eb2ba9 to your computer and use it in GitHub Desktop.
Download ZIP
tshark basics
Raw
tshark.md

parsing pcap capture file with tshark

tcpdump -r vagrant_up.pcap -w outfile.pcap "dst port 5150"
tshark -r vagrant_up.pcap -n -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
tshark -r vagrant_up.pcap -T json > /tmp/output.json
jq '.|length' /tmp/output.json
jq '.[4000]' /tmp/output.json

follow a tcp communication between two nodes

tshark -r vagrant_up.pcap -z "follow,tcp,hex,192.168.3.200:46168,192.168.3.100:5150" > /tmp/o46168_f5150.follow

capture 100 packets with filter and in json format

tshark -i enp0s8 -c 100 -n -T json -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data.data -e data.len -e udp 'src host (192.168.3.200 or 192.168.3.100)' | tee /tmp/capture100.json

statistics of 1000 packets across nodes

tshark -i enp0s8 -c 1000 -n -T json -e frame.number -e frame.time_epoch -e frame.time_delta -e ip.src -e tcp.srcport -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport -e data.data -e data.len 'src host (192.168.3.200 or 192.168.3.100 or 192.168.3.123 or 192.168.3.2 or 192.168.3.45) and (tcp or udp)'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment