This page contains a collection of useful examples for using tshark, the network traffic capture and analysis tool.
The -f flag specifies a capture filter (more on filters below). A capture filter is written in the BPF syntax that tcpdump uses, and packets that do not satisfy it are discarded by the capture engine before anything is written, so nothing else is stored or decoded. In this example only UDP packets coming from or going to port 1812 (RADIUS authentication) are captured.
The -i flag specifies the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.
The -w flag specifies a file where the captured traffic is saved for later processing.
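The capture described above as a complete script, added here as an example and not code from the original page. It assumes the interface eth0 and the output file /tmp/radius.pcap, and goes beyond the page's single port by capturing both RADIUS ports, 1812 (authentication) and 1813 (accounting). The port check exists because the -f argument is handed to libpcap verbatim; the read-back step then applies a display filter to the saved file and counts packets per RADIUS code.

```shell
#!/bin/sh
# Added example, not code from the original page: capture RADIUS traffic with
# the -f / -i / -w flags described above, then summarize the file on read-back.
# Assumptions: interface eth0, output file /tmp/radius.pcap, and both RADIUS
# ports 1812 (authentication) and 1813 (accounting); the page only uses 1812.

# Build a BPF capture filter such as "udp port 1812 or udp port 1813".
# The string goes to libpcap verbatim, so reject anything that is not a port
# number before it is interpolated: a bad value is a filter syntax error at
# best, and an unchecked script argument could change the filter's meaning.
bpf_udp_ports() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bpf_udp_ports: not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bpf_udp_ports: port out of range: $p" >&2; return 1
        fi
        filter="${filter:+$filter or }udp port $p"
    done
    printf '%s\n' "$filter"
}

# capture_radius IFACE OUTFILE SECONDS PORT...
# -f applies the capture filter before packets are stored, so non-matching
# traffic never reaches the file; -a duration:N stops after N seconds so the
# script terminates; -n disables name resolution so the sniffer sends no DNS.
capture_radius() {
    [ $# -ge 4 ] || { echo "usage: capture_radius IFACE OUTFILE SECONDS PORT..." >&2; return 2; }
    iface="$1"; outfile="$2"; seconds="$3"; shift 3
    filter=$(bpf_udp_ports "$@") || return 1
    tshark -n -i "$iface" -f "$filter" -a "duration:$seconds" -w "$outfile"
}

# Read the file back with a display filter (-Y; tshark before 1.10 spelled
# it -R) and count packets per RADIUS code (1 Access-Request, 2 Access-Accept,
# 3 Access-Reject, 4 Accounting-Request, 11 Access-Challenge).
summarize_radius() {
    tshark -n -r "$1" -Y radius -T fields -e radius.code | sort | uniq -c
}

# Usage: sh radius_capture.sh eth0 /tmp/radius.pcap 60
if [ $# -ge 2 ]; then
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; exit 1; }
    capture_radius "$1" "$2" "${3:-60}" 1812 1813 && summarize_radius "$2"
fi
```

Capturing with -f and filtering again with -Y on read-back is the usual split: the capture filter keeps the file small and avoids decoding unrelated traffic, while the display filter, which understands protocol fields such as radius.code, does the analysis.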
This example displays only IP packets sent by or addressed to 192.168.0.1. Unlike the capture filter above, this is a display filter (ip.addr == 192.168.0.1) applied when a capture file is read back, so every packet is still decoded and only the summary output is restricted.
A filter expression can be a logical combination of other filter expressions. Here is a list of common display filters for reference (see man wireshark-filter for the full syntax). Note that the -f capture filter used above is written in tcpdump's BPF syntax, while these display filters are applied with -R (or -Y on tshark 1.10 and later) and use Wireshark's own protocol field names:
Ethernet address 00:08:15:00:08:15           eth.addr == 00:08:15:00:08:15
Ethernet type 0x0806 (ARP)                   eth.type == 0x0806
Ethernet broadcast                           eth.addr == ff:ff:ff:ff:ff:ff
No ARP                                       not arp
IP only                                      ip
IP address 192.168.0.1                       ip.addr == 192.168.0.1
IPX only                                     ipx
TCP only                                     tcp
UDP only                                     udp
UDP port isn't 53 (not DNS)                  !(udp.port == 53)
TCP or UDP port is 80 (HTTP)                 tcp.port == 80 || udp.port == 80
HTTP                                         http
Non-HTTP and non-SMTP to/from 192.168.0.1    not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1
Don't write udp.port != 53 for the DNS case. udp.port matches both the source and the destination port, and on Wireshark versions before 3.6 the != operator is true when either of them differs from 53, which is the case for every DNS packet (one side uses an ephemeral port). The negated form !(udp.port == 53) excludes a packet whenever either port is 53 and behaves the same on every version.
This is a simple example of -z proto,colinfo. The argument has the form proto,colinfo,<filter>,<field>: for every packet that matches <filter>, the value of <field> is appended to the Info column of the one-line summary. Here both are tcp.srcport, so the command prints the source port of every TCP packet in the file /tmp/capture.cap:
tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap
The next command combines a display filter with two proto,colinfo statistics to show the content_type and content_length fields of all HTTP responses that carry an image (on tshark 1.10 and later replace -R with -Y, or add -2 to keep two-pass -R filtering):
tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp
The result looks like this (the frame number column is omitted):
12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 477
13.046184 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 105
13.075361 203.190.124.6 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
13.177414 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 4039
13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 11997
13.231228 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 1033
13.273888 72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (PNG) http.content_type == "image/png" http.content_length == 1974
19.096984 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 592
19.471444 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 259
This output can be used, for example, to extract statistics on image types and their sizes in a given HTTP traffic. Piping it through grep and wc counts the number of GIF images downloaded through HTTP:
tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp | grep "image/gif" | wc -l
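The grep | wc -l pipeline counts one type at a time and also matches any line that merely mentions image/gif somewhere in the summary. The following is an added example, not code from the original page: a small awk aggregator that reads the proto,colinfo output shown above and reports, for every content type, the number of responses and the total number of bytes. The sample lines are the ones printed above, embedded as constructed input so the function runs offline; the file name /tmp/capture.tmp and the tshark command that would feed it live data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): per-type statistics over
# tshark's "-z proto,colinfo" output for HTTP image responses.

# Read colinfo-annotated summary lines on stdin and print one line per
# content type: "<type> <responses> <total bytes>", sorted by type.
# Only lines carrying both http.content_type and http.content_length are
# counted, so a line that merely mentions "image/gif" elsewhere is ignored.
image_stats() {
    awk '
        match($0, /http\.content_type == "[^"]*"/) {
            t = substr($0, RSTART, RLENGTH)
            sub(/^http\.content_type == "/, "", t)
            sub(/"$/, "", t)
            if (match($0, /http\.content_length == [0-9]+/)) {
                l = substr($0, RSTART, RLENGTH)
                sub(/^http\.content_length == /, "", l)
                count[t]++
                bytes[t] += l
            }
        }
        END {
            for (t in count) printf "%s %d %d\n", t, count[t], bytes[t]
        }
    ' | sort
}

# Constructed sample input: the summary lines shown on this page.
sample_colinfo() {
    cat <<'EOF'
12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 477
13.046184 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 105
13.075361 203.190.124.6 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
13.177414 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 4039
13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 11997
13.231228 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 1033
13.273888 72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (PNG) http.content_type == "image/png" http.content_length == 1974
19.096984 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 592
19.471444 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 259
EOF
}

# Live use (assumed file name; on tshark 1.10 and later use -Y instead of -R):
#   tshark -r /tmp/capture.tmp -Y "http.response and http.content_type contains image" \
#       -z "proto,colinfo,http.content_length,http.content_length" \
#       -z "proto,colinfo,http.content_type,http.content_type" | image_stats
sample_colinfo | image_stats
```

On the sample above this prints image/gif 7 5542, image/jpeg 2 13030 and image/png 1 1974. For a script that will be maintained, -T fields -e http.content_type -e http.content_length gives tab-separated values that are easier to parse than the colinfo annotations, but the awk form above works on the exact output the page shows.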
Links
Tshark byte matching for selective packet capture
Capture and Analysis of RADIUS traffic using tshark
Wireshark Display Filters [http://wiki.wireshark.org/DisplayFilters]
Wireshark Capture Filters [http://wiki.wireshark.org/CaptureFilters]