
Tshark examples
tshark examples

# List out destinations observed for a given dest port
tshark -r $PCAP -T fields -e udp.dstport | sort | uniq -c
tshark -r $PCAP -T fields -e tcp.dstport | sort | uniq -c
tshark -r $PCAP -T fields -e ip.dst | sort | uniq -c

# Just add an additional -e with the field:
tshark -r $PCAP -T fields -e ip.dst -e tcp.dstport | sort | uniq -c

# To add the time of the frame use -e frame.time_epoch
# For tcp packet type, use tcp.flags (output is hex)

Some of these examples are lifted, almost directly, from my PAS project; others are from my own notes.
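As an added example (not from the original post), the script below post-processes the tab-separated output of tshark -r $PCAP -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport -e tcp.flags: it reproduces the sort | uniq -c destination/port counts, turns frame.time_epoch into a readable UTC timestamp, decodes the hex tcp.flags value, and copes with the empty columns tshark prints for non-TCP packets. The input lines are constructed so it runs without tshark or a capture; the script name in the comment is a placeholder.

```python
import sys
from collections import Counter
from datetime import datetime, timezone

# Bit values of the TCP flags field as tshark prints it in hex (e.g. 0x0012 = SYN+ACK).
TCP_FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                 (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
                 (0x100, "AE")]  # bit 8, labelled NS in older Wireshark versions

# Constructed sample of `-T fields` output (tab-separated, one packet per line); the fourth
# line is a UDP packet, for which tshark prints empty strings for the tcp.* fields.
SAMPLE = (
    "1700000000.123456\t10.0.0.5\t443\t0x0002\n"
    "1700000000.223456\t10.0.0.5\t443\t0x0012\n"
    "1700000000.323456\t10.0.0.9\t22\t0x0002\n"
    "1700000000.423456\t10.0.0.7\t\t\n"
    "1700000000.523456\t10.0.0.5\t443\t0x0010\n"
    "1700000001.000000\t10.0.0.9\t22\t0x0018\n"
)

def decode_tcp_flags(hex_value):
    """Turn tshark's hex tcp.flags string (e.g. '0x0018') into a tuple of flag names."""
    value = int(hex_value, 16)
    return tuple(name for bit, name in TCP_FLAG_BITS if value & bit)

def parse_fields(text):
    """Yield one dict per line; a missing field is an empty column, never an absent one."""
    for line in filter(None, text.splitlines()):
        epoch, dst, port, flags = line.split("\t")
        yield {"time": datetime.fromtimestamp(float(epoch), tz=timezone.utc),
               "dst": dst,
               "port": int(port) if port else None,
               "flags": decode_tcp_flags(flags) if flags else ()}

def count_destinations(text):
    """Same counts as `-e ip.dst -e tcp.dstport | sort | uniq -c`, keyed by (dst, port)."""
    return Counter((rec["dst"], rec["port"]) for rec in parse_fields(text))

def count_syn_only(text):
    """Per-destination count of bare SYNs (tcp.flags == 0x002), i.e. connection attempts."""
    return Counter(rec["dst"] for rec in parse_fields(text) if rec["flags"] == ("SYN",))

if __name__ == "__main__":
    # Real use: tshark -r $PCAP -T fields -e ... | python3 this_script.py ; otherwise use SAMPLE.
    text = (sys.stdin.read() if not sys.stdin.isatty() else "") or SAMPLE
    for (dst, port), n in count_destinations(text).most_common():
        print(f"{n:7d} {dst}:{port if port is not None else '-'}")
    for rec in parse_fields(text):
        print(rec["time"].isoformat(), rec["dst"], rec["port"], "/".join(rec["flags"]))
```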


Ever since I discovered it, I've preferred tshark as a means of extracting information and stats from a packet capture, particularly when that information needs to be communicated onwards via email - it's far better to provide simple tabulated data than 40-odd screenshots trying to highlight what you mean.

TShark uses the same underlying libraries as Wireshark, so you get the benefit of its dissectors, allowing you to easily filter by traffic type (-Y "ssh") or to build more advanced filters.

There's no way any list of examples could ever be exhaustive, but this list is intended to provide various examples containing some nuts and bolts which you can piece together to create useful commands (most examples exclude basics like -e ip.src for brevity's sake).

If you're wanting to build a new command based on some field you can see in Wireshark, the easiest way to find out the name to pass to tshark is just to filter by it in Wireshark and then pinch the name out of the filter field.
