For When You Can't Have The Real Thing

Useful tshark Examples

Created by dave. Last edited by dave, 2 years and 240 days ago. Viewed 1,014 times. #7
(2021-02-26)

# tshark -r 1.cap -z endpoints,ipv4 -q
Running as user "root" and group "root". This could be dangerous.
================================================================================
IPv4 Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.179.17.85              1643136     1247778822     1271632       1115559225      371504       132219597
174.92.31.70              963763     737414899     215602        77148154      748161       660266745
52.114.149.132            471569     467911328      41124        27184302      430445       440727026
[...]

Show the Ethernet/protocol hierarchy tree (which protocols are present and how many frames and bytes each accounts for)

# tshark -r ./cap.dmp70 -q -z io,phs
Protocol Hierarchy Statistics
Filter:

eth                                      frames:219785 bytes:146483507
  ip                                     frames:216317 bytes:146210431
    udp                                  frames:119835 bytes:66199619
      data                               frames:112920 bytes:65155797
      dns                                frames:1658 bytes:224462
      stun                               frames:987 bytes:122018
[...]

DHCP stats

# tshark -r ./cap.dmp361 -z bootp,stat -q
DHCP (BOOTP) Statistics:
Filter for statistics:
DHCP Message Type |Packets |
DHCP Statistics
Discover                  |0 |
Offer                     |0 |
Request                   |15 |
Decline                   |0 |
ACK                       |15 |
NAK                       |0 |
Release                   |0 |
Inform                    |0 |
Force Renew               |0 |
Lease query               |0 |
Lease Unassigned          |0 |
Lease Unknown             |0 |
Lease Active              |0 |
Bulk Lease Query          |0 |
Lease Query Done          |0 |
Active LeaseQuery         |0 |
Lease Query Status        |0 |
TLS                       |0 |

Show absolute clock time (date and time of day) for each packet instead of the offset from the start of the capture

# tshark -t ad -r 2021-02-26-10:32-10:42.cap

List all seen IPv4 addresses

# mergecap -w - cap.dmp3{55..67} | tshark -r - -z endpoints,ipv4 -q

Brace expansion covers cap.dmp355 through cap.dmp367; a bracket expression such as [55-67] is a character class and would only match a single character (cap.dmp35, cap.dmp36, cap.dmp37).
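The endpoint table printed by -z endpoints,ipv4 is plain text, so it can be post-processed directly. The following is an added example (not from the original page) in POSIX sh/awk that ranks endpoints by bytes transmitted and flags those whose Tx bytes exceed Rx bytes by a configurable ratio, a quick first look for hosts that send far more than they receive. The sample table is constructed from the figures shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: post-process `tshark -r FILE -z endpoints,ipv4 -q` output.
# SAMPLE_ENDPOINTS is constructed from the three endpoint rows shown on this page.
SAMPLE_ENDPOINTS='================================================================================
IPv4 Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.179.17.85              1643136     1247778822     1271632       1115559225      371504       132219597
174.92.31.70              963763     737414899     215602        77148154      748161       660266745
52.114.149.132            471569     467911328      41124        27184302      430445       440727026
================================================================================'

# Data rows have 7 fields: address Packets Bytes TxPackets TxBytes RxPackets RxBytes.
# Header, separator and filter lines are skipped by the address regex and field count.

# rank_by_tx_bytes: read an endpoint table on stdin, print "address tx_bytes"
# sorted by transmitted bytes, largest first.
rank_by_tx_bytes() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF == 7 { print $1, $5 }' \
        | sort -k2,2nr
}

# tx_heavy_endpoints RATIO: read an endpoint table on stdin and print addresses
# whose Tx bytes exceed RATIO times their Rx bytes (default ratio 4).
tx_heavy_endpoints() {
    awk -v r="${1:-4}" \
        '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF == 7 && $5 > r * $7 { print $1 }'
}

# top_tx_endpoint: the single address that transmitted the most bytes in the sample.
top_tx_endpoint() {
    printf '%s\n' "$SAMPLE_ENDPOINTS" | rank_by_tx_bytes | head -n 1 | cut -d' ' -f1
}

# sample_tx_heavy: addresses in the sample that sent more than 4x what they received.
sample_tx_heavy() {
    printf '%s\n' "$SAMPLE_ENDPOINTS" | tx_heavy_endpoints 4
}

# Against a real capture (needs tshark installed):
#   tshark -r capture.cap -z endpoints,ipv4 -q | rank_by_tx_bytes
#   tshark -r capture.cap -z endpoints,ipv4 -q | tx_heavy_endpoints 10
```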

There are three filters:

Name            Flag                            Controls
Capture Filter  -f (tcpdump syntax)             which packets are captured off of the wire
Read Filter     -R (Wireshark display syntax)   which packets in a capture file are considered for further processing; only makes sense if multipass processing is selected (flag -2)
Display Filter  -Y (Wireshark display syntax)   which packets are actually displayed; this filter does not affect any summary processing (such as -z statistics) that may be done
This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt