(2021-02-26)
# tshark -r 1.cap -z endpoints,ipv4 -q
Running as user "root" and group "root". This could be dangerous.
================================================================================
IPv4 Endpoints
Filter:<No Filter>
| Packets | | Bytes | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.179.17.85 1643136 1247778822 1271632 1115559225 371504 132219597
174.92.31.70 963763 737414899 215602 77148154 748161 660266745
52.114.149.132 471569 467911328 41124 27184302 430445 440727026
[...]
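The endpoint table above is what you usually post-process during triage (top talkers, hosts that send far more than they receive). The following parser is an added example, not part of the original notes or of tshark itself: it reads the text that `tshark -z endpoints,ipv4 -q` prints, skips the banner and header lines, checks that the Packets/Bytes columns equal Tx + Rx (which also catches a mis-parsed column order), and ranks hosts by bytes sent. The `SAMPLE` string is constructed from the three rows shown on the page.

```python
"""Parse the table printed by `tshark -z endpoints,ipv4 -q` and rank hosts by traffic."""
import re
from typing import NamedTuple


class Endpoint(NamedTuple):
    addr: str
    packets: int
    bytes: int
    tx_packets: int
    tx_bytes: int
    rx_packets: int
    rx_bytes: int


# Constructed sample: the three rows from the page, plus the banner/header lines
# tshark emits, so the parser is exercised on realistic surrounding noise.
SAMPLE = """\
Running as user "root" and group "root". This could be dangerous.
================================================================================
IPv4 Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes  | | Rx Packets | | Rx Bytes  |
10.179.17.85           1643136    1247778822   1271632      1115559225   371504       132219597
174.92.31.70            963763     737414899    215602        77148154   748161       660266745
52.114.149.132          471569     467911328     41124        27184302   430445       440727026
================================================================================
"""

# A data row is an IPv4 address followed by exactly six integer columns.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:\d+\s+){5}\d+)\s*$")


def parse_endpoints(text):
    """Return one Endpoint per data row; banner, header and separator lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        nums = [int(n) for n in m.group(2).split()]
        rows.append(Endpoint(m.group(1), *nums))
    return rows


def check_totals(ep):
    """tshark's Packets/Bytes columns are Tx + Rx; a mismatch means the columns were misread."""
    return (ep.packets == ep.tx_packets + ep.rx_packets
            and ep.bytes == ep.tx_bytes + ep.rx_bytes)


def tx_rx_ratio(ep):
    """Bytes sent per byte received; a large value means the host mostly talks outbound."""
    return ep.tx_bytes / ep.rx_bytes if ep.rx_bytes else float("inf")


def rank_by_tx_bytes(rows, n=3):
    """Top-n hosts by bytes transmitted, the usual first cut when looking for heavy senders."""
    return sorted(rows, key=lambda e: e.tx_bytes, reverse=True)[:n]


if __name__ == "__main__":
    endpoints = parse_endpoints(SAMPLE)
    for ep in rank_by_tx_bytes(endpoints):
        flag = "" if check_totals(ep) else "  (column mismatch!)"
        print(f"{ep.addr:<16} tx={ep.tx_bytes:>11} rx={ep.rx_bytes:>11} "
              f"tx/rx={tx_rx_ratio(ep):6.2f}{flag}")
```

To run it on a real capture, replace `SAMPLE` with the captured stdout of `tshark -r file.cap -z endpoints,ipv4 -q`; the regex is unaffected by the "Running as user" warning or the `Filter:` line.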
Show ethernet/protocol tree
# tshark -r ./cap.dmp70 -q -z io,phs
Protocol Hierarchy Statistics
Filter:eth frames:219785 bytes:146483507
ip frames:216317 bytes:146210431
udp frames:119835 bytes:66199619
data frames:112920 bytes:65155797
dns frames:1658 bytes:224462
stun frames:987 bytes:122018
[...]
DHCP stats
# tshark -r ./cap.dmp361 -z bootp,stat -q
DHCP (BOOTP) Statistics:
Filter for statistics:
DHCP Message Type |Packets |
DHCP Statistics
Discover |0 |
Offer |0 |
Request |15 |
Decline |0 |
ACK |15 |
NAK |0 |
Release |0 |
Inform |0 |
Force Renew |0 |
Lease query |0 |
Lease Unassigned |0 |
Lease Unknown |0 |
Lease Active |0 |
Bulk Lease Query |0 |
Lease Query Done |0 |
Active LeaseQuery |0 |
Lease Query Status |0 |
TLS |0 |
Packet clock time instead of offset time
# tshark -t ad -r 2021-02-26-10:32-10:42.cap
List all seen IPv4 addresses
# mergecap -w - cap.dmp3{55..67} | tshark -r - -z endpoints,ipv4 -q
There are three filters:

Name | Flag | Effect
---|---|---
Capture Filters | -f (tcpdump syntax) | controls which packets are captured off the wire
Read Filter | -R (Wireshark display syntax) | controls which packets in a capture file are considered for further processing; only makes sense if multipass processing is selected (flag -2)
Display Filter | -Y (Wireshark display syntax) | controls which packets are actually displayed; this filter does not affect any summary processing which may be done