![]() If you have a pcap file that you wish to process, you can use the “-r” command. If you will be printing the output to the screen, I like to pipe the output through “head” (show only a specified number of lines of output) or “less” (show one full page of output at a time) so that it’s easier to read. For example in the first screen capture, I used “head -20” to print the first 20 lines of output.įiltering Traffic With Tshark Capture Filters For example: tshark -r interesting-packets.pcap | headīy default “head” will show the first 10 lines of output but you can modify this as needed, feeding it the number of lines you want to see as a command line switch. When we review a pcap file, there is usually a specific characteristic we are looking for. For example, we may wish to examine all traffic associated with a specific IP address or service. Capture filters permit us to start honing in on an interesting pattern. If you are a Wireshark user, capture filters work a bit differently with tshark versus Wireshark. Tshark actually uses the Wireshark Display Filter syntax for both capture and display. The syntax for tshark capture filters is: This is pretty cool as it provides a lot more functionality.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |