5.3.2.Cli command

• 1.tshark commands:

• 2.list all interface

    tshark -D

  

• 3.listen specific interface

    tshark -i <interface>

  

• 4.listen specific interface and write to file

    tshark -i en0 -w /tmp/testCap.pcap

  

• 5.listen specific interface with time limitation

    tshark -i en0 -a duration:10

  

• 6.Listen specific interface and write to files with specific filesize

  • 1.-i: 指定要被監聽的interface

  • 2.-f: capture filter

  • 3.-b: 指定什麼condition下要產生另一個file

  • 4.-a: 指定什麼condition下要停止監聽

  • 5.-w: 產生檔案

  • 6.80:HTTP/ 443:HTTPS/ 53:DNS

              tshark -i en0 -f "port 80 or port 443 or port 53" -b filesize:5 -a filesize:3 -w /tmp/UPDATE.pcap

  • mac安裝watch

              brew install watch

  • 用watch監看檔案變化

              watch -n 1 "ls -l"

    

• 7.Read record from files

  • ex1.

         tshark -r /tmp/testCap.pcap -T fields -e ip

    

  • ex2.

         tshark -r /tmp/testCap.pcap -T fields -e ip.src | uniq

    

• 8.Read record from files, format to csv

  • 1.-r: 指定要讀取的pcap檔案

  • 2.-T: 指定欄位

  • 3.-e: 指定要取出什麼資料

  • 4.-E

  • 5.-w: 產生檔案

  • ex1.

      tshark -r /tmp/samplecapture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f > /tmp/sample.csv