# 5.3.2. CLI command

* 1. tshark commands:

![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9IsnhHQywRLQ4e%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.02.09.png?generation=1586302894375527\&alt=media) ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9Kqf4JyqB6P9wa%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.02.17.png?generation=1586302894553594\&alt=media)

* 2. List all interfaces

  ```
    tshark -D
  ```

  ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9MwxwU8I6UM0BL%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.02.59.png?generation=1586302894175044\&alt=media)
* 3. Listen on a specific interface

  ```
    tshark -i <interface>
  ```

  ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9Ob3rmFNJ4LLOo%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.03.06.png?generation=1586302894907217\&alt=media)
* 4. Listen on a specific interface and write to a file

  ```
    tshark -i en0 -w /tmp/testCap.pcap
  ```

  ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9Q77c_jsB5tXqZ%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.03.14.png?generation=1586302894502670\&alt=media)
* 5. Listen on a specific interface with a time limit

  ```
    tshark -i en0 -a duration:10
  ```

  ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9S4-8L1IGPgZml%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.04.47.png?generation=1586302894743376\&alt=media)
* 6. Listen on a specific interface and write to files with a specific file size
  * 1. -i: the interface to listen on
  * 2. -f: capture filter
  * 3. -b: the condition under which another file is started
  * 4. -a: the condition under which the capture stops
  * 5. -w: write the capture to a file
  * 6. Ports: 80 is HTTP, 443 is HTTPS, 53 is DNS

    ```
    tshark -i en0 -f "port 80 or port 443 or port 53" -b filesize:5 -a filesize:3 -w /tmp/UPDATE.pcap
    ```
  * Install watch on macOS

    ```
    brew install watch
    ```
  * Use watch to monitor file changes

    ```
    watch -n 1 "ls -l"
    ```

    ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9UOH18x2M1W5tg%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.04.55.png?generation=1586302894015074\&alt=media)
* 7. Read records from files
  * ex1.

    ```
    tshark -r /tmp/testCap.pcap -T fields -e ip
    ```

    ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9W1CO9ciKSq-K5%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.05.03.png?generation=1586302894114020\&alt=media)
  * ex2.

    ```
    # sort first: uniq only collapses adjacent duplicate lines
    tshark -r /tmp/testCap.pcap -T fields -e ip.src | sort | uniq
    ```

    ![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9Y3T8jpkx-Nb46%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.05.11.png?generation=1586302894041723\&alt=media)
* 8. Read records from files and format them as CSV
  * 1. -r: the pcap file to read
  * 2. -T: set the output format to fields
  * 3. -e: which fields to extract
  * 4. -E
  * 5. -w: write the capture to a file
  * ex1.

    ```
    tshark -r /tmp/samplecapture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f > /tmp/sample.csv
    ```

![](https://3840825399-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M4M0G8PXRnA3yHgZCAL%2F-M4M0Gn8DmjJ2aT88bjY%2F-M4M0I9_-4tURxFYx2wB%2F%E8%9E%A2%E5%B9%95%E5%BF%AB%E7%85%A7%202017-06-13%20%E4%B8%8B%E5%8D%887.05.19.png?generation=1586302894548746\&alt=media)
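
An added example, not part of the original page: a shell/awk summary of the CSV written in step 8, counting packets per source, destination and TCP destination port and skipping rows whose IP or TCP columns are empty. The column layout follows the `-e` and `-E` options above; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Columns, from the -e options in step 8:
#   frame.number, ip.src, ip.dst, tcp.dstport
# -E quote=d wraps each value in double quotes. Packets without an IP or TCP
# layer (ARP, UDP/DNS, ...) leave those columns empty. -E occurrence=f keeps
# one value per field, so splitting on "," is safe for these four columns.

# make_sample_csv FILE: write a constructed sample in that layout.
make_sample_csv() {
    cat > "$1" <<'EOF'
frame.number,ip.src,ip.dst,tcp.dstport
"1","192.0.2.10","198.51.100.5","443"
"2","192.0.2.10","198.51.100.5","443"
"3","","",""
"4","192.0.2.10","203.0.113.7","80"
"5","192.0.2.22","198.51.100.5","443"
"6","192.0.2.22","198.51.100.9",""
EOF
}

# summarize_csv FILE: print "count src dst dstport", busiest flow first.
summarize_csv() {
    awk -F',' '
        NR == 1 { next }                                  # header=y row
        {
            for (i = 1; i <= NF; i++) gsub(/"/, "", $i)   # strip quote=d quotes
            if ($2 == "" || $4 == "") next                # no IP or no TCP layer
            flows[$2 " " $3 " " $4]++
        }
        END { for (k in flows) print flows[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# skipped_rows FILE: number of data rows ignored by summarize_csv.
skipped_rows() {
    awk -F',' '
        NR > 1 { gsub(/"/, ""); if ($2 == "" || $4 == "") n++ }
        END { print n + 0 }
    ' "$1"
}
```

Source the file and run `summarize_csv /tmp/sample.csv` on the output of step 8; `skipped_rows` shows how many packets the summary left out because they carried no TCP destination port.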
