5.3.2. CLI commands
1. tshark commands:
2. List all interfaces
tshark -D
3. Listen on a specific interface
tshark -i <interface>
4. Listen on a specific interface and write to a file
tshark -i en0 -w /tmp/testCap.pcap
5. Listen on a specific interface with a time limit
tshark -i en0 -a duration:10
6. Listen on a specific interface and write to files of a specific size
1. -i: specify the interface to listen on
2. -f: capture filter
3. -b: specify the condition under which the next file is started
4. -a: specify the condition under which capturing stops
5. -w: write the output file
6. 80: HTTP / 443: HTTPS / 53: DNS
tshark -i en0 -f "port 80 or port 443 or port 53" -b filesize:5 -a filesize:3 -w /tmp/UPDATE.pcap
Install watch on macOS
brew install watch
Use watch to monitor the file changes
watch -n 1 "ls -l"
7. Read records from a file
ex1.
tshark -r /tmp/testCap.pcap -T fields -e ip
ex2.
tshark -r /tmp/testCap.pcap -T fields -e ip.src | uniq
8. Read records from a file and format them as CSV
1. -r: specify the pcap file to read
2. -T: specify the output mode (fields)
3. -e: specify which data to extract
4. -E
5. -w: write the output file
ex1.
tshark -r /tmp/samplecapture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f > /tmp/sample.csv
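As an added example (not part of the original notes), the following Python script consumes the CSV produced by the ex1 command above (header=y, separator=,, quote=d, occurrence=f) and summarises which hosts talked to which services using the page's 80/443/53 mapping. The sample CSV is constructed inline; the empty tcp.dstport rows illustrate a caveat of that field list: DNS over UDP and other non-TCP packets have no tcp.dstport, so they are counted separately instead of being silently lost.

```python
import csv
import io
from collections import Counter

# Constructed sample of what the tshark command above writes to /tmp/sample.csv
# (-T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport, quote=d).
SAMPLE_CSV = '''frame.number,ip.src,ip.dst,tcp.dstport
"1","192.0.2.10","198.51.100.5","443"
"2","192.0.2.10","198.51.100.5","443"
"3","192.0.2.10","203.0.113.7","80"
"4","192.0.2.10","192.0.2.1",""
"5","192.0.2.11","203.0.113.7","80"
"6","192.0.2.11","192.0.2.1",""
'''

# Port-to-service mapping as listed on the page: 80:HTTP / 443:HTTPS / 53:DNS
SERVICES = {"80": "HTTP", "443": "HTTPS", "53": "DNS"}


def summarize(csv_text):
    """Count (src, dst, service) tuples from tshark CSV field output.

    Returns (counts, non_tcp): counts is a Counter keyed by
    (ip.src, ip.dst, service); non_tcp is the number of rows whose
    tcp.dstport is empty (UDP/ICMP etc.), which the -e list above
    cannot attribute to a port because it has no udp.dstport field.
    """
    counts = Counter()
    non_tcp = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = row["tcp.dstport"]
        if port == "":
            non_tcp += 1
            continue
        service = SERVICES.get(port, "port " + port)
        counts[(row["ip.src"], row["ip.dst"], service)] += 1
    return counts, non_tcp


if __name__ == "__main__":
    counts, non_tcp = summarize(SAMPLE_CSV)
    for (src, dst, svc), n in sorted(counts.items()):
        print(f"{src} -> {dst} {svc}: {n}")
    print(f"rows without tcp.dstport (non-TCP): {non_tcp}")
```

Replace SAMPLE_CSV with open("/tmp/sample.csv").read() to run it over a real export from the command above.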
