5.3.2. CLI commands

  • 1. tshark commands:

  • 2. List all interfaces

      tshark -D
  • 3. Listen on a specific interface

      tshark -i <interface>
  • 4. Listen on a specific interface and write to a file

      tshark -i en0 -w /tmp/testCap.pcap
  • 5. Listen on a specific interface with a time limit

      tshark -i en0 -a duration:10
  • 6. Listen on a specific interface and write to files with a specific file size

    • 1. -i: specify the interface to listen on

    • 2. -f: capture filter

    • 3. -b: specify the condition under which a new file is started (filesize is in kB)

    • 4. -a: specify the condition under which capture stops

    • 5. -w: output file to write

    • 6. 80: HTTP / 443: HTTPS / 53: DNS

        tshark -i en0 -f "port 80 or port 443 or port 53" -b filesize:5 -a filesize:3 -w /tmp/UPDATE.pcap
    • Install watch on macOS

        brew install watch
    • Use watch to monitor file changes

        watch -n 1 "ls -l"
  • 7. Read records from a file

    • ex1.

        tshark -r /tmp/testCap.pcap -T fields -e ip
    • ex2.

        tshark -r /tmp/testCap.pcap -T fields -e ip.src | uniq
  • 8. Read records from a file and output as CSV

    • 1. -r: specify the pcap file to read

    • 2. -T: specify the output format (fields)

    • 3. -e: specify which fields to extract

    • 4. -E: field output options (header, separator, quote, occurrence)

    • 5. -w: output file to write

    • ex1.

        tshark -r /tmp/samplecapture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f > /tmp/sample.csv
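As an added example (not part of these notes), the script below post-processes the CSV that the `-T fields ... -E header=y -E separator=, -E quote=d` command produces, counting frames per source address and TCP destination port. The pcap path, function names and the sample rows are constructed; note that DNS frames captured by the `port 53` filter travel over UDP, so their `tcp.dstport` column is empty and must be skipped.

```shell
#!/bin/sh
# Added example: summarise tshark field CSV output. Sample data is constructed.

# Same field extraction as the notes, parameterised by pcap path (hypothetical
# helper; needs tshark installed, so the summary below does not call it).
extract_csv() {
  tshark -r "$1" -T fields \
    -e frame.number -e ip.src -e ip.dst -e tcp.dstport \
    -E header=y -E separator=, -E quote=d -E occurrence=f
}

# Constructed sample of what extract_csv emits for a capture taken with the
# "port 80 or port 443 or port 53" filter. Rows 2 and 5 are DNS over UDP, so
# tcp.dstport is empty for them.
SAMPLE_CSV='frame.number,ip.src,ip.dst,tcp.dstport
"1","10.0.0.5","93.184.216.34","443"
"2","10.0.0.5","8.8.8.8",""
"3","10.0.0.7","93.184.216.34","443"
"4","10.0.0.5","203.0.113.10","80"
"5","10.0.0.7","8.8.8.8",""
"6","10.0.0.5","93.184.216.34","443"'

# Read CSV on stdin; print "count ip.src tcp.dstport", most frequent first.
# Skips the header line and any row whose tcp.dstport field is empty.
count_src_port() {
  awk -F, '
    NR == 1 { next }                               # header row from -E header=y
    {
      for (i = 1; i <= NF; i++) gsub(/"/, "", $i)  # strip -E quote=d quotes
      if ($4 == "") next                           # non-TCP frame (DNS/UDP)
      c[$2 " " $4]++
    }
    END { for (k in c) print c[k], k }
  ' | sort -rn
}

# Most frequent (src, dstport) pair in the sample; prints "2 10.0.0.5 443".
top_pair() {
  printf '%s\n' "$SAMPLE_CSV" | count_src_port | head -n 1
}

# Number of distinct (src, dstport) pairs in the sample; prints 3.
pair_count() {
  printf '%s\n' "$SAMPLE_CSV" | count_src_port | wc -l | tr -d ' '
}
```

The same counting idea applies to ex2 under item 7: `uniq` only collapses adjacent duplicates, so pipe through `sort` first (`sort | uniq -c`) when you want per-address counts.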
