Questions tagged [tshark]

18 questions
3 votes, 1 answer

Filter tcp packet payload length in tcpdump

The greater filter filters packets by their total length. Is it possible to filter by the payload's length? I know this is possible as a display filter, but I was wondering if it's possible to do this in a capture filter.
Simon Shkolnik
2 votes, 2 answers

Extract the top 5 TCP or UDP flows from tshark sorted in descending order by total bytes

As the question heading states, given a packet capture I want to extract the top 5 flows for TCP (or UDP) sorted by total bytes in descending order. I have come up with this so far: tshark -r test.pcap -q -z conv,tcp | sed "1,5d" | head -n…
2 votes, 0 answers

Realtime filtering of a capture in a different process

Posted this on network engineering earlier: https://networkengineering.stackexchange.com/questions/67433/realtime-filtering-of-a-recording-in-a-different-process I have a network recording setup which outputs the capture in ERF format. While I…
2 votes, 0 answers

Automated webpage browsing

I want to find a way to open https websites in my browser (or any other script-based way?) while running tshark or wireshark. My goal is to collect the ssl dialogues, and then via tshark I can export the ssl parameters to a csv format for further…
Jimakos
1 vote, 1 answer

stopping ssh process that is sent to background without corrupting stdout

My script aims to extract a text log file using tail -f and a wireshark trace using tshark. But I don't know if these are the best options for my goal. My script has to ssh into a machine (which I call server), and then from that machine it sshes into…
Fixenet
1 vote, 1 answer

Extract Data from pcap file

Is there any way to extract this data (red box in the image below) and save it in a text file from the Linux command line? I tried searching on the web but couldn't find anything related to my issue. I want to drop these packets with iptables using their HEX.
ph3ro
1 vote, 1 answer

Search for a string in packet bytes of a pcap file using tshark

I am able to search for a string in the packet bytes of a pcap capture using Wireshark. Is there similar functionality available in tshark? I already have the pcap files. But I need to go through them quickly to find the matching strings in the…
Saqib Ali
1 vote, 1 answer

Wireshark / tshark print MAC address list of BLE Advertising Report

I have started sudo hcitool lescan --passive --duplicate and sudo tcpdump -i bluetooth0 -w cap.pcap. Now, viewing this in Wireshark, I get a lot of LE Advertising Reports. However, in the columns I can't select MAC address, and also in the statistics menu…
Hannes
1 vote, 1 answer

Ignore outbound conversations in Wireshark/tcpdump

I'm collecting pcap data on servers, and I'd like to only collect packets corresponding to inbound connections. Note that I am not looking to filter to inbound packets, but remove both outbound and inbound packets that correspond to conversations…
Eric Pauley
1 vote, 1 answer

tshark - identify network traffic based on ssh user

I am using tshark to capture network traffic on an ubuntu system. I would like to know if there is a way to modify network traffic using iptables or some other method to add additional fields or metadata based on the ssh user generating the data…
Onitsoga
1 vote, 2 answers

tshark -ek creates duplicate keys that elasticsearch 6.0 does not accept

I am trying to load a pcap file into elasticsearch. So I first convert the pcap file to json like this: tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json. Then I want to load it into elasticsearch like this: curl -H "Content-Type:…
frank
0 votes, 0 answers

Why is the output of tshark `http.file_data` different from the Content Length?

I've got a PCAP file that has 3,445 HTTP "206 Partial Content" packets for the application/pdf media type. Each of these requests is for the same file; different Content-Ranges are being requested each time as a covert means of data…
ajmeese7
0 votes, 1 answer

Tshark cannot be initiated under WSL (Windows Subsystem for Linux) ("socket: Address family not supported by protocol")

I'm taking a computer network course. For learning purposes I'd like to run tshark in my WSL Debian under Windows. I successfully installed it using: sudo apt-get install tshark. My version, per tshark -v: TShark (Wireshark) 3.4.10 (Git v3.4.10…
0 votes, 1 answer

Wireshark - exports what it recognises as a jpeg but the jpeg doesn't open

I have a JPEG GET request in my PCAP as below, but when I export it, it's not a valid JPEG file. Any advice as to what I'm doing wrong?
pee2pee
0 votes, 1 answer

tshark: how to count the number of returned packets

I am using tshark and I need to find out how many of my 10,0000 packets contain an HTTP URI. Therefore, I have written the line of code that goes as follows: tshark -r tsharklab.pcap -Y "http.request.uri". However, when it is run, it provides all of…
JamesMcC