With a bit of Google searching, you can find a ton of useful write-ups on using each of these tools. Linux has a wide range of text manipulation tools such as cut, sort, uniq and grep.
Which tools I should use to manipulate the data depends on the goal I’m trying to achieve. The line will include the source and destination IP address separated by a comma. This will result in a text file where each line contains information extracted from a single packet. You can also use greater than ( > ), less than ( = ) or less than or equal to ( analyze.txt Note that in the last example I use “!=” which means not equal to. In the first two examples, I use the operator “=” to identify that the value must be a match. Use the Wireshark Display Filter syntax page I referenced above to identify the proper format to use. Note that in the second example I have to use the protocol number (17) instead of the protocol name (UDP). The syntax for tshark capture filters is: This is pretty cool as it provides a lot more functionality. Tshark actually uses the Wireshark Display Filter syntax for both capture and display. If you are a Wireshark user, capture filters work a bit differently with tshark versus Wireshark. Capture filters permit us to start honing in on an interesting pattern. For example, we may wish to examine all traffic associated with a specific IP address or service. When we review a pcap file, there is usually a specific characteristic we are looking for. For example in the first screen capture, I used “head -20” to print the first 20 lines of output.įiltering Traffic With Tshark Capture Filters For example: tshark -r interesting-packets.pcap | headīy default “head” will show the first 10 lines of output but you can modify this as needed, feeding it the number of lines you want to see as a command line switch. If you will be printing the output to the screen, I like to pipe the output through “head” (show only a specified number of lines of output) or “less” (show one full page of output at a time) so that it’s easier to read. If you have a pcap file that you wish to process, you can use the “-r” command. Let’s break down some of the components of this command.īy default, tshark will listen on the local interface in order to grab packets off the wire. For reference, here’s the screen capture that started the conversation: I’ll also dive into how these fields can be extracted and manipulated. I had a number of questions around how this works, so I wanted to post a more in-depth blog entry that discusses tshark’s ability to display specific header fields. In a previous blog entry, I referenced using tshark to extract IP header information so that it could be sorted and analyzed.
0 kommentar(er)
