Last active
March 23, 2021 02:47
-
-
Save Tony3-sec/9b7d4437206d812fe8dd9007ad9917ac to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tshark -r input_file.pcap -2R "< Wireshark Filter >" -T fields -e < Wireshark Field > -e <Wireshark Field> | |
| ## By using combination of "-T fields" and "-e" options, tshark will only print the fields you're interested in. | |
| ip.src | |
| ip.dst | |
| tcp.srcport (udp.srcport) | |
| tcp.dstport (udp.dstport) | |
| ## I want to check the number of TCP streams in the packet. | |
| From Wireshark go to... | |
| Statics > Conversations | |
| The TCP tab will show you the number of the streams. | |
| ## Display timestamp in UTC format with tshark | |
| tshark -r sample.pcap -o gui.column.format:"utctime","%Yut" -Y "dns" -T fields -e _ws.col.utctime -e ip.src -e udp.srcport -e ip.dst -udp.dstport -e dns.qry.name -E separator=, | |
| for i in `seq 0 172`; do tshark -nr example.pcap -z follow,tcp,raw,$i; done | |
| ## Check the data passed via HTTP form | |
| urlencoded-form.value | |
| ## extract individual TCP streams and save as new pcap | |
| for i in `tshark -n -r huge.pcap -T fields -e tcp.stream |sort -n |uniq|less`; do tshark -nr huge.pcap -Y "tcp.stream==$i" -w $i.pcap; done & |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment