Sunday, April 10, 2011

Basic Tshark Capture Filters

Well I've been playing around with Tshark so I decided I should make a quick post on using basic filters, because it's a great feature and really makes Tshark worth using. For those who don't know what Tshark is, it's the terminal-based version of Wireshark.


Getting down to it, if we want to only monitor activity on a certain port, IRC for example, we would issue the following command.


tshark -f "tcp port 6667" -i eth0


If we wanted to log the packets to a file we could do this:


tshark -f "tcp port 6667" -w /home/tlog -i eth0


This would log the packets to the file, but it wouldn't show us the packets in real time; to get both, we can add "-S". You can also just use -f "port 6667" if you want both UDP and TCP packets. You can also increase the amount of information that's displayed by turning on verbose output with "-V":


tshark -f "port 6667" -w /home/tlog -S -V -i eth0


If we were looking to capture only the traffic coming from a specific website (that is, packets whose source is that host), we could use the following:


tshark -f "src www.hakhub.blogspot.com" -w /home/tlog -S -V -i eth0


You could also narrow it down to a port like this:


tshark -f "src www.hakhub.blogspot.com and port 80" -w /home/tlog -S -V -i eth0


And this is where I'll end this example of tshark capture filter usage. There's also a read (display) filter, which uses a different syntax; you can find more information about it here - http://www.wireshark.org/docs/man-pages/wireshark-filter.html
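To tie the flags from this post together, here is an added example script of my own (it is not from the original post or from the Wireshark project). It builds the same kind of capture filter the post uses, captures a bounded number of packets to a file while still printing them, and then reads the file back with a display filter. It assumes tshark 1.10 or later, where -P (the older -S in 2011-era versions) prints packet summaries while writing to a file and -Y applies a display filter when reading; the interface eth0 and the output path /tmp/irc.pcap are placeholders. Because libpcap resolves a hostname in a capture filter to its address(es) once, when the filter is compiled, the source host is passed as an IP address here.

```shell
#!/bin/sh
# Added example, not from the original post: compose a tshark capture filter,
# capture a limited number of packets to a file, then review them with a read
# (display) filter. Assumes tshark 1.10+; interface and output path are placeholders.
set -u

# Return 0 if $1 is an integer in 1..65535 (a capture filter does not check this for you).
port_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a BPF capture filter (the -f syntax used in the post).
# Usage: build_capture_filter PROTO PORT [SRC_ADDR]   PROTO is tcp, udp, or "" for either.
build_capture_filter() {
    proto=$1; port=$2; src=${3:-}
    port_valid "$port" || { echo "bad port: $port" >&2; return 1; }
    f=""
    if [ -n "$src" ]; then f="src host $src and "; fi
    if [ -n "$proto" ]; then
        f="${f}${proto} port ${port}"
    else
        f="${f}port ${port}"
    fi
    printf '%s\n' "$f"
}

# Print the equivalent display (read) filter for -Y; note the different syntax.
to_display_filter() {
    proto=$1; port=$2; src=${3:-}
    port_valid "$port" || { echo "bad port: $port" >&2; return 1; }
    d=""
    if [ -n "$src" ]; then d="ip.src == $src && "; fi
    if [ -n "$proto" ]; then
        d="${d}${proto}.port == ${port}"
    else
        d="${d}(tcp.port == ${port} || udp.port == ${port})"
    fi
    printf '%s\n' "$d"
}

# Capture up to COUNT packets matching FILTER on IFACE into OUT, printing each
# packet as it is written (-P), then list the saved packets that match DISPLAY.
# Usage: capture_and_review IFACE OUT FILTER DISPLAY [COUNT]
capture_and_review() {
    iface=$1; out=$2; filter=$3; display=$4; count=${5:-50}
    tshark -i "$iface" -f "$filter" -c "$count" -P -w "$out" || return 1
    # Reading back with -r; -Y takes display-filter syntax, not BPF
    tshark -r "$out" -Y "$display" -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport
}

# Run the capture only when asked to, since it needs tshark and capture privileges.
if [ "${1:-}" = "--capture" ]; then
    capture_and_review "${IFACE:-eth0}" "${OUT:-/tmp/irc.pcap}" \
        "$(build_capture_filter tcp 6667)" "$(to_display_filter tcp 6667)" 50
fi
```

Invoke it as `sh capture.sh --capture` (as a user allowed to capture on the interface) to reproduce the IRC example from the post; the two filter builders can be sourced and used on their own.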
