Questions tagged [tshark]
19 questions
3 votes, 1 answer
Filter tcp packet payload length in tcpdump
The greater filter filters packets by their total length. Is it possible to filter by the payload's length? I know this is possible as a display filter, but I was wondering if it's possible to do this in a capture filter.
Simon Shkolnik
2 votes, 2 answers
Extract the top 5 TCP or UDP flows from tshark, sorted in descending order by total bytes
As the question heading states, given a packet capture I want to extract the top 5 flows for TCP (or UDP), sorted by total bytes in descending order.
I have come up with this so far
tshark -r test.pcap -q -z conv,tcp | sed "1,5d" | head -n…
Trevor Philip
2 votes, 0 answers
Realtime filtering of a capture in a different process
Posted this on network engineering earlier: https://networkengineering.stackexchange.com/questions/67433/realtime-filtering-of-a-recording-in-a-different-process
I have a network recording setup which outputs the capture in ERF format. While I…
2 votes, 0 answers
Automated webpage browsing
I want to find a way to open https websites in my browser (or any other script-based way??) while running tshark or wireshark. My goal is to collect the ssl dialogues and then via tshark I can export the ssl parameters to a csv format for further…
Jimakos
1 vote, 1 answer
Stopping an ssh process that is sent to the background without corrupting stdout
My script aims to extract a text log file using tail -f and a Wireshark trace using tshark, but I don't know if these are the best options for my goal.
My script has to ssh into a machine (which I call the server), and from that machine it SSHes into…
Fixenet
1 vote, 1 answer
Extract Data from pcap file
Is there any way to extract this data (red box in the image below) and save it to a text file from the Linux command line? I tried searching the web but couldn't find anything related to my issue. I want to drop these packets in iptables using their hex.
ph3ro
1 vote, 2 answers
Search for a string in packet bytes of a pcap file using tshark
I am able to search for a string in the packet bytes of a pcap capture using Wireshark. Is similar functionality available in tshark?
I already have the pcap files. But I need to go through them quickly to find the matching strings in the…
Saqib Ali
1 vote, 1 answer
Wireshark / tshark print MAC address list of BLE Advertising Report
I have started sudo hcitool lescan --passive --duplicate
and sudo tcpdump -i bluetooth0 -w cap.pcap
Now, viewing this in Wireshark, I get a lot of LE Advertising Reports.
However, in the columns I can't select MAC address, and also in the statistics menu…
Hannes
1 vote, 1 answer
Ignore outbound conversations in Wireshark/tcpdump
I'm collecting pcap data on servers, and I'd like to only collect packets corresponding to inbound connections. Note that I am not looking to filter to inbound packets, but remove both outbound and inbound packets that correspond to conversations…
Eric Pauley
1 vote, 1 answer
tshark - identify network traffic based on ssh user
I am using tshark to capture network traffic on an Ubuntu system.
I would like to know if there is a way to modify network traffic using iptables or some other method to add additional fields or metadata based on the ssh user generating the data…
Onitsoga
1 vote, 2 answers
tshark -ek creates duplicate keys that elasticsearch 6.0 does not accept
I am trying to load a pcap file into Elasticsearch. So I first convert the pcap file to JSON like this:
tshark -T ek -j "http tcp ip" -x -r file.pcap > file.json
Then I want to upload it to Elasticsearch like this:
curl -H "Content-Type:…
frank
0 votes, 1 answer
Missing timestamp with tshark -O
When I tell tshark to decode a specific protocol, it omits the timestamp of the packets.
For example, this line decodes all SSH packets in detail, but it won't show the timestamp when each packet was received:
tshark -O ssh
I tried with the option…
LatinSuD
0 votes, 1 answer
Use tshark and return binary of packet in the STDOUT
As part of a project, I need to retrieve network packets on a network interface using -i.
tshark -i eth0
I need to retrieve the binary format of the packets; however, if possible, I would like not to save it to a pcap file using -w.
tshark -i eth0 -w…
Youen lb
0 votes, 1 answer
Tshark cannot be initiated under WSL (Windows Subsystem for Linux) ((socket: Address family not supported by protocol))
I'm attending a computer network course.
For learning purposes I'd like to run tshark in my WSL Debian under Windows.
I successfully installed it using: sudo apt-get install tshark
My Version using tshark -v --> TShark (Wireshark) 3.4.10 (Git v3.4.10…
0 votes, 1 answer
Wireshark - exports what it recognises as a jpeg but the jpeg doesn't open
I have a JPEG GET request in my PCAP as below, but when I export it, it's not a valid JPEG file.
Any advice as to what I'm doing wrong?
pee2pee