diff options
author | Johannes Stoelp <johannes.stoelp@gmail.com> | 2024-01-09 22:30:30 +0100 |
---|---|---|
committer | Johannes Stoelp <johannes.stoelp@gmail.com> | 2024-01-09 22:30:30 +0100 |
commit | 9679f071a80dddfa3dc33b084826ff8a16725ba4 (patch) | |
tree | cf1018919f7a7f1e1fb8f7d78cab9495563e49e0 | |
parent | ed7a928403a2bb5a83a159cfe55da733d7f16cda (diff) | |
download | notes-9679f071a80dddfa3dc33b084826ff8a16725ba4.tar.gz notes-9679f071a80dddfa3dc33b084826ff8a16725ba4.zip |
tshark: add simple capture + filter example
-rw-r--r-- | src/SUMMARY.md | 1 | ||||
-rw-r--r-- | src/network/README.md | 1 | ||||
-rw-r--r-- | src/network/tshark.md | 40 |
3 files changed, 42 insertions, 0 deletions
diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e77c09e..a6e1a07 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -66,6 +66,7 @@ - [Network](./network/README.md) - [tcpdump](./network/tcpdump.md) + - [tshark](./network/tshark.md) - [firewall-cmd](./network/firewall-cmd.md) - [nftables](./network/nftables.md) diff --git a/src/network/README.md b/src/network/README.md index 3f1af28..a42da17 100644 --- a/src/network/README.md +++ b/src/network/README.md @@ -1,5 +1,6 @@ # Network - [tcpdump](./tcpdump.md) +- [tshark](./tshark.md) - [firewall-cmd](./firewall-cmd.md) - [nftables](./nftables.md) diff --git a/src/network/tshark.md b/src/network/tshark.md new file mode 100644 index 0000000..a4a666a --- /dev/null +++ b/src/network/tshark.md @@ -0,0 +1,40 @@ +# tshark (1) + +```text +tshark [opts] -i <if> + --color Colorize output. + -w <file|-> Write pcap trace to file or stdout (-). + -r <file> Read & parse pcap file. + -f <filter> Apply capture filter (see pcap-filter(7) or tcpdump). + Only applicable during capturing. + -Y <filter> Apply display filter. + Only applicable during viewing capture. + -c <count> Stop capturing after COUNT packets (INF by default). +``` + +Some useful display filters. +```text +ip.addr != 192.168.1.0/24 Filter out whole ip subnet (source + destination). +ip.dst == 192.168.1.42 Filter for destination ip address. +tcp.dstport == 80 Filter for tcp destinatio port. +!wg Filter out all wireguard traffic. + +tcp/udp/ssh/wg/... Filter for protocol. + +"and/or/not/!" and "()" can be used to build filter expressions. +``` +> Use `tshak -G` to list all fields that can be used in display filters. + +# Examples + +## Capture and filter packet to file +```bash +# Capture TCP traffic with port 80 on interface eth0 to file. +sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap + +# View captured packets. +sudo tshark -r tx.pcap + +# View captured packets and apply additionaly display filters. +sudo tshark -r tx.pcap -Y 'ip.addr != 192.168.1.42' +``` |