author Johannes Stoelp <johannes.stoelp@gmail.com> 2024-01-09 22:30:30 +0100
committer Johannes Stoelp <johannes.stoelp@gmail.com> 2024-01-09 22:30:30 +0100
commit 9679f071a80dddfa3dc33b084826ff8a16725ba4 (patch)
tree cf1018919f7a7f1e1fb8f7d78cab9495563e49e0
parent ed7a928403a2bb5a83a159cfe55da733d7f16cda (diff)
tshark: add simple capture + filter example
-rw-r--r-- src/SUMMARY.md | 1
-rw-r--r-- src/network/README.md | 1
-rw-r--r-- src/network/tshark.md | 40
3 files changed, 42 insertions, 0 deletions
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index e77c09e..a6e1a07 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -66,6 +66,7 @@
- [Network](./network/README.md)
- [tcpdump](./network/tcpdump.md)
+ - [tshark](./network/tshark.md)
- [firewall-cmd](./network/firewall-cmd.md)
- [nftables](./network/nftables.md)
diff --git a/src/network/README.md b/src/network/README.md
index 3f1af28..a42da17 100644
--- a/src/network/README.md
+++ b/src/network/README.md
@@ -1,5 +1,6 @@
# Network
- [tcpdump](./tcpdump.md)
+- [tshark](./tshark.md)
- [firewall-cmd](./firewall-cmd.md)
- [nftables](./nftables.md)
diff --git a/src/network/tshark.md b/src/network/tshark.md
new file mode 100644
index 0000000..a4a666a
--- /dev/null
+++ b/src/network/tshark.md
@@ -0,0 +1,40 @@
+# tshark (1)
+
+```text
+tshark [opts] -i <if>
+ --color Colorize output.
+ -w <file|-> Write pcap trace to file or stdout (-).
+ -r <file> Read & parse pcap file.
+ -f <filter> Apply capture filter (see pcap-filter(7) or tcpdump).
+ Only applicable during capturing.
+ -Y <filter> Apply display filter.
+ Only applicable during viewing capture.
+ -c <count> Stop capturing after COUNT packets (INF by default).
+```
+
+Some useful display filters.
+```text
+ip.addr != 192.168.1.0/24 Filter out whole ip subnet (source + destination).
+ip.dst == 192.168.1.42 Filter for destination ip address.
+tcp.dstport == 80 Filter for tcp destinatio port.
+!wg Filter out all wireguard traffic.
+
+tcp/udp/ssh/wg/... Filter for protocol.
+
+"and/or/not/!" and "()" can be used to build filter expressions.
+```
+> Use `tshak -G` to list all fields that can be used in display filters.
+
+# Examples
+
+## Capture and filter packet to file
+```bash
+# Capture TCP traffic with port 80 on interface eth0 to file.
+sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap
+
+# View captured packets.
+sudo tshark -r tx.pcap
+
+# View captured packets and apply additionaly display filters.
+sudo tshark -r tx.pcap -Y 'ip.addr != 192.168.1.42'
+```
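Review bot: the `ip.addr != 192.168.1.0/24` entry in the display-filter list and the closing example `-Y 'ip.addr != 192.168.1.42'` do not exclude traffic to or from that host or subnet on tshark builds before Wireshark 4.0, where `!=` means "any field differs": `ip.addr` matches both `ip.src` and `ip.dst`, so a packet that carries the address in only one of the two fields still passes the filter. The unambiguous form is `!(ip.addr == 192.168.1.0/24)`, which behaves the same on every version; suggest using it in both places. Also fix the typos `tshak -G` (should be `tshark -G`, otherwise the tip fails when copied), `-i eht0` (the comment above it says eth0), `destinatio` and `additionaly`. Lastly, `sudo tshark -r tx.pcap` runs the protocol dissectors as root to read a file that needs no privileges; drop `sudo` from the two `-r` invocations and keep elevated rights for the capture step only (better still via the `wireshark` group and the capabilities on dumpcap rather than sudo on tshark itself).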