aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/network
diff options
context:
space:
mode:
Diffstat (limited to 'src/network')
-rw-r--r--src/network/README.md1
-rw-r--r--src/network/tshark.md40
2 files changed, 41 insertions, 0 deletions
diff --git a/src/network/README.md b/src/network/README.md
index 3f1af28..a42da17 100644
--- a/src/network/README.md
+++ b/src/network/README.md
@@ -1,5 +1,6 @@
# Network
- [tcpdump](./tcpdump.md)
+- [tshark](./tshark.md)
- [firewall-cmd](./firewall-cmd.md)
- [nftables](./nftables.md)
diff --git a/src/network/tshark.md b/src/network/tshark.md
new file mode 100644
index 0000000..a4a666a
--- /dev/null
+++ b/src/network/tshark.md
@@ -0,0 +1,40 @@
+# tshark (1)
+
+```text
+tshark [opts] -i <if>
+ --color Colorize output.
+ -w <file|-> Write pcap trace to file or stdout (-).
+ -r <file> Read & parse pcap file.
+ -f <filter> Apply capture filter (see pcap-filter(7) or tcpdump).
+ Only applicable during capturing.
+ -Y <filter> Apply display filter.
+ Only applicable during viewing capture.
+ -c <count> Stop capturing after COUNT packets (INF by default).
+```
+
+Some useful display filters.
+```text
+ip.addr != 192.168.1.0/24 Filter out whole ip subnet (source + destination).
+ip.dst == 192.168.1.42 Filter for destination ip address.
+tcp.dstport == 80 Filter for tcp destinatio port.
+!wg Filter out all wireguard traffic.
+
+tcp/udp/ssh/wg/... Filter for protocol.
+
+"and/or/not/!" and "()" can be used to build filter expressions.
+```
+> Use `tshak -G` to list all fields that can be used in display filters.
+
+# Examples
+
+## Capture and filter packet to file
+```bash
+# Capture TCP traffic with port 80 on interface eth0 to file.
+sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap
+
+# View captured packets.
+sudo tshark -r tx.pcap
+
+# View captured packets and apply additionaly display filters.
+sudo tshark -r tx.pcap -Y 'ip.addr != 192.168.1.42'
+```