diff options
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/README.md | 1 | ||||
-rw-r--r-- | src/network/tshark.md | 40 |
2 files changed, 41 insertions, 0 deletions
diff --git a/src/network/README.md b/src/network/README.md index 3f1af28..a42da17 100644 --- a/src/network/README.md +++ b/src/network/README.md @@ -1,5 +1,6 @@ # Network - [tcpdump](./tcpdump.md) +- [tshark](./tshark.md) - [firewall-cmd](./firewall-cmd.md) - [nftables](./nftables.md) diff --git a/src/network/tshark.md b/src/network/tshark.md new file mode 100644 index 0000000..a4a666a --- /dev/null +++ b/src/network/tshark.md @@ -0,0 +1,40 @@ +# tshark (1) + +```text +tshark [opts] -i <if> + --color Colorize output. + -w <file|-> Write pcap trace to file or stdout (-). + -r <file> Read & parse pcap file. + -f <filter> Apply capture filter (see pcap-filter(7) or tcpdump). + Only applicable during capturing. + -Y <filter> Apply display filter. + Only applicable during viewing capture. + -c <count> Stop capturing after COUNT packets (INF by default). +``` + +Some useful display filters. +```text +ip.addr != 192.168.1.0/24 Filter out whole ip subnet (source + destination). +ip.dst == 192.168.1.42 Filter for destination ip address. +tcp.dstport == 80 Filter for tcp destinatio port. +!wg Filter out all wireguard traffic. + +tcp/udp/ssh/wg/... Filter for protocol. + +"and/or/not/!" and "()" can be used to build filter expressions. +``` +> Use `tshak -G` to list all fields that can be used in display filters. + +# Examples + +## Capture and filter packet to file +```bash +# Capture TCP traffic with port 80 on interface eth0 to file. +sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap + +# View captured packets. +sudo tshark -r tx.pcap + +# View captured packets and apply additionaly display filters. +sudo tshark -r tx.pcap -Y 'ip.addr != 192.168.1.42' +``` |