From 9679f071a80dddfa3dc33b084826ff8a16725ba4 Mon Sep 17 00:00:00 2001 From: Johannes Stoelp Date: Tue, 9 Jan 2024 22:30:30 +0100 Subject: tshark: add simple capture + filter example --- src/SUMMARY.md | 1 + src/network/README.md | 1 + src/network/tshark.md | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 src/network/tshark.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e77c09e..a6e1a07 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -66,6 +66,7 @@ - [Network](./network/README.md) - [tcpdump](./network/tcpdump.md) + - [tshark](./network/tshark.md) - [firewall-cmd](./network/firewall-cmd.md) - [nftables](./network/nftables.md) diff --git a/src/network/README.md b/src/network/README.md index 3f1af28..a42da17 100644 --- a/src/network/README.md +++ b/src/network/README.md @@ -1,5 +1,6 @@ # Network - [tcpdump](./tcpdump.md) +- [tshark](./tshark.md) - [firewall-cmd](./firewall-cmd.md) - [nftables](./nftables.md) diff --git a/src/network/tshark.md b/src/network/tshark.md new file mode 100644 index 0000000..a4a666a --- /dev/null +++ b/src/network/tshark.md 
@@ -0,0 +1,40 @@ +# tshark (1) + +```text +tshark [opts] -i + --color Colorize output. + -w Write pcap trace to file or stdout (-). + -r Read & parse pcap file. + -f Apply capture filter (see pcap-filter(7) or tcpdump). + Only applicable during capturing. + -Y Apply display filter. + Only applicable during viewing capture. + -c Stop capturing after COUNT packets (INF by default). +``` + +Some useful display filters. +```text +ip.addr != 192.168.1.0/24 Filter out whole ip subnet (source + destination). +ip.dst == 192.168.1.42 Filter for destination ip address. +tcp.dstport == 80 Filter for tcp destinatio port. +!wg Filter out all wireguard traffic. + +tcp/udp/ssh/wg/... Filter for protocol. + +"and/or/not/!" and "()" can be used to build filter expressions. +``` +> Use `tshak -G` to list all fields that can be used in display filters. + +# Examples + +## Capture and filter packet to file +```bash +# Capture TCP traffic with port 80 on interface eth0 to file. +sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap + +# View captured packets. +sudo tshark -r tx.pcap + +# View captured packets and apply additionaly display filters. +sudo tshark -r tx.pcap -Y 'ip.addr != 192.168.1.42' +``` -- cgit v1.2.3
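Review bot: The capture example in the new tshark.md has a typo in the interface name that makes the command fail as written: `sudo tshark -i eht0 -f 'tcp and port 80' -w tx.pcap` should read `-i eth0` to match its own comment ("on interface eth0"). Three more typos in the same hunk: the blockquote says `tshak -G` (should be `tshark -G`), the `tcp.dstport` line says "destinatio port", and the last example comment says "additionaly". On the examples themselves, only the capture step needs elevated privileges; `-r tx.pcap` is pure file parsing and should be shown without `sudo`, which also avoids running the dissectors on untrusted packet data as root. It would be worth a one-line note that the recommended setup is to grant capture rights to dumpcap (the wireshark group / capabilities) rather than invoking `sudo tshark`, since that is the privilege separation the Wireshark project designed for; with `sudo`, `-w tx.pcap` also leaves the trace owned by root.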