Hey guys, I'm not new to tshark, but I'm trying to make my life quite a bit easier with command lines and I'm having quite a bit of difficulty. I can convert .pcap's to .txt's just fine, but the summary information isn't enough. What I was hoping to get is the [SEQ/ACK Analysis] that is located in the TCP files and the [Domain Name System Query] information in the DNS files. Is it possible to convert a pcap to a txt file and retain this information? Thanks guys, Z
The more I dig into tshark, the more I realize how little I know. I am providing the following examples to help people that come across this who are at the same skill level that I was when I first asked this. The man page is great once you have a handle on things, but impossible to read until then.
Basics:
More Complicated:
For reference on syntax, please refer to the "Man Page": http://www.wireshark.org/docs/man-pages/tshark.html
For reference on all possible field options "-e": http://www.wireshark.org/docs/dfref/
For reference on possible filters -Y or -R: the easiest way I have found is to just go into Wireshark and create the filter string as needed.
I hope this is as useful to you as it was to me once I finally figured it out. Enjoy : )
Does
If not, feel free to experiment with the various tshark options, such as
Can you give me a couple of commands of each one? I'm still trying to get the hang of the syntax. Say my pcap file is C:\this.pcap, what would a few commands be to start playing with the fields? This website http://www.wireshark.org/docs/man-pages/tshark.html seems only useful to someone that has the basics of the cmd line down already.
(24 Oct '13, 15:16)
Nefarii
The man page provides an example:
Here's another one for some TCP-related stuff you might be interested in:
(24 Oct '13, 15:37)
cmaynard ♦♦
How do you use the -V option?
(25 Oct '13, 09:18)
Nefarii
It's that simple. But I doubt it's what you're after.
(25 Oct '13, 09:27)
cmaynard ♦♦
lol sorry, I should have been more specific: how do you use the -V option while outputting a file? Right now the best I can gather is tshark -i - < C:\this.pcap > -V C:\this.txt or tshark -r C:\this.pcap -V -w C:\this.txt, neither of which seems to work.
(25 Oct '13, 09:59)
Nefarii
The file specified with the
If you're on Windows, then
(25 Oct '13, 10:15)
cmaynard ♦♦
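As an added example that is not code from this thread or from the Wireshark project, the Python script below builds the two kinds of tshark command lines discussed above (the `-r` / `-Y` / `-T fields` / `-e` form from the self-answer, and the `-V` form asked about in the comments) and parses the tab-separated `-T fields` output to pull out the SEQ/ACK analysis and DNS query fields the question asked for. The pcap path, the two sample output blocks and the choice of fields are constructed assumptions; the field names themselves are real tshark fields from the display filter reference. `run_fields` needs tshark on the PATH, the rest runs offline.

```python
"""Build tshark field-extraction command lines and parse their output (added example)."""
import csv
import io
import subprocess
from collections import Counter
from typing import Dict, List

# Real tshark field names (see http://www.wireshark.org/docs/dfref/).
# tcp.analysis.* are the "[SEQ/ACK analysis]" values shown in the Wireshark detail pane.
TCP_FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport",
              "tcp.seq", "tcp.ack", "tcp.analysis.retransmission", "tcp.analysis.ack_rtt"]
# dns.qry.* are the "[Domain Name System (query)]" values.
DNS_FIELDS = ["frame.number", "ip.src", "ip.dst", "dns.id", "dns.qry.name", "dns.qry.type"]


def tshark_fields_cmd(pcap: str, display_filter: str, fields: List[str]) -> List[str]:
    """argv for: tshark -r <pcap> -Y <filter> -T fields -e f1 -e f2 ... with a header row.

    -E separator=/t is tshark's spelling for a tab separator; occurrence=f keeps only the
    first value when a field appears several times in one packet.
    """
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t", "-E", "quote=n", "-E", "occurrence=f"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def tshark_verbose_cmd(pcap: str, display_filter: str = "") -> List[str]:
    """argv for the full packet-detail dump (tshark -r <pcap> -V [-Y <filter>]).

    -V writes text to stdout, so capture it with a shell redirect (> out.txt) or with
    subprocess as below; -w writes a capture file (pcap), not text.
    """
    cmd = ["tshark", "-r", pcap, "-V"]
    if display_filter:
        cmd += ["-Y", display_filter]
    return cmd


def parse_fields_output(text: str) -> List[Dict[str, str]]:
    """Turn tab-separated tshark output (first row = field names) into one dict per packet."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def run_fields(pcap: str, display_filter: str, fields: List[str]) -> List[Dict[str, str]]:
    """Run tshark (must be on PATH) and parse what it prints."""
    proc = subprocess.run(tshark_fields_cmd(pcap, display_filter, fields),
                          check=True, capture_output=True, text=True)
    return parse_fields_output(proc.stdout)


def tcp_retransmissions(rows: List[Dict[str, str]]) -> List[str]:
    """Frame numbers flagged as retransmissions. The field is a flag-type field, so the exact
    text tshark prints when it is set varies by version; only test for presence."""
    return [r["frame.number"] for r in rows if r.get("tcp.analysis.retransmission", "")]


def ack_rtts(rows: List[Dict[str, str]]) -> Dict[str, float]:
    """frame.number -> ACK RTT in seconds, for packets where tshark computed one."""
    return {r["frame.number"]: float(r["tcp.analysis.ack_rtt"])
            for r in rows if r.get("tcp.analysis.ack_rtt", "")}


def dns_query_counts(rows: List[Dict[str, str]]) -> Counter:
    """How often each name was queried (use filter 'dns.flags.response == 0' to get queries)."""
    return Counter(r["dns.qry.name"] for r in rows if r.get("dns.qry.name", ""))


# Constructed sample output, in the shape tshark prints with the options above.
TCP_SAMPLE = (
    "\t".join(TCP_FIELDS) + "\n"
    "1\t10.0.0.5\t93.184.216.34\t51234\t80\t0\t0\t\t\n"
    "2\t93.184.216.34\t10.0.0.5\t80\t51234\t0\t1\t\t0.021000000\n"
    "3\t10.0.0.5\t93.184.216.34\t51234\t80\t1\t1\t\t\n"
    "4\t10.0.0.5\t93.184.216.34\t51234\t80\t1\t1\ttcp.analysis.retransmission\t\n"
)
DNS_SAMPLE = (
    "\t".join(DNS_FIELDS) + "\n"
    "5\t10.0.0.5\t10.0.0.1\t0x1a2b\texample.com\t1\n"
    "7\t10.0.0.5\t10.0.0.1\t0x1a2c\texample.com\t28\n"
    "9\t10.0.0.5\t10.0.0.1\t0x1a2d\tupdates.example.net\t1\n"
)

if __name__ == "__main__":
    pcap = "C:\\this.pcap"  # assumed path from the question
    print(" ".join(tshark_fields_cmd(pcap, "tcp", TCP_FIELDS)))
    print(" ".join(tshark_fields_cmd(pcap, "dns.flags.response == 0", DNS_FIELDS)))
    print(" ".join(tshark_verbose_cmd(pcap, "tcp.analysis.flags")))
    tcp_rows = parse_fields_output(TCP_SAMPLE)
    print("retransmitted frames:", tcp_retransmissions(tcp_rows))
    print("ack rtt by frame:", ack_rtts(tcp_rows))
    print("dns queries:", dns_query_counts(parse_fields_output(DNS_SAMPLE)))
```

To get the same information as a plain text file, pipe the command's output to a file (`tshark -r C:\this.pcap -V > C:\this.txt`); the `-T fields` form gives one line per packet, which is far easier to post-process than the `-V` dump.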