Tshark
Tshark Basic Commands
tbd
Capture DNS on the wg0 interface, IPv4 and IPv6: one line per packet with the source address and the queried name, separated by ";"
tshark -n -i wg0 -e ip.src -e ip6.src -e dns.qry.name -E separator=";" -T fields port 53
"port 53" is a BPF capture filter, so responses match as well as queries; since responses repeat the query name, every lookup shows up twice unless you also add a display filter on dns.flags.response. -n disables all name resolution, which matters here: resolving addresses would generate DNS traffic of its own.
Ringbuffer
Capture to files, rotate every 10 MB (filesize: is given in kB), keep only the last 25 files; older ones are deleted, so disk usage stays bounded at roughly 250 MB
doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25
Files are named sniff_NNNNN_YYYYMMDDhhmmss and written as pcapng regardless of the name given to -w.
Ringbuffer with Autostop -> Time
Capture to files, rotate every 10 MB, keep the last 25 files, stop after 1 h (3600 s)
doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a duration:3600
Ringbuffer with Autostop -> Packets
Capture to files, rotate every 10 MB, keep the last 25 files, stop after 100000 packets
doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a packets:100000
Capture 128 Bytes (Headers only)
Don't store the full frames if only header information is needed: -s 128 sets the snapshot length, so only the first 128 bytes of each frame are written. That is enough for Ethernet, IPv4/IPv6 and TCP/UDP headers, but payload is cut off and dissectors will report "[Packet size limited during capture]"; pick a larger snaplen if you need application data such as DNS names or TLS handshakes.
doas tshark -n -i em0 -w sniff -s 128
Extract Data
Extract the packets of a certain timeframe: -A keeps packets whose timestamp is on or after the start time, -B those on or before the stop time. The times are interpreted as local time of the machine running editcap unless a zone is given, so check the capture host's timezone first.
editcap -A "2021-05-01 11:00:00" -B "2021-05-01 12:00:00" big_capture.pcap onehour.pcap
Convert pcapng to pcap (tshark writes pcapng by default, whatever the file extension says; tools that only read classic pcap need this step)
editcap -F pcap sniff.pcap sniff2.pcap
Options go before the input file; "editcap -F" without an argument lists the supported output formats.
Split into files of 1000 packets each (output files are named tmp/sniff2_NNNNN_<timestamp>.pcap)
mkdir tmp; editcap -c 1000 -F pcap sniff1.pcap tmp/sniff2.pcap
Convert and keep only the first 100 packets: by default the packet numbers given to editcap are deleted, -r reverses that and keeps the listed packets instead
editcap -F pcap -r sniff1.pcap sniff3.pcap 1-100
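The snaplen note above and the editcap commands (time window, packet range, split) all operate on the same two structures: the pcap global header and the per-packet record header with its caplen/wirelen pair. The following added example (not code from this page or from the Wireshark project) re-implements those operations on a constructed four-packet capture, so the effect of -s, -A/-B, -r and -c can be inspected offline. It assumes classic little-endian microsecond pcap (magic 0xa1b2c3d4), Ethernet link type, UTC timestamps, and synthetic frames built by make_sample_pcap(); none of those are from the original page.

```python
"""Minimal libpcap-format helpers (added example, not code from the original page or
from the Wireshark project). They reproduce, on the pcap structures themselves, what
`tshark -s`, `editcap -A/-B`, `editcap -r first-last` and `editcap -c N` do.

Assumptions (not from the page): classic little-endian microsecond pcap (magic
0xa1b2c3d4), link type Ethernet, times read as UTC, and the four synthetic packets
built by make_sample_pcap().
"""
import struct
from collections import namedtuple
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, tz, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen (stored), wirelen (original)
Rec = namedtuple("Rec", "num ts_us caplen wirelen data")  # num is 1-based, like editcap


def write_pcap(records, snaplen=262144):
    """records: (ts_us, frame[, wirelen]) tuples. Frames longer than snaplen are cut on
    disk but keep their original length in the record header: that is what `tshark -s` does."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for ts_us, frame, *rest in records:
        wirelen = rest[0] if rest else len(frame)
        data = frame[:snaplen]
        out += PKT_HDR.pack(ts_us // 1_000_000, ts_us % 1_000_000, len(data), wirelen) + data
    return bytes(out)


def read_pcap(blob):
    """Walk the records of a pcap blob (pcapng is rejected: convert with editcap -F pcap first)."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off, num = GLOBAL_HDR.size, 0
    while off + PKT_HDR.size <= len(blob):
        sec, usec, caplen, wirelen = PKT_HDR.unpack_from(blob, off)
        off += PKT_HDR.size
        num += 1
        yield Rec(num, sec * 1_000_000 + usec, caplen, wirelen, blob[off:off + caplen])
        off += caplen


def to_us(stamp):
    """'YYYY-MM-DD HH:MM:SS' -> microseconds since the epoch, read as UTC (assumption made
    here for reproducibility; editcap reads such strings as local time unless a zone is given)."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def select_time_window(blob, start, end):
    """Like `editcap -A start -B end`: records with start <= timestamp <= end."""
    lo, hi = to_us(start), to_us(end)
    return [r for r in read_pcap(blob) if lo <= r.ts_us <= hi]


def select_range(blob, first, last):
    """Like `editcap -r in out first-last`: keep only packet numbers first..last."""
    return [r for r in read_pcap(blob) if first <= r.num <= last]


def split_every(blob, n):
    """Like `editcap -c n`: re-serialise the capture as chunks of at most n records,
    carrying the original wirelen along so truncated records stay truncated, not shrunk."""
    recs = list(read_pcap(blob))
    return [write_pcap([(r.ts_us, r.data, r.wirelen) for r in recs[i:i + n]])
            for i in range(0, len(recs), n)]


def build_frame(payload):
    """Constructed Ethernet/IPv4/UDP frame with dummy addresses (42 header bytes + payload)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload


def make_sample_pcap(snaplen=262144):
    """Four constructed packets around 2021-05-01 11:00 UTC (the window used on the page)."""
    base = to_us("2021-05-01 11:00:00")
    return write_pcap([
        (base - 1_000_000, build_frame(b"A" * 20)),             # 10:59:59, before -A
        (base, build_frame(b"B" * 30)),                         # 11:00:00, on the boundary
        (base + 30 * 60 * 1_000_000, build_frame(b"C" * 300)),  # 11:30:00, 342 bytes on the wire
        (base + 3601 * 1_000_000, build_frame(b"D" * 40)),      # 12:00:01, after -B
    ], snaplen)


if __name__ == "__main__":
    for r in read_pcap(make_sample_pcap(snaplen=128)):
        print(f"#{r.num} caplen={r.caplen} wirelen={r.wirelen}")
    window = select_time_window(make_sample_pcap(), "2021-05-01 11:00:00", "2021-05-01 12:00:00")
    print("in window:", [r.num for r in window])
```

Running it shows the third packet stored with caplen 128 but wirelen 342, which is exactly the "[Packet size limited during capture]" situation a 128-byte snaplen produces, and only packets 2 and 3 falling inside the one-hour window.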
pcap-cli
Generate JSON output from a capture with pcapkit-cli from the pypcapkit package (https://pypi.org/project/pypcapkit/); tshark itself can emit JSON as well via -T json if no extra dependency is wanted
pcapkit-cli sniff3.pcap -j
Capture ICMPv6 except Echo Request (type 128) and Echo Reply (type 129)
tshark -n -i em1 -Y "(icmpv6) && !(icmpv6.type == 128) && !(icmpv6.type == 129)"
-Y is a display filter, evaluated after the packet has been captured; on a busy link a BPF capture filter (-f) is cheaper because unwanted traffic never leaves the kernel.