Tshark

Tshark Basic Commands

tbd

Ringbuffer

Capture Files, Rotate every 10MB, keep last 25 files

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25

Ringbuffer with Autostop -> Time

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 1h

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a duration:3600

Ringbuffer with Autostop -> Packets

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 100000 Packets

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a packets:100000

Capture 128 Byte (Header)

Don't capture the full frames if we just need header information (-s sets the snapshot length in bytes)

doas tshark -n -i em0 -w sniff -s 128

Extract Data

Extract data from a certain timeframe

editcap -A "2021-05-01 11:00:00" -B "2021-05-01 12:00:00" big_capture.pcap onehour.pcap
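Added example (not part of the original notes): with the ring buffer commands above, the hour of interest is usually spread over several files. tshark names them sniff_NNNNN_YYYYMMDDHHMMSS, the timestamp being when the file was opened, so the helper below picks the files that overlap a time window before editcap cuts it exactly. The function name and the sample file names are constructed for illustration; timestamps are assumed to be the capture host's local time.

```shell
#!/bin/sh
# ring_files_for_window START END FILE...
#   START/END are YYYYMMDDHHMMSS. FILEs must be in sequence order, which
#   the glob sniff_* gives because the sequence number is zero-padded.
#   A file holds packets from its own timestamp up to the timestamp of
#   the next file; the newest file is treated as open-ended.
ring_files_for_window() {
    start=$1; end=$2; shift 2
    prev=""; prev_ts=""
    for f in "$@"; do
        ts=${f##*_}        # text after the last underscore
        ts=${ts%%.*}       # drop an extension such as .pcapng, if present
        case $ts in
            ""|*[!0-9]*) continue ;;   # not a ring buffer file name
        esac
        [ ${#ts} -eq 14 ] || continue
        # The previous file covers [prev_ts, ts); print it on overlap.
        if [ -n "$prev" ] && [ "$prev_ts" -le "$end" ] && [ "$ts" -gt "$start" ]; then
            printf '%s\n' "$prev"
        fi
        prev=$f; prev_ts=$ts
    done
    # Newest file: no successor, so only its start time can be checked.
    if [ -n "$prev" ] && [ "$prev_ts" -le "$end" ]; then
        printf '%s\n' "$prev"
    fi
}

# Demo with constructed file names (no capture files are needed to run it).
ring_files_for_window 20210501110000 20210501120000 \
    sniff_00001_20210501103000 sniff_00002_20210501105500 \
    sniff_00003_20210501113000 sniff_00004_20210501121500

# On real captures, merge the selected files and then cut the exact window:
#   mergecap -w merged.pcapng $(ring_files_for_window 20210501110000 20210501120000 sniff_*)
#   editcap -A "2021-05-01 11:00:00" -B "2021-05-01 12:00:00" merged.pcapng onehour.pcap
```

The file opened at 10:55 is selected as well, because it was still being written when the window started at 11:00.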

Convert pcapng to pcap

editcap -F pcap sniff.pcap sniff2.pcap

Split by 1000 Packets

mkdir -p tmp && editcap -c 1000 -F pcap sniff1.pcap tmp/sniff2.pcap

Convert and get 100 Packets

editcap -F pcap -r sniff1.pcap sniff3.pcap 1-100

pcapkit-cli

Generate JSON output from a capture: https://pypi.org/project/pypcapkit/

pcapkit-cli sniff3.pcap -j