Tshark

Tshark Basic Commands

tbd

Capture DNS on wg0 Interface, v4 & v6

tshark -nn -i wg0 -e ip.src -e ip6.src -e dns.qry.name -E separator=";" -T fields port 53
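The field export above prints one line per packet as "ip.src;ip6.src;dns.qry.name", with exactly one of the two address columns populated. The script below is an added example (not part of the original notes) that post-processes such output, using a constructed sample instead of a live capture, to count queries per client and to flag names with an unusually long first label, a cheap first check for DNS tunnelling.

```shell
#!/bin/sh
# Post-processes the output of:
#   tshark -nn -i wg0 -e ip.src -e ip6.src -e dns.qry.name -E separator=";" -T fields port 53
# Each line is "ip.src;ip6.src;dns.qry.name"; IPv4 packets leave the
# second column empty, IPv6 packets leave the first one empty.

# Constructed sample output (not from a real capture).
SAMPLE='10.10.0.2;;example.com
10.10.0.2;;example.com
;fd00::10;openbsd.org
10.10.0.3;;cdn.example.net
;fd00::10;openbsd.org
10.10.0.2;;example.com
10.10.0.2;;aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n.tunnel.example.org'

# Merge the two address columns and count queries per (client, name).
# Reads tshark field lines on stdin; prints "count client name", busiest first.
dns_query_counts() {
    awk -F';' 'NF >= 3 && $3 != "" {
        client = ($1 != "") ? $1 : $2
        key = client " " $3
        n[key]++
    }
    END { for (k in n) print n[k], k }' | sort -rn -k1,1
}

# Print each distinct query name whose first label exceeds a length
# threshold (default 30 characters); long, high-entropy labels are a
# common indicator of data being smuggled through DNS.
long_labels() {
    threshold=${1:-30}
    awk -F';' -v t="$threshold" 'NF >= 3 && $3 != "" {
        split($3, labels, ".")
        if (length(labels[1]) > t && !seen[$3]++) print $3
    }'
}

# Helpers that run the two checks against the embedded sample.
top_query() {
    printf '%s\n' "$SAMPLE" | dns_query_counts | head -n 1
}
suspicious_names() {
    printf '%s\n' "$SAMPLE" | long_labels 30
}

printf '%s\n' "$SAMPLE" | dns_query_counts
suspicious_names
```

On a live box, replace the sample with the tshark command itself, e.g. `tshark ... port 53 | dns_query_counts`.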

Ringbuffer

Capture Files, Rotate every 10MB, keep last 25 files

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25

Ringbuffer with Autostop -> Time

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 1h

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a duration:3600

Ringbuffer with Autostop -> Packets

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 100000 Packets

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a packets:100000

Capture 128 Byte (Header)

don't capture the full frames if we just need the header information (snapshot length 128 bytes)

doas tshark -n -i em0 -w sniff -s 128

Extract Data

extract data from a certain timeframe

editcap -A "2021-05-01 11:00:00" -B "2021-05-01 12:00:00" big_capture.pcap onehour.pcap

Convert pcapng to pcap

editcap -F pcap sniff.pcap sniff2.pcap

Split by 1000 Packets

mkdir tmp; editcap -c 1000 -F pcap sniff1.pcap tmp/sniff2.pcap

Convert and get 100 Packets

editcap -F pcap -r sniff1.pcap sniff3.pcap 1-100

pcap-cli

Generate JSON output from a capture with pypcapkit: https://pypi.org/project/pypcapkit/

pcapkit-cli sniff3.pcap -j

Capture ICMPv6 except Echo Request and Echo Reply

tshark -n -i em1 -Y "(icmpv6) && !(icmpv6.type == 128) && !(icmpv6.type == 129)"