Contents:

1. What is the tshark command
2. Preferences
3. Execute
4. How to filter pcap files
5. Options
6. Reference
tshark lets you run Wireshark from the command line. Because it is a CLI tool, anyone comfortable at the terminal can handle pcap data easily: parallel processing, shell scripts, cron jobs, grep, and so on.

In this article I try it on macOS. First, make tshark available on your Mac; this can be done from either the GUI or the CLI.
**When installing from the GUI (web download)**

You can install it from the following page: https://www.wireshark.org/download.html

**When installing from the CLI (terminal)**

Installation:

```
brew install wireshark
```
Let's try it right away. This time we will look at a capture file called test.pcap.

Run:

```
tshark -r test.pcap
```

You should now be able to see the contents of the capture. The order of the data and the displayed items are the defaults here, but you can specify which fields to show and in what order. Note that tshark shares Wireshark's preferences: if you change the displayed columns in the Wireshark GUI, that change is also reflected in tshark's output.
This time, let's filter with the following conditions and run it again.

**Conditions** (the same filters you can use in the normal Wireshark GUI)

- Focus on SMB2 protocol communication: `smb2.tree && tcp.dstport==445`
- Drop extra traffic where the file name or account name is missing: `smb2.filename != "" && smb2.acct != ""`

**Display** (field names are written the same way as column fields in the normal Wireshark GUI)

- Account name: `smb2.acct`
- Folder path (shared path): `smb2.tree`
- Name of the file being operated on: `smb2.filename`
- Name of the accessing host: `smb2.host`

Run:

```
tshark -r test.pcap -T fields -e smb2.acct -e smb2.tree -e smb2.filename -e smb2.host -Y 'smb2.tree && tcp.dstport==445 && smb2.filename != "" && smb2.acct != ""'
```
Of course, it is also possible to turn the output into data that is easy to handle with pipes and redirects, as shown below.

Reference:

```
tshark -r test.pcap <options> | grep -i test
tshark -r test.pcap <options> > test.csv
```
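The field output of the command above, once piped or redirected, can be post-processed in a small script. The following is an added example in Python (not code from the original post): it reads the tab-separated output of `tshark -T fields -e smb2.acct -e smb2.tree -e smb2.filename -e smb2.host ...` and lists which share paths and files each account touched from each host. The sample output lines are constructed, and tshark's default `-E` settings (tab separator, comma aggregator for a field that occurs several times in one packet) are assumed.

```python
#!/usr/bin/env python3
"""Summarise `tshark -T fields -e smb2.acct -e smb2.tree -e smb2.filename -e smb2.host`
output: one packet per line, fields tab-separated, repeated fields joined with ","
(tshark's default -E settings). Assumed format; input is fed on stdin."""
from collections import defaultdict

# Constructed sample output (not captured from a real pcap). The third line shows
# two smb2.filename occurrences in one packet joined by the default "," aggregator.
SAMPLE_OUTPUT = (
    "alice\t\\\\FILESRV\\Finance\treports\\q1.xlsx\tWS-ALICE\n"
    "bob\t\\\\FILESRV\\Finance\treports\\q1.xlsx\tWS-BOB\n"
    "alice\t\\\\FILESRV\\Public\tnotes.txt,todo.txt\tWS-ALICE\n"
    "bob\t\\\\FILESRV\\IT$\tscripts\\deploy.ps1\tWS-BOB\n"
)

FIELDS = ("smb2.acct", "smb2.tree", "smb2.filename", "smb2.host")


def parse_fields_output(text, separator="\t", aggregator=","):
    """Turn `-T fields` output into dicts; one dict per (packet, filename) pair."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(FIELDS[0]):  # blank or `-E header=y` row
            continue
        values = line.split(separator)
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
        acct, tree, filenames, host = values
        for filename in filenames.split(aggregator):  # split aggregated occurrences
            records.append({"acct": acct, "tree": tree, "filename": filename, "host": host})
    return records


def files_per_account(records):
    """Map (account, host) -> sorted list of share\\file paths touched, for review."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["acct"], r["host"])].add(r["tree"] + "\\" + r["filename"])
    return {key: sorted(paths) for key, paths in seen.items()}


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for (acct, host), paths in sorted(files_per_account(parse_fields_output(data)).items()):
        print(f"{acct}@{host}:")
        for p in paths:
            print("   ", p)
```

Pipe real output in with `tshark -r test.pcap -T fields ... | python3 smb2_summary.py`; run without stdin input it processes the constructed sample.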
| Option | Description |
|---|---|
| `-i <interface>` | Interface to capture on |
| `-f <capture filter>` | Capture filter in libpcap (BPF) syntax |
| `-s <snaplen>` | Snapshot length (default: 65535) |
| `-p` | Do not use promiscuous mode |
| `-y <link type>` | Link-layer type (default: first appropriate) |
| `-D` | List interfaces |
| `-L` | List the link-layer types of the interface |
| `-c <packet count>` | Stop after the specified number of packets (default: infinite) |
| `-a <autostop cond.>` | `duration:NUM` stop after NUM seconds; `filesize:NUM` stop when the saved file reaches NUM KB; `files:NUM` stop when NUM files have been saved |
| `-b <ringbuffer opt.>` | `duration:NUM` switch to the next file after NUM seconds; `filesize:NUM` switch to the next file when it reaches NUM KB; `files:NUM` start replacing files once NUM files have been saved |
| `-r <infile>` | Read packets from a file |
| `-R <read filter>` | Specify a Wireshark display filter as a read filter |
| `-n` | Disable all name resolution (default: enabled) |
| `-N <name resolve flags>` | Enable specific kinds of name resolution |
| `-d <layer_type>==<selector>,<decode_as_protocol>` | Decode a specific port as a specific protocol, e.g. `tcp.port==8888,http` ("TCP port 8888 is HTTP") |
| `-C <config profile>` | Use the specified configuration profile |
| `-F <output file type>` | Output file type |
| `-V` | Add the packet tree (details) to the output |
| `-S` | Show packets even when `-w` is specified |
| `-x` | Add a hex and ASCII dump to the output |
| `-e <field>` | Field to output (used with `-T fields`) |