Tshark works like tcpdump, ngrep and others, but because it provides the protocol decoding features of Wireshark you will be much more comfortable reading its output: it makes network analysis on the terminal more human. Tshark is a terminal application capable of doing virtually anything you do with Wireshark, with no need for clicks or screens. This makes it great when you need to do some scripting, such as cron-scheduled captures, or sending the data to sed, awk, perl, mail, a database and so on. Tshark is also a great fit for remote packet capture on devices such as gateways: you just need to log in over SSH and use it as you would on localhost.

For our first run of Tshark, try calling it with no parameters; this starts capturing packets on the default network interface.

There may be more than one interface on your machine, and you may need to specify which one you want to use. To get a list of available interfaces, use the -D option:

```
tshark -D
```

Once you find out which interface to use, call Tshark with the -i option and an interface name or number as reported by -D.

Now that you can capture packets from the network, you may want to save them for later inspection; this is done with the -w option. To analyze the packets from the previously saved traffic.pcap file, use the -r option, which reads packets from the file instead of a network interface:

```
tshark -r /tmp/traffic.pcap
```

By default name resolution is performed; you may use -n to disable it, which gives better performance in some cases. Note also that you don't need superuser rights to read from files.
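To tie the capture (-i, -w), read-back (-r, -n) and scripting points together, here is an added example of a cron-friendly capture-and-summarise script; it is not code from the original post. It assumes the -a duration:N autostop option and the -T fields / -e output of tshark, and the interface name, duration and directory are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): a cron-friendly wrapper around
# tshark. Interface, duration and output directory are placeholders.
set -eu

# Capture for a fixed time into a timestamped file. -a duration:N makes tshark
# stop by itself, so a scheduled job cannot hang on a busy interface.
capture_window() {
    iface=$1 seconds=$2 outdir=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    tshark -i "$iface" -a "duration:$seconds" -w "$outdir/cap-$stamp.pcap" >/dev/null 2>&1
    printf '%s\n' "$outdir/cap-$stamp.pcap"
}

# Read a saved file back (-r), skipping name resolution (-n) so the summary does
# not wait on DNS, and emit one tab-separated "src dst" pair per frame.
dump_pairs() {
    tshark -n -r "$1" -T fields -e ip.src -e ip.dst
}

# Count src -> dst pairs from stdin (the -T fields output), busiest first.
# Frames without an IP layer arrive as two empty fields and are dropped.
summarize_pairs() {
    awk -F'\t' 'NF == 2 && $1 != "" && $2 != "" { n[$1 " -> " $2]++ }
                END { for (k in n) printf "%d %s\n", n[k], k }' |
        sort -rn
}

# Return only the busiest pair, handy for a one-line mail or log entry.
top_talker() {
    summarize_pairs | head -n 1
}

# Run a live capture only when asked, so the helpers above can be sourced and
# tested without tshark installed and without capture privileges.
if [ "${TSHARK_DEMO_RUN:-0}" = 1 ]; then
    f=$(capture_window "${CAPTURE_IFACE:-eth0}" 60 "${CAPTURE_DIR:-/tmp}")
    dump_pairs "$f" | summarize_pairs
fi
```

Schedule it with cron and TSHARK_DEMO_RUN=1 set; the summary can be piped on to mail or appended to a log.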