TShark Cli question

Question

I am looking over a CTF writeup and I have a problem in reproducing a single command:

tshark -r challenge.pcapng usb.bDescriptorType and usb.urb_type==67 -T fields -e usb.bus_id -e usb.device_address -e usb.idVendor -e usb.idProduct

Is it correct, or how should I use the -T parameter?

What do you want to outcome to be? – schroeder May 08 '16 at 23:09 — schroeder, May 08 '16 at 23:09

score 1 · Accepted Answer · answered May 09 '16 at 06:56

Is it correct?

No.

usb.bDescriptorType and usb.urb_type==67 is a display/read filter, so you have to use a -Y flag with it, and put it in quotes:

tshark -r challenge.pcapng -Y "usb.bDescriptorType and usb.urb_type==67" -T fields -e usb.bus_id -e usb.device_address -e usb.idVendor -e usb.idProduct

TShark Cli question

1 Answers1