Questions tagged [tshark]

tshark is a terminal (console) based version of Wireshark, a network protocol analyzer for Unix and Windows.

63 questions
42 votes, 7 answers

Monitoring HTTP traffic using tcpdump

To monitor HTTP traffic between a server and a web server, I'm currently using tcpdump. This works fine, but I'd like to get rid of some superfluous data in the output (I know about tcpflow and wireshark, but they're not readily available in my…
otto.poellath
21 votes, 4 answers

Monitor number of bytes transferred to/from IP address on port

Can anyone recommend a Linux command line tool to monitor the number of bytes transferred between the local server and a specified IP address/port? The equivalent tcpdump command would be: tcpdump -s 0 -i any -w mycapture.trc port 80 host…
Mike
11 votes, 2 answers

How to send captured packets to a different destination?

I have some data packets captured using tcpdump in a pcap file. Now I want to send those packets to another destination. How can I achieve this?
Lakal Malimage
8 votes, 2 answers

Sniff SSL handshake using tshark

How do I get a dump of an SSL handshake in a human readable format using tshark? I need to provide this to a vendor for debugging a failed SSL handshake problem. This needs to be done in tshark, not Wireshark, as it's being done on a remote server…
goji
7 votes, 4 answers

Capturing multicast data with Wireshark with IGMP Snooping Enabled at the switch

I am trying to capture multicast traffic via Wireshark (actually TShark), however the switch has IGMP snooping enabled and will only send Multicast traffic on the ports that have an active IGMP subscription. I am currently getting around this by…
Chuu
5 votes, 1 answer

How to filter ANY DNS requests with tshark

Does anyone know how I might be able to filter DNS requests in tshark which ask for the ANY record? So far I am able to filter DNS queries with: tshark -r capture.cap -T fields -e ip.src -e ip.dst -e dns.qry.name -R "dns.flags.response eq 0" How…
user2284355
5 votes, 2 answers

Using wireshark/tshark in command line to ignore SSH connections

I'm trying to debug some by looking at the packets and I would like to avoid getting all the SSH traffic to the server. Is there a way to ignore it? I tried to do something like tshark -f "port !22" but it stopped listening after the command. [root@vpn…
Tiffany Walker
4 votes, 1 answer

How to print SSL packet details with tshark?

I collected a brief exchange between an SSL client and server (openssl's s_client and s_server, to be exact), and want to view the SSL portions of the pcap file with tshark. I don't need to decrypt the encrypted portions, but at least would like to…
vasilyrud
4 votes, 0 answers

RTP analysis - Discerning ptime (packetization time) for a given VoIP packet capture

I would like some help on the subject of an automated way of discerning the average packetization time (ptime) of a VoIP call's packet capture. The reason I am not depending on the value in the SDP is because some PBXs that I work with send their…
bomp
4 votes, 2 answers

Compressing the output of tshark when in multiple files mode

I'm running tshark to dump wireless traffic. I am currently running in multiple files mode, splitting output into 50MB chunks. Is there any way to also have these 50MB chunks compressed with something like gzip or lzma? I'm aware that in single file…
Daniel Murphy
4 votes, 1 answer

How to make tshark output a valid pcap file for other Mac GUI pcap viewers

sudo tshark -i en0 -x -w icmp_sample.pcap This command outputs a pcap file, but it doesn't seem to be valid, because CocoaPacket Analyzer can't open it. Any idea?
mko
4 votes, 1 answer

Script to find the address udp packets are being sent to?

Here is the scenario. I have an IP address 1.2.3.4 port 2000 sending UDP packets to one unknown IP. I would like to find the unknown IP so I can block it with iptables. Is there a way to do it with a script? Right now I am doing it manually by…
Bob
3 votes, 1 answer

How to dump VXLAN/VLAN ID in packet capture?

Is there any way to use tcpdump or any other Linux tool to know the VXLAN ID/VLAN ID while capturing packets on interfaces?
nebi
3 votes, 1 answer

How to block own rpcap traffic where tshark is running?

Platform: Fedora 13 32-bit machine. RemoteMachine$ ./rpcapd -n ClientMachine$ tshark -w "filename" -i "any interface name" As soon as capture starts without any capture filter, thousands of packets get captured. Rpcapd binds to port 2002 by default…
Pankaj Goyal
3 votes, 2 answers

Reducing a pcap file down to all operations on a specific NFS file

I have an 80GB packet capture (libpcap) and I want to filter it down to everything involving all operations on a particular NFS file/filehandle. How can I accomplish this? I know the following facts about what I want to capture (in tshark display…
MikeyB