studiowera.blogg.se

Tshark filter
You can define the output format of tshark. Here are some samples.

Display only the source and the destination IP (custom column layout):

    sudo tshark -o column.format:'"Source", "%s","Destination", "%d"' -T text

The output starts with:

    Running as user "root" and group "root".

Use the options -T, -E and -e to print selected fields only (see the man page for details).

Display source IP and MAC address (comma-separated):

    tshark -i eth0 -nn -e ip.src -e eth.src -T fields -E separator=, -R ip

Display target IP and MAC address (comma-separated):

    tshark -i eth0 -nn -e ip.dst -e eth.dst -T fields -E separator=, -R ip

Source and target IP:

    tshark -i eth0 -nn -e ip.src -e ip.dst -T fields -E separator=, -R ip

Source and target IPv6:

    tshark -i eth0 -nn -e ipv6.src -e ipv6.dst -T fields -E separator=, -R ipv6

Source IP and DNS query (the name of the DNS field after the second -e is missing on the page):

    tshark -i eth0 -nn -e ip.src -e [field missing on the page] -E separator=" " -T fields port 53

For a test, if the device uses random answer sequence numbers, I need the sequence number of the SYN-ACK packet (TCP flags byte 0x12 = SYN+ACK):

    tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host 192.168.1.1 and tcp[13]=0x12

The -o option is required to override the Wireshark preference, so that the absolute sequence number is printed and not the relative one.

Display top 10 URLs (the field after the second -e and the sed replacement are cut off on the page):

    tshark -r sample1.cap -R http.request -T fields -e http.host -e | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$# | sort | uniq -c | sort -rn | head

Match HTTP responses with TCP stream reassembly enabled (the field list after -e is cut off on the page):

    tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e

SMB filter notes (the field names of the first two items are missing on the page):

    (a value other than 0x0000 would be considered abnormal)
    (a bit value of 0 indicates this is a request packet)
    smb.cmd (0x72 is an SMB Negotiate Protocol command)

For creating a " "-separated file with "source IP", "destination IP" and "destination port" from all SYN-initiated connections, you can use the following sample (the sample itself is missing on the page):
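As an added example (not code from the original page), the following script shows one way to build that tshark command and what a practitioner typically does with its output afterwards: the "sort | uniq -c | sort -rn | head" counting pattern used above for the top URLs, applied to SYN targets, plus a per-source count of distinct destination ports as a simple scan indicator. The interface name, the display filter and the sample lines are assumptions; the sample lines are constructed, not captured, so the summary functions run without tshark installed. The command uses -Y, the display filter option of current tshark (the -R form used on this page now requires -2).

```sh
#!/bin/sh
# Added example, not code from the original page. Builds the tshark command for
# "source IP, destination IP, destination port" of every SYN-initiated
# connection and post-processes its output. Interface name, filter and sample
# data are assumptions; the sample lines are constructed, not captured, so the
# summary functions below run without tshark.

# Print the tshark command line. -Y is the display filter option in current
# tshark (the older -R form now needs -2). tcp.flags.syn==1 && tcp.flags.ack==0
# keeps only the first packet of each handshake; -E separator=/s prints one
# space-separated line per packet; -l flushes output line by line.
syn_tshark_cmd() {
  iface="${1:-eth0}"
  printf '%s\n' "tshark -i $iface -nn -l -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' -T fields -E separator=/s -e ip.src -e ip.dst -e tcp.dstport"
}

# Most-contacted destination host:port pairs from "src dst dport" lines on
# stdin, the same shape as the page's  sort | uniq -c | sort -rn | head
# pipeline. Prints "dst:dport count", most frequent first, at most $1 lines.
top_syn_targets() {
  n="${1:-10}"
  awk '{ print $2 ":" $3 }' | sort | uniq -c | sort -rn | head -n "$n" |
    awk '{ print $2, $1 }'
}

# Number of distinct destination ports each source sent SYNs to. A source that
# hits many distinct ports in a short window is a classic scan indicator, which
# makes this a detection use of the same field output. Prints "src count".
distinct_ports_per_src() {
  awk '{ print $1, $3 }' | sort -u |
    awk '{ c[$1]++ } END { for (s in c) print s, c[s] }' | sort
}

# Constructed sample output of the tshark command above (not a real capture).
SAMPLE_SYNS='10.0.0.7 10.0.0.5 443
10.0.0.7 10.0.0.5 443
10.0.0.8 10.0.0.5 443
10.0.0.7 10.0.0.5 443
10.0.0.8 10.0.0.5 80
10.0.0.7 10.0.0.5 80
10.0.0.8 10.0.0.5 22
10.0.0.8 10.0.0.5 8080
10.0.0.7 10.0.0.9 53'

echo "Capture command:"
syn_tshark_cmd eth0
echo
echo "Top targets (dst:port count):"
printf '%s\n' "$SAMPLE_SYNS" | top_syn_targets 3
echo
echo "Distinct destination ports per source:"
printf '%s\n' "$SAMPLE_SYNS" | distinct_ports_per_src
```

To use it on a live interface, run the printed command with the output redirected to a file, then feed that file to top_syn_targets or distinct_ports_per_src; the functions only depend on the three fields being space-separated in that order.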