tshark

tshark [ -a ] ... [ -b ] ... [ -B ] [ -c ] [ -C ] [ -d ==, ] [ -D ] [ -e ] [ -E ] [ -f ] [ -F ] [ -h ] [ -i |- ] [ -I ] [ -K ] [ -l ] [ -L ] [ -n ] [ -N ] [ -o ] ... [ -p ] [ -q ] [ -r ] [ -R ] [ -s ] [ -S ] [ -t ad|a|r|d|dd|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ] [ -w |- ] [ -x ] [ -X ] [ -y ] [ -z ] [ ]



tshark -G [fields|fields2|fields3|protocols|values|decodes|defaultprefs|currentprefs]



Identify which interfaces are available to capture


sudo tshark -D





Capture UDP Port Traffic

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap
  • The -f flag is used to specify a network capture filter (more on filters later). Packets that do not match the condition following the -f flag will not be captured. In this example, only IP packets that are coming from or going to UDP port 1812 are captured.

  • The -i flag is used to specify the interface from which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.

  • The -w flag is used to specify a file where the captured traffic will be saved for later processing.






Here is a way to capture traffic with tshark and only get what the display filter is showing.

tshark -i 2 -f "port 110" -R "pop.request.parameter contains \"user\"" > c:\port110.txt

*** try "pop.request.command contains \"USER\"" ***



This will capture all port 110 traffic and filter out the "user" command line and save it to a txt file.



tshark -i 2 -f "port 25" -R "smtp.rsp.parameter contains \"Sender\"" > c:\port25.txt



This is an example of how to capture traffic on your outbound smtp server.



-i = interface

-f = capture filter

-R = display filter





tshark -i 1 -p -a filesize:1000 -w 1MBcapture.pcap


  • -i 1 ;captures from my built in NIC

  • -p ;captures in non promiscuous mode

  • -a filesize:1000 ;captures 1 MB

  • -w 1MBcapture.pcap ; names the file






So that you can download the file, change the ownership from root, which is what tshark runs as.

sudo chmod 600 1MBcapture.pcap   # owner-only: a capture can hold cleartext credentials

sudo chown dhosang 1MBcapture.pcap
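
The port 110 capture above writes the matching lines, usernames included, to a text file. As an added example (not part of the original post), this script reads tshark's tab-separated `-T fields` output and reports which client/server pairs sent USER or PASS in cleartext, leaving the credentials out of the report and creating the file owner-only. The function names, addresses and logins are constructed; `-Y` is the display-filter flag in tshark 1.10 and later, where the commands on this page use `-R`.

```shell
#!/bin/sh
# Added example (not from the original post): report which hosts send POP3
# credentials in cleartext, without copying the credentials into the report.

# Real input: tab-separated fields read back from a saved capture.
# -Y is the display-filter flag in tshark 1.10+; older builds use -R.
pop_fields_from_pcap() {
    tshark -r "$1" -Y 'pop.request.command' -T fields \
        -e ip.src -e ip.dst -e pop.request.command -e pop.request.parameter
}

# Constructed sample of that output (documentation addresses, made-up logins).
sample_fields() {
    printf '%s\t%s\t%s\t%s\n' \
        192.0.2.10 198.51.100.5 USER alice \
        192.0.2.10 198.51.100.5 PASS example-secret \
        192.0.2.22 198.51.100.5 user bob \
        192.0.2.22 198.51.100.5 pass another-secret \
        192.0.2.10 198.51.100.5 STAT '' \
        192.0.2.10 198.51.100.5 USER alice
}

# Count USER and PASS commands per "client -> server" pair.
# POP3 keywords are case-insensitive, so compare in upper case; column 4
# (the username or password) is never printed.
summarise_pop_logins() {
    awk -F '\t' '
        { cmd = toupper($3); pair = $1 " -> " $2 }
        cmd == "USER" || cmd == "PASS" { seen[pair] = 1; n[pair, cmd]++ }
        END {
            for (p in seen)
                printf "%s USER=%d PASS=%d\n", p, n[p, "USER"], n[p, "PASS"]
        }
    ' | sort
}

# Write the summary from stdin to a new file only its owner can read or write.
write_report() {
    ( umask 077; summarise_pop_logins > "$1" )
}

sample_fields | summarise_pop_logins
```

On a real capture, run `pop_fields_from_pcap 1MBcapture.pcap | write_report pop-report.txt`. The lowercase `user` line in the sample is counted here, whereas a case-sensitive `contains "USER"` display filter would skip it.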

