Questions tagged [tshark]
41 questions
8 votes, 1 answer
Find username and password in pcap file
I am completing an assignment where I am given a pcap file to extract data from. The question is, Find username and password in pcap file. This is what I have so far.
$ tshark -r assign1.pcap -R 'smtp' -2 | awk '{if($9=="334") print $10}' | base64…
DisplayName9
5 votes, 1 answer
How to filter DNS queries by dns.qry.name in tshark?
This will print the host names of DNS queries:
tshark -n -T fields -e dns.qry.name src port 53
How can I filter by the value of dns.qry.name (or get some reasonable proxy of that)? I've tried variations of tshark -n -T fields -e dns.qry.name src…
l0b0
4 votes, 3 answers
Can't process stdout with pipe as it comes
I'm running tshark on a fifo, and the following is a bare example of a loop that prints the output of tshark as it comes:
tshark -i $fifo | while read line; do
echo $line
done
The problem appears when I add filters to tshark. This example…
admirabilis
4 votes, 2 answers
Find the top 5 (according to number of packets sent) source IP addresses
I am doing an assignment, I'm asked to answer certain questions based on a pcap file that I'm given. One of the questions is to find the top 5 (according to number of packets sent) source IP addresses.
I have come up with the below command:
$ tshark -r…
Hashmatullah Noorzai
4 votes, 2 answers
How to gradually encrypt the tshark output file along the capture?
In order to secure a packet capture, which method would you use to make all (or close to all) past captured packets utterly inaccessible unless a given password is given?
My habits are
to mount an ecrypt partition
mount -t ecryptfs /srv /srv
to…
user196279
4 votes, 3 answers
awk filtering live capture with file as pattern list
What I'm trying to do is quite simple. I'm generating output from tshark and redirecting it to awk with a pipe |. Since tshark gets live data, I want that awk search in every output for a pattern (some MAC addresses that I already have) in the first…
DMurta
3 votes, 1 answer
“tshark: There are no interfaces on which a capture can be done” in Amazon Linux AMI
My goal is to capture packets with tshark in Amazon Linux AMI. While typing tshark in the command line there's an error:
"tshark: There are no interfaces on which a capture can be done"
How to implement the solution from Wireshark setup Linux for…
rok
3 votes, 4 answers
Installing latest wireshark impossible?
It looks like installing a later version of Wireshark is near impossible on Red Hat 6. I've searched the web extensively and can't find any questions where someone has said their issue was resolved. Don't care how I do it. Here's what I have…
MikeKulls
2 votes, 1 answer
System clock not synchronized with NTP server using systemd-timesyncd
I followed this answer here, but it seems that my system clock doesn't synchronize with the NTP server:
$ cat /etc/debian_version
10.9
$ egrep -v "^$|^#" /etc/systemd/timesyncd.conf
[Time]
NTP=x.y.z.t1
FallbackNTP=x.y.z.t2
$ sudo timedatectl set-ntp…
SebMa
2 votes, 1 answer
Capture DNS traffic to and from a network namespace using tshark
How can I capture traffic specifically from a network interface inside a network namespace using tshark? In my case, the network interface tun0 is moved into the network namespace called vpn.
Normally running tshark -f "port 53" clutters the output…
EarthIsHome
2 votes, 2 answers
How to display the interface name with tshark
I am using tshark to diagnose an asymmetric route problem. I am filtering the traffic so only src/dest to a specific IP is being captured, but I would like to display a field that shows which interface the traffic is going in/out on so I can see the…
Bryon
2 votes, 0 answers
Internet access with ping has 100% loss
LAST BREAKTHROUGH -> see the tshark results below for some clues
Hi, at home I have the following setup:
Internet - NAS (Ubuntu 16.04.4 LTS) - LAN (Asus N56U WiFi) - family users. NAS connects using pppoe (ppp0, cable) to Internet while having eth0…
Adrian
2 votes, 1 answer
Redirecting output of running process via SSH in background
Here is my general question: How do you log into a remote server, kick off a continuously running process, redirect the standard output of that process to a file on the local machine, and have all of this run in the background (on the local…
igal
2 votes, 0 answers
How to filter pcap files using tshark
I have to extract data transferred (download, upload) for some specific sites using tshark. Let's say I want to find data downloaded from www.google.com. What fields should I specify in the tshark fields option? Currently, I am using the following command to…
Hafiz Muhammad Shafiq
1 vote, 1 answer
tshark command for finding MAC of a specified network
What tshark command could start listening to a specific network and see who (MAC-wise) is connecting to it?
I already have the network card in monitor mode on the correct channel. Wireshark can already perform this task, but I'd prefer something…
jenold conele