Tshark -r samples.cap -Ttext > outfile.txt Tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e frame.date -e frame.time -e ip.src -e ip.dst -e nbns.id -e -e Some other Sampels: (found around the world):
((smb.cmd = 0x72) & ( = 0)) & !( = 0)ĭisplay only the Source and the Destination sudo tshark -o column.format:'"Source", "%s","Destination", "%d"' -Ttext (a value other than 0x0000 would be considered abnormal) (a bit value of 0 indicates this is a request packet) smb.cmd (0x72 is an SMB Negotiate Protocol command) Tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host 192.168.1.1 and tcp=0x12 The -o options is requierd for oversteering the wireshark config and make sure, we have the absolute Seq Nr, and not the relative Seq Nr. Tshark -i eth0 -nn -e ip.src -e -E separator=" " -T fields port 53įor a test, if the Device use random answer seq number, i need the Seq-Number of the SYN-ACK packet. Tshark -i eth0 -nn -e ip.dst -e ip.dst -Tfields -E separator=, -R ip Tshark -i eth0 -nn -e ip.src -e ip.dst -Tfields -E separator=, -R ip Tshark -i eth0 -nn -e ip.dst -e eth.dst -Tfields -E separator=, -R ip
Tshark -i eth0 -nn -e ip.src -e eth.src -Tfields -E separator=, -R ipĭisplay Target IP and Mac Address (coma sep) T fields -e http.host -e |ĭisplay Source IP and MAC Address.
Tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e Tshark -nn -r capturefile.dmp -T fields -E separator=' ' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '( = 1 and = 0)' Use the options -T, -E and -e (see man pages for infos) For creating a " " separated file with "source IP" "destination IP" and "Destination Port" from all with SYN initiated connections, you can use following sample:
0 kommentar(er)
