TSHARK is used to dump and analyze network traffic and comes included with Wireshark®. Wireshark's most powerful feature is its vast array of display filters (over 216000 fields in 2000 protocols as of version 2.4.5).
How to capture network traffic with TSHARK
$ tshark -D will give you a list of interfaces; you can capture network traffic using tshark -i, for example:
$ tshark -i "eth0"
Network interface names should match one of the names listed in "tshark -D" (described above); a number, as reported by "tshark -D", can also be used. If you're using UNIX, "netstat -i" or "ifconfig -a" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.
If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. Data read from pipes must be in standard pcap format.
This option can occur multiple times. When capturing from multiple interfaces, the capture file will be saved in pcap-ng format. Note: the Win32 version of TShark doesn't support capturing from pipes!
Reading network captures with TSHARK -r
The -r option allows you to read packets contained in a .pcap, .cap or .pcapng file.
It reads packet data from infile, which can be in any supported capture file format (including gzipped files). It is possible to use named pipes or stdin (-) here, but only with certain (not compressed) capture file formats (in particular: those that can be read without seeking backwards).
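The pipe and stdin restrictions above can be checked before a file is handed to TShark. The following is an added example, not part of the original page: it classifies a capture by its leading magic bytes and says whether it may go through a pipe or must be opened as a regular file. The function names capture_format and tshark_input_plan are hypothetical, the nanosecond pcap magics go beyond what the page lists, and treating pcapng as file-only is a conservative assumption.

```shell
#!/bin/sh
# Added example (not from the original page): decide how a capture file can be
# fed to TShark, based on its magic bytes.

# capture_format FILE -> prints pcap | pcapng | gzip | unknown
capture_format() {
    # First four bytes as lowercase hex with whitespace stripped.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;    # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap ;;    # classic pcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;  # pcapng Section Header Block
        1f8b*)             echo gzip ;;    # gzip-compressed capture
        *)                 echo unknown ;;
    esac
}

# tshark_input_plan FILE -> prints pipe-or-file | file | reject
tshark_input_plan() {
    case "$(capture_format "$1")" in
        pcap)   echo pipe-or-file ;;  # standard pcap: usable via a FIFO or "-"
        pcapng) echo file ;;          # assumption: the page only promises pcap on pipes
        gzip)   echo file ;;          # -r reads gzipped files, but not from stdin or a pipe
        *)      echo reject ;;        # not a capture format recognised here
    esac
}

# Constructed sample input: only the 4-byte little-endian pcap magic.
sample=$(mktemp)
printf '\324\303\262\241' > "$sample"
echo "$(capture_format "$sample") -> $(tshark_input_plan "$sample")"
rm -f "$sample"
```

A result of "file" means the capture should be passed by path to tshark -r rather than streamed in through "-" or a FIFO.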
Examples
NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.