Commands tagged tshark (10)

  • This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked-around by passing -c # to tshark to only capture a certain # of packets, or redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly: ssh root@example.com tcpdump -w - 'port !22' | wireshark -k -i -


    31
    ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
    markdrago · 2009-12-17 23:03:24 53

  • 7
    tshark -i any -T fields -R mysql.query -e mysql.query
    vladimirsazhin · 2010-11-11 17:06:29 34

  • 3
    mkfifo /tmp/fifo; ssh-keygen; ssh-copyid root@remotehostaddress; sudo ssh root@remotehost "tshark -i eth1 -f 'not tcp port 22' -w -" > /tmp/fifo &; sudo wireshark -k -i /tmp/fifo;
    Code_Bleu · 2010-01-05 14:40:06 4
  • dsniff is general purpose password sniffer, it handles *lots* of different protocols, but it also handles tcp-style expressions for limiting analyzed traffic - so I can limit it to work on pop3 only. Show Sample Output


    2
    dsniff -i any 'tcp port pop3'
    depesz · 2010-11-18 09:43:40 3
  • trace http requests on the specified interface. uses the amazing tshark tool (http://www.wireshark.org/docs/man-pages/tshark.html) Show Sample Output


    1
    tshark -i en1 -z proto,colinfo,http.request.uri,http.request.uri -R http.request.uri
    lele · 2011-04-05 14:18:35 4
  • The command is useful for monitoring the use of the boxes and their connection IP. Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command: tcpdump -f "sniff" -XX Show Sample Output


    0
    tcpdump -i eth0 "tcp port pop3 and ip[40] = 85 and ip[41] = 83" -s 1500 -n -w "sniff"
    ironmarc · 2010-11-18 09:03:08 3
  • if you have a capture file *.eth, and ajp protocol is in use on port 9009, you can paste the above command. You can change the fiile and port name Show Sample Output


    0
    tshark -r *.eth -S -R "ajp13" -d tcp.port==9009,ajp13 -s 0 -l -V | awk '/Apache JServ/ {p=1} /^ *$/ {p=0;printf "\n"} (p){printf "%s\n", $0} /^(Frame|Internet Pro|Transmission Control)/ {print $0}'
    tsureshkumar · 2013-01-10 21:12:51 5
  • Replace servername with your user. And make sure you have generated / copied your rsa_pub key to the remote server, or you will be asked for a password which will stuff up the output to wireshark.


    0
    wireshark -k -i <(ssh -l root servername "dumpcap -P -w - -f 'not tcp port 22'")
    lmitchell · 2015-08-10 05:22:36 8
  • #_connects src_IP dst_IP When_It_Happened_Secs Show Sample Output


    -1
    tshark -qr [cap] -z conv,tcp | awk '{printf("%s:%s:%s\n",$1,$3,$10)}' | awk -F: '{printf("%s %s %s\n",$1,$3,substr($5,1,length($5)-10))}' | sort | uniq -c | sort -nr
    knassery · 2012-10-16 06:39:01 5
  • This allows you to display the wireshark program running on remote pc to your local pc.


    -8
    sudo ssh -Y remoteuser@remotehost sudo wireshark
    Code_Bleu · 2010-01-05 14:35:20 4

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Reboot machine when everything is hanging
If the machine is hanging and the only help would be the power button, this key-combination will help to reboot your machine (more or less) gracefully. R - gives back control of the keyboard S - issues a sync E - sends all processes but init the term singal I - sends all processes but init the kill signal U - mounts all filesystem ro to prevent a fsck at reboot B - reboots the system Save your file before trying this out, this will reboot your machine without warning! http://en.wikipedia.org/wiki/Magic_SysRq_key

Change wallpaper for xfce4 >= 4.6.0
Simply changes the wallpaper of xfce4 from the command line. Not for multiple displays.

rsync directory tree including only files that match a certain find result.
'-mtime -10' syncs only files newer 10 days (-mtime is just one example, use whatever find expressions you need) printf %P: File's name with the name of the command line argument under which it was found removed. this way, you can use any src directory, no need to cd into your src directory first. using \\0 in printf and a corresponding --from0 in rsync ensures that even filenames with newline characters work (thanks syssyphus for #3808). both, #1481 and #3808 just work if you either copy the current directory (.) , or the filesystem root (/), otherwise the output from find and the source dir from rsync just don't match. #7685 works with an arbitrary source directory.

Display IPs accessing your Apache webserver.

locate bin, src, and man file for a command

Decrypt exported android wallet keys for import into desktop client (LTC,FTC,BTC)

show installed but unused linux headers, image, or modules
will show: installed linux headers, image, or modules: /^ii/!d avoiding current kernel: /'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d only application names: s/^[^ ]* [^ ]* \([^ ]*\).*/\1/ avoiding stuff without a version number: /[0-9]/!d

Capture SMTP / POP3 Email

set wallpaper on windowmaker in one line
set directly the wallpaper on windowmaker , use this command with display of imagemagick :)

Rename files in batch


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: