Commands tagged tshark (10)

  • This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked around by passing -c # to tshark to only capture a certain # of packets, or redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly: ssh root@example.com tcpdump -w - 'port !22' | wireshark -k -i -


    31
    ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
    markdrago · 2009-12-17 23:03:24 2

  • 7
    tshark -i any -T fields -R mysql.query -e mysql.query
    vladimirsazhin · 2010-11-11 17:06:29 0

  • 3
    mkfifo /tmp/fifo; ssh-keygen; ssh-copy-id root@remotehostaddress; sudo ssh root@remotehost "tshark -i eth1 -f 'not tcp port 22' -w -" > /tmp/fifo & sudo wireshark -k -i /tmp/fifo
    Code_Bleu · 2010-01-05 14:40:06 0
  • dsniff is a general purpose password sniffer, it handles *lots* of different protocols, but it also handles tcp-style expressions for limiting analyzed traffic - so I can limit it to work on pop3 only.


    2
    dsniff -i any 'tcp port pop3'
    depesz · 2010-11-18 09:43:40 0
  • Trace HTTP requests on the specified interface. Uses the amazing tshark tool (http://www.wireshark.org/docs/man-pages/tshark.html)


    1
    tshark -i en1 -z proto,colinfo,http.request.uri,http.request.uri -R http.request.uri
    lele · 2011-04-05 14:18:35 0
  • The command is useful for monitoring the use of the boxes and their connection IP. Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command: tcpdump -r "sniff" -XX


    0
    tcpdump -i eth0 "tcp port pop3 and ip[40] = 85 and ip[41] = 83" -s 1500 -n -w "sniff"
    ironmarc · 2010-11-18 09:03:08 0
  • If you have a capture file *.eth, and ajp protocol is in use on port 9009, you can paste the above command. You can change the file and port name.


    0
    tshark -r *.eth -S -R "ajp13" -d tcp.port==9009,ajp13 -s 0 -l -V | awk '/Apache JServ/ {p=1} /^ *$/ {p=0;printf "\n"} (p){printf "%s\n", $0} /^(Frame|Internet Pro|Transmission Control)/ {print $0}'
    tsureshkumar · 2013-01-10 21:12:51 0
  • Replace servername with your user. And make sure you have generated / copied your rsa_pub key to the remote server, or you will be asked for a password which will stuff up the output to wireshark.


    0
    wireshark -k -i <(ssh -l root servername "dumpcap -P -w - -f 'not tcp port 22'")
    lmitchell · 2015-08-10 05:22:36 0
  • #_connects src_IP dst_IP When_It_Happened_Secs


    -1
    tshark -qr [cap] -z conv,tcp | awk '{printf("%s:%s:%s\n",$1,$3,$10)}' | awk -F: '{printf("%s %s %s\n",$1,$3,substr($5,1,length($5)-10))}' | sort | uniq -c | sort -nr
    knassery · 2012-10-16 06:39:01 0
  • This allows you to display the wireshark program running on remote pc to your local pc.


    -8
    sudo ssh -Y remoteuser@remotehost sudo wireshark
    Code_Bleu · 2010-01-05 14:35:20 0
