Commands tagged tshark (10)

  • analyze traffic remotely over ssh w/ wireshark

    This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked-around by passing -c # to tshark to only capture a certain # of packets, or redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly: ssh root@example.com tcpdump -w - 'port !22' | wireshark -k -i -


    32
    ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
    markdrago · 2009-12-17 23:03:24 54
  • capture mysql queries sent to server


    7
    tshark -i any -T fields -R mysql.query -e mysql.query
    vladimirsazhin · 2010-11-11 17:06:29 34
  • analyze traffic remotely over ssh w/ wireshark

    Please check out my blog article on this for more detail. http://jdubb.net/blog/2009/08/07/monitor-wireshark-capture-real-time-on-remote-host-via-ssh/


    3
    mkfifo /tmp/fifo; ssh-keygen; ssh-copyid root@remotehostaddress; sudo ssh root@remotehost "tshark -i eth1 -f 'not tcp port 22' -w -" > /tmp/fifo &; sudo wireshark -k -i /tmp/fifo;
    Code_Bleu · 2010-01-05 14:40:06 4
  • Sniff ONLY POP3 authentication by intercepting the USER command

    dsniff is general purpose password sniffer, it handles *lots* of different protocols, but it also handles tcp-style expressions for limiting analyzed traffic - so I can limit it to work on pop3 only. Show Sample Output


    2
    dsniff -i any 'tcp port pop3'
    depesz · 2010-11-18 09:43:40 3
  • trace http requests with tshark

    trace http requests on the specified interface. uses the amazing tshark tool (http://www.wireshark.org/docs/man-pages/tshark.html) Show Sample Output


    1
    tshark -i en1 -z proto,colinfo,http.request.uri,http.request.uri -R http.request.uri
    lele · 2011-04-05 14:18:35 4
  • Sniff ONLY POP3 authentication by intercepting the USER command

    The command is useful for monitoring the use of the boxes and their connection IP. Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command: tcpdump -f "sniff" -XX Show Sample Output


    0
    tcpdump -i eth0 "tcp port pop3 and ip[40] = 85 and ip[41] = 83" -s 1500 -n -w "sniff"
    ironmarc · 2010-11-18 09:03:08 3
  • read ajp13 packet contents on terminal using tshark 1.4.15

    if you have a capture file *.eth, and ajp protocol is in use on port 9009, you can paste the above command. You can change the fiile and port name Show Sample Output


    0
    tshark -r *.eth -S -R "ajp13" -d tcp.port==9009,ajp13 -s 0 -l -V | awk '/Apache JServ/ {p=1} /^ *$/ {p=0;printf "\n"} (p){printf "%s\n", $0} /^(Frame|Internet Pro|Transmission Control)/ {print $0}'
    tsureshkumar · 2013-01-10 21:12:51 5
  • analyze traffic remotely over ssh w/ wireshark

    Replace servername with your user. And make sure you have generated / copied your rsa_pub key to the remote server, or you will be asked for a password which will stuff up the output to wireshark.


    0
    wireshark -k -i <(ssh -l root servername "dumpcap -P -w - -f 'not tcp port 22'")
    lmitchell · 2015-08-10 05:22:36 8
  • Tshark to Generate Top Talkers by #TCP conv started per second.

    #_connects src_IP dst_IP When_It_Happened_Secs Show Sample Output


    -1
    tshark -qr [cap] -z conv,tcp | awk '{printf("%s:%s:%s\n",$1,$3,$10)}' | awk -F: '{printf("%s %s %s\n",$1,$3,substr($5,1,length($5)-10))}' | sort | uniq -c | sort -nr
    knassery · 2012-10-16 06:39:01 5
  • analyze traffic remotely over ssh w/ wireshark

    This allows you to display the wireshark program running on remote pc to your local pc.


    -8
    sudo ssh -Y remoteuser@remotehost sudo wireshark
    Code_Bleu · 2010-01-05 14:35:20 4

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Check These Out

Copy the full path of a file to the clipboard (requires xclip or similar)
Handy for those times you need to paste a file path in an IDE or some other app. sudo apt-get install xclip Then, for convenience, alias xclip to 'xclip -selection c' so you can just do something like realpath . | xclip

Unix alias for date command that lets you create timestamps in ISO 8601 format
I often need to add a timestamp to a file, but I never seem to remember the exact format string that has to be passed to the date command to get a compact datetime string like 20090220T231410 (i.e yyyymmddThhmmss, the ISO 8601 format popular outside the US)

Change the ownership of all files owned by one user.
Finds all files in /home owned by UID 1056 and changes to 2056.

Which processes are listening on a specific port (e.g. port 80)
swap out "80" for your port of interest. Can use port number or named ports e.g. "http"

Extract title from HTML files
previous version leaves lots of blank lines

Dump a configuration file without comments or whitespace...
A short, *easy-er* to remember command for stripping whitespace and comments from a config file, (or any file for that matter). Remember regex as: slash, space, star. pound, slash, bar. pointy-hat, dollar. (or "caret, dollar" if you must) :-P

ping MAC ADDRESS
# first install arp-scan if not have it arp-scan 10.1.1.0/24 .... show ip+mac in localnet awk '/00:1b:11:dc:a9:65/ {print $1}' .... get ip associated with MAC ` backtick make do command substitution passing ip to command ping

create SQL-statements from textfile with awk
inputfile.txt is a space-separated textfile, 1st column contains the items (id) I want to put into my SQL statement. 39 = charactercode for single tick ' $1 = first column If inputfile.txt is a CSV-file separated by "," use FS= to define your own field-separator: $ awk 'BEGIN {FS=","; }{printf "select * from table where id = %c%s%c;\n",39,$1,39; }' inputfile.txt

Patator: A Hydra brute force alternative

list block devices
Shows all block devices in a tree with descruptions of what they are.

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: