Commands tagged tshark (10)

  • This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked-around by passing -c # to tshark to only capture a certain # of packets, or redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly: ssh root@example.com tcpdump -w - 'port !22' | wireshark -k -i -


    31
    ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
    markdrago · 2009-12-17 23:03:24 54

  • 7
    tshark -i any -T fields -R mysql.query -e mysql.query
    vladimirsazhin · 2010-11-11 17:06:29 34

  • 3
    mkfifo /tmp/fifo; ssh-keygen; ssh-copyid root@remotehostaddress; sudo ssh root@remotehost "tshark -i eth1 -f 'not tcp port 22' -w -" > /tmp/fifo &; sudo wireshark -k -i /tmp/fifo;
    Code_Bleu · 2010-01-05 14:40:06 4
  • dsniff is general purpose password sniffer, it handles *lots* of different protocols, but it also handles tcp-style expressions for limiting analyzed traffic - so I can limit it to work on pop3 only. Show Sample Output


    2
    dsniff -i any 'tcp port pop3'
    depesz · 2010-11-18 09:43:40 3
  • trace http requests on the specified interface. uses the amazing tshark tool (http://www.wireshark.org/docs/man-pages/tshark.html) Show Sample Output


    1
    tshark -i en1 -z proto,colinfo,http.request.uri,http.request.uri -R http.request.uri
    lele · 2011-04-05 14:18:35 4
  • The command is useful for monitoring the use of the boxes and their connection IP. Result file "sniff" is readable with GUI program "wireshark" or through CLI with the command: tcpdump -f "sniff" -XX Show Sample Output


    0
    tcpdump -i eth0 "tcp port pop3 and ip[40] = 85 and ip[41] = 83" -s 1500 -n -w "sniff"
    ironmarc · 2010-11-18 09:03:08 3
  • if you have a capture file *.eth, and ajp protocol is in use on port 9009, you can paste the above command. You can change the fiile and port name Show Sample Output


    0
    tshark -r *.eth -S -R "ajp13" -d tcp.port==9009,ajp13 -s 0 -l -V | awk '/Apache JServ/ {p=1} /^ *$/ {p=0;printf "\n"} (p){printf "%s\n", $0} /^(Frame|Internet Pro|Transmission Control)/ {print $0}'
    tsureshkumar · 2013-01-10 21:12:51 5
  • Replace servername with your user. And make sure you have generated / copied your rsa_pub key to the remote server, or you will be asked for a password which will stuff up the output to wireshark.


    0
    wireshark -k -i <(ssh -l root servername "dumpcap -P -w - -f 'not tcp port 22'")
    lmitchell · 2015-08-10 05:22:36 8
  • #_connects src_IP dst_IP When_It_Happened_Secs Show Sample Output


    -1
    tshark -qr [cap] -z conv,tcp | awk '{printf("%s:%s:%s\n",$1,$3,$10)}' | awk -F: '{printf("%s %s %s\n",$1,$3,substr($5,1,length($5)-10))}' | sort | uniq -c | sort -nr
    knassery · 2012-10-16 06:39:01 5
  • This allows you to display the wireshark program running on remote pc to your local pc.


    -8
    sudo ssh -Y remoteuser@remotehost sudo wireshark
    Code_Bleu · 2010-01-05 14:35:20 4

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Google voice recognition "API"
The FLAC audio must be encoded at 16000Hz sampling rate (SoX is your friend). Outputs a short JSON string, the actual speech is in the hypotheses->utterance, the accuracy is stored in hypotheses->confidence (ranging from 0 to 1). Google also accepts audio in some special speex format (audio/x-speex-with-header-byte), which is much smaller in comparison with losless FLAC, but I haven't been able to encode such a sample.

remove newlines from specific lines in a file using sed

Run a command as root, with a delay
$ sleep 1h ; sudo command or $ sudo sleep 1h ; sudo command won't work, because by the time the delay is up, sudo will want your password again.

check open ports without netstat or lsof

Recursively create a TAGS file for an entire source tree. TAGS files are useful for editors like Vim and Emacs

Which processes are listening on a specific port (e.g. port 80)
swap out "80" for your port of interest. Can use port number or named ports e.g. "http"

List files opened by a PID
Lis all files opened by a particular process id. "PID"

Update program providing java on Debian
Lets you set all the java alternatives at once to a matching version. Also has options for just changing the jre or the plugin.

Scan your LAN for unauthorized IPs
populate the auth.hosts file with a list of IP addresses that are authorized to be in use and when you run this command it will return the addresses that are pingable and not in the authorized list. Can be combined with the "Command line Twitter" command to tweet unauthorized access.

Filter the output of a file continously using tail and grep


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: