Differences

This shows you the differences between two versions of the page.

--- tshark [2016/09/14 21:12] – walkeradmin
+++ tshark [2023/03/09 22:35] (current) – external edit 127.0.0.1
@@ Line 56: / Line 56: @@
 ==== Capturing Network Traffic Using tshark ====
 \\
-The first command you should run is sudo tshark -D to get a list of the available network interfaces:
+The first command you should run is <color purple>sudo tshark -D</color> to get a list of the available network interfaces:
+\\
 \\
 <color purple>
-$ sudo tshark -D
+$ sudo tshark -D\\
-. eth0
+. eth0\\
-. nflog (Linux netfilter log (NFLOG) interface)
+. nflog (Linux netfilter log (NFLOG) interface)\\
-. any (Pseudo-device that captures on all interfaces)
+. any (Pseudo-device that captures on all interfaces)\\
-. lo
+. lo\\
 </color>
 \\
-If you run tshark as a normal user, you most likely will get the following output, because normal users do not have direct access to network interface devices:
+If you run tshark as a normal user, you most likely will get the following output, because normal users do not have direct access to network interface devices: \\
 \\
 <color purple>
@@ Line 75: / Line 76: @@
 \\
 The simplest way of capturing data is by running <color purple>tshark</color> without any parameters, which will display all data on screen. You can stop data capturing by pressing Ctrl-C.
+\\
 \\
 The output will scroll very fast on a busy network, so it won't be helpful at all. Older computers could not keep up with a busy network, so programs like tshark and tcpdump used to drop network packets. As modern computers are pretty powerful, this is no longer an issue.
@@ Line 85: / Line 87: @@
 \\
 <color purple>
-$ tshark -c 500 -w LJ.pcap
+$ tshark -c 500 -w LJ.pcap\\
 </color>
 \\
-The second-most useful parameter is -r. When followed by a valid filename, it allows you to read and process a previously captured file with network data.
+The second-most useful parameter is <color purple>-r</color>. When followed by a valid filename, it allows you to read and process a previously captured file with network data.
+\\
+\\
+If you get the following error:<color red>tshark: couldn't run /usr/bin/dumpcap in child process: permission denied</color>
+\\
+    Enter: sudo  usermod -a -G wireshark pi
 \\
 \\
 ==== Capture Filters ====
 \\
-Capture filters are filters that are applied during data capturing; therefore, they make tshark discard network traffic that does not match the filter criteria and avoids the creation of huge capture files. This can be done using the -f command-line parameter, followed by a filter in double quotes.
+Capture filters are filters that are applied during data capturing; therefore, they make tshark discard network traffic that does not match the filter criteria and avoids the creation of huge capture files. This can be done using the <color purple>-f</color> command-line parameter, followed by a filter in double quotes.
 \\
 The most important TCP-related Field Names used in capture filters are tcp.port (which is for filtering the source or the destination TCP port), tcp.srcport (which is for checking the TCP source port) and tcp.dstport (which is for checking the destination port).
@@ Line 103: / Line 110: @@
 \\
 ==== Display Filters ====
+\\
+Display filters are filters that are applied after packet capturing; therefore, they just "hide" network traffic without deleting it. You always can remove the effects of a display filter and get all your data back. \\
+\\
+Display Filters support comparison and logical operators. <color purple>The http.response.code == 404 && ip.addr == 192.168.10.1</color> display filter shows the traffic that either comes from the 192.168.10.1 IP address or goes to the 192.168.10.1 IP address that also has the 404 (Not Found) HTTP response code in it. The <color purple>!bootp && !ip</color? filter excludes BOOTP and IP traffic from the output. The <color purple>eth.addr == 01:23:45:67:89:ab && tcp.port == 25</color> filter displays the traffic to or from the network device with the 01:23:45:67:89:ab MAC address that uses TCP port 25 for its incoming or outgoing connections. \\
+\\
+When defining rules, remember that the <color purple>ip.addr != 192.168.1.5</color> expression does not mean that none of the ip.addr fields can contain the 192.168.1.5 IP address. It means that one of the <color purple>ip.addr</color> fields should not contain the 192.168.1.5 IP address! Therefore, the other <color purple>ip.addr</color> field value can be equal to 192.168.1.5! You can think of it as "there exists one <color purple>ip.addr</color> field that is not 192.168.1.5". The correct way of expressing it is by typing <color purple>!(ip.addr == 192.168.1.5</color>). This is a common misconception with display filters. \\
+\\
+Also remember that MAC addresses are truly useful when you want to track a given machine on your LAN, because the IP of a machine can change if it uses DHCP, but its MAC address is more difficult to change. \\
+\\
+Display filters are extremely useful tools when used correctly, but you still have to interpret the results, find the problem and think about the possible solutions yourself. It is advisable that you visit the display filters reference site for TCP-related traffic at\\
+http://www.wireshark.org/docs/dfref/t/tcp.html.\\
+\\
+For the list of all the available field names related to UDP traffic, see \\
+http://www.wireshark.org/docs/dfref/u/udp.html.
 \\
 \\
-Display filters are filters that are applied after packet capturing; therefore, they just "hide" network traffic without deleting it. You always can remove the effects of a display filter and get all your data back.
-Display Filters support comparison and logical operators. The http.response.code == 404 && ip.addr == 192.168.10.1 display filter shows the traffic that either comes from the 192.168.10.1 IP address or goes to the 192.168.10.1 IP address that also has the 404 (Not Found) HTTP response code in it. The !bootp && !ip filter excludes BOOTP and IP traffic from the output. The eth.addr == 01:23:45:67:89:ab && tcp.port == 25 filter displays the traffic to or from the network device with the 01:23:45:67:89:ab MAC address that uses TCP port 25 for its incoming or outgoing connections.
-When defining rules, remember that the ip.addr != 192.168.1.5 expression does not mean that none of the ip.addr fields can contain the 192.168.1.5 IP address. It means that one of the ip.addr fields should not contain the 192.168.1.5 IP address! Therefore, the other ip.addr field value can be equal to 192.168.1.5! You can think of it as "there exists one ip.addr field that is not 192.168.1.5". The correct way of expressing it is by typing !(ip.addr == 192.168.1.5). This is a common misconception with display filters.
-Also remember that MAC addresses are truly useful when you want to track a given machine on your LAN, because the IP of a machine can change if it uses DHCP, but its MAC address is more difficult to change.
-Display filters are extremely useful tools when used correctly, but you still have to interpret the results, find the problem and think about the possible solutions yourself. It is advisable that you visit the display filters reference site for TCP-related traffic at http://www.wireshark.org/docs/dfref/t/tcp.html. For the list of all the available field names related to UDP traffic, see http://www.wireshark.org/docs/dfref/u/udp.html.