tshark
tshark [2016/09/14 21:16] walkeradmintshark [2023/03/09 22:35] (current) – external edit 127.0.0.1
Line 91: Line 91:
 \\  \\ 
 The second-most useful parameter is <color purple>-r</color>. When followed by a valid filename, it allows you to read and process a previously captured file with network data.  The second-most useful parameter is <color purple>-r</color>. When followed by a valid filename, it allows you to read and process a previously captured file with network data. 
 +\\ 
 +\\ 
 +If you get the following error:<color red>tshark: couldn't run /usr/bin/dumpcap in child process: permission denied</color>
 +\\ 
 +    Enter: sudo  usermod -a -G wireshark pi 
 \\  \\ 
 \\  \\ 
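Review bot: the added fix `sudo usermod -a -G wireshark pi` at the end of this hunk hardcodes the username `pi` and does not say that the new group membership only applies to sessions started after the user logs in again, so a reader who runs it and immediately retries tshark will still see the same "permission denied" error. Suggest writing `sudo usermod -a -G wireshark "$USER"` and adding a line that the user must log out and back in (or start a new login shell) before retrying. Since membership in the `wireshark` group is what lets an account run `dumpcap` and capture packets, it is also worth stating that the group should only be granted to accounts that actually need capture rights.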
Line 105: Line 110:
 \\  \\ 
 ==== Display Filters ==== ==== Display Filters ====
-\\  
 \\  \\ 
 Display filters are filters that are applied after packet capturing; therefore, they just "hide" network traffic without deleting it. You always can remove the effects of a display filter and get all your data back. \\  Display filters are filters that are applied after packet capturing; therefore, they just "hide" network traffic without deleting it. You always can remove the effects of a display filter and get all your data back. \\ 
 \\  \\ 
-Display Filters support comparison and logical operators. The http.response.code == 404 && ip.addr == 192.168.10.1 display filter shows the traffic that either comes from the 192.168.10.1 IP address or goes to the 192.168.10.1 IP address that also has the 404 (Not Found) HTTP response code in it. The !bootp && !ip filter excludes BOOTP and IP traffic from the output. The eth.addr == 01:23:45:67:89:ab && tcp.port == 25 filter displays the traffic to or from the network device with the 01:23:45:67:89:ab MAC address that uses TCP port 25 for its incoming or outgoing connections. \\ +Display Filters support comparison and logical operators. <color purple>The http.response.code == 404 && ip.addr == 192.168.10.1</color> display filter shows the traffic that either comes from the 192.168.10.1 IP address or goes to the 192.168.10.1 IP address that also has the 404 (Not Found) HTTP response code in it. The <color purple>!bootp && !ip</color? filter excludes BOOTP and IP traffic from the output. The <color purple>eth.addr == 01:23:45:67:89:ab && tcp.port == 25</color> filter displays the traffic to or from the network device with the 01:23:45:67:89:ab MAC address that uses TCP port 25 for its incoming or outgoing connections. \\ 
 \\  \\ 
-When defining rules, remember that the ip.addr != 192.168.1.5 expression does not mean that none of the ip.addr fields can contain the 192.168.1.5 IP address. It means that one of the ip.addr fields should not contain the 192.168.1.5 IP address! Therefore, the other ip.addr field value can be equal to 192.168.1.5! You can think of it as "there exists one ip.addr field that is not 192.168.1.5". The correct way of expressing it is by typing !(ip.addr == 192.168.1.5). This is a common misconception with display filters. \\ +When defining rules, remember that the <color purple>ip.addr != 192.168.1.5</color> expression does not mean that none of the ip.addr fields can contain the 192.168.1.5 IP address. It means that one of the <color purple>ip.addr</color> fields should not contain the 192.168.1.5 IP address! Therefore, the other <color purple>ip.addr</color> field value can be equal to 192.168.1.5! You can think of it as "there exists one <color purple>ip.addr</color> field that is not 192.168.1.5". The correct way of expressing it is by typing <color purple>!(ip.addr == 192.168.1.5</color>). This is a common misconception with display filters. \\ 
 \\  \\ 
 Also remember that MAC addresses are truly useful when you want to track a given machine on your LAN, because the IP of a machine can change if it uses DHCP, but its MAC address is more difficult to change. \\  Also remember that MAC addresses are truly useful when you want to track a given machine on your LAN, because the IP of a machine can change if it uses DHCP, but its MAC address is more difficult to change. \\ 
 \\  \\ 
-Display filters are extremely useful tools when used correctly, but you still have to interpret the results, find the problem and think about the possible solutions yourself. It is advisable that you visit the display filters reference site for TCP-related traffic at http://www.wireshark.org/docs/dfref/t/tcp.html. For the list of all the available field names related to UDP traffic, see http://www.wireshark.org/docs/dfref/u/udp.html. +Display filters are extremely useful tools when used correctly, but you still have to interpret the results, find the problem and think about the possible solutions yourself. It is advisable that you visit the display filters reference site for TCP-related traffic at\\  
 +http://www.wireshark.org/docs/dfref/t/tcp.html.\\  
 +\\  
 +For the list of all the available field names related to UDP traffic, see \\  
 +http://www.wireshark.org/docs/dfref/u/udp.html. 
 \\  \\ 
 \\  \\ 
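Review bot: two markup errors in the added right-hand text of this hunk break the rendering of the filter expressions. In the Display Filters paragraph, `<color purple>!bootp && !ip</color?` has `?` instead of `>` in the closing tag, and `<color purple>The http.response.code == 404 ...</color>` wraps the word "The" inside the highlighted expression; suggest `The <color purple>http.response.code == 404 && ip.addr == 192.168.10.1</color>` and `<color purple>!bootp && !ip</color>`. In the ip.addr paragraph the closing parenthesis sits outside the tag, `<color purple>!(ip.addr == 192.168.1.5</color>)`, so a reader who copies the highlighted text gets an unbalanced expression that tshark rejects; it should read `<color purple>!(ip.addr == 192.168.1.5)</color>`.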
tshark.1473884199.txt.gz · Last modified: 2023/03/09 22:35 (external edit)