
Wireshark command line
Hey packet heads! Let's talk about some commands for tshark and dumpcap.

Last week I was working with one of my customers in troubleshooting a nagging intermittent performance problem. Of course, large capture files were needed to catch it in the act. That is well and good - until you start opening them up to work with them in the Wireshark interface. Personally, I am fine with popping open traces that are up to around 500MB or so in Wireshark. But larger than that, I like to start filtering them on the command line (or using a read filter while I am opening them). So I thought it might be nice to share a few commands that I like to use when I am working with the command-line tools (dumpcap, tshark, mergecap, etc). Maybe this will be useful for people that would like a quick reference for a few common commands.

dumpcap -i 1 -w christest.pcapng -b filesize:500000 -b files:20

This is a very common one! I am going to credit Mike Pennacchi for first showing this one to me years ago. The command above captures into a ring buffer of 20 files and then wraps back around, overwriting the oldest file. The filesize unit is kB, so each file will be about 500MB, and dumpcap names each one with a sequence number and a date/time stamp (christest_00001_20240101120000.pcapng and so on). Keep in mind that some of these options may be different on your system - for example, my interface ID is the number 1, yours could be the number 3 - so test first to find the correct interface ID (hint: tshark -D lists the interfaces together with their numbers). dumpcap is also the right tool to give capture privileges to: it does no protocol dissection, so you can capture with it and leave all of the parsing to tshark running as an unprivileged user.

tshark -r christest1.pcap -Y "ip.addr==10.1.1.10" -w filtered1.pcapng

This command runs tshark against a trace file that you specify, applies a display filter (-Y) and writes only the matching packets to a new file (-w). You can use other display filters such as "tcp.port==443" or a conversation filter if you want. Quote the filter so the shell does not interpret it, and write equality with == exactly as you would in the Wireshark filter bar.

mergecap -w merged.pcapng filtered1.pcapng filtered2.pcapng filtered3.pcapng

Once you have filtered each of the ring-buffer files down to the traffic you care about, mergecap combines them (in chronological order by default) into a single trace that is small enough to open comfortably in Wireshark.
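As an added example that is not part of the original post, here is a small POSIX shell helper that ties the three steps together: it resolves the interface number from the output of tshark -D by name (so the index is never hard-coded), builds the ring-buffer dumpcap command, and runs the per-file tshark filter followed by mergecap. The tshark -D listing embedded below is a constructed sample in the real "N. name (description)" format; the function names and the christest/filtered file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves the capture interface
# by name instead of hard-coding its index, then builds the ring-buffer, filter
# and merge commands discussed above.

# Constructed sample of `tshark -D` output. The number on the left is what -i
# expects and it differs from system to system.
SAMPLE_TSHARK_D='1. eth0
2. lo (Loopback)
3. any
4. bluetooth-monitor
5. nflog'

# iface_index NAME [LISTING]: print the numeric index for interface NAME.
# LISTING defaults to the live output of `tshark -D`; returns 1 if NAME is absent.
iface_index() {
    name=$1
    listing=${2:-$(tshark -D 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v want="$name" '
        { idx = $1; sub(/\.$/, "", idx)
          if ($2 == want) { print idx; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# ring_buffer_cmd INDEX BASENAME SIZE_KB COUNT: print the dumpcap ring-buffer
# command. dumpcap's filesize unit is kB, so 500000 is about 500 MB per file.
# Run the printed command as the user that holds capture privileges; nothing
# else in this script needs them.
ring_buffer_cmd() {
    printf 'dumpcap -i %s -w %s.pcapng -b filesize:%s -b files:%s\n' \
        "$1" "$2" "$3" "$4"
}

# filter_and_merge FILTER OUT INPUT...: apply display filter FILTER to every
# INPUT capture with tshark, then merge the filtered files into OUT with
# mergecap (chronological order by default). Needs both tools on PATH.
filter_and_merge() {
    filter=$1
    out=$2
    shift 2
    command -v tshark >/dev/null 2>&1 && command -v mergecap >/dev/null 2>&1 || {
        echo "filter_and_merge: tshark and mergecap are required" >&2
        return 1
    }
    tmp=$(mktemp -d) || return 1
    n=0
    for f in "$@"; do
        n=$((n + 1))
        # Quote the filter so the shell never sees the == or the spaces in it.
        tshark -r "$f" -Y "$filter" -w "$tmp/filtered$n.pcapng" || {
            rm -rf "$tmp"
            return 1
        }
    done
    mergecap -w "$out" "$tmp"/filtered*.pcapng
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (assumed file names):
#   idx=$(iface_index eth0) && ring_buffer_cmd "$idx" christest 500000 20
#   filter_and_merge 'ip.addr==10.1.1.10' merged.pcapng christest_*.pcapng
```

The ring-buffer step only prints its command on purpose: that is the one piece that needs capture privileges, so it is kept separate from the filtering and merging, which run as a normal user over files the capture already wrote.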