tshark.md

tshark

Capturing traffic

Capture some traffic and save in ‘pcap’ format:

$ tshark -w capture.pcap

Reading captured data

Get data out of the capture and remove all newlines and commas:

$ tshark -r capture.pcap -T fields -e data | tr -d '\n' | tr -d ',' > tempfile

Decode data:

#!/usr/bin/python

import sys

out = open(sys.argv[1], "r").read()
sys.stdout.write(out.decode("hex"))

Convert tempfile:

$ python convert.py tempfile > converted

Reading raw packets

$ tshark -r capture.pcap -T pdml > tempfile.xml