

Hey packet heads! Let's talk about some commands for tshark and dumpcap.

Last week I was working with one of my customers in troubleshooting a nagging intermittent performance problem. Of course, large capture files were needed to catch it in the act. That is well and good - until you start opening them up to work with them in the Wireshark interface. Personally, I am fine with popping open traces that are up to around 500MB or so in Wireshark. But larger than that, I like to start filtering them on the command line (or using a read filter while I am opening them). So I thought it might be nice to share a few commands that I like to use when I am working with the command-line tools (dumpcap, tshark, mergecap, etc). Maybe this will be useful for people who would like a quick reference for a few common commands.

```sh
# capture on interface 1 into a ring buffer: roll to a new file every 500000 kB, keep the last 20 files
dumpcap -i 1 -w christest.pcapng -b filesize:500000 -b files:20
```

This is a very common one! I am going to credit Mike Pennacchi for first showing this one to me years ago. Keep in mind that some of these options may be different for you on your system - for example, my interface ID may be the number 1, yours could be the number 3 - so you may need to do some testing on your local system (hint: tshark -D).
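An added example (not from the original post) that turns the tshark -D hint into a small script: it resolves the interface number by name from `tshark -D` output, so the ring-buffer command still works on a box where the ID is not 1, and then builds the same dumpcap command. The interface listing is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example: look up a capture interface ID by name instead of hard-coding it,
# then build the ring-buffer dumpcap command from the post.

# Constructed sample of `tshark -D` output (format: "N. name [(description)]").
# On a live system use: tshark -D
SAMPLE_IFACES='1. lo (Loopback)
2. eth0
3. any (Pseudo-device that captures on all interfaces)'

# iface_index LISTING NAME -> prints the numeric ID for NAME; exit status 1 if absent
iface_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == want { sub(/\.$/, "", $1); print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# dumpcap_cmd ID FILE SIZE_MB COUNT -> ring-buffer capture command line
# dumpcap's filesize unit is kB, so 500 MB is written as filesize:500000
dumpcap_cmd() {
    printf 'dumpcap -i %s -w %s -b filesize:%s -b files:%s\n' \
        "$1" "$2" "$(( $3 * 1000 ))" "$4"
}

# On a real system this would be: idx=$(iface_index "$(tshark -D)" eth0)
idx=$(iface_index "$SAMPLE_IFACES" eth0) || { echo "interface not found" >&2; exit 1; }
dumpcap_cmd "$idx" christest.pcapng 500 20
# prints: dumpcap -i 2 -w christest.pcapng -b filesize:500000 -b files:20
```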
