{"id":2033,"date":"2014-04-09T11:13:43","date_gmt":"2014-04-09T10:13:43","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=2033"},"modified":"2014-04-09T12:36:45","modified_gmt":"2014-04-09T11:36:45","slug":"tshark-capturing-packets-from-the-windows-command-line","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=2033","title":{"rendered":"tshark – Capturing Packets from the Windows Command Line"},"content":{"rendered":"

A quick aide-memoir about how to go about capturing traffic from the Windows command line.\u00a0 You must be in the Wireshark directory (or have the location in your PATH environment settings):<\/p>\n

1. Find interface Index:<\/strong><\/p>\n

C:\\Program Files (x86)\\Wireshark>tshark -D
\n1. \\Device\\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
\n2. \\Device\\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
\n3. \\Device\\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit
\nNetwork Connection)<\/p><\/blockquote>\n

2. Capture traffic<\/strong>:<\/p>\n

C:\\Program Files (x86)\\Wireshark>tshark -i 3 -c 10 -w testing.pcap
\nCapturing on Intel(R) 82579LM Gigabit Network Connection
\n10<\/p><\/blockquote>\n

3. read in the file:<\/strong><\/p>\n

C:\\Program Files (x86)\\Wireshark>tshark -r testing.pcap
\n1\u00a0\u00a0 0.000000 fe80::89d1:db93:6fe0:93c4 -> ff02::c\u00a0\u00a0\u00a0\u00a0\u00a0 SSDP\u00a0 208 M-SEARCH * HTTP\/1.1
\n2\u00a0\u00a0 0.007155 fe80::5177:2132:f23f:323d -> ff02::1:ff2d:47f8 ICMPv6\u00a0 86 Neighbor Solicitation
\n3\u00a0\u00a0 0.009462 fe80::a57f:a2c0:4175:8a37 -> ff02::c\u00a0\u00a0\u00a0\u00a0\u00a0 SSDP\u00a0 208 M-SEARCH * HTTP\/1.1
\n4\u00a0\u00a0 0.012513 192.168.200.173 -> 100.23.52.74\u00a0 CFLOW\u00a0 1458 total: 29 (v9) records
\n5\u00a0\u00a0 0.030965 fe80::8884:585c:94f1:a93 -> ff02::1:ffb2:2b1a ICMPv6\u00a0 86 Neighbor Solicitation
\n6\u00a0\u00a0 0.054857 100.23.52.188 -> 100.23.255.255 NBNS\u00a0 92 Name query NB NET-MASTER<1b>
\n7\u00a0\u00a0 0.082469 100.23.15.101 -> 224.0.0.2\u00a0\u00a0\u00a0 HSRP\u00a0 62 Hello (state Active)
\n8\u00a0\u00a0 0.095470\u00a0 100.23.53.31 -> 100.23.255.255 NBNS\u00a0 92 Name query NB FS03<20>
\n9\u00a0\u00a0 0.101973 172.23.16.252 -> 224.0.0.2\u00a0\u00a0\u00a0 HSRP\u00a0 62 Hello (state Standby)
\n10\u00a0\u00a0 0.117974 fe80::3c5b:61f0:4cac:4620 -> ff02::1:ff95:5811 ICMPv6\u00a0 86 Neighbor Solicitation<\/p><\/blockquote>\n

3a. Read in the file with a Wireshark Display Filter:<\/strong><\/p>\n

C:\\Program Files (x86)\\Wireshark>tshark -r testing.pcap -R “ip.addr eq 224.0.0.2
\n”
\n7\u00a0\u00a0 0.082469 100.23.15.101 -> 224.0.0.2\u00a0\u00a0\u00a0 HSRP\u00a0 62 Hello (state Active)
\n9\u00a0\u00a0 0.101973 172.23.16.252 -> 224.0.0.2\u00a0\u00a0\u00a0 HSRP\u00a0 62 Hello (state Standby)<\/p><\/blockquote>\n

COMMAND LINE HELP:<\/strong><\/span><\/p>\n

TShark 1.6.8 (SVN Rev 42761 from \/trunk-1.6)
\nDump and analyze network traffic.
\nSee http:\/\/www.wireshark.org for more information.<\/p>\n

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
\nThis is free software; see the source for copying conditions. There is NO
\nwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<\/p>\n

Usage: tshark [options] …<\/p>\n

Capture interface:
\n-i <interface>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 name or idx of interface (def: first non-loopback)
\n-f <capture filter>\u00a0\u00a0\u00a0\u00a0\u00a0 packet filter in libpcap filter syntax
\n-s <snaplen>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 packet snapshot length (def: 65535)
\n-p\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 don’t capture in promiscuous mode
\n-B <buffer size>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 size of kernel buffer (def: 1MB)
\n-y <link type>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 link layer type (def: first appropriate)
\n-D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 print list of interfaces and exit
\n-L\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 print list of link-layer types of iface and exit<\/p>\n

Capture stop conditions:
\n-c <packet count>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 stop after n packets (def: infinite)
\n-a <autostop cond.> …\u00a0 duration:NUM – stop after NUM seconds
\nfilesize:NUM – stop this file after NUM KB
\nfiles:NUM – stop after NUM files
\nCapture output:
\n-b <ringbuffer opt.> … duration:NUM – switch to next file after NUM secs
\nfilesize:NUM – switch to next file after NUM KB
\nfiles:NUM – ringbuffer: replace after NUM files
\nInput file:
\n-r <infile>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 set the filename to read from (no pipes or stdin!)<\/p>\n

Processing:
\n-R <read filter>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 packet filter in Wireshark display filter syntax
\n-n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 disable all name resolutions (def: all enabled)
\n-N <name resolve flags>\u00a0 enable specific name resolution(s): “mntC”
\n-d <layer_type>==<selector>,<decode_as_protocol> …
\n“Decode As”, see the man page for details
\nExample: tcp.port==8888,http
\n-H <hosts file>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 read a list of entries from a hosts file, which will
\nthen be written to a capture file. (Implies -W n)
\nOutput:
\n-w <outfile|->\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 write packets to a pcap-format file named “outfile”
\n(or to the standard output for “-“)
\n-C <config profile>\u00a0\u00a0\u00a0\u00a0\u00a0 start with specified configuration profile
\n-F <output file type>\u00a0\u00a0\u00a0 set the output file type, default is libpcap
\nan empty “-F” option will list the file types
\n-V\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add output of packet tree\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Packet Details)
\n-O <protocols>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Only show packet details of these protocols, comma
\nseparated
\n-S\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 display packets even when writing to a file
\n-x\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add output of hex and ASCII dump (Packet Bytes)
\n-T pdml|ps|psml|text|fields
\nformat of text output (def: text)
\n-e <field>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 field to print if -Tfields selected (e.g. tcp.port);
\nthis option can be repeated to print multiple fields
\n-E<fieldsoption>=<value> set options for output when -Tfields selected:
\nheader=y|n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 switch headers on and off
\nseparator=\/t|\/s|<char> select tab, space, printable character as separator
\noccurrence=f|l|a\u00a0\u00a0\u00a0\u00a0\u00a0 print first, last or all occurrences of each field
\naggregator=,|\/s|<char> select comma, space, printable character as
\naggregator
\nquote=d|s|n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 select double, single, no quotes for values
\n-t ad|a|r|d|dd|e\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 output format of time stamps (def: r: rel. to first)
\n-u s|hms\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 output format of seconds (def: s: seconds)
\n-l\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 flush standard output after each packet
\n-q\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 be more quiet on stdout (e.g. when using statistics)
\n-W n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Save extra information in the file, if supported.
\nn = write network address resolution information
\n-X <key>:<value>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 eXtension options, see the man page for details
\n-z <statistics>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 various statistics, see the man page for details<\/p>\n

Miscellaneous:
\n-h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 display this help and exit
\n-v\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 display version info and exit
\n-o <name>:<value> …\u00a0\u00a0\u00a0 override preference setting
\n-K <keytab>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 keytab file to use for kerberos decryption
\n-G [report]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dump one of several available reports and exit
\ndefault report=”fields”
\nuse “-G ?” for more help<\/p>\n","protected":false},"excerpt":{"rendered":"

A quick aide-memoir about how to go about capturing traffic from the Windows command line.\u00a0 You must be in the Wireshark directory (or have the location in your PATH environment settings): 1. Find interface Index: C:\\Program Files (x86)\\Wireshark>tshark -D 1. \\Device\\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft) 2. \\Device\\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun) 3. \\Device\\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit Network Connection)<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[53],"tags":[37],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2033"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2033"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2033\/revisions"}],"predecessor-version":[{"id":2035,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2033\/revisions\/2035"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2033"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}