tshark的使用技巧（wireshark的命令行，类似tcpdump）：转换格式，设置filter

tshark的使用技巧（wireshark的命令行，类似tcpdump）：转换格式，设置filter

tshark一般在 C:\Program Files\Wireshark

使用管理员权限 打开cmd

tshark -D 列出支持抓包的接口：
 

c:\Program Files\Wireshark>tshark.exe -D
1. \Device\NPF_{0ADF117A-117D-4816-B5EC-E36EF9CDB8CF} (鏈湴杩炴帴* 13)
2. \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} (WLAN)
3. \Device\NPF_{C0D87A52-1F46-4C52-99B2-8E4183563C21} (鏈湴杩炴帴* 4)
4. \Device\NPF_{6CF18997-7C8D-4B70-908C-EC920BB66F50} (鏈湴杩炴帴* 14)
5. \Device\NPF_{8F8A308A-A12D-416D-BF86-D7D52C30DC72} (鏈湴杩炴帴* 10)
6. \Device\NPF_{6ADD7BB4-702D-4973-95D5-3B34066C9050} (鏈湴杩炴帴* 3)
7. \Device\NPF_Loopback (Adapter for loopback traffic capture)
8. \Device\NPF_{CAF44D47-293E-476B-9B2A-80240D8B25F9} (鏈湴杩炴帴)
9. \Device\NPF_{86D57797-51DE-4303-9070-F56C27F7EB77} (浠ュお缃?

tshark -i 使用指定接口：

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06}
Capturing on 'WLAN'
    1   0.000000 192.168.100.23 → 123.182.48.28 TCP 54 3488 → 443 [FIN, ACK] Seq=1 Ack=1 Win=255 Len=0
    2   0.000009 192.168.100.23 → 180.101.51.73 TCP 54 3501 → 80 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

tshark -c 指定抓包个数：

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} -c 10

tshark -w写入文件：

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} -c 10 -w wlan.pcap
Capturing on 'WLAN'
10

tshark -r读取：

c:\Program Files\Wireshark>tshark.exe -r wlan.pcap

转换格式：

默认tshark live capture只保存为pcap or pcapng。只能先存为pcap文件，再转换为其他文件格式：

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} -c 10 -F k12text -w wlan.txt
tshark: Live captures can only be saved in pcap or pcapng format.

tshark -F 列出支持的文件格式：

c:\Program Files\Wireshark>tshark.exe -F
tshark.exe: option requires an argument -- 'F'
tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file

tshark -r读取，-F另存为其他格式：

c:\Program Files\Wireshark>tshark.exe -r wlan.pcap -F k12text -w wlan.txt

tshark设置filter有2种方式：

tshark -f ""

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} -f "host 172.175.234.12"
Capturing on 'WLAN'
0 packets captured

直接写filter

c:\Program Files\Wireshark>tshark.exe -i \Device\NPF_{23E14E7F-5D8F-42DB-AEA8-45038429FD06} host 172.175.234.12
Capturing on 'WLAN'
0 packets captured