Wireshark
From wikinotes
Wireshark is a packet sniffer (tshark is its command-line version). It is useful for getting an overview of all of the traffic visible on your machine's network interfaces.
Documentation
man tshark
  https://www.wireshark.org/docs/man-pages/tshark.html
man wireshark-filter (display filter syntax)
  https://www.wireshark.org/docs/man-pages/wireshark-filter.html
man pcap-filter (capture filter syntax)
  https://www.tcpdump.org/manpages/pcap-filter.7.html
Install
sudo pacman -S wireshark-cli
sudo usermod -a -G wireshark will   # add your user (here "will") to the wireshark group so captures work without root
newgrp wireshark                    # make the group change active w/o logging out and in again
tshark                              # run wireshark (CLI)
Usage
# capture filters (-f) use pcap-filter syntax and are composable
tshark -i any                                   # capture on all ifaces
tshark -i en0 -f "tcp"
tshark -i en0 -f "tcp port 80 or tcp port 443"

# write/read dump
tshark -w out.pcap
tshark -r out.pcap

# extract HTTP requests from dumped data (two-pass display filter, full packet detail)
tshark -r out.pcap -V -2 -R 'http.request.method == "GET" || http.request.method == "HEAD"'

# exclude tcp/ip traffic to or from an ip addr
# (ip.src/ip.dst are needed here: 'ip.addr != x' would still match packets where only one endpoint differs)
tshark -r out.pcap -2 -R 'ip.src != 192.168.1.100 and ip.dst != 192.168.1.100'

# allowlist http requests/responses (single-pass display filter; -R without -2 is rejected by current tshark)
tshark -r out.pcap -Y 'http.request || http.response'
Filters
- capture filter:                -f {exp}     (pcap-filter syntax)
- display filter (single pass):  -Y {exp}     (wireshark-filter syntax)
- display filter (double pass):  -2 -R {exp}  (wireshark-filter syntax)
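As an added example (not from this wiki page or the Wireshark project), the following POSIX shell helpers compose the capture and display filters used in the Usage and Filters sections above, and then apply them to a dump the way the Usage section does. The file name out.pcap, the address 192.168.1.100 and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: build tshark filters from
# argument lists and apply them to a capture file. Names and the sample
# address are assumptions chosen for illustration.

# Capture filter (pcap-filter syntax) matching any of the given TCP ports,
# e.g. "tcp port 80 or tcp port 443".
tcp_ports_filter() {
    out=""
    for p in "$@"; do
        if [ -n "$out" ]; then out="$out or "; fi
        out="${out}tcp port $p"
    done
    printf '%s' "$out"
}

# Display filter (wireshark-filter syntax) that drops every packet sent to
# or from the given hosts. "ip.addr != X" would NOT do this: ip.addr is
# both endpoints, so "!=" is true whenever either endpoint differs from X.
exclude_hosts_filter() {
    out=""
    for h in "$@"; do
        if [ -n "$out" ]; then out="$out and "; fi
        out="${out}ip.src != $h and ip.dst != $h"
    done
    printf '%s' "$out"
}

# Display filter matching HTTP requests using any of the given methods,
# e.g. 'http.request.method == "GET" || http.request.method == "HEAD"'.
http_methods_filter() {
    out=""
    for m in "$@"; do
        if [ -n "$out" ]; then out="$out || "; fi
        out="${out}http.request.method == \"$m\""
    done
    printf '%s' "$out"
}

# Read a pcap and print source IP, Host header and URI of matching requests,
# using the two-pass display filter (-2 -R) from the Usage section.
http_requests_from_pcap() {
    pcap="$1"; shift
    tshark -r "$pcap" -2 -R "$(http_methods_filter "$@")" \
        -T fields -e ip.src -e http.host -e http.request.uri
}

# Usage: only runs when tshark is installed and the assumed capture exists.
if command -v tshark >/dev/null 2>&1 && [ -f out.pcap ]; then
    echo "capture filter: $(tcp_ports_filter 80 443)"
    echo "exclusion filter: $(exclude_hosts_filter 192.168.1.100)"
    http_requests_from_pcap out.pcap GET HEAD
fi
```

The filter builders are kept separate from the tshark call so the resulting expressions can be inspected (or tested) before being handed to a live capture; the `exclude_hosts_filter` helper in particular encodes the `ip.src`/`ip.dst` form that the Usage section relies on instead of the tempting but wrong `ip.addr != x`.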