Hi guys
I want to collect the raw data to and from my server to a Cisco router. I googled and read up on tshark, tried to find some simple guide for it, but failed.
Anyone could help out?
Thanks a lot
Well, as always, the man file is a tremendous help...
In any case, this is the command I usually use:
Code:
tshark -w - -i eth0 -f "port 80" | dd of=./http_traf
Note that's a '-' after the -w switch to denote writing raw data to stdout. There is an option to specify the output file in tshark, but I typically wind up getting permission write problems when using that, so I pipe the output out to dd instead, which is extremely flexible in piping it out to other programs and files.
For a basic explanation...
-w - writes raw packet data to stdout
-i specifies the interface
-f "port 80" specifies the capture filter
You can look up tshark or wireshark capture filters on google to find more of these, or you can simply capture all traffic by omitting the -f switch altogether. To capture on all interfaces, use 'any'. It might also work with 'all', but I've typically used it with 'any'.
I think that should give you a good enough idea of how to use it, with a little help from the man file.
Cool.. thanks a lot! That really helps a lot.. btw I wish to see the raw packet in hex hash, any idea how I do that?
Well, you could use a graphical packet capture program to open the data. Wireshark or Ethereal would probably do, and they would probably have an option to view as hex.
The other option is just to simply use a hex editor, but I don't think it would be nearly as informative as doing it with a packet capture program, as it would know how to differentiate between the data of the packet itself and the data that the packet is carrying, simply by highlighting different parts of the packet structure.
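As an added example (not posted by anyone in this thread), here is the capture pipeline from the answer above wrapped in a small script, together with a text-only hex view of the saved capture for a box with no GUI. It assumes tshark (and, as a fallback, tcpdump) is installed, that ROUTER is the Cisco router's IP and IFACE the server-side interface; those are placeholders, not values from the thread. The validate_iface check exists because an interface name that starts with '-' (as in '-i -eth0') is parsed by tshark as an option, not an interface, and the capture never starts.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions (placeholders):
#   ROUTER is the Cisco router's IP address; IFACE is the server-side interface.
# tshark must be installed for the live capture; tcpdump is only a fallback
# for the hex dump.

# Reject interface names that look like switches. An argument such as '-eth0'
# would be consumed by tshark's option parser instead of naming an interface.
validate_iface() {
    case "$1" in
        ''|-*) echo "bad interface name: '$1'" >&2; return 1 ;;
        any)   return 0 ;;
    esac
    # Existence check is advisory only: /sys may be absent in containers.
    if [ -d /sys/class/net ] && [ ! -e "/sys/class/net/$1" ]; then
        echo "warning: $1 not found under /sys/class/net" >&2
    fi
    return 0
}

# Build the capture pipeline as a string so it can be shown and checked
# before it is run. '-w -' sends raw pcap to stdout; dd then owns the output
# file, which sidesteps the permission problem tshark hits when it writes
# the file itself after dropping privileges.
build_capture_cmd() {
    iface=$1; filter=$2; out=$3
    printf 'tshark -w - -i %s -f "%s" | dd of=%s' "$iface" "$filter" "$out"
}

# Capture traffic between this server and the router into $out.
# '-c' stops after a fixed packet count instead of running until killed;
# drop it or raise it for a long-running capture.
capture() {
    iface=$1; router=$2; out=$3; count=${4:-1000}
    validate_iface "$iface" || return 1
    tshark -w - -i "$iface" -c "$count" -f "host $router" | dd of="$out"
}

# Hex-and-ASCII dump of a saved capture, text only.
# 'tshark -x' prints each packet's summary followed by its raw bytes;
# 'tcpdump -XX' is the fallback (-XX includes the link-layer header).
hexdump_capture() {
    file=$1
    if command -v tshark >/dev/null 2>&1; then
        tshark -r "$file" -x
    else
        tcpdump -XX -r "$file"
    fi
}

# usage: sh capture.sh capture eth0 192.0.2.1 ./router_traf.pcap
#        sh capture.sh dump ./router_traf.pcap
case "${1:-}" in
    capture) shift; capture "$@" ;;
    dump)    shift; hexdump_capture "$1" ;;
esac
```

The capture filter 'host ROUTER' keeps only packets to or from the router, which is what the original question asked for; replace it with 'port 80' to reproduce the answer's command exactly. Because '-w -' writes to stdout, nothing but the raw pcap may go there: any tshark status output goes to stderr, so redirect stderr to a log rather than to the same file.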
I see.. the server is running on CentOS 5 text mode.. no GUI.. anyway thanks for your help :)