TShark is the free command-line network protocol analyzer from the popular Wireshark community, which lets us capture packet data
from a live network. Below are a few examples to illustrate its usage. Hope it is useful to some Linux command-line protocol analyzer newbies.
- As an online Short Message Peer-to-Peer (SMPP) protocol analyzer
where -i any captures on all interfaces, -R is the filter (in this example it captures all SMPP packets towards IP 192.168.7.6), -T text gives human-readable output, -V gives the long (verbose) format, -x adds a hex dump, and -c 1000 stops after the first 1000 packets.
- For simple HTTP / XML traffic checks
Command : tshark -V -R "http.request || http.response" tcp port 80 or tcp port 443
- Selecting the required fields from an offline capture file and generating a CSV file.
Command : tshark -t ad -r pdu.pcap -R "smpp" -T fields -e frame.time -e smpp.sequence_number -e smpp.command_id -e smpp.source_addr -e smpp.destination_addr -E separator='|'
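The pipe-delimited field output above is most useful when something reads it back. The following is an added example, not part of the original post, that pairs SMPP requests with their responses by sequence number and reports unanswered PDUs, which is a quick health check on an SMSC link. It assumes tshark prints smpp.command_id as 0x-prefixed hex; the sample lines are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original post: post-process the
# "-T fields -E separator='|'" output of the SMPP command above to find
# requests that never received a response. Field order matches that command:
#   frame.time|smpp.sequence_number|smpp.command_id|smpp.source_addr|smpp.destination_addr
# Assumption: smpp.command_id is emitted as 0x-prefixed hex, and a response
# command_id is its request's id with the top bit set (0x80000004 answers 0x00000004).

# Same extraction as the post, for a live run when tshark is on PATH.
# Current tshark spells the display filter -Y; the post's -R is the older form.
smpp_fields_from_pcap() {
    tshark -t ad -r "$1" -Y "smpp" -T fields -e frame.time -e smpp.sequence_number \
        -e smpp.command_id -e smpp.source_addr -e smpp.destination_addr -E separator='|'
}

# Constructed sample of such output (not real captured traffic).
SAMPLE_SMPP_FIELDS='Jan  5, 2023 10:00:01.000000000 UTC|1|0x00000004|1234|5551000
Jan  5, 2023 10:00:01.050000000 UTC|1|0x80000004||
Jan  5, 2023 10:00:02.000000000 UTC|2|0x00000004|1234|5551001
Jan  5, 2023 10:00:03.000000000 UTC|3|0x00000015||
Jan  5, 2023 10:00:03.010000000 UTC|3|0x80000015||
Jan  5, 2023 10:00:04.000000000 UTC|4|0x00000004|1234|5551002'

# Read field lines on stdin; print the sequence number of every request
# (top bit clear) that has no response with the same sequence number.
smpp_unanswered() {
    awk -F'|' '
        { key = $2 ":" substr($3, 4) }            # seq + low 28 bits of command_id
        substr($3, 3, 1) == "8" { answered[key] = 1; next }
        { request[key] = $2; order[++n] = key }   # keep first-seen order
        END { for (i = 1; i <= n; i++)
                  if (!(order[i] in answered)) print request[order[i]] }
    '
}

# Read field lines on stdin; print "command_id count" per PDU type, sorted.
smpp_count_by_command() {
    awk -F'|' '{ c[$3]++ } END { for (id in c) print id, c[id] }' | sort
}

# Demo on the constructed sample: prints 2 and 4 (the two unanswered submit_sm),
# then the per-command_id counts.
printf '%s\n' "$SAMPLE_SMPP_FIELDS" | smpp_unanswered
printf '%s\n' "$SAMPLE_SMPP_FIELDS" | smpp_count_by_command
```

Pipe the real output of the post's command into smpp_unanswered to check a capture; responses with no matching request (for example generic_nack) are ignored by design.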
- Rotating capture files based on duration
Command : tshark -q -i any -w test.pcap -b duration:30 -b files:10
- GSM MAP protocol analyzer filter.
Command : tshark -i any -R "gsm_map" -T text -V -x -c 100
Refer to this link for more filters:
http://www.wireshark.org/docs/dfref/