tshark special filters
SMB2 Vul. Filter
- smb.cmd (0x72 is an SMB Negotiate Protocol command)
- smb.flags.response (a bit value of 0 indicates this is a request packet)
- smb.pid.high (a value other than 0x0000 would be considered abnormal)
Wireshark display filter:
    ((smb.cmd == 0x72) && (smb.flags.response == 0)) && !(smb.pid.high == 0)
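As an added example (not code from the original page), the same predicate as the display filter above, applied directly to a raw TCP payload in Python. The byte offsets come from the SMB1 header layout behind the smb.cmd, smb.flags.response and smb.pid.high fields; the sample packets are constructed for the check, not taken from a capture.

```python
import struct

# SMB1 header layout (after the 4-byte NetBIOS session header), so the
# tshark fields map to bytes: smb.cmd = byte 4, smb.flags = byte 9,
# smb.pid.high = little-endian u16 at bytes 12-13.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_RESPONSE = 0x80  # bit 7 of smb.flags: 0 = request, 1 = response

def parse_smb1_header(tcp_payload: bytes):
    """Return (cmd, is_response, pid_high) for an SMB1 message carried
    over TCP (NetBIOS session framing), or None if it is not SMB1."""
    if len(tcp_payload) < 4 + 32:
        return None
    smb = tcp_payload[4:]                   # skip NetBIOS session header
    if smb[:4] != SMB1_MAGIC:
        return None
    cmd = smb[4]
    flags = smb[9]
    pid_high = struct.unpack_from("<H", smb, 12)[0]
    return cmd, bool(flags & SMB_FLAGS_RESPONSE), pid_high

def matches_filter(tcp_payload: bytes) -> bool:
    """Same predicate as the display filter above:
    (smb.cmd == 0x72) && (smb.flags.response == 0) && !(smb.pid.high == 0)"""
    hdr = parse_smb1_header(tcp_payload)
    if hdr is None:
        return False
    cmd, is_response, pid_high = hdr
    return cmd == SMB_COM_NEGOTIATE and not is_response and pid_high != 0

def build_sample(pid_high: int, response: bool = False) -> bytes:
    """Constructed test input (not a real capture): a bare SMB1 Negotiate
    header with the given PID high value, in NetBIOS session framing."""
    flags = SMB_FLAGS_RESPONSE if response else 0x18
    hdr = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
           + b"\x00\x00\x00\x00"            # NT status
           + bytes([flags]) + b"\x01\xc8"    # flags, flags2
           + struct.pack("<H", pid_high)     # PID high
           + b"\x00" * 8 + b"\x00\x00"       # security features, reserved
           + b"\x00\x00\xfe\xff\x00\x00\x00\x00")  # TID, PID low, UID, MID
    return struct.pack(">I", len(hdr)) + hdr  # type 0x00 + 3-byte length

if __name__ == "__main__":
    for ph, rsp in ((0x0000, False), (0x0001, False), (0x0001, True)):
        pkt = build_sample(ph, rsp)
        print(f"pid_high={ph:#06x} response={rsp}: match={matches_filter(pkt)}")
```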

Advanced dumpcap Filters
Options are similar to tshark, but dumpcap is faster and writes only to a file.
It also supports a ringbuffer for the output, see option -b:
-b <ringbuffer opt.> ...
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
And here a sample (each ringbuffer option needs its own -b):
	dumpcap -i eth0 -s 1600 -b filesize:100 -b files:100 -w capture.cap

Advanced editcap Filters
Used to manipulate capture files by frame or time ranges.
And here a sample (-r keeps only the given frame ranges, -A/-B keep the frames between the two timestamps):
	editcap -r capture1-1.cap tmp.cap 1-1000 2001-3000

	editcap -A "2008-08-11 11:40:00" -B "2008-08-11 11:49:59" capture1.cap tmp.cap
Split the file into chunks of 1000 frames:
	editcap -c 1000  sharkfest-1.cap tmp.cap
Change the snaplen, shift the timestamps (here by -3600 seconds):
	editcap -s 96  capture1.cap tmp.cap
	editcap -t -3600 capture1.cap tmp.cap

Advanced mergecap Filters
Merge capture files.
Timestamp based (default, frames are merged in chronological order):
	mergecap -w new.cap capture1.cap capture2.cap
Append (-a, files are concatenated in the given order):
	mergecap -a -w new.cap capture1.cap capture2.cap

Advanced text2pcap
Converts text capture output into a pcap file.

Sample:
Output from a software whose pcap export does not work, but from which we can "cut and paste" one frame:
45 00 00 34 71 b7 40 00 69 06 49 78 0a 0a 0a 01 E..4q.@.i.Ix....
0a 00 00 02 12 97 01 bd e6 19 3f 48 00 00 00 00 ..........?H....
80 02 7f ff 5e ce 00 00 02 04 05 b4 01 03 03 00 ....^...........
01 01 04 02 35 78 69 6a 41 0d 0a 41 41 41 41 41 ....5xijA..AAAAA
41 41 41 41 41 41 41 41 41 41 41 41             AAAAAAAAAAAA
You must convert this to a text2pcap readable format with this script:
arbor2text.pl
#!/usr/bin/perl
#
# arbor2text.pl
#
# converts arbor text export ASCII files to text2pcap readable input format
#
# Version 0.3
# date 30.12.2009
# (c) by packetlevel.ch
#
#################################################
#
# Usage:  arbor2text.pl arbor_txt.txt > arbor_hex.txt
#
# create PCAP file with text2pcap (included in wireshark / tshark)
#         text2pcap -l 1 -e 0x0800 arbor_hex.txt arbor.pcap
#
#################################################
#
use strict;
use warnings;

my @packets = ();   # $packets[$i] holds the hex bytes of packet $i as one string
my $i = 1;

# Collect the hex dump lines; any non-hex line (e.g. an empty line)
# starts a new packet.
while (<>) {
    my $line = $_;

    if ( $line =~ /^[0-9A-Fa-f]{2} / ) {
        # 16 bytes "xx xx ... xx" are 47 chars; this drops the ASCII column
        my $hex_part = substr($line, 0, 47);
        $hex_part =~ s/\s//g;
        $packets[$i] .= $hex_part;
    }
    else {
        $i++;
    }
}

# Print every packet in text2pcap format: a "# Packet" header line,
# then lines of 16 bytes, each starting with the byte offset in hex.
for ($i = 1; $i <= @packets; $i++) {

    if ( defined $packets[$i] ) {

        for ( my $j = 0; $j < length($packets[$i]); $j += 2 ) {
            if ( $j == 0 ) {
                printf "# Packet\n%08X", 0;
            } elsif ( $j % 32 == 0 ) {
                printf "\n%08X", $j/2;
            }
            print " ".substr($packets[$i], $j, 2);
        }
        print "\n";
    }
}
This generates the following output (redirected into arbor_hex.txt):
# Packet
00000000 45 00 00 34 71 b7 40 00 69 06 49 78 0a 0a 0a 01
00000010 0a 00 00 02 12 97 01 bd e6 19 3f 48 00 00 00 00
00000020 80 02 7f ff 5e ce 00 00 02 04 05 b4 01 03 03 00
00000030 01 01 04 02 35 78 69 6a 41 0d 0a 41 41 41 41 41
00000040 41 41 41 41 41 41 41 41 41 41 41 41
And now we create the pcap file (-l 1: Ethernet link type, -e 0x0800: prepend a dummy Ethernet header with EtherType IPv4):
	text2pcap -l 1 -e 0x0800 arbor_hex.txt arbor.pcap

(c) 2009 by packetlevel.ch / last update: 30.12.2009