tshark filters
ip multicastIP Multicast
ether multicastEthernet Multicast

tshark ipv6 filters

Advanced tshark Filters
for creating a ";" separated file with "source IP" "destination IP" and "Destination Port" from all with SYN initiated connections, you can use following sample:
Use the options -T , -E and -e (see man pages for infos)
	tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'
this generate the following Output (sample>;51514;;21;50914;;50366;47575;;35328;43957;;56747;36637;;33607
Display http response codes:
	tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code 
Display Top 10 URLs
	tshark -r sample1.cap -R http.request 
		-T fields -e http.host -e http.request.uri |
		sed -e 's/?.*$//' |
		sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' |
		sort | uniq -c | sort -rn | head
Display Source IP and MAC Address. (coma sep) tshark -i eth0 -nn -e ip.src -e eth.src -Tfields -E separator=, -R ip Display Target IP and Mac Address (coma sep)
	tshark -i eth0 -nn -e ip.dst -e eth.dst -Tfields -E separator=, -R ip
Soure and Target IP
	tshark -i eth0 -nn -e ip.src -e ip.dst -Tfields -E separator=, -R ip
Source and Target IPv6
	tshark -i eth0 -nn -e ip.dst -e ip.dst -Tfields -E separator=, -R ip
Source IP and DNS Query
	tshark -i eth0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53

my tshark special filters
Answer Seq Numbers
for a test , if the Device use random answer seq number, i need the Seq-Number of the SYN-ACK packet.
the -o options is requierd for oversteering the wireshark config and make sure, we have the absolute Seq Nr, and not the relative Seq Nr.
        tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host and tcp[13]=0x12

tshark special filters
SMB2 Vul. Filter
- smb.cmd (0x72 is an SMB Negotiate Protocol command)
- smb.flags.response (a bit value of 0 indicates this is a request packet)
- smb.pid.high (a value other than 0x0000 would be considered abnormal)
wireshark filter
    ((smb.cmd == 0x72) && (smb.flags.response == 0)) && !(smb.pid.high == 0)

Output Filters
You can define the output of tshark : And here a Samples:
display only the Source and the Destination IP
trilobit@drotops:~/trace/blub$ sudo tshark -o column.format:'"Source", "%s","Destination", "%d"' -Ttext
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0 -> -> -> -> -> -> -> -> ->
9 packets captured
Some othe Sample:
tshark -nn -i eth0 -o column.format:'"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'
tshark -nn -i eth0 -o column.format:'"Packet#","%m","Time","%t","Source","%rhs","Destination","%uhd", 	\						"Speed","%x","Size","%L","RSSI","%e","Info","%i"'

Output Filters
Some other Sampels: (found around the world):
And here a Samples:
tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e frame.date -e frame.time -e  ip.src -e ip.dst -e nbns.id -e nbns.flags.opcode -e nbns.flags.rcode
tshark -r samples.cap -o column.format:'"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'
tshark -r samples.cap -Ttext > outfile.txt
tshark -r samples.cap -o column.format:'"Source", "%s","Destination", "%d"' -Ttext
tshark -r samples.cap -R http.response.code==200 -T fiels -e http.content_type
tshark -r samples.cap -R dns.cflags.response==0

Statistics from a capture file
And here a Samples:
tshark -r samples.cap -qz io,stat,1,0,sum(tcp.analysis.retransmission)"ip.addr==" > stat.txt
tshark -r samples.cap -qz io,stat,120,"ip.addr== &&  tcp","COUNT(tcp.analysis.retransmission)ip.addr== && tcp.analysis.retransmission"
tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"
tshark -r samples.cap -q -z  io,stat,30,"COUNT(tcp.analysis.retranmission)tcp.analysis.retransmission","AVG(tcp.window_size)tcp.window_size","MAX(tcp.window_size)","MIN(tcp.window_size)tcp.window_size"
tshark -r samples.cap -q -z io,stat,5,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack","COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment","COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"
tshark -r samples.cap -q -z io,stat,5,"MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt","MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt","AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt"
tshark -r samples.cap -q -z ip_hosts,tree
tshark -r samples.cap -q -z conv,tcp

tshark -r samples.cap -q -z ptype,tree
Browser Filters
Sometime, you need the Infos about the Browser Type and other HTTP Infos And here a Samples:
display only the Source IP and the Browser Type
trilobit@drotops:~/trace/blub$ sudo tshark -nn -r capture_file.pcap -Tfields -e ip.src -e http.user_aget -R "http.user_agent"
Other Usefull Infos

(c) 2010 by packetlevel.ch / last update: 18.12.2010