root@dco:~$ tshark -r Desktop/exercise-files/demo.pcapng -Y "frame.number == 29"
29 4.105904 65.208.228.223 ? 145.254.160.237 TCP 1434 80 ? 3372 [PSH, ACK] Seq=12421 Ack=480 Win=6432 Len=1380 [TCP segment of a reassembled PDU]
* the -Y flag in tshark is used to apply a display filter to the packets
being processed. it ensures that only packets matching the given filter
expression are displayed
READING AND WRITING FILTERED PCAP DATA
# Read the first packet of the demo.pcapng, create write-demo.pcap and save the first packet there.
root@dco:~$ tshark -r demo.pcapng -c 1 -w write-demo.pcap
# List the contents of the current folder.
root@dco:~$ ls
demo.pcapng write-demo.pcap
# Read the write-demo.pcap and show the packet bytes/details.
root@dco:~$ tshark -r write-demo.pcap
1 0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1
READING AND DISPLAYING PCAP DATA IN HEX/ASCII
it will be hard to spot anomalies with large data sets. reduce the number of packets prior to analysis
# Read the packets from write-demo.pcap
root@dco:~$ tshark -r write-demo.pcap
1 0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1
# Read the packets from write-demo.pcap and show the packet bytes/details.
root@dco:~$ tshark -r write-demo.pcap -x
0000 fe ff 20 00 01 00 00 00 01 00 00 00 08 00 45 00 .. ...........E.
0010 00 30 0f 41 40 00 80 06 91 eb 91 fe a0 ed 41 d0 .0.A@.........A.
0020 e4 df 0d 2c 00 50 38 af fe 13 00 00 00 00 70 02 ...,.P8.......p.
0030 22 38 c3 0c 00 00 02 04 05 b4 01 01 04 02 "8............
READING AND DISPLAYING PACKET DETAILS
displaying full packet details makes it difficult to investigate long and complex terminal output for each packet; however, this is helpful for in-depth packet analysis and scripting. only use the verbosity level after filtering the packets
