Capture
CLI (tshark)
Display Filters
By Protocol
By IP
By Port
By Flags
Combine
Capture Filters (BPF)
Applied before capture (less CPU):Follow Streams
Right-click packet → Follow → TCP/UDP/HTTP Stream.tshark
Credential Extraction
HTTP Auth
FTP
Telnet
SMB
SMTP
Export Objects
File → Export Objects → HTTP/SMB/FTP/TFTP.tshark
Statistics
- Statistics → Endpoints (top talkers)
- Statistics → Conversations (who talks to whom)
- Statistics → Protocol Hierarchy (protocol breakdown)
- Statistics → I/O Graphs (traffic over time)
Useful Filters
| Purpose | Filter |
|---|---|
| HTTP requests | http.request |
| POST data | http.request.method == "POST" |
| DNS queries | dns.flags.response == 0 |
| Failed logins | ftp.response.code == 530 |
| ARP requests | arp.opcode == 1 |
| ICMP | icmp |
| Cleartext creds | http.authbasic || ftp || telnet |
tshark One-Liners
Quick Reference
| Task | Filter/Command |
|---|---|
| Filter by IP | ip.addr == TARGET |
| HTTP POST | http.request.method == "POST" |
| Follow stream | Right-click → Follow → TCP Stream |
| Export files | File → Export Objects → HTTP |
| Credentials | http.authbasic, ftp, ntlmssp |