Tshark usage samples below
Get stats on HTTP
tshark -r xxx.pcap -n -q -z http,tree
Get the stream numbers that contain HTTP GET requests
tshark -r xxx.pcap -n -Y 'tcp.port == 80 and http.request.method == "GET"' -T fields -e tcp.stream | sort -n | uniq
Search for a URL (or any string) in TCP payloads
tshark -n -r xxx.pcap -Y 'tcp contains "test.com"'
Filter by IP address and port, then get the stream numbers (uniq only collapses adjacent duplicates, so sort first)
tshark -n -r xxx.pcap -Y 'ip.addr == xx and tcp.port == xx' -T fields -e tcp.stream | sort -n | uniq
Follow a stream (-q suppresses the per-packet lines so only the reassembled conversation is printed)
tshark -n -r xxx.pcap -q -z follow,tcp,ascii,yyy
where yyy is the stream number
Get source IPs of packets where the ECN-Echo flag is set to 1
tshark -n -r xxx.pcap -Y 'tcp.flags.ecn == 1' -T fields -e ip.src | sort -n | uniq
Get source IPs of hosts with listening ports (based on the SYN/ACK response)
tshark -n -r xxx.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 1' -T fields -e ip.src | sort | uniq
Get strange DNS packets that carry both a query and an answer while flagged as a query (response bit 0), and print the A records
tshark -n -r xxx.pcap -Y '(udp.dstport == 53 and dns.flags.response == 0 and dns.count.queries > 0 and dns.count.answers > 0)' -T fields -e dns.a
Need to loop through multiple pcaps?
#!/bin/bash
# quote "$file" so names with spaces survive; the slash before * globs the
# files inside the folder rather than folders whose name starts with "pcaps"
for file in "/folder/with/pcaps"/*;
do
tshark -n -r "$file" xxxxxx
done
where xxxxxx is all your filters, like -Y 'ip.addr == x.x.x.x' -T fields -e ip.src | sort | uniq
Save the above into a file
chmod +x it
Then ./filename to run it
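The stream-number extraction and the loop-over-a-folder pattern above, combined into one script. This is an added example, not part of the original cheat sheet: the function names, the TSHARK variable (so the binary can be swapped for testing), the choice of SYN/ACK as the default filter and the assumption that captures end in .pcap or .pcapng are all mine. No sample capture is embedded; point it at your own folder.

```shell
#!/bin/bash
# Added example: safe-quoting wrappers around the tshark one-liners above.
# Written POSIX-sh compatible so it runs under sh or bash.

TSHARK="${TSHARK:-tshark}"   # assumption: tshark is on PATH; override for tests

# Print the distinct tcp.stream ids of packets matching FILTER in PCAP.
# uniq only collapses adjacent lines, so the numeric sort comes first.
stream_ids() {
    pcap="$1"; filter="$2"
    "$TSHARK" -n -r "$pcap" -Y "$filter" -T fields -e tcp.stream | sort -n | uniq
}

# Follow every stream that matched FILTER, labelling each block with its id.
follow_matching() {
    pcap="$1"; filter="$2"
    stream_ids "$pcap" "$filter" | while IFS= read -r id; do
        printf '=== tcp.stream %s ===\n' "$id"
        "$TSHARK" -n -r "$pcap" -q -z "follow,tcp,ascii,$id"
    done
}

# Extract FIELD from every *.pcap / *.pcapng in DIR that matches FILTER.
# Output: "<file><TAB><value>", de-duplicated per file. Quoting "$f" keeps
# names with spaces intact; the -e test skips the literal "*.pcap" pattern
# that a shell returns when the directory has no matching files.
scan_pcaps() {
    dir="$1"; filter="$2"; field="$3"
    for f in "$dir"/*.pcap "$dir"/*.pcapng; do
        [ -e "$f" ] || continue
        "$TSHARK" -n -r "$f" -Y "$filter" -T fields -e "$field" \
            | sort | uniq \
            | while IFS= read -r v; do
                  [ -n "$v" ] && printf '%s\t%s\n' "$f" "$v"
              done
    done
}

# Usage: ./scan.sh /folder/with/pcaps
# Lists, per capture, the source IPs that answered with SYN/ACK (listening ports).
if [ -n "${1:-}" ]; then
    scan_pcaps "$1" 'tcp.flags.syn == 1 && tcp.flags.ack == 1' ip.src
fi
```

Each function takes the display filter as one quoted argument, which avoids the word-splitting that breaks the original loop when the filter is pasted in unquoted.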