Packet Captures: Difference between revisions
m (→Non-Root Capture in Ubuntu: m)
m (→Misc: m)
= Misc =

* In IE, disable HTTP 1.1 in the Advanced options so that the browser sends its requests as HTTP 1.0. The traffic will then be visible in clear text in Wireshark captures. Over HTTP 1.1 the browser negotiates gzip compression of the HTML, so the body is not readable as clear text. You will also see multiple connections for a single web page.

* In Wireshark, anything you see in square brackets, e.g. [bla bla], is Wireshark's own analysis of the information and is not part of the captured packet.

==Tshark==

apt-get install tshark

Read a capture, keep only the packets matching a read filter, and write them to a new file. On newer tshark versions -R is a two-pass read filter that must be combined with -2; use -Y for a single-pass display filter instead.

tshark -r lotsapackets.cap -R dns -w dns.cap

tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w web.cap

capinfos prints a summary (packet count, duration, file size) of a capture file:

capinfos web.cap

editcap -c splits a large capture into files of at most 50000 packets each:

editcap -c 50000 lotsapackets.cap fewerpackets.cap

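The three steps above (filter by protocol/port, count packets, split into smaller files) reimplemented in pure Python as an added example, not part of the original page and not Wireshark's own code. It parses the classic little-endian pcap format (not pcapng) and decodes only IPv4 over Ethernet, which is enough to mirror the `dns` and `dns or tcp.port==80` read filters. The sample capture, its MAC/IP addresses, ports and output file names are constructed for the example.

```python
"""Minimal pcap filter / count / split, mirroring tshark -R, capinfos and editcap -c."""
import struct
from collections import namedtuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Ports = namedtuple("Ports", "proto sport dport")   # proto: 6 = TCP, 17 = UDP


def read_pcap(data):
    """Return (24-byte global header, [(ts_sec, ts_usec, frame_bytes), ...])."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    header, offset, packets = data[:24], 24, []
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return header, packets


def write_pcap(header, packets):
    """Serialise packets back into a pcap file (the -w half of tshark)."""
    out = bytearray(header)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def transport_ports(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} headers; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                             # IPv4 header length
    proto = frame[23]                                        # IPv4 protocol field
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return Ports(proto, sport, dport)


def is_dns(frame):
    """Equivalent of the 'dns' filter (UDP on port 53)."""
    p = transport_ports(frame)
    return p is not None and p.proto == 17 and 53 in (p.sport, p.dport)


def is_dns_or_web(frame):
    """Equivalent of 'dns or tcp.port==80'."""
    p = transport_ports(frame)
    return is_dns(frame) or (p is not None and p.proto == 6 and 80 in (p.sport, p.dport))


def filter_pcap(data, keep):
    header, packets = read_pcap(data)
    return write_pcap(header, [pkt for pkt in packets if keep(pkt[2])])


def packet_count(data):
    """The packet-count line of capinfos."""
    return len(read_pcap(data)[1])


def split_pcap(data, per_file):
    """editcap -c N: chunks of at most N packets, each a complete pcap file."""
    header, packets = read_pcap(data)
    return [write_pcap(header, packets[i:i + per_file]) for i in range(0, len(packets), per_file)]


# --- constructed sample capture (synthetic frames, not real traffic) ---
def _frame(proto, sport, dport, payload=b"x" * 8):
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)          # UDP header
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)  # TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload

SAMPLE_PCAP = write_pcap(
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET),
    [(1, 0, _frame(17, 40000, 53)),     # DNS query
     (2, 0, _frame(6, 40001, 80)),      # HTTP
     (3, 0, _frame(6, 40002, 443)),     # HTTPS: dropped by both filters
     (4, 0, _frame(17, 40003, 123)),    # NTP: dropped by both filters
     (5, 0, _frame(17, 53, 40000))])    # DNS response

if __name__ == "__main__":
    with open("dns.cap", "wb") as f:
        f.write(filter_pcap(SAMPLE_PCAP, is_dns))
    with open("web.cap", "wb") as f:
        f.write(filter_pcap(SAMPLE_PCAP, is_dns_or_web))
    print("web.cap packets:", packet_count(filter_pcap(SAMPLE_PCAP, is_dns_or_web)))
    for i, chunk in enumerate(split_pcap(SAMPLE_PCAP, 2)):
        with open(f"fewerpackets_{i:05d}.cap", "wb") as f:
            f.write(chunk)
```

The split chunks each carry a copy of the global header, so every output file opens in Wireshark on its own, which is the property editcap -c gives you as well.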