WireShark의 유용한 프로그램들
tshark - Dump and analyze network traffic
tshark.exe -i <인터페이스번호> -w 파일명
mergecap - 둘 이상의 cap파일을 합친다.
mergecap.exe -w 3.cap 1.cap 2.cap
capinfos - cap파일의 정보를 출력
capinfos.exe 1.cap
dumpcap - Dump network traffic
dumpcap.exe -i <인터페이스번호> -w 파일명
editcap - Edit and/or translate the format of capture files
==============================================================================================
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
editcap -s 64 -F snoop capture.pcap shortcapture.snoopTo delete packet 1000 from the capture file use:
editcap capture.pcap sans1000.pcap 1000To limit a capture file to packets from number 200 to 750 (inclusive) use:
editcap -r capture.pcap small.pcap 200-750To get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500or
editcap capture.pcap first500.pcap 501-9999999To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
editcap capture.pcap exclude.pcap 1 5 10-20 30-40To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
editcap -r capture.pcap select.pcap 1 5 10-20 30-40To remove duplicate packets seen within the prior four frames use:
editcap -d capture.pcap dedup.pcapTo remove duplicate packets seen within the prior 100 frames use:
editcap -D 101 capture.pcap dedup.pcapTo remove duplicate packets seen equal to or less than 1/10th of a second:
editcap -w 0.1 capture.pcap dedup.pcapTo display the MD5 hash for all of the packets (and NOT generate any real output file):
editcap -v -D 0 capture.pcap /dev/nullor on Windows systems
editcap -v -D 0 capture.pcap NULTo introduce 5% random errors in a capture file use:
editcap -E 0.05 capture.pcap capture_error.pcap
================================================================================================
이어서...
