tshark
- tshark.dev
- 参考
# interfaces
tshark -D
# filter
tshark -f "net 192.168.8.0/24"
# 只显示 req header
tshark tcp port 80 or tcp port 443 -V -R "http.request"
# 只显示 res header
tshark -V -Y "tcp.port == 80 && http.response"
# DHCP
tshark -i ethX -n port 68 -R 'bootp.type == 2'
# SNI
tshark -V -Y 'tcp.port==443 && ssl.handshake.extensions_server_name=="example.com"'
FAQ
Couldn't run /usr/bin/dumpcap in child process: Operation not permitted
- 运行时添加 --cap-add=NET_RAW --cap-add=NET_ADMIN
getcap $(which dumpcap)
# /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip