eternalmopa.blogg.se

Tshark filter examples

I try to calculate GET requests from my server. I run the following command to filter incoming traffic and fetch only GET requests:

    /usr/sbin/tshark -b filesize:1024000 -b files:1 \
        -w samples.pcap -R ' = "GET"'

As you see, I defined it to store the filtered results in one file with max size 1G and name samples.pcap. I have really big traffic; during 10 min I get a pcap file of size 950M. It works, but in this case I have under /tmp several temp files with huge size, 1G+.

Lars asked to add -f:

    sudo /usr/sbin/tshark -T fields -e ' contains "cnc=13"' \

This seems to work when you'd want to combine -w and BPF packet filters (i.e., what you put on -f):

    tcpdump -nli en1 -w - 'tcp port 80' | tshark -i - -R ' = "GET"'

(Replacing the initial tcpdump with tshark results in this error on my local system:
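The pieces discussed in this thread (a BPF capture filter to cut volume before it reaches the ring buffer, a display filter so that only GET requests are written, the tcpdump-to-tshark pipe, field extraction with a "contains" match, and counting the results) put together in one POSIX shell script. This is an added example, not code posted by anyone in the thread. It assumes tshark 1.10 or later, where -Y is the single-pass display filter (-R now needs -2 and is two-pass, which is why it does not combine well with -b ring buffers), that the "cnc=13" substring lives in the request URI, and that the interface names, file names and sample field output are illustrative.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant.
# Assumes tshark >= 1.10: -f is the BPF capture filter, -Y the display filter.

# Build the display filter: GETs only, optionally AND-ed with an extra clause
# such as 'http.request.uri contains "cnc=13"' (field name is an assumption).
get_filter() {
    extra="${1:-}"
    filt='http.request.method == "GET"'
    if [ -n "$extra" ]; then
        filt="$filt && ($extra)"
    fi
    printf '%s\n' "$filt"
}

# Live capture into a single 1G ring-buffer file containing only GET requests.
# The BPF filter drops non-port-80 traffic in the kernel before tshark sees it;
# -Y together with -w writes only packets that pass the display filter.
capture_gets() {
    iface="$1"; outfile="$2"
    tshark -i "$iface" -f 'tcp port 80' \
        -Y "$(get_filter)" \
        -b filesize:1024000 -b files:1 -w "$outfile"
}

# Same selection, but with tcpdump doing the capture and BPF filtering and
# tshark reading the stream from stdin (-i -), as suggested in the thread.
capture_gets_via_tcpdump() {
    iface="$1"; outfile="$2"
    tcpdump -nli "$iface" -w - 'tcp port 80' \
        | tshark -i - -Y "$(get_filter)" -w "$outfile"
}

# Post-process a saved capture: one tab-separated line per matching GET with
# client address, Host header and request URI. Second argument is optional.
extract_gets() {
    pcap="$1"; extra="${2:-}"
    tshark -r "$pcap" -Y "$(get_filter "$extra")" \
        -T fields -E separator=/t \
        -e ip.src -e http.host -e http.request.uri
}

# Count GETs per URI from extract_gets output on stdin, most frequent first.
count_by_uri() {
    awk -F'\t' 'NF >= 3 { n[$3]++ }
                END { for (u in n) printf "%d\t%s\n", n[u], u }' | sort -rn
}

# Constructed sample of extract_gets output so the counting step runs offline.
SAMPLE_FIELDS=$(printf '10.0.0.5\texample.com\t/index.html\n10.0.0.6\texample.com\t/index.html\n10.0.0.5\texample.com\t/login?cnc=13\n')

# Most requested URI in the sample, as "<count><TAB><uri>".
top_uri_from_sample() {
    printf '%s\n' "$SAMPLE_FIELDS" | count_by_uri | head -n 1
}

# Stand-alone run: show the counting step on the constructed sample.
# (capture_gets / extract_gets need a live interface or a real pcap.)
top_uri_from_sample
```

The capture filter is what keeps the temporary files small: it is evaluated in the kernel, so traffic that is not port 80 never reaches tshark or the ring buffer. The display filter then decides which of the remaining packets are written; it has to be a single-pass filter (-Y), because a two-pass -2 -R run needs the whole file before it can emit anything and so does not fit a rotating -b capture.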