Tag Archives: tcpdump

Analysing tcpdump output on CLI

I recently needed to analyse a tcpdump output for an application layer protocol (mysql). Wireshark is there, but I wanted to be able to process the output with various text-process utilities. So I decided to give a shot to tshark(1), which is part of wireshark, and is like wireshark for terminals. With it, I was able to find get the list of SELECT queries from the captured stream, using following command-line:

% tshark  -r file.cap -d "tcp.port==$port,mysql" -Eheader=y -Tfields  -e ip.src -e tcp.stream -e mysql.query -R 'mysql.query contains "SELECT"'

Perfect!