I recently needed to analyse tcpdump output for an application-layer protocol (MySQL). Wireshark could do it, but I wanted to process the output with various text-processing utilities, so I gave tshark(1) a shot: it ships with Wireshark and is essentially Wireshark for the terminal. With it I was able to get the list of SELECT queries from the captured stream using the following command line:
% tshark -r file.cap -d "tcp.port==$port,mysql" -Eheader=y -Tfields -e ip.src -e tcp.stream -e mysql.query -R 'mysql.query contains "SELECT"'
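The text-processing side of that workflow, as an added example that is not part of the original post: two POSIX sh/awk functions that consume the tab-separated output of the command above (header row, then ip.src, tcp.stream, mysql.query per line), count SELECTs per client address, and flag queries carrying classic injection markers. The sample rows are constructed, not taken from a real capture.

```shell
#!/bin/sh
# sample_tshark_output: constructed stand-in for the output of
#   tshark ... -Eheader=y -Tfields -e ip.src -e tcp.stream -e mysql.query
# It is NOT real capture data; pipe the real command into the functions below.
sample_tshark_output() {
    printf 'ip.src\ttcp.stream\tmysql.query\n'
    printf '10.0.0.5\t0\tSELECT id, name FROM users WHERE id = 42\n'
    printf '10.0.0.5\t0\tSELECT * FROM orders WHERE user_id = 42\n'
    printf "10.0.0.9\t1\tSELECT * FROM users WHERE name = 'x' OR 1=1 --\n"
    printf '10.0.0.5\t2\tSELECT COUNT(*) FROM sessions\n'
    printf '10.0.0.9\t3\tSELECT 1 UNION SELECT password FROM users\n'
}

# queries_per_source: count SELECTs per client address (header line skipped).
# Prints "<ip.src> <count>", sorted by address.
queries_per_source() {
    awk -F'\t' 'NR > 1 { n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# suspicious_queries: print "<tcp.stream> <ip.src> <query>" for SELECTs that
# carry injection markers: a numeric tautology ("OR 1=1"), an SQL line comment
# ("--") or an injected UNION SELECT. Matching is case-insensitive via toupper().
suspicious_queries() {
    awk -F'\t' 'NR > 1 {
        q = toupper($3)
        if (q ~ /OR +[0-9]+ *= *[0-9]+/ || q ~ /--/ || q ~ /UNION +(ALL +)?SELECT/)
            print $2, $1, $3
    }'
}

# Wrappers over the constructed sample so the script runs as-is;
# replace sample_tshark_output with the real tshark pipeline in practice.
report_counts()     { sample_tshark_output | queries_per_source; }
report_suspicious() { sample_tshark_output | suspicious_queries; }

report_counts
report_suspicious
```

The command as written targets the tshark of the time; on tshark 1.8 and later `-R` is a read filter that needs `-2`, and the single-pass display filter is given with `-Y` instead.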