Use ifconfig to find the interface (inet, netmask, broadcast)
tshark -n -i vtnet0 -a filesize:100000 -b files:3 -w wantrace.pcapng
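# -n disable network object name resolution (show IP addresses instead of hostnames)
# -i capture interface
# -a filesize:100000 stop writing to the current capture file once it reaches the given size in kB (100 MB per file); combined with -b, tshark switches to the next file
# -b files:3 use 3 files for the ring buffer
# -w output file name (the capture is written in pcapng format)
# -f specify a capture filter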
Example: DHCP traffic in tshark with a ring buffer:
tshark -n -i vtnet0 -a filesize:100000 -b files:3 -w wantrace.pcapng -f "port 67 or port 68"
tshark -n -i p1p2 -a filesize:100000 -b files:3 -w wantrace.pcapng -f "ether host xx:ab:xx:4b:xx:87"