wireshark-users October 2010 archive
Main Archive Page > Month Archives  > wireshark-users archives
wireshark-users: Re: [Wireshark-users] tshark filter

Re: [Wireshark-users] tshark filter

From: j.snelders <j.snelders_at_nospam>
Date: Fri Oct 15 2010 - 03:44:22 GMT
To: "Community support list for Wireshark" <wireshark-users@wireshark.org>

Hi David,

Use:
$ tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
== "PASS") || (ftp.request.command == "USER")"

Best regards
Joke

On Thu, 14 Oct 2010 19:04:38 -0400 David Milbourne wrote:
>So I did:
>
>tshark -r <capturefile> 'ftp.response.code == 230'
>
>And it shows me all the successful logins. Is there a way to combine that
>with:
>
>'(ftp.request.command == "PASS" or ftp.request.command == "USER")'
>
>in order to show all the valid usernames and passwords that were used to
>successfully log in?
>
>Thanks in advance,
>DM
>
>On Wed, Oct 13, 2010 at 5:53 PM, David Milbourne <dmilbo@gmail.com> wrote:
>
>> Marco,
>>
>> That works - thank you!
>>
>> DM
>>
>>
>> On Wed, Oct 13, 2010 at 3:58 AM, Marco Simone Zuppone <msz@msz.eu> wrote:
>>
>>> Hello,
>>>
>>> you can try with: ftp.response.code == 230
>>>
>>> Regards.
>>> Marco S. Zuppone
>>>
>>> On Tue, Oct 12, 2010 at 10:56 PM, David Milbourne <dmilbo@gmail.com>wrote:
>>>
>>>> I have a capture file that I'd like to go through and list all of the
>>>> successful ftp logins. How can I do that with tshark?
>>>>
>>>> Thanks,
>>>> DM

       

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe