|Main Archive Page > Month Archives > wireshark-users archives|
$ tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
== "PASS") || (ftp.request.command == "USER")"
On Thu, 14 Oct 2010 19:04:38 -0400 David Milbourne wrote:
>So I did:
>tshark -r <capturefile> 'ftp.response.code == 230'
>And it shows me all the successful logins. Is there a way to combine that
>'(ftp.request.command == "PASS" or ftp.request.command == "USER")'
>in order to show all the valid usernames and passwords that were used to
>successfully log in?
>Thanks in advance,
>On Wed, Oct 13, 2010 at 5:53 PM, David Milbourne <email@example.com> wrote:
>> That works - thank you!
>> On Wed, Oct 13, 2010 at 3:58 AM, Marco Simone Zuppone <firstname.lastname@example.org> wrote:
>>> you can try with: ftp.response.code == 230
>>> Marco S. Zuppone
>>> On Tue, Oct 12, 2010 at 10:56 PM, David Milbourne <email@example.com>wrote:
>>>> I have a capture file that I'd like to go through and list all of the
>>>> successful ftp logins. How can I do that with tshark?
Sent via: Wireshark-users mailing list <firstname.lastname@example.org>