Wireshark mailing list archives

Re: tshark filter

From: David Milbourne <dmilbo () gmail com>
Date: Mon, 18 Oct 2010 12:47:46 -0400

That shows me all the successful and unsuccessful logins.  Is there an easy
way of filtering out all the unsuccessful logins so I don't see all the
password guessing attempts?

On Thu, Oct 14, 2010 at 11:44 PM, j.snelders <j.snelders () telfort nl> wrote:

Hi David,

Use:
$ tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
== "PASS") || (ftp.request.command == "USER")"

Best regards
Joke

On Thu, 14 Oct 2010 19:04:38 -0400 David Milbourne wrote:

So I did:

tshark -r <capturefile> 'ftp.response.code == 230'

And it shows me all the successful logins.  Is there a way to combine that
with:

'(ftp.request.command == "PASS" or ftp.request.command == "USER")'

in order to show all the valid usernames and passwords that were used to
successfully log in?

Thanks in advance,
DM

On Wed, Oct 13, 2010 at 5:53 PM, David Milbourne <dmilbo () gmail com>

wrote:

Marco,

That works - thank you!

DM


On Wed, Oct 13, 2010 at 3:58 AM, Marco Simone Zuppone <msz () msz eu>

wrote:

Hello,

you can try with: ftp.response.code == 230

Regards.
Marco S. Zuppone

On Tue, Oct 12, 2010 at 10:56 PM, David Milbourne <dmilbo () gmail com

wrote:

I have a capture file that I'd like to go through and list all of the
successful ftp logins.  How can I do that with tshark?

Thanks,
DM





___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

tshark filter David Milbourne (Oct 12)
- Re: tshark filter Marco Simone Zuppone (Oct 13)
  - Re: tshark filter David Milbourne (Oct 13)
    - Re: tshark filter David Milbourne (Oct 14)
    - Re: tshark filter j.snelders (Oct 14)
    - Re: tshark filter David Milbourne (Oct 18)
    - Re: tshark filter Guy Harris (Oct 18)