tshark过滤条件那偶就来解答一下吧跟着做就行了:
tshark使用-f来指定捕捉包过滤规则,规则与tcpdump一样,可以通过命令man pcap-filter来查得tshark使用-R来过滤已捕捉到的包,与界面板wireshark的左上角Filter一致举个栗子抓Mysql包命令如下:tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.querytshark -s 512 -i em1 -n -f 'tcp dst port 3306' -R 'mysql.query' -T fields -e mysql.query过滤HTTP请求:# tshark 'tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)' -R 'http.request.method == "GET" || http.request.method == "HEAD"'