I was trying to use nethogs with a -t switch to see what is causing the large quantity of traffic that gets bucketed as “unknown TCP”. But the display jumped around a lot – I think because they’re attempting to increment the sums at the top of the “page” rather than just stream information to STDOUT. Figured I could more readily see what I wanted to see using Wireshark. Or, more accurately, tshark.
tshark -i any -f "not port 22" -Y "tcp or udp" -T fields -e ip.src -e tcp.srcport -e udp.srcport -e ip.dst -e tcp.dstport -e udp.dstport | tee /path/tonetcap.cap
Yields:
10.5.5.90 56572 10.5.5.91 3306
10.5.5.90 56572 10.5.5.91 3306
10.5.5.91 3306 10.5.5.90 56572
10.5.5.91 3306 10.5.5.90 56572
10.5.5.90 56572 10.5.5.91 3306
10.5.5.90 56572 10.5.5.91 3306
10.5.5.90 56572 10.5.5.91 3306
10.5.5.75 38552 10.5.5.85 443
10.5.5.75 38552 10.5.5.85 443
10.5.5.75 443 40.97.205.53 12160
10.5.5.75 443 40.97.205.53 12160
10.5.5.75 443 40.97.205.53 12160
10.5.5.75 443 40.97.205.53 12160
10.5.5.75 443 40.97.205.53 12160
10.5.5.75 443 40.97.205.53 12160
10.5.5.61 51389 255.255.255.255 6667
10.5.5.61 51389 255.255.255.255 6667
10.5.5.61 51389 255.255.255.255 6667
10.5.5.61 51389 255.255.255.255 6667
10.5.5.61 51389 255.255.255.255 6667
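Added example, not from the original post: a small Python script that reads the tab-separated output of the tshark command above and totals packets per conversation regardless of direction, which is the "who is talking to whom" summary the jumpy nethogs display was hiding. It assumes the six-field layout of that exact command (ip.src, tcp.srcport, udp.srcport, ip.dst, tcp.dstport, udp.dstport) and embeds a constructed copy of the output above; the broadcast packets to 255.255.255.255 are represented as UDP, since a TCP segment cannot be broadcast.

```python
"""Aggregate `tshark -T fields` output into per-conversation packet counts."""
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed sample mirroring the post's output, in the raw tab-separated
# form tshark emits: for a TCP packet the udp.* columns are empty and vice versa.
SAMPLE_LINES = (
    ["10.5.5.90\t56572\t\t10.5.5.91\t3306\t"] * 2
    + ["10.5.5.91\t3306\t\t10.5.5.90\t56572\t"] * 2
    + ["10.5.5.90\t56572\t\t10.5.5.91\t3306\t"] * 3
    + ["10.5.5.75\t38552\t\t10.5.5.85\t443\t"] * 2
    + ["10.5.5.75\t443\t\t40.97.205.53\t12160\t"] * 6
    + ["10.5.5.61\t\t51389\t255.255.255.255\t\t6667"] * 5  # assumed UDP
)

Packet = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


def parse_line(line: str) -> Optional[Packet]:
    """Turn one tshark field line into (proto, src, sport, dst, dport)."""
    parts = line.rstrip("\n").split("\t")  # keep empty trailing columns
    if len(parts) != 6:
        return None  # malformed or non-IP line; skip it
    src, tcp_sport, udp_sport, dst, tcp_dport, udp_dport = parts
    if tcp_sport and tcp_dport:
        return ("tcp", src, int(tcp_sport), dst, int(tcp_dport))
    if udp_sport and udp_dport:
        return ("udp", src, int(udp_sport), dst, int(udp_dport))
    return None


def conversation_key(pkt: Packet):
    """Direction-independent key so both halves of a flow are counted together."""
    proto, src, sport, dst, dport = pkt
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)


def summarize(lines: Iterable[str]):
    """Return [(key, packet_count), ...] sorted busiest conversation first."""
    counts: Counter = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            counts[conversation_key(pkt)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (proto, a, b), n in summarize(SAMPLE_LINES):
        print(f"{n:5d} {proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

To run it on live capture, feed the tshark output file in instead of SAMPLE_LINES (e.g. `summarize(open(path))`); the lowest-numbered port in each pair is usually the service side.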