Wireshark · Wireshark-users: Re: [Wireshark-users] tshark filter

[David Milbourne <dmilbo@xxxxxxxxx>]

That shows me all the successful and unsuccessful logins.  Is there an easy way of filtering out all the unsuccessful logins so I don't see all the password guessing attempts?

On Thu, Oct 14, 2010 at 11:44 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:

Hi David,

Use:
$ tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
== "PASS") || (ftp.request.command == "USER")"

Best regards
Joke

On Thu, 14 Oct 2010 19:04:38 -0400 David Milbourne wrote:
>So I did:
>
>tshark -r <capturefile> 'ftp.response.code == 230'
>
>And it shows me all the successful logins.  Is there a way to combine that
>with:
>
>'(ftp.request.command == "PASS" or ftp.request.command == "USER")'
>
>in order to show all the valid usernames and passwords that were used to
>successfully log in?
>
>Thanks in advance,
>DM
>
>On Wed, Oct 13, 2010 at 5:53 PM, David Milbourne <dmilbo@xxxxxxxxx> wrote:
>
>> Marco,
>>
>> That works - thank you!
>>
>> DM
>>
>>
>> On Wed, Oct 13, 2010 at 3:58 AM, Marco Simone Zuppone <msz@xxxxxx> wrote:
>>
>>> Hello,
>>>
>>> you can try with: ftp.response.code == 230
>>>
>>> Regards.
>>> Marco S. Zuppone
>>>
>>> On Tue, Oct 12, 2010 at 10:56 PM, David Milbourne <dmilbo@xxxxxxxxx>wrote:
>>>
>>>> I have a capture file that I'd like to go through and list all of the
>>>> successful ftp logins.  How can I do that with tshark?
>>>>
>>>> Thanks,
>>>> DM




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe