Tshark Quick Reference
======================

BASIC USAGE
  tshark -r file.pcap            Read pcap file
  tshark -i eth0                 Live capture
  tshark -c 100 -i eth0          Capture 100 packets

DISPLAY FILTERS
  tshark -r f.pcap -Y "http"               HTTP only
  tshark -r f.pcap -Y "tcp.port==80"       Port 80
  tshark -r f.pcap -Y "ip.addr==10.0.0.1"  Specific IP
  tshark -r f.pcap -Y "dns"                DNS only
  tshark -r f.pcap -Y "tcp.flags.syn==1"   SYN packets
  tshark -r f.pcap -Y "http.request"       HTTP requests
  tshark -r f.pcap -Y "http.response"      HTTP responses
  tshark -r f.pcap -Y "ftp"                FTP traffic
  tshark -r f.pcap -Y "smtp"               SMTP (email)

FIELD EXTRACTION
  tshark -r f.pcap -T fields -e frame.number -e ip.src -e ip.dst
  tshark -r f.pcap -T fields -e http.request.uri
  tshark -r f.pcap -T fields -e dns.qry.name
  tshark -r f.pcap -T fields -e data.data

OUTPUT FORMATS
  tshark -r f.pcap -T json       JSON output
  tshark -r f.pcap -T fields     Tab-separated fields
  tshark -r f.pcap -V            Verbose (full decode)
  tshark -r f.pcap -x            Hex dump

CAPTURE FILTERS
  tshark -i eth0 -f "port 80"           Port 80
  tshark -i eth0 -f "host 10.0.0.1"     Specific host
  tshark -i eth0 -f "tcp"               TCP only

STATISTICS
  tshark -r f.pcap -z conv,tcp          TCP conversations
  tshark -r f.pcap -z endpoints,ip      IP endpoints
  tshark -r f.pcap -z http,tree         HTTP statistics
  tshark -r f.pcap -z io,stat,1         I/O graph data

STREAM FOLLOWING
  tshark -r f.pcap -z follow,tcp,ascii,0    Follow TCP stream 0 (ASCII)
  tshark -r f.pcap -z follow,http,ascii,0   Follow HTTP stream 0 (ASCII)

EXPORT
  tshark -r f.pcap --export-objects http,./output/    Save HTTP objects to ./output/
  tshark -r f.pcap -Y "http" -w filtered.pcap         Write only HTTP packets to a new pcap

COMMON CTF PATTERNS
  # Extract HTTP POST data
  tshark -r f.pcap -Y "http.request.method==POST" \
         -T fields -e http.file_data

  # Find cleartext FTP passwords (PASS command arguments)
  tshark -r f.pcap -Y "ftp.request.command==PASS" \
         -T fields -e ftp.request.arg

  # DNS exfil hunting: list unique query names
  tshark -r f.pcap -Y "dns.qry.name" \
         -T fields -e dns.qry.name | sort -u

  # Extract files
  tshark -r f.pcap --export-objects http,./extracted/
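
  # Added example (not part of the original reference and not tshark's own code): a
  # small Python triage script that consumes the output of the "dns.qry.name" field
  # extraction above and flags query names that look like tunnelled data. The heuristics
  # (label length, per-label Shannon entropy, fan-out of unique names under one parent)
  # and their thresholds are assumptions to tune, not tshark settings; the sample input
  # is constructed to look like "-T fields -e dns.qry.name" output. Pipe real output in:
  #   tshark -r f.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | python3 dns_triage.py

```python
"""Triage DNS query names exported by tshark for exfiltration indicators.

Hypothetical helper, not part of tshark: feed it the output of
  tshark -r f.pcap -Y "dns.qry.name" -T fields -e dns.qry.name
and it reports query names whose structure resembles tunnelled data.
"""
import math
import sys
from collections import Counter, defaultdict

# Constructed sample of `-T fields -e dns.qry.name` output (one name per line).
SAMPLE_TSHARK_OUTPUT = """\
www.example.com
mail.example.com
mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net
nbswy3dpfqqho33snrscc.t.example.net
www.example.com
mzxw6ytboi5ea2dfnrwg6.t.example.net
"""

# Tunable heuristics (assumed values, not tshark settings).
MAX_LABEL_LEN = 30       # DNS labels longer than this rarely occur in normal names
MIN_ENTROPY_LEN = 16     # only score entropy on labels at least this long
ENTROPY_THRESHOLD = 3.0  # bits per character; encoded payloads score higher
FANOUT_THRESHOLD = 3     # unique names under one parent domain


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_field_output(text):
    """Split tshark -T fields output into query names, dropping blanks and trailing dots."""
    names = []
    for line in text.splitlines():
        name = line.strip().rstrip(".").lower()
        if name:
            names.append(name)
    return names


def parent_domain(name):
    """Crude parent domain: the last two labels (no public-suffix handling; assumption)."""
    return ".".join(name.split(".")[-2:])


def label_reasons(name):
    """Per-name indicators: over-long or high-entropy labels."""
    reasons = []
    for label in name.split("."):
        if len(label) > MAX_LABEL_LEN:
            reasons.append("long label")
        if len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            reasons.append("high entropy")
    return sorted(set(reasons))


def triage(text):
    """Return {name: [reasons]} for every suspicious query name in the tshark output."""
    names = parse_field_output(text)
    by_parent = defaultdict(set)
    for name in names:
        by_parent[parent_domain(name)].add(name)
    flagged = {}
    for name in set(names):
        reasons = label_reasons(name)
        parent = parent_domain(name)
        if len(by_parent[parent]) >= FANOUT_THRESHOLD:
            reasons.append("many unique names under " + parent)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # Read tshark output from stdin when piped, otherwise use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    for name, reasons in sorted(triage(data).items()):
        print(f"{name}\t{'; '.join(reasons)}")
```

  # On the constructed sample the two example.com names pass, while the three encoded
  # names under t.example.net are reported for long or high-entropy labels and for the
  # number of distinct names under one parent. Entropy alone is a weak signal (CDN and
  # hashed hostnames score high too), so keep the length gate and review the hits.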
