How would I map this display filter to a capture filter?

Hi guys - I've got the following script that I've made fairly generic so we can capture all traffic on a subnet (or series of them):

SETLOCAL EnableDelayedExpansion
set TSHARK="C:\Program Files (x86)\Wireshark\tshark"
set LOCATION=C:\temp\wireshark\
set NAME=bc4.pcapng
rem Subnets to capture, written as capture-filter "net" primitives
set net1=net 10.198.1
set net2=net 10.198.4
set net3=net 10.198.2
set net4=net 10.198.64
set net5=net 10.198.63
rem Space-separated list of hosts to exclude from the capture
set ip_list=10.198.1.200
rem set socket_range=tcp port 2096 and tcp portrange 20000-20399
set "FILTER=(%net1% or %net2% or %net3% or %net4% or %net5%) and not udp portrange 2530-2500 and not port 5900"
rem Append a source and destination exclusion for each host in ip_list
for %%i in (%ip_list%) do set "FILTER=!FILTER! and ip src not %%i and ip dst not %%i"
if not exist %LOCATION% mkdir %LOCATION%
rem Capture on interface 5 into a ring buffer of up to 2000 files, switching files at 50000 kB
%TSHARK% -i 5 -b filesize:50000 -b files:2000 -f "%FILTER%" -w %LOCATION%%NAME%

I'd like to see if I can add a particular display filter, which is: sttp.offset == 0 - I don't think it's possible, but it will always be from UDP 2550, and it will be the first one in the stream (I just want to verify it's there) as the STTP traffic will make up about 80-90% of all the traffic in this instance.

User Datagram Protocol, Src Port: 2550, Dst Port: 64485 filtered traffic