Wireshark-users: Re: [Wireshark-users] newbie question

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Wed, 16 Aug 2006 10:32:35 -0700
On Wed, Aug 16, 2006 at 09:00:31AM +0200, Krekan wrote:

>     Hello all, I am new to Ethereal. I would like to ask when I got 
> file about 1 mb full of data captured how do I extract certain 
> information such as password from those sniffed data. I run ethereal 
> start to capture and when the size of file reaches limit which I set I 
> get a file. The contents of this file I can only view in ethereal When 
> I open it in regular viewer only bunch of binary data is seen. How can 
> I filter for example ftp or pop Passwords?

You can specify a capture filter to tshark (or wireshark while it's 
running) for the field that you are looking for.  In the case of FTP, 
the password is shown in the info column so you only need to filter for 
the request command "PASS":

tshark -r <capture filename> ftp.request.command == "PASS"

  1   0.000000 10.134.121.235 -> 10.134.9.203 FTP 71 Request: PASS <pwd>


Steve