Wireshark-users: Re: [Wireshark-users] newbie question

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 16 Aug 2006 11:34:15 -0700
Stephen Fisher wrote:

You can specify a capture filter to tshark (or wireshark while it's running) for the field that you are looking for. In the case of FTP, the password is shown in the info column so you only need to filter for the request command "PASS":

tshark -r <capture filename> ftp.request.command == "PASS"

  1   0.000000 10.134.121.235 -> 10.134.9.203 FTP 71 Request: PASS <pwd>

I assume you meant "You can specify a display filter to tshark ...", as that's a display filter (and as the person who asked the question already has the capture files).