Stephen Fisher wrote:
You can specify a capture filter to tshark (or wireshark while it's
running) for the field that you are looking for. In the case of FTP,
the password is shown in the info column so you only need to filter for
the request command "PASS":
tshark -r <capture filename> ftp.request.command == "PASS"
1 0.000000 10.134.121.235 -> 10.134.9.203 FTP 71 Request: PASS <pwd>
I assume you meant "You can specify a display filter to tshark ...", as
that's a display filter (and as the person who asked the question
already has the capture files).