Tshark is the command-line version of Wireshark, a
popular network protocol analyzer. It is used to capture and analyze network
traffic in real time, providing detailed insights into network communication.
Here are some common tshark commands and examples for various use cases:
Basic Syntax
tshark [options] [filter]
Any trailing arguments after the options are taken as a single filter: a capture filter when capturing live from an interface, or a display (read) filter when reading a file with -r.
Common tshark Commands and Options
- Capture Network Traffic. To start capturing traffic on a specific interface (e.g., eth0):
tshark -i eth0
Live capture needs root or capture privileges on the interface; use tshark -D to list the interfaces you are allowed to capture on.
- Capture and Display Packets in Real Time. Capture packets on interface eth0 and display the packet details:
tshark -i eth0 -V
The -V option provides verbose output, printing the full decoded protocol tree of each packet instead of a one-line summary.
- Capture a Specific Number of Packets. Capture only the first 100 packets on interface eth0:
tshark -i eth0 -c 100
- Capture Traffic with a Filter. Capture packets that match a specific filter, for example, capturing only HTTP traffic:
tshark -i eth0 -f "tcp port 80"
The -f option takes a capture filter (BPF syntax, the same as tcpdump filters). Capture filters are applied before packets are captured, so non-matching packets are never decoded or saved.
- Apply Display Filters. After packets are captured and dissected, you can apply display filters to analyze specific traffic. For example, capture packets and only show those related to HTTP:
tshark -i eth0 -Y "http"
Display filters use Wireshark's protocol and field names rather than BPF syntax; they are applied after dissection, so they can match on decoded fields that a capture filter cannot see.
- Save Captured Packets to a File. To save captured packets in a file (e.g., capture.pcap), you can use:
tshark -i eth0 -w capture.pcap
Note that -w writes pcapng format by default regardless of the file name; add -F pcap if a tool that only reads classic pcap will consume the file.
- Read a Capture File. To read and analyze a previously captured packet file:
tshark -r capture.pcap
- Show Only Specific Fields. You can display specific fields from captured packets. For example, to show only the IP addresses:
tshark -i eth0 -T fields -e ip.src -e ip.dst
Each -e names one field in Wireshark's field syntax; packets that have none of the requested fields print an empty line.
- Capture Packets with a Time Limit. Capture packets for a specified duration (e.g., 60 seconds):
tshark -i eth0 -a duration:60
- Filter by IP Address. To capture traffic from or to a specific IP address:
tshark -i eth0 host 192.168.1.1
Here the trailing host 192.168.1.1 is treated as a capture filter, exactly as if it had been passed with -f.
- Capture and Show a TCP Stream. To display only the packets belonging to one TCP conversation, filter on its stream index (tshark numbers streams from 0 in the order they are first seen):
tshark -i eth0 -Y "tcp.stream eq 1"
- Capture with a Specific Port. To capture traffic on a specific port, such as DNS (port 53):
tshark -i eth0 port 53
- Display the Output in a Specific Format. You can change the output format with the -T option. For example, to show output in JSON format:
tshark -i eth0 -T json
Other -T values include pdml (XML), ek (newline-delimited JSON for Elasticsearch) and fields (see above).
- Display Only the Summary of Packets. The default output is already a one-line summary per packet. To print overall frame and byte counts for the whole capture instead, use the io,stat statistics:
tshark -i eth0 -z io,stat,0
Statistics from -z are printed when the capture ends, so on a live capture combine this with -c or -a duration:..., and add -q to suppress the per-packet lines.
- Use Multiple Capture Filters. To filter based on multiple criteria, combine filters like:
tshark -i eth0 -f "tcp port 80 or tcp port 443"
Examples
- Capture HTTP Traffic and Save to File:
tshark -i eth0 -f "tcp port 80" -w http_traffic.pcap
- Analyze DNS Traffic:
tshark -i eth0 -Y "dns"
- Capture 10 Packets and Display Only Source and Destination IPs:
tshark -i eth0 -c 10 -T fields -e ip.src -e ip.dst
- Display Packets with HTTP GET Requests:
tshark -i eth0 -Y 'http.request.method == "GET"'
The string value is quoted inside the display filter, and the whole filter is wrapped in single quotes so the shell leaves the inner double quotes intact.
- Export Fields to CSV Format:
tshark -i eth0 -T fields -e ip.src -e ip.dst -e frame.time -E header=y -E separator=, -E quote=d > output.csv
-E header=y writes a header row with the field names, -E separator=, makes the output comma-separated, and -E quote=d wraps every value in double quotes. The quoting matters: frame.time values contain a comma (e.g., "Jan  5, 2024 ..."), and a field with several occurrences in one packet is joined with commas by default, so without quoting the columns would not line up.
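The field-export commands above produce output that is meant to be processed further. The following is an added example, not part of the original page, showing how a defender would build that tshark command line from Python (as an argv list, so the filter is never re-parsed by a shell) and then parse the resulting CSV to summarize, per source host, how many distinct destination/port pairs it contacted. The field list, the sample CSV rows, the summarize/flag_fan_out helpers and the threshold are assumptions made up for this example; only the tshark options themselves come from the page.

```python
"""Build a tshark field export command and parse its CSV output.

Added example, not part of the original page. The live capture path
assumes tshark is installed; the parsing works offline on the constructed
sample below.
"""
import csv
import io
import shutil
import subprocess
import sys
from collections import defaultdict

# Fields to export (assumed set for this example; all are real Wireshark field names).
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.dstport", "udp.dstport"]

# Constructed sample of what `tshark -T fields -E header=y -E separator=, -E quote=d`
# prints for FIELDS. Absent fields are empty strings; quote=d keeps every value,
# including any that contain commas, inside one CSV cell.
SAMPLE_CSV = (
    '"frame.time_epoch","ip.src","ip.dst","tcp.dstport","udp.dstport"\n'
    '"1700000000.000100","10.0.0.5","93.184.216.34","443",""\n'
    '"1700000000.100200","10.0.0.5","93.184.216.34","443",""\n'
    '"1700000000.200300","10.0.0.5","10.0.0.53","","53"\n'
    '"1700000001.000400","10.0.0.9","10.0.0.20","22",""\n'
    '"1700000001.100500","10.0.0.9","10.0.0.21","22",""\n'
    '"1700000001.200600","10.0.0.9","10.0.0.22","22",""\n'
    '"1700000001.300700","10.0.0.9","10.0.0.23","22",""\n'
)


def build_tshark_cmd(pcap_path, fields=FIELDS, display_filter=None):
    """Return the argv list for reading a file and exporting fields as CSV.

    Passing a list to subprocess (no shell=True) means the display filter is
    delivered to tshark verbatim, however many quotes or spaces it contains.
    """
    cmd = ["tshark", "-r", pcap_path, "-T", "fields",
           "-E", "header=y", "-E", "separator=,", "-E", "quote=d"]
    if display_filter:
        cmd += ["-Y", display_filter]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_csv(text):
    """Parse tshark -T fields CSV (with header row) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Per source IP: packet count and number of distinct (dst, port) pairs."""
    packets = defaultdict(int)
    destinations = defaultdict(set)
    for row in rows:
        src = row.get("ip.src", "")
        if not src:
            continue  # non-IP frame (e.g. ARP): nothing to attribute
        port = row.get("tcp.dstport") or row.get("udp.dstport") or ""
        packets[src] += 1
        destinations[src].add((row.get("ip.dst", ""), port))
    return {src: {"packets": packets[src], "destinations": len(destinations[src])}
            for src in packets}


def flag_fan_out(summary, threshold):
    """Sources that contacted at least `threshold` distinct destination/port pairs.

    A high fan-out from one internal host is a common trigger for a closer
    look (scanning or misconfiguration); the threshold is an assumption.
    """
    return sorted(src for src, s in summary.items() if s["destinations"] >= threshold)


def main():
    if len(sys.argv) > 1 and shutil.which("tshark"):
        # Real run: tshark reads the given file and prints CSV to stdout.
        out = subprocess.run(build_tshark_cmd(sys.argv[1], display_filter="ip"),
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_CSV  # offline: use the constructed sample
    summary = summarize(parse_fields_csv(out))
    for src, s in sorted(summary.items()):
        print(f"{src}: {s['packets']} packets, {s['destinations']} distinct dst/port")
    print("fan-out >= 4:", flag_fan_out(summary, 4))


if __name__ == "__main__":
    main()
```

Run it with a pcap path to use a real tshark export, or with no arguments to process the constructed sample. The same parsing works on a file produced by the shell command above, provided -E quote=d was used; without it a frame.time column would split into two cells and the DictReader keys would no longer line up with the values.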
Conclusion
Tshark is a powerful tool for capturing and analyzing
network traffic from the command line. It provides advanced features for
filtering, saving, and analyzing packets, making it essential for network
administrators, security professionals, and anyone needing deep insights into
network communications.