What is Tshark

Tshark is the command-line version of Wireshark, a popular network protocol analyzer. It is used to capture and analyze network traffic in real time, providing detailed insights into network communication. Here are some common tshark commands and examples for various use cases:

Basic Syntax

tshark [options] [capture filter expression]

Anything left after the options is treated as a capture filter (the same syntax as -f). Display filters are supplied with -Y, not as a positional argument.

Common tshark Commands and Options

  1. Capture Network Traffic: To start capturing traffic on a specific interface (e.g., eth0):

tshark -i eth0

Live capture needs capture privileges: on Linux, run as root or as a user to whom dumpcap grants them (for example via the wireshark group).

  2. Capture and Display Packets in Real Time: Capture packets on interface eth0 and display the full packet details:

tshark -i eth0 -V

The -V option provides verbose output showing the complete protocol tree of each packet.

  3. Capture a Specific Number of Packets: Capture only the first 100 packets on interface eth0 and then stop:

tshark -i eth0 -c 100

  4. Capture Traffic with a Filter: Capture only the packets that match a capture filter, for example HTTP traffic on port 80:

tshark -i eth0 -f "tcp port 80"

The -f option takes a capture filter (BPF syntax, the same as tcpdump). Capture filters are applied by the capture library before packets reach the dissectors, so packets that do not match are never recorded.

  5. Apply Display Filters: Display filters select which captured packets are shown and use Wireshark's field syntax. For example, capture packets but only show those dissected as HTTP:

tshark -i eth0 -Y "http"

  6. Save Captured Packets to a File: To save captured packets to a file (e.g., capture.pcap) for later analysis:

tshark -i eth0 -w capture.pcap

tshark writes pcapng by default regardless of the file extension; add -F pcap to force the classic pcap format.

  7. Read a Capture File: To read and analyze a previously captured packet file instead of a live interface:

tshark -r capture.pcap

  8. Show Only Specific Fields: You can print just selected fields from each packet with -T fields and one -e per field. For example, to show only the source and destination IP addresses:

tshark -i eth0 -T fields -e ip.src -e ip.dst

Fields are separated by a tab by default; packets that have no IP layer (for example ARP) produce empty fields.

  9. Capture Packets with a Time Limit: Capture for a specified duration (e.g., 60 seconds) and then stop:

tshark -i eth0 -a duration:60

  10. Filter by IP Address: To capture only traffic from or to a specific IP address (a positional capture filter, equivalent to -f "host 192.168.1.1"):

tshark -i eth0 host 192.168.1.1

  11. Capture and Show a TCP Stream: To display only the packets belonging to one TCP conversation (stream number 1 as assigned by tshark):

tshark -i eth0 -Y "tcp.stream eq 1"

  12. Capture on a Specific Port: To capture traffic on a specific port, such as DNS (port 53):

tshark -i eth0 port 53

  13. Display the Output in a Specific Format: You can change the output format with the -T option. For example, to emit the full dissection of every packet as JSON:

tshark -i eth0 -T json

  14. Display Only a Summary of the Traffic: The -z option computes statistics; io,stat,0 prints packet and byte totals for the whole capture. Statistics are printed when the capture ends, so give tshark a stop condition, and add -q to suppress the per-packet lines:

tshark -i eth0 -c 100 -q -z io,stat,0

  15. Combine Capture Filters: To filter on multiple criteria, combine capture filter expressions with and, or and not:

tshark -i eth0 -f "tcp port 80 or tcp port 443"
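The -T json output from item 13 is rarely read by eye; it is meant to be consumed by a script. The following added example (not from the original post) parses a constructed sample in the shape of that output, which this example assumes to be a JSON array with each packet's dissected fields under _source.layers, grouped by protocol and keyed by the same field names used with -e, all values being strings. It pulls out HTTP request lines and tallies them by method and host, and handles the two cases a naive script trips over: IPv6 packets carry ipv6.src/ipv6.dst rather than ip.src/ip.dst, and non-IP frames such as ARP have no network layer at all.

```python
import json
from collections import Counter

# Constructed sample in the shape of `tshark -T json` output (an added example,
# not output captured for this page): a JSON array with one object per packet,
# whose dissected fields live under _source.layers, grouped by protocol and
# keyed by the same field names used with -e (all values are strings).
SAMPLE_JSON = r'''[
  {"_index": "packets-2024-01-05", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "1", "frame.protocols": "eth:ethertype:ip:tcp:http"},
     "ip": {"ip.src": "192.168.1.10", "ip.dst": "93.184.216.34"},
     "tcp": {"tcp.srcport": "51234", "tcp.dstport": "80", "tcp.stream": "0"},
     "http": {"http.request.method": "GET", "http.request.uri": "/index.html",
              "http.host": "example.com"}}}},
  {"_index": "packets-2024-01-05", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "2", "frame.protocols": "eth:ethertype:ip:tcp:http"},
     "ip": {"ip.src": "93.184.216.34", "ip.dst": "192.168.1.10"},
     "tcp": {"tcp.srcport": "80", "tcp.dstport": "51234", "tcp.stream": "0"},
     "http": {"http.response.code": "200"}}}},
  {"_index": "packets-2024-01-05", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "3", "frame.protocols": "eth:ethertype:arp"},
     "arp": {"arp.opcode": "1"}}}},
  {"_index": "packets-2024-01-05", "_type": "doc", "_score": null,
   "_source": {"layers": {
     "frame": {"frame.number": "4", "frame.protocols": "eth:ethertype:ipv6:tcp:http"},
     "ipv6": {"ipv6.src": "2001:db8::10", "ipv6.dst": "2001:db8::80"},
     "tcp": {"tcp.srcport": "40001", "tcp.dstport": "80", "tcp.stream": "1"},
     "http": {"http.request.method": "POST", "http.request.uri": "/api/login",
              "http.host": "api.example.com"}}}}
]'''


def endpoints(layers):
    """Return (src, dst) from whichever network layer is present.

    IPv6 packets carry ipv6.src/ipv6.dst instead of ip.src/ip.dst, and
    non-IP frames such as ARP have neither, so both cases are handled.
    """
    if "ip" in layers:
        return layers["ip"].get("ip.src", ""), layers["ip"].get("ip.dst", "")
    if "ipv6" in layers:
        return layers["ipv6"].get("ipv6.src", ""), layers["ipv6"].get("ipv6.dst", "")
    return "", ""


def http_requests(packets):
    """Yield one record per packet that carries an HTTP request line."""
    for pkt in packets:
        layers = pkt.get("_source", {}).get("layers", {})
        http = layers.get("http", {})
        method = http.get("http.request.method")
        if method is None:          # a response, or no HTTP layer at all
            continue
        src, dst = endpoints(layers)
        yield {
            "frame": int(layers["frame"]["frame.number"]),
            "src": src, "dst": dst,
            "method": method,
            "host": http.get("http.host", ""),
            "uri": http.get("http.request.uri", ""),
        }


def summarize_http_requests(raw_json):
    """Parse tshark JSON text and tally requests by method and by host."""
    packets = json.loads(raw_json)
    requests = list(http_requests(packets))
    return {
        "total_frames": len(packets),
        "requests": requests,
        "by_method": dict(Counter(r["method"] for r in requests)),
        "by_host": dict(Counter(r["host"] for r in requests)),
    }


if __name__ == "__main__":
    result = summarize_http_requests(SAMPLE_JSON)
    for r in result["requests"]:
        print(f'#{r["frame"]} {r["src"]} -> {r["dst"]} {r["method"]} {r["host"]}{r["uri"]}')
    print("by method:", result["by_method"])
```

To run it against real data, feed it the text of `tshark -r capture.pcap -T json` instead of SAMPLE_JSON; restricting the capture with -Y "http.request" first keeps the JSON small.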

Examples

  1. Capture HTTP Traffic and Save to File:

tshark -i eth0 -f "tcp port 80" -w http_traffic.pcap

  2. Analyze DNS Traffic:

tshark -i eth0 -Y "dns"

  3. Capture 10 Packets and Display Only Source and Destination IPs:

tshark -i eth0 -c 10 -T fields -e ip.src -e ip.dst

  4. Display Packets with HTTP GET Requests (the string value is quoted inside the display filter, and the whole filter is single-quoted so the shell leaves the inner quotes alone):

tshark -i eth0 -Y 'http.request.method == "GET"'

  5. Export Fields to CSV Format. The value of frame.time contains a comma (e.g. "Jan  5, 2024 10:00:00.123456000 UTC"), so -E quote=d is needed to produce CSV that parses correctly; alternatively use frame.time_epoch, which is a plain number. The -c 100 stops the capture so the file is completed:

tshark -i eth0 -c 100 -T fields -e ip.src -e ip.dst -e frame.time -E header=y -E separator=, -E quote=d > output.csv
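The -T fields output from item 8 above and from examples 3 and 5 is the form of tshark output most often fed into other tooling, and the two things that break naive consumers are the comma inside frame.time and the empty fields that non-IP frames produce. The following added example (not code from the original post) parses a constructed CSV sample in the shape produced by the example 5 command with -E quote=d, converts frame.time to a datetime (truncating tshark's nanoseconds to the six digits strptime accepts), separates IP frames from non-IP frames, and reports the busiest source/destination pairs and the time span of the capture.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample (an added example, not output captured for this page)
# modelled on:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.time \
#          -E header=y -E separator=, -E quote=d
# Note the comma inside frame.time ("Jan  5, 2024 ..."): without -E quote=d the
# third column would split in two. Row 3 stands for an ARP frame, which has no
# IP layer, so tshark emits empty ip.src / ip.dst fields for it.
SAMPLE_CSV = '''ip.src,ip.dst,frame.time
"192.168.1.10","93.184.216.34","Jan  5, 2024 10:00:00.123456000 UTC"
"93.184.216.34","192.168.1.10","Jan  5, 2024 10:00:00.223456000 UTC"
"","","Jan  5, 2024 10:00:01.000000000 UTC"
"192.168.1.10","8.8.8.8","Jan  5, 2024 10:00:02.000000000 UTC"
"192.168.1.10","93.184.216.34","Jan  5, 2024 10:00:03.000000000 UTC"
'''

# Matches the fractional seconds; keeps six digits and drops the rest.
_FRACTION = re.compile(r"(\.\d{6})\d*$")


def parse_frame_time(value):
    """Turn tshark's frame.time text into a naive datetime.

    frame.time carries nanoseconds and a trailing zone name; strptime's %f
    accepts at most six digits, so the fraction is truncated and the zone
    token is dropped (the zone is assumed to be the last space-separated word).
    """
    stamp, _zone = value.rsplit(" ", 1)
    stamp = _FRACTION.sub(r"\1", stamp)
    return datetime.strptime(stamp, "%b %d, %Y %H:%M:%S.%f")


def parse_fields_csv(text):
    """Parse the header line plus rows into dicts keyed by tshark field name."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["frame.time"] = parse_frame_time(row["frame.time"])
        rows.append(row)
    return rows


def summarize_talkers(rows, top=3):
    """Count IP frames, non-IP frames and the busiest (src, dst) pairs."""
    ip_rows = [r for r in rows if r["ip.src"] and r["ip.dst"]]
    pairs = Counter((r["ip.src"], r["ip.dst"]) for r in ip_rows)
    times = [r["frame.time"] for r in rows]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "frames": len(rows),
        "ip_frames": len(ip_rows),
        "non_ip_frames": len(rows) - len(ip_rows),
        "top_pairs": pairs.most_common(top),
        "span_seconds": span,
    }


if __name__ == "__main__":
    summary = summarize_talkers(parse_fields_csv(SAMPLE_CSV))
    print(f'{summary["frames"]} frames ({summary["non_ip_frames"]} without an IP layer) '
          f'over {summary["span_seconds"]:.3f} s')
    for (src, dst), count in summary["top_pairs"]:
        print(f"{src} -> {dst}: {count}")
```

To use it on a real export, read output.csv into a string and pass it to parse_fields_csv; if the file was produced without -E quote=d, re-export it, because the split frame.time column cannot be repaired reliably after the fact.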

Conclusion

Tshark is a powerful tool for capturing and analyzing network traffic from the command line. It provides advanced features for filtering, saving, and analyzing packets, making it essential for network administrators, security professionals, and anyone needing deep insights into network communications.