Tshark
Command Line Network Protocol Analyzer
Legal Notice: Only capture network traffic on networks you own or have explicit permission to monitor. Unauthorized packet capture may violate privacy laws and organizational policies.
What is Tshark?
Terminal-based Wireshark
Tshark is the command-line version of Wireshark, the world's most popular network protocol analyzer. It provides:
- Live Capture: Real-time network traffic monitoring
- File Analysis: Examine pre-captured packet files
- Protocol Decoding: Understands hundreds of network protocols
- Filtering: Powerful capture and display filters
- Export Options: Multiple output formats for analysis
Key Advantages
- Remote Access: Works over SSH and headless servers
- Automation: Perfect for scripting and automation
- Low Resource: Minimal CPU and memory usage
- Batch Processing: Analyze multiple files efficiently
Relationship to Wireshark:
Tshark shares the same core dissection engine as the Wireshark GUI but operates from the command line, making it ideal for server environments and automated analysis.
Common Tshark Scenarios
Web Traffic Analysis
tshark -i eth0 -f "port 80 or port 443" -V
Capture and analyze all web traffic with detailed output
DNS Investigation
tshark -i any -f "udp port 53" -T fields -e dns.qry.name -e dns.resp.addr
Monitor DNS queries and responses
Network Troubleshooting
tshark -i eth0 -f "host 192.168.1.1" -c 100
Capture 100 packets to/from specific host
Security Monitoring
tshark -i any -f "tcp[tcpflags] & tcp-syn != 0" -c 50
Monitor TCP connection attempts (SYN packets)
Essential Tshark Commands
| Command | Description | Use Case |
|---|---|---|
| tshark -D | List available network interfaces | Interface discovery |
| tshark -i eth0 -c 10 | Capture 10 packets from eth0 | Quick network check |
| tshark -r capture.pcap | Read packets from file | Offline analysis |
| tshark -i any -w output.pcap | Write packets to file | Save for later analysis |
| tshark -i eth0 -f "host 8.8.8.8" | Capture traffic to/from specific host | Host-specific monitoring |
| tshark -i eth0 -Y "http.request" | Display filter for HTTP requests | Web traffic analysis |
Understanding Tshark Output
1 0.000000 192.168.1.100 → 93.184.216.34 HTTP 314 GET / HTTP/1.1
2 0.045123 93.184.216.34 → 192.168.1.100 HTTP 1434 HTTP/1.1 200 OK (text/html)
3 0.045856 192.168.1.100 → 93.184.216.34 TCP 66 49152 → 80 [ACK] Seq=249 Ack=1369 Win=229 Len=0
4 0.098445 192.168.1.100 → 8.8.8.8 DNS 82 Standard query 0x1234 A example.com
5 0.112334 8.8.8.8 → 192.168.1.100 DNS 98 Standard query response 0x1234 A example.com A 93.184.216.34
Summary Format Fields:
- Packet #: Sequential packet number
- Timestamp: Time since capture started
- Source → Destination: IP addresses or hostnames
- Protocol: Network protocol (HTTP, TCP, DNS, etc.)
- Length: Packet size in bytes
- Info: Protocol-specific information
Frame 1: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) on interface eth0, id 0
Encapsulation type: Ethernet (1)
Arrival Time: Jan 15, 2024 10:30:45.123456000 GMT
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 314 bytes (2512 bits)
Capture Length: 314 bytes (2512 bits)
Ethernet II, Src: aa:bb:cc:dd:ee:ff, Dst: 11:22:33:44:55:66
Destination: 11:22:33:44:55:66
Source: aa:bb:cc:dd:ee:ff
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 93.184.216.34
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Total Length: 300
Identification: 0x1234 (4660)
Source Address: 192.168.1.100
Destination Address: 93.184.216.34
Verbose Output Includes:
- Frame Details: Physical layer information
- Ethernet Headers: MAC addresses and frame type
- IP Headers: Version, length, addresses, flags
- Protocol Analysis: Detailed protocol field breakdown
Capture vs Display Filters
Capture Filters (-f)
Applied during packet capture to reduce captured data:
tshark -i eth0 -f "tcp port 80"
- Uses Berkeley Packet Filter (BPF) syntax
- More efficient - filters at kernel level
- Cannot be changed after capture starts
- Reduces file size and processing load
Common Capture Filters:
- host 192.168.1.1: Specific host
- net 192.168.0.0/16: Network range
- port 53: Specific port
- tcp and not port 22: TCP except SSH
Display Filters (-Y)
Applied after capture to filter displayed packets:
tshark -r file.pcap -Y "http.request.method == GET"
- Uses Wireshark display filter syntax
- More powerful and flexible
- Can be changed during analysis
- Allows complex logical expressions
Popular Display Filters:
http.request.method == "GET"
HTTP GET requests only
tcp.flags.syn == 1
TCP SYN packets (connection attempts)
dns.flags.response == 0
DNS queries (not responses)
ip.addr == 192.168.1.100
Traffic to/from specific IP
Advanced Display Filters
| Filter Expression | Description | Security Use Case |
|---|---|---|
| http.request.method == "GET" | HTTP GET requests only | Web Analysis |
| tcp.flags.syn == 1 | TCP SYN packets (connection attempts) | Connection Analysis |
| dns.flags.response == 0 | DNS queries (not responses) | DNS Monitoring |
| ip.addr == 192.168.1.100 | Traffic to/from specific IP | Host Tracking |
| tcp.port == 443 and tls.handshake.type == 1 | HTTPS connection establishments (TLS ClientHello) | Encryption Monitoring |
| icmp.type == 8 | ICMP echo requests (ping) | Network Diagnostics |
| arp | ARP protocol packets | ARP Analysis |
| not tcp | Non-TCP traffic only | Non-TCP Protocols |
Output Formats and Analysis
Field Extraction
Extract specific fields for analysis:
tshark -T fields -e ip.src -e ip.dst -e tcp.dstport
Outputs: source IP, destination IP, destination port
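As an added example (not code from the original page), the following Python script assembles the field-extraction command above with a SYN-only display filter, parses the tab-separated output tshark returns, and reports sources that sent SYNs to many distinct targets, which is the kind of check the "Security Monitoring" scenario calls for. The sample output lines are constructed, and the function names are hypothetical.

```python
# Added example, not from the original page: drive `tshark -T fields` from Python and run detection over its output.
import subprocess
from collections import defaultdict

# Fields requested with -e; tshark prints them tab-separated, one frame per line.
FIELDS = ["frame.time_relative", "ip.src", "ip.dst", "tcp.dstport"]
SYN_ONLY = "tcp.flags.syn == 1 and tcp.flags.ack == 0"  # first packet of a TCP handshake

def build_tshark_cmd(pcap, display_filter=SYN_ONLY):
    """Assemble: tshark -r <pcap> -Y <filter> -T fields -e <field> ..."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def run_tshark(pcap):
    """Execute tshark (must be on PATH) and return its stdout as text."""
    return subprocess.run(build_tshark_cmd(pcap), check=True,
                          capture_output=True, text=True).stdout

def parse_fields(output):
    """Convert field output into dicts; drop frames missing any requested field."""
    rows = []
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS) or "" in parts:
            continue  # e.g. an IPv6 SYN: ip.src/ip.dst come back as empty columns
        rec = dict(zip(FIELDS, parts))
        rec["frame.time_relative"] = float(rec["frame.time_relative"])
        rec["tcp.dstport"] = int(rec["tcp.dstport"])
        rows.append(rec)
    return rows

def syn_fanout(rows, min_ports=5):
    """Map source IP -> number of distinct (dst, port) targets it sent SYNs to, keeping sources at or above min_ports."""
    targets = defaultdict(set)
    for r in rows:
        targets[r["ip.src"]].add((r["ip.dst"], r["tcp.dstport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}

# Constructed sample of what tshark prints for the command above (not real capture data).
SAMPLE_OUTPUT = "\n".join(
    ["0.000000\t192.168.1.100\t93.184.216.34\t80",
     "0.100000\t192.168.1.100\t93.184.216.34\t443",
     "2.000000\t\t\t8080"]  # IPv6 frame: empty ip.src/ip.dst, skipped by parse_fields
    + [f"1.0{i}0000\t10.0.0.5\t192.168.1.1\t{p}" for i, p in enumerate([22, 23, 25, 80, 443, 8080])])

if __name__ == "__main__":
    print(syn_fanout(parse_fields(SAMPLE_OUTPUT)))  # {'10.0.0.5': 6}
```

To analyse a real file, replace SAMPLE_OUTPUT with run_tshark("capture.pcap"); the threshold min_ports is a tuning knob, not a fixed rule.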
Statistical Analysis
tshark -q -z io,stat,1
Generate I/O statistics per second
tshark -q -z conv,ip
Show IP conversation statistics
Export Options
JSON Export
tshark -T json -r file.pcap
Machine-readable format for scripting
CSV Export
tshark -T fields -E separator=, -e ip.src -e ip.dst
Import into spreadsheet applications
XML Export
tshark -T pdml -r file.pcap
Packet Details Markup Language
Security and Legal Considerations
⚠️ Legal Requirements
- Network Ownership: Only capture on networks you own or administrate
- User Consent: Inform users when monitoring their traffic
- Data Privacy: Follow GDPR, HIPAA, and other privacy regulations
- Corporate Policy: Adhere to organizational monitoring policies
- Retention Limits: Don't store captures longer than necessary
Sensitive Data Handling
- Avoid capturing credentials or personal data
- Use filters to exclude sensitive traffic
- Encrypt stored packet captures
- Implement access controls on capture files
🛡️ Best Practices
- Least Privilege: Run with minimum required permissions
- Time Limits: Use -a duration:300 to stop the capture automatically after 300 seconds
- Ring Buffer: Use -b filesize:100000 (size in kB) to limit the size of each capture file
- Secure Storage: Store captures in encrypted directories
- Log Analysis: Monitor who accesses packet captures
🔒 Security Applications
- Incident Response: Analyze security breaches
- Forensics: Evidence collection and analysis
- Monitoring: Detect anomalous network behavior
- Compliance: Verify security policy enforcement
Knowledge Check
Answer: Capture filters (-f) are applied during packet capture using BPF syntax and are more efficient because they filter at the kernel level. Display filters (-Y) are applied after capture using Wireshark display filter syntax and are more flexible: they allow complex expressions and can be changed during analysis.
Answer:
This uses a capture filter for UDP port 53 (DNS), limits to 100 packets (-c), and writes to a file (-w).
tshark -i any -f "udp port 53" -c 100 -w dns_capture.pcap
Answer:
This reads from a file (-r), uses field extraction (-T fields), extracts IP source and HTTP method (-e), and only shows HTTP requests (-Y).
tshark -r capture.pcap -T fields -e ip.src -e http.request.method -Y "http.request"