Uses of Tshark/Wireshark for beginners

Most of the time when we connect to the internet, we do not think about the network protocols working in the background that make it all possible. Right now, while you are reading this article, your computer is exchanging many packets that travel across the internet.

To understand these protocols, you need a tool that can capture these packets and help you analyze them. Wireshark is a popular open source graphical user interface (GUI) tool for analyzing packets. The same project also provides a powerful command-line utility called TShark for people who prefer to work on the Linux command line, or who need to capture on a headless server.

Check your installation

First, ensure the required packages are installed. On RPM-based distributions (Fedora, RHEL, CentOS):

# rpm -qa | grep -i wireshark

On Debian-based distributions the equivalent is dpkg -l | grep -i wireshark.

If the Wireshark package is installed, check whether the TShark utility is installed and, if so, which version:

# tshark -v

If you are logged in as a regular, non-root user, capturing live traffic needs elevated rights, so prefix the capture commands below with sudo; root users can run the tshark command directly. Reading an existing capture file needs no special rights beyond read access to the file. Note that running tshark as root means its protocol dissectors, which parse untrusted packet data, run with full privileges. The Wireshark project recommends instead adding your user to the wireshark group (on Debian-based systems, dpkg-reconfigure wireshark-common sets this up), so that only the small capture helper dumpcap receives capture capabilities and tshark itself runs unprivileged.

Useful tshark commands

  1. List all tshark options
    • sudo tshark -h
  2. Capture network traffic on a given interface
    • sudo tshark -i <interface>
    • Use sudo tshark -D to list the interfaces tshark can see.
  3. Capture packets and write them to a file, for example traffic-capture.pcap
    • With the -w option, tshark writes all captured packets to a single capture file instead of printing them. Current tshark versions write the pcapng format by default regardless of the file extension; add -F pcap if another tool needs classic pcap.
    • sudo tshark -i <interface> -w <file-name>.pcap
  4. Read captured packets from a saved pcap file
    • With the -r option, tshark reads a saved capture file and dissects it exactly as it would live traffic. No root rights are needed for this.
    • tshark -r <file-name>.pcap
  5. Capture packets for a particular duration
    • To capture live traffic for a fixed period, use the -a option with a duration in seconds; tshark stops automatically when the time is up.
    • sudo tshark -i <interface> -a duration:<seconds>
  6. Capture a specific number of packets
    • The -c option stops the capture after the given number of packets has been captured.
    • sudo tshark -c <number> -i <interface>
  7. Capture only packets to or from a specific IP address
    • This is one of the commands security researchers and network engineers use most. The -f option takes a capture filter in libpcap (BPF) syntax; the filter is applied by the capture helper before the packets reach tshark's dissectors, so unwanted traffic is never stored or parsed.
    • sudo tshark -i <interface> -f "host <IP>"
  8. Capture only packets of a specific protocol
    • The same -f option filters by protocol at capture time.
    • sudo tshark -i <interface> -f "<protocol>"
    • Note: capture filters only understand link, network and transport layer primitives such as tcp, udp, icmp, arp and port <number>. An application protocol name such as dns is not valid in -f; use "port 53" there, or filter after dissection with a display filter, which uses Wireshark's own syntax and does know application protocols: sudo tshark -i <interface> -Y "dns".
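The commands above combined into one script, added here as an illustration and not part of the original article. It wraps the capture and read steps in shell functions and shows why the -f capture filter and the -Y display filter differ: -f takes libpcap syntax, which has no notion of application protocols such as DNS, so the script translates a protocol name into a port-based capture filter before handing it to tshark. The interface name (read from the TSHARK_IFACE environment variable), the output file name dns.pcap, the 30-second limit, the 100-packet limit and the protocol-to-port table are assumptions made for this demonstration; the builder functions only print command lines, and the live capture runs only when tshark is installed and TSHARK_IFACE is set.

```shell
#!/bin/sh
# Added example (not from the original article): reusable wrappers around
# the tshark commands in the tutorial. Assumes tshark is on PATH for the
# live part; TSHARK_IFACE, dns.pcap, 30 s and 100 packets are demo values.
set -eu

# Map a protocol name to a libpcap (BPF) capture filter. BPF only knows
# link/network/transport primitives ("tcp", "udp", "host", "port"), so an
# application protocol such as DNS has to be expressed by its port. This
# table is an assumption for the demo; extend it to taste.
bpf_for_proto() {
    case "$1" in
        tcp|udp|icmp|arp|ip|ip6) printf '%s' "$1" ;;
        dns)   printf '%s' 'port 53' ;;
        http)  printf '%s' 'tcp port 80' ;;
        https) printf '%s' 'tcp port 443' ;;
        ssh)   printf '%s' 'tcp port 22' ;;
        *)     echo "no capture filter known for protocol: $1" >&2; return 1 ;;
    esac
}

# Build (but do not run) a bounded capture command.
# $1 interface, $2 output file, $3 seconds, $4 max packets, $5 capture filter
# -F pcap forces classic pcap output (tshark writes pcapng by default);
# -a duration and -c make sure the capture cannot run forever.
capture_cmd() {
    printf 'tshark -i %s -F pcap -w %s -a duration:%s -c %s -f "%s"' \
        "$1" "$2" "$3" "$4" "$5"
}

# Build a command that reads a saved capture with a Wireshark display
# filter (-Y, applied after dissection) and prints selected fields,
# one packet per line. $1 capture file, $2 display filter
read_cmd() {
    printf 'tshark -r %s -Y "%s" -T fields -e frame.time -e ip.src -e ip.dst' \
        "$1" "$2"
}

# Live demo, only when tshark exists and an interface was supplied,
# e.g. TSHARK_IFACE=eth0 sh tshark-demo.sh
if command -v tshark >/dev/null 2>&1 && [ -n "${TSHARK_IFACE:-}" ]; then
    filter=$(bpf_for_proto dns)
    # Capturing needs privileges; reading the resulting file does not.
    eval "sudo $(capture_cmd "$TSHARK_IFACE" dns.pcap 30 100 "$filter")"
    eval "$(read_cmd dns.pcap 'dns.flags.response == 0')"
fi
```

The read step shows only DNS queries (dns.flags.response == 0) even though the capture file also holds the answers, which is the division of labour to remember: -f decides what is written to disk, -Y decides what is shown from it.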

Conclusion

This short tutorial equipped you to get started with tshark for analyzing network traffic. The options shown can be combined in a single command, for example an interface, a capture filter, a packet limit and an output file together, to narrow the capture to exactly what you need.


Author

Pravin Tewari
Senior Manager, Application and Cloud Support

Pravin is a visionary professional with over 11 years of experience in Technical Support, Cloud Infrastructure Management, and Customer Experience. He has hands-on experience in working across the lifecycle of project delivery and deployment, solution consulting, and support. He has deep experience in managing cloud deployments and implementing DevOps tools for automation to provide better uptime. Pravin has successfully led large product & cloud support teams, and coached & mentored a high-performing team that delivers high-quality service to customers.