Tshark & Filtering Basics

Tshark Overview

Tshark is a command-line tool used for network packet analysis. It helps you capture, inspect, and analyze network traffic in a readable format. Tshark can provide insights into network behavior, identify issues, and troubleshoot problems. By capturing and decoding packets, it allows you to see details like source and destination addresses, protocols used, and even application data. It's like a detective tool for understanding what's happening on a computer network.

Tshark Commands

General Commands

List available capture interfaces:
```
tshark -D
```
Capture packets on a specific interface (e.g., eth0):
```
tshark -i eth0
```
Read and analyze packets from a saved pcap file:
```
tshark -r <file_path.pcap>
```

Advanced Analysis

Read packets from a pcap file and display protocol hierarchy statistics quietly:
```
tshark -r <file_path.pcap> -z io,phs -q
```
Read packets from a pcap file and filter based on a display filter:
```
tshark -r <file_path.pcap> -Y "http.request"
```

Read packets from a pcap file and filter for HTTP GET requests with timestamp, source IP, and full URI:

tshark -r <file_path.pcap> -Y 'http.request.method==GET' -Tfields -e frame.time -e ip.src -e http.request.full_uri

Read packets from a pcap file and filter for HTTP requests containing the word "password":
```
tshark -r <file_path.pcap> -Y 'http contains password'
```

Capture Options

Capture packets on a specific interface with a packet count limit:
```
tshark -i eth0 -c 100
```
Capture packets and save to a file in pcap format:
```
tshark -i wlan0 -w capture.pcap
```

Display Options

Display packet details in real-time with human-readable output:
```
tshark -i enp0s25 -V
```
Print a summary of unique source and destination IP addresses from a pcap file:
```
tshark -r capture.pcap -T fields -e ip.src -e ip.dst | sort -u
```
Filter and display packets between a specific source and destination IP address:
```
tshark -r <file_path.pcap> -Y 'ip.src==<IP> && ip.dst==<IP>'
```

Hacker's Mantra:I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization. - Kevin Mitnick

PreviousNetwork-Based Attacks NextArp Poisoning

Last updated 10 months ago

Was this helpful?

Tshark Overview

Tshark Commands

General Commands

List available capture interfaces:

tshark -D

Capture packets on a specific interface (e.g., eth0):

tshark -i eth0

Read and analyze packets from a saved pcap file:

tshark -r <file_path.pcap>

Advanced Analysis

Read packets from a pcap file and display protocol hierarchy statistics quietly:

tshark -r <file_path.pcap> -z io,phs -q

Read packets from a pcap file and filter based on a display filter:

tshark -r <file_path.pcap> -Y "http.request"

Read packets from a pcap file and filter for HTTP GET requests with timestamp, source IP, and full URI:

tshark -r <file_path.pcap> -Y 'http.request.method==GET' -Tfields -e frame.time -e ip.src -e http.request.full_uri

Read packets from a pcap file and filter for HTTP requests containing the word "password":

tshark -r <file_path.pcap> -Y 'http contains password'

Capture Options

Capture packets on a specific interface with a packet count limit:

tshark -i eth0 -c 100

Capture packets and save to a file in pcap format:

tshark -i wlan0 -w capture.pcap

Display Options

Display packet details in real-time with human-readable output:

tshark -i enp0s25 -V

Print a summary of unique source and destination IP addresses from a pcap file:

tshark -r capture.pcap -T fields -e ip.src -e ip.dst | sort -u

Filter and display packets between a specific source and destination IP address:

tshark -r <file_path.pcap> -Y 'ip.src==<IP> && ip.dst==<IP>'

Hacker's Mantra:

I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization. - Kevin Mitnick