tshark: Basic Tutorial with Practical Examples
tshark is a command-line protocol analyzer used to capture and analyze network traffic from a live network. It can serve as a substitute for Wireshark if you prefer working in a terminal. This guide is for beginners who want to start analyzing protocols with the basic tshark commands. Below I list some basic commands with example usage to help you capture and analyze network traffic.
Installation on a Linux-based OS
To install tshark, just type the command below:
sudo apt-get install tshark
1. Display all tshark options
If you want to see the different options available with tshark, just type the command below. Remember to use sudo while capturing with tshark: a live capture needs raw-socket privileges. On Debian-based systems you can avoid running the whole tool as root by running sudo dpkg-reconfigure wireshark-common and adding your user to the wireshark group, which lets the capture helper (dumpcap) capture without root.
sudo tshark -h
2. Capture network traffic on a specific interface
Just give the interface name after the -i option to display the traffic on that interface. This option shows clean output for a single interface.
sudo tshark -i <interface>
3. Capture network packets and save them to the file traffic-capture.pcap
With the -w option, you can write every packet tshark captures to a single file in pcap format.
tshark -i <interface> -w <file-name>.pcap
4. Read captured packets from a pcap file
With the -r option, you can read a saved pcap file.
tshark -r <file-name>.pcap
5. Capture packets to a .pcap file for a fixed duration
If you want to capture traffic from the live network for a specific period of time, use the -a option. The command below captures for the given duration.
tshark -i <interface> -a duration:<time>
Note: <time> is in seconds
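Sections 3 to 5 together describe the capture-to-file workflow. The script below is an added example, not part of the original tutorial: capture_for runs the capture with -a duration and -w, and capture_format checks the first four bytes of the resulting file, because tshark -w writes pcapng by default and only produces classic pcap when -F pcap is given (the -F, -q and -z io,phs options are real tshark options; the interface, duration and file name are placeholders supplied by the caller).

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumptions: tshark is installed; -F pcap forces classic pcap output
# (the default is pcapng); interface/duration/file are caller-supplied placeholders.

# Identify a capture file by its magic number (first four bytes).
# Prints one of: pcap, pcap-ns, pcap-be, pcapng, unknown.
capture_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap ;;      # classic pcap, microsecond timestamps
        4d3cb2a1) echo pcap-ns ;;   # classic pcap, nanosecond timestamps
        a1b2c3d4) echo pcap-be ;;   # classic pcap written big-endian
        0a0d0d0a) echo pcapng ;;    # pcapng section header block
        *)        echo unknown ;;
    esac
}

# capture_for IFACE SECONDS OUTFILE
# Capture on IFACE for SECONDS, write classic pcap to OUTFILE, then
# confirm the file format and print a protocol hierarchy summary.
capture_for() {
    iface=$1; secs=$2; out=$3
    case "$secs" in
        ''|*[!0-9]*) echo "duration must be a whole number of seconds" >&2; return 2 ;;
    esac
    # -a duration:N stops the capture after N seconds (section 5)
    sudo tshark -i "$iface" -a "duration:$secs" -F pcap -w "$out" || return 1
    echo "wrote $out ($(capture_format "$out"))"
    # Read the file back (section 4); -q -z io,phs prints only the
    # protocol hierarchy statistics instead of every packet.
    tshark -r "$out" -q -z io,phs
}
```

Usage: capture_for eth0 30 /tmp/traffic-capture.pcap. If you drop the -F pcap flag from capture_for, capture_format will report pcapng, which is what tools expecting the classic format will choke on.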
6. Check the tshark version
Check the version of the tshark tool with the -v option:
tshark -v
7. Capture a specific number of packets
tshark lets you stop after a specific number of captured packets with the -c option.
tshark -c <number> -i <interface>
8. List all interfaces available for capture
If you are unsure which interfaces are available, use the -D option:
sudo tshark -D
9. Capture only packets from a specific source or destination IP
This is the command most used by security researchers and network engineers. To filter traffic by a specific IP, use the -f option. It takes a libpcap capture filter, which is applied as packets are captured, so packets that do not match are never written to the output.
tshark -i <interface> -f "host <IP>"
10. Capture only packets of a specific protocol
The example below shows how to filter on a specific protocol while displaying tshark results.
tshark -i <interface> -f "<protocol>"
Note: <protocol> may be tcp, udp, dns etc.
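Sections 9 and 10 both use -f, which takes a libpcap (BPF) capture filter. That syntax differs from the Wireshark display-filter syntax used by -Y when reading a capture back, so a display-filter protocol name such as dns has to be written as port 53 in a capture filter. The script below is an added example, not code from the original tutorial: build_capture_filter validates a host and a list of protocols before composing them into one BPF expression (the bpf_term mapping from protocol names to port terms is my own shorthand), and capture_filtered shows the same capture read back with a -Y display filter. The interface, host and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumptions: -f takes libpcap/BPF syntax, -Y takes Wireshark display-filter
# syntax; bpf_term is a hypothetical helper mapping a few protocol names to
# the BPF terms a capture filter understands; all values are placeholders.

# Accept only plain IPv4/IPv6 addresses, hostnames or protocol keywords, so a
# stray quote, space or operator in user input cannot change the filter's meaning.
is_safe_token() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9.:_-]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# Translate display-filter style names into BPF capture-filter terms;
# native BPF primitives (tcp, udp, icmp, arp, ip) pass through unchanged.
bpf_term() {
    case "$1" in
        dns)   echo "port 53" ;;
        http)  echo "tcp port 80" ;;
        https) echo "tcp port 443" ;;
        ssh)   echo "tcp port 22" ;;
        *)     echo "$1" ;;
    esac
}

# build_capture_filter HOST [PROTO...]   -> e.g. "host 10.0.0.5 and (tcp or port 53)"
# Pass "" as HOST to filter on protocols only; pass no protocols for host only.
build_capture_filter() {
    host=$1
    if [ $# -gt 0 ]; then shift; fi
    filter=""
    if [ -n "$host" ]; then
        is_safe_token "$host" || { echo "rejected host: $host" >&2; return 2; }
        filter="host $host"
    fi
    protos=""
    for p in "$@"; do
        is_safe_token "$p" || { echo "rejected protocol: $p" >&2; return 2; }
        term=$(bpf_term "$p")
        protos="${protos:+$protos or }$term"
    done
    if [ -n "$protos" ]; then
        # Parenthesise an OR-group so the AND with the host binds correctly.
        [ $# -gt 1 ] && protos="($protos)"
        filter="${filter:+$filter and }$protos"
    fi
    echo "$filter"
}

# capture_filtered IFACE OUTFILE HOST [PROTO...]
# Capture up to 200 matching packets with the BPF filter (-f), then read the
# file back with a display filter (-Y) that has no capture-filter equivalent.
capture_filtered() {
    iface=$1; out=$2; host=$3
    shift 3
    f=$(build_capture_filter "$host" "$@") || return 2
    echo "capture filter: $f"
    sudo tshark -i "$iface" -f "$f" -c 200 -w "$out" || return 1
    # Display filters operate on dissected fields: only DNS responses here.
    tshark -r "$out" -Y "dns.flags.response == 1"
}
```

Usage: capture_filtered eth0 /tmp/dns.pcap 10.0.0.5 dns. Keeping the capture filter narrow limits what lands on disk, while the display filter does the finer selection on the dissected packets afterwards.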
This short tutorial has equipped you to start using tshark to analyze network traffic. You can combine different options in the same command to narrow the results to your interest. If you are interested in learning more, see the official manual of tshark (man tshark).
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.