tshark Linux command
Tshark is a command-line network protocol analyzer that captures and displays packet information. It is a versatile tool for network troubleshooting and security analysis: it can capture live data from a network interface or read packets from a file, and it offers a range of options for filtering and analyzing traffic, which makes it easier to identify issues, troubleshoot network problems, and monitor network security. Tshark supports a wide range of protocols and provides detailed information about each captured packet, including source and destination addresses, protocol type, and payload data. It is a valuable tool for network administrators, security professionals, and anyone working with network data.
tshark Syntax:

```bash
tshark [options] [capture_filter] [read_filter] [write_filter] ...
```
Options:

| Option | Description |
|---|---|
| -i <interface> | Set the interface to capture packets from |
| -f <capture_filter> | Set the capture filter to restrict packet capture |
| -R <read_filter> | Set the display filter for reading packets |
| -Y <write_filter> | Set the display filter for writing packets |
| -w <output_file> | Write the captured packets to a file |
| -r <input_file> | Read packets from a specified input file |
| -V | Display packet details verbosely |
| -e <field> | Print the value of the specified field |
| -T fields | Print selected fields |
| -z | Output various statistics about the capture file |
Parameters:

| Parameter | Description |
|---|---|
| capture_filter | Specifies the filter expression for capturing packets |
| read_filter | Specifies the filter expression for reading packets |
| write_filter | Specifies the filter expression for writing packets |
tshark bash Examples:

Capture and Display Live Packets

```bash
tshark
```

Captures and displays live packets in the terminal.

Capture Packets to a File

```bash
tshark -i eth0 -w capture.pcap
```

Captures packets from interface “eth0” and saves them to a file named “capture.pcap”.

Filter Packets by Protocol

```bash
tshark -i eth0 -f "tcp port 80"
```

Captures packets on interface “eth0” and filters them to show only TCP packets on port 80.

Display Packet Details

```bash
tshark -r capture.pcap
```

Reads a previously saved capture file “capture.pcap” and displays detailed information about the packets.

Decode Packets in HEX and ASCII

```bash
tshark -r capture.pcap -x
```

Reads a capture file “capture.pcap” and decodes the packets in both HEX and ASCII formats.

Display Packet Summary

```bash
tshark -r capture.pcap -q -z io,phs
```

Reads a capture file “capture.pcap” and displays a summary of packet sizes in a tabular format.
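The -T fields and -e options listed above make tshark emit one tab-separated line per packet, which is what makes its output easy to post-process for triage. The following Python is an added example, not code from the page or from tshark: it parses the output of an assumed command (given in the docstring) on a constructed sample, sums bytes per source/destination pair, and counts TCP destination ports outside an assumed service baseline.

```python
"""Summarize TSV from tshark -T fields (added example, not from the page).
Assumed command (constructed; tshark's default field separator is a tab):
  tshark -r capture.pcap -Y tcp -T fields -E header=y \
      -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport -e frame.len
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample output, not a real capture. Fields a packet lacks are empty.
SAMPLE_TSV = (
    "frame.time_relative\tip.src\tip.dst\ttcp.dstport\tframe.len\n"
    "0.000000\t10.0.0.5\t203.0.113.10\t443\t74\n"
    "0.010000\t203.0.113.10\t10.0.0.5\t52144\t66\n"
    "0.020000\t10.0.0.5\t203.0.113.10\t443\t1514\n"
    "1.500000\t10.0.0.7\t10.0.0.9\t4444\t60\n"
    "1.510000\t10.0.0.7\t10.0.0.9\t4444\t1500\n"
    "2.000000\t10.0.0.5\t10.0.0.53\t\t90\n"  # tcp.dstport missing -> empty field
)
EXPECTED_PORTS = {22, 53, 80, 443}  # assumed service baseline for this network
EPHEMERAL_START = 32768  # lower bound of the Linux default ip_local_port_range


def parse_fields(tsv_text):
    """Parse tshark -T fields -E header=y output into one dict per packet."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def bytes_per_conversation(rows):
    """Sum frame.len per (ip.src, ip.dst) pair to spot large one-way transfers."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["ip.src"], r["ip.dst"])] += int(r["frame.len"])
    return dict(totals)


def unexpected_dst_ports(rows, baseline=EXPECTED_PORTS):
    """Count TCP destination ports outside the baseline. Rows without tcp.dstport
    are skipped; ephemeral-range ports are treated as the return leg, not a service."""
    hits = Counter()
    for r in rows:
        port = int(r["tcp.dstport"] or 0)
        if port and port < EPHEMERAL_START and port not in baseline:
            hits[port] += 1
    return dict(hits)


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_TSV)
    print(bytes_per_conversation(rows), unexpected_dst_ports(rows))
```

Pipe real tshark output in with `-E header=y` so the column names match the field keys the functions look up.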
How do I capture packets with tshark?

To capture packets using tshark in Linux, use the following command:

```bash
tshark -i <interface>
```

How do I display packet details with tshark?

To display packet details using tshark in Linux, use the following command:

```bash
tshark -V
```

How do I apply a display filter with tshark?

To apply a display filter using tshark in Linux, use the following command:

```bash
tshark -Y <filter>
```

How do I save captured packets to a file with tshark?

To save captured packets to a file using tshark in Linux, use the following command:

```bash
tshark -i <interface> -w <output_file>
```

How do I read saved packet files with tshark?

To read saved packet files using tshark in Linux, use the following command:

```bash
tshark -r <input_file>
```

How do I capture a specific number of packets with tshark?

To capture a specific number of packets using tshark in Linux, use the following command:

```bash
tshark -c <count>
```

How do I list available interfaces for packet capturing with tshark?

To list available interfaces for packet capturing using tshark in Linux, use the following command:

```bash
tshark -D
```

How do I decode encrypted traffic with tshark?

To decode encrypted traffic using tshark in Linux, use the following command:

```bash
tshark -o <ssl.keys_list>:<ssl.keys_string>
```
Applications of the tshark command

- Capture live network packets
- Analyze saved packet capture files
- Display detailed packet information
- Filter packets based on specific criteria
- Generate statistics from network traffic
- Decrypt encrypted packets
- Export packet data to other tools or formats