Using Wireshark Command-Line Tool (TShark)

# yum install wireshark
# apt-get install tshark
# tshark -v

Capturing needs raw access to the network interface. If you are logged in as a regular, non-root user, either prefix every capture command with "sudo" (as below) or, better, give your account capture rights without root: on Debian and Ubuntu, reconfiguring the wireshark-common package lets members of the wireshark group capture, because the privilege is granted to the small dumpcap helper rather than to the whole dissector engine running as root. Reading a saved capture file with -r needs no privileges at all.

# sudo tshark …. 

Why TShark?

You don't have a GUI (X Windows), or don't want to use one. You can analyze traffic directly on the Linux server that carries it, without copying captures to a workstation. Maybe you are a "terminal" person and find text output easier to work with and to script against. TShark captures packets the way "tcpdump" and "ngrep" do, but it adds the full protocol decoding (dissectors) of Wireshark, so the output is decoded fields rather than raw bytes.

Beginning

Network packets enter and leave a server through a network interface card (NIC). If the machine has several NICs, you must choose which one to inspect, so start by listing the network devices (-D), then capture on one of them (-i), optionally stopping after a number of packets (-c) or writing the packets to a file (-w).

# tshark -D
# tshark -i eth0
# tshark -i eth0 -c 50
# tshark -i eth0 -w /tmp/dump.pcap -c 100

The file written with -w is not text, so you can't just open it in an editor like Vim. Despite the .pcap extension used in the example, TShark writes the PCAPNG (PCAP Next Generation) format by default; it is the successor of the classic libpcap format and is primarily associated with Wireshark, the project started by Gerald Combs. If a tool that only understands the classic format has to read the file, pass -F pcap when writing it.

You can read this file later with Wireshark or TShark; pass it to TShark with the "-r" option.

# tshark -r /tmp/dump.pcap

Understanding the Output

In the TCP/IP model, the layer just above the Internet Layer is the Host-to-Host Transport Layer, usually shortened to Transport Layer. Its two most important protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). If layered models are new to you, look up the OSI Reference Model, which has seven layers defining the functions of data-communication protocols. TShark's default one-line summary names the highest-layer protocol it managed to dissect in each frame, so a frame may show up as TCP, HTTP, DNS and so on.

At the start of every TCP connection you will see three packets. The first carries a SYN flag from the client to the server. The second is the server's reply with both the SYN and ACK flags set. The third is the client's ACK, acknowledging the second packet. This is the TCP handshake, called the "3-Way Handshake". A SYN that is never followed by a SYN/ACK, or that is answered with RST, is what a port scan or a firewalled port looks like in a capture, which is why the individual flag bits are worth filtering on.
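The stream classifier below is an added example, not code from the original post. It feeds TShark field output through awk and labels every TCP stream that begins with a SYN as complete, half-open (the server sent SYN/ACK but the client answered RST instead of ACK, the shape of a SYN scan), refused (RST instead of SYN/ACK) or unanswered. It assumes the producing command in the comment, with comma separation and the field order tcp.stream, ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack, tcp.flags.reset; the lines in demo_handshakes are constructed sample output, not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.
# Classifies TCP streams by how far their handshake got.
# Assumed producer (separator and field order matter):
#   tshark -r dump.pcap -Y tcp -T fields -E separator=, \
#          -e tcp.stream -e ip.src -e ip.dst -e tcp.dstport \
#          -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset | classify_streams
# Streams first seen mid-connection (no SYN in the capture) are not reported.
classify_streams() {
  awk -F',' '
    # Boolean fields print as 1/0 or True/False depending on the tshark version.
    function is_set(v) { return (v == "1" || v == "True" || v == "TRUE" || v == "true") }
    NF >= 7 {
      s = $1
      if (is_set($5) && !is_set($6)) {        # SYN from the client: remember who and where
        syn[s] = 1; src[s] = $2; dst[s] = $3 ":" $4
      } else if (is_set($5) && is_set($6)) {  # SYN/ACK: the server answered
        synack[s] = 1
      } else if (is_set($7)) {                # RST: closed port, or the client aborting
        rst[s] = 1
      } else if (is_set($6)) {                # plain ACK: third step of the handshake
        ack[s] = 1
      }
    }
    END {
      for (s in syn) {
        if (synack[s])   state = ack[s] ? "complete" : "half-open"
        else if (rst[s]) state = "refused"
        else             state = "unanswered"
        printf "%s -> %s %s\n", src[s], dst[s], state
      }
    }' | sort
}

demo_handshakes() {
  # Constructed sample: stream 0 completes, 1 is refused with RST+ACK, 2 is a
  # half-open SYN-scan probe (client answers SYN/ACK with RST), 3 gets no reply.
  printf '%s\n' \
    '0,10.0.0.5,10.0.0.9,22,1,0,0' \
    '0,10.0.0.9,10.0.0.5,51000,1,1,0' \
    '0,10.0.0.5,10.0.0.9,22,0,1,0' \
    '1,10.0.0.5,10.0.0.9,23,1,0,0' \
    '1,10.0.0.9,10.0.0.5,51001,0,1,1' \
    '2,10.0.0.5,10.0.0.9,80,1,0,0' \
    '2,10.0.0.9,10.0.0.5,51002,1,1,0' \
    '2,10.0.0.5,10.0.0.9,80,0,0,1' \
    '3,10.0.0.5,10.0.0.9,443,1,0,0' | classify_streams
}

case "${1:-}" in --demo) demo_handshakes ;; esac
```

Run with --demo to see the four constructed streams labelled; on a real capture, a single source with many "half-open", "refused" or "unanswered" lines across many destination ports is the signature of a scan, while a server showing many "half-open" streams from many sources looks like a SYN flood.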

Filtering

Everything so far was preparation for filtering. You almost always want a filter while analyzing traffic: on a busy network the unfiltered output is unreadable, flowing past like the screens in the Matrix movies. TShark offers several kinds of filter; "Capture Filters" and "Display Filters" are the two you will use most, and they are applied at different points.

Capture Filters

Capture filters use the "-f" option and the traditional "pcap" filter syntax of "libpcap" (BPF), the same syntax tcpdump uses. They are applied before packets reach the dissectors, so they are cheap and reduce what is written to disk, but whatever they drop is gone for good. They only apply to live capture; when reading a file with -r, use a display filter instead.

# tshark -f "host 192.168.1.2 and (dst port 80 or 443)"
# tshark -i eth0 -f "tcp port 22 and not src host 192.168.1.2"
# tshark -f "tcp portrange 1024-9999"
# tshark -f "net 192.168.1.0/24"

Display Filters

Display filters are set with -Y and use the Wireshark display filter syntax. They run after dissection, so they can match any decoded field (an HTTP host, a DNS query name, a single TCP flag) and work both on live captures and on files read with -r.
For example, to see all packets to or from host 192.168.1.2 (ip.addr matches either direction):

# tshark -i eth0 -Y "ip.addr==192.168.1.2"
# tshark -Y "ip.src == 8.8.8.8 or ip.dst == 192.168.1.2"
# tshark -i eth0 -Y "ip.addr==192.168.1.2 and tcp.port==80"
# tshark -i eth0 -Y "tcp.port== 8080 and http.request"
# tshark -Y "not ssh"
# tshark -i eth0 -Y "(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp"
# tshark -i eth0 -Y "ip.src !=192.168.1.2"
# tshark -i eth0 -Y "http.host contains demo"# tshark -i eth0 -Y "http.request.uri contains demo"
# tshark -i eth0 -Y "http.request.uri contains string(ip.dst)"
# tshark -Y "sip.To contains "2023""
# tshark -Y "dns.qry.name contains picus"
# tshark -Y "dns.qry.name=="picussecurity.com""
# tshark -i eth0 -Y "tcp.flags.fin==1"

Formatting

Sometimes you need more or less information from the packets than the one-line summary, and you may need to control how and where it is printed. -V prints the full decoded tree for every packet, -O limits that full tree to the named protocols, and -T fields with one -e per field gives you exactly the columns you ask for; -E controls the separator and quoting of that output (-E header=y adds a header line), which is how you get a CSV for a spreadsheet or a script. -G fields lists every field name you can pass to -e or use in a display filter.

# tshark -V …..
# tshark -O dns …..
# tshark -i eth0 -O icmp -T fields -e ip
# tshark -i eth0 -O icmp -T fields -e ip.src
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=,
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d > MyTshark.csv
# tshark -G fields | less
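The aggregation below is an added example, not code from the original post. It turns the CSV that -T fields -E separator=, produces into bytes and packets per source/destination pair, the kind of top-talkers table you would otherwise read off a GUI. It assumes the producing command in the comment with the field order ip.src, ip.dst, frame.len; it strips the double quotes that -E quote=d adds so both quoted and unquoted output work, and skips a header line from -E header=y and frames that carry no IPv4 header. The lines in demo_conversations are constructed sample output, not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.
# Bytes and packets per (src -> dst) pair from tshark field output.
# Assumed producer (field order matters):
#   tshark -r dump.pcap -T fields -e ip.src -e ip.dst -e frame.len \
#          -E separator=, -E quote=d | conversation_bytes
conversation_bytes() {
  awk -F',' '
    {
      gsub(/"/, "")                      # tolerate -E quote=d by stripping the quotes
      if ($1 == "" || $2 == "") next     # frames without IPv4 (ARP, IPv6) have empty fields
      if ($3 !~ /^[0-9]+$/) next         # skip a header line from -E header=y
      key = $1 " -> " $2
      bytes[key] += $3
      pkts[key]  += 1
    }
    END {
      for (k in bytes) printf "%d %d %s\n", bytes[k], pkts[k], k
    }' | sort -rn                        # largest conversations first
}

demo_conversations() {
  # Constructed sample mixing quoted and unquoted lines, a header line and an
  # ARP frame with no IP fields.
  printf '%s\n' \
    'ip.src,ip.dst,frame.len' \
    '"10.0.0.5","10.0.0.9","74"' \
    '"10.0.0.9","10.0.0.5","1514"' \
    '"10.0.0.9","10.0.0.5","1514"' \
    '10.0.0.5,10.0.0.9,66' \
    ',,60' \
    '"10.0.0.7","8.8.8.8","83"' | conversation_bytes
}

case "${1:-}" in --demo) demo_conversations ;; esac
```

Each output line is "bytes packets src -> dst"; because the direction is part of the key, a host that downloads a lot and a host that uploads a lot are distinguishable, which a bidirectional total would hide.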

Secure Sockets Layer (SSL/TLS)

TShark can also decrypt TLS (historically called SSL) when it is given the key material. The example below shows the HTTP inside HTTPS on port 443 using the server's RSA private key. This only works for cipher suites with RSA key exchange: it cannot decrypt forward-secret (EC)DHE suites, which rules out most TLS 1.2 deployments today and every TLS 1.3 session. For those, export the session secrets from the client (the SSLKEYLOGFILE mechanism supported by browsers and curl) and hand the log to TShark with the tls.keylog_file preference. The preference names below are the ssl.* names from the original post, which older versions accept; since Wireshark 3.0 the protocol is named tls, so use tls.desegment_ssl_records, tls.desegment_ssl_application_data and tls.debug_file, and the per-host key list moved from ssl.keys_list into the TLS "RSA keys" table.

# tshark -r encrypted.pcap -Y "tcp.port == 443" -O http \
-o "ssl.desegment_ssl_records: TRUE" \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list: 127.0.0.1,443,http,server.key" \
-o "ssl.debug_file: debug-ssl.log"

The ssl.keys_list entry is ip,port,protocol,keyfile: decrypt traffic to 127.0.0.1:443 with server.key and dissect the plaintext as http. The debug file records why a session could not be decrypted, which is the first thing to read when the output stays opaque.

Statistics

If you want an analytical report, use the "-z" option followed by one of the many report types available (tshark -z help lists them). TShark collects the statistics while reading the packets and prints the result after it finishes reading the capture file (or after -c packets on a live capture). Use the -q option if you only want the statistics printed, not the per-packet lines.

# tshark -z help
# tshark -z icmp,srt -q -c 100

Tricks

Many people combine TShark with "grep", and that works: unless you write with -w, TShark prints one text summary line per packet, so the first two commands below run fine. Two things to know: when piping a live capture, add -l so TShark flushes each line immediately, otherwise grep sits on a buffered output and appears to hang; and matching the string "ACK" in the summary column is fragile, because that text depends on the dissector and the output format, so prefer a display filter on the flag itself (-Y "tcp.flags.ack == 1") when the result has to be right. What you cannot grep is the output of -w: that is binary PCAPNG, whatever the file extension, and it must be read back with -r (or with Wireshark). The last command extracts every IP address seen in a capture into a sorted, de-duplicated list; frames without IPv4 (ARP, IPv6) produce empty fields and are skipped.

# tshark -l -f "port 22" | grep "ACK"
# tshark -r traffic.pcap | grep "ACK"
# tshark -w traffic.pcap -f "port 22"
# tshark -w /tmp/dump.cap -c 1000
# tshark -r /tmp/dump.pcap -T fields -e ip.src -e ip.dst | awk 'NF == 2 { print $1; print $2 }' | sort -u > /tmp/myiplist.txt

Tag Line

Wireshark and TShark have many, many more features and options. I will stop here, because I don't want to be boring; the aim was only to give a perspective on TShark as the command-line Wireshark.
