Using Wireshark Command-Line Tool (TShark)

Whatever you are a DevOps engineer or system administrator or Linux administrator and even software engineer, you need to analyze network packets. When we talk about network sniffing, Wireshark is the first thing that comes to mind. But Wireshark requires a graphic user interface (GUI). If you are a system engineer, you have to work in black screens named as the shell or maybe you don’t like graphic interfaces like me. If you’ve ever dived deep into the Linux world, you’ve heard of Tcpdump or used it. Tcpdump is a powerful command-line tool that helps ease the pain of troubleshooting network issues. However, if you a Wireshark lover, you can use Wireshark in the shell. TShark is Wireshark Command-Line Tool. So A Linux Shell and Wireshark lover should prefer using TShark.

In RHEL machines you can install with the following command:

# yum install wireshark

In Debian or Ubuntu or derivatives, you can install with the following command:

# apt-get install tshark

Check the installation with the following command:

# tshark -v

If you are logged in as a regular, non-root user, you need sudo rights to use the TShark utility and need adding “sudo” prefix to all commands.

# sudo tshark …. 

Why TShark?

You don’t have GUI (X Windows) or don’t use it. You can analyze the Linux server directly on itself. Maybe you are the “terminal” lover and think the terminal output is more human-readable. Tshark works like “tcpdump”, “ngrep”, and others, however, as it provides the protocol decoding features of Wireshark.

Beginning

Network packets are processed via a network interface card (NIC) on servers. If you have multiple NICs, you must select which NIC wants to inspect. So you should list your network devices.

# tshark -D

Output:

1. eth0
2. virbr0
3. docker0
4. nflog
5. nfqueue
6. br-1d92b521d78e
7. br-3ac6da3d7d0b
8. any
9. lo (Loopback)

You can see these devices with “ip addr show” command too. If you use old systems, try command: “ifconfig -a”

“ -i ” option is used for setting which device we interested in.

# tshark -i eth0

This command produces output continuously. Press “CTRL+C” to stop it. If you want to set limit,” use “ -c “ (count) option. You can limit the number of packets captured and displayed on the screen.

# tshark -i eth0 -c 50

You often need to save data to a file to use it later. Use “-w “ option to tell TShark to dump the output to a file. For example; the following command saves the output to a file named dump.pcap in “/tmp” directory.

# tshark -i eth0 -w /tmp/dump.pcap -c 100

The file has .pcap extension is a special formatted file. You can’t just open the file using an editor like Vim. The PCAPNG file type is primarily associated with WireShark by Gerald Combs. PCAPNG (Packet CAPture Next Generation) is the file extension for the PCAP Next Generation dump file format.

You can read this file with Wireshark or Tshark later. Need “-r” command for giving this file to Tshark.

# tshark -r /tmp/dump.pcap

When you used “-r” command, do not need to set any device with “-i” because Tshark reads data from the file instead of the device.

Understanding the Output

1 0.000000000 172.31.75.91 -> 52.51.144.114 SSH 190 Encrypted response packet len=124
2 0.134494755 172.31.75.91 -> 172.217.7.174 ICMP 98 Echo (ping) request id=0x37b1, seq=132/33792, ttl=64
3 0.135425211 172.217.7.174 -> 172.31.75.91 ICMP 98 Echo (ping) reply id=0x37b1, seq=132/33792, ttl=112 (request in 2)
4 0.135470953 52.51.144.114 -> 172.31.75.91 TCP 66 58149 > ssh [ACK] Seq=1 Ack=125 Win=2046 Len=0 TSval=465528958 TSecr=3775816593
5 0.135566427 172.31.75.91 -> 52.51.144.114 SSH 198 Encrypted response packet len=132
6 0.275464916 52.51.144.114 -> 172.31.75.91 TCP 66 58145 > ssh [ACK] Seq=1 Ack=133 Win=2048 Len=0 TSval=465529093 TSecr=3775816729
7 0.915254311 172.31.75.91 -> 52.51.144.114 SSH 782 Encrypted response packet len=716
8 0.966146047 172.31.75.91 -> 52.46.156.29 TLSv1.2 123 Application Data
9 0.967632229 52.46.156.29 -> 172.31.75.91 TCP 54 https > 46720 [ACK] Seq=1 Ack=70 Win=24562 Len=0
10 1.051029711 52.51.144.114 -> 172.31.75.91 TCP 66 58149 > ssh [ACK] Seq=1 Ack=841 Win=2036 Len=0 TSval=465529871 TSecr=3775817509
11 1.135616456 172.31.75.91 -> 172.217.7.174 ICMP 98 Echo (ping) request id=0x37b1, seq=133/34048, ttl=64
12 1.136517344 172.217.7.174 -> 172.31.75.91 ICMP 98 Echo (ping) reply id=0x37b1, seq=133/34048, ttl=112 (request in 11)
13 1.136639811 172.31.75.91 -> 52.51.144.114 SSH 198 Encrypted response packet len=132
14 1.276002686 52.51.144.114 -> 172.31.75.91 TCP 66 58145 > ssh [ACK] Seq=1 Ack=265 Win=2048 Len=0 TSval=465530090 TSecr=3775817730
15 1.500152266 172.31.75.91 -> 52.51.144.114 SSH 958 Encrypted response packet len=892
16 1.716048976 52.51.144.114 -> 172.31.75.91 TCP 66 58149 > ssh [ACK] Seq=1 Ack=1733 Win=2034 Len=0 TSval=465530532 TSecr=3775818093
17 1.965681943 172.31.75.91 -> 52.94.228.178 TLSv1.2 107 Encrypted Alert
18 1.965732090 172.31.75.91 -> 52.94.228.178 TCP 54 44774 > https [FIN, ACK] Seq=54 Ack=1 Win=356 Len=0
19 1.967041096 52.94.228.178 -> 172.31.75.91 TCP 54 https > 44774 [ACK] Seq=1 Ack=54 Win=32700 Len=0
20 1.976555761 52.94.228.178 -> 172.31.75.91 TLSv1.2 235 Application Data

You can see the example output (20 lines). There is four important data point of the Tshark output: Source IP, Destination IP, Protocol, and Port. You can see some protocols like SSH, ICMP, or TLS, But probably TCP is will be seen commonly, because TCP is a transport layer protocol.

The protocol layer just above the Internet Layer is the Host-to-Host Transport Layer, usually shortened to Transport Layer. The two most important protocols in the Transport Layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). If you don’t know the basics about the OSI Reference Model, please inspect OSI Model. It contains seven layers that define the functions of data communications protocols.

You can view the three packets in TCP packages. The first packet sends an SYN request from the source to the destination server. The second packet is the destination server replying with an SYN, ACK flag set. Finally, the third packet is the source sending an ACK request to acknowledge receiving the second packet. This is called a TCP handshake and called “3-Way Handshake”.

Filtering

All information so far was for filtering. We generally want to apply a filter while analyzing traffic. If you are on a busy network, your output may be unreadable probably. Your screen will be like on the Matrix movies, flowing too fast and almost impossible to read. To solve this problem Tshark provides many types of filters. “Capture Filters” and “Display Filters” are the two most used.

Capture Filters

It uses “-f” option. You can use the traditional “pcap” filter to select what to capture from your interface. It means you can use a packet filter in “libpcap” “filter syntax.

# tshark -f "host 192.168.1.2 and (dst port 80 or 443)"

Below is a brief overview of the libpcap filter language’s syntax. Complete documentation can be found at the pcap-filter man page. You can find many Capture Filter examples at https://gitlab.com/wireshark/wireshark/wikis/CaptureFilters.

# tshark-i eth0 -f "tcp port 22 and not src host 192.168.1.2"

Capturing all SSH traffic, not from “192.168.1.2”

# tshark -f "tcp portrange 1024–9999"

Port range is available with newer versions of libpcap (0.9.1 and later)

# tshark -f "net 192.168.1.0/24"

Capture traffic from a range of IP addresses.

Display Filters

Display filters are set with -Y and have the Wireshark display filter syntax.
For example; To see all connections from host 192.168.1.2

# tshark -i eth0 -Y "ip.addr==192.168.1.2"

Sometimes, which source or destination is so important:

# tshark -Y "ip.src == 8.8.8.8 or ip.dst == 192.168.1.2"

What if you want trace from host 192.168.1.2 and port 80?

# tshark -i eth0 -Y "ip.addr==192.168.1.2 and tcp.port==80"

Display HTTP requests on TCP port 8080

# tshark -i eth0 -Y "tcp.port== 8080 and http.request"

Sometimes, A protocol bothers us. For example; all traffic but no SSH

# tshark -Y "not ssh"

What if you need just UDP traffic in a port range:

# tshark -i eth0 -Y "(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp"

Unwanted IP?

# tshark -i eth0 -Y "ip.src !=192.168.1.2"

Maybe more advance content search in package headers.

# tshark -i eth0 -Y "http.host contains demo"
# tshark -i eth0 -Y "http.request.uri contains demo"

If you want to look for client’s direct web access packets for local network.

# tshark -i eth0 -Y "http.request.uri contains string(ip.dst)"

If you are interested in VOIP, You are lucky. Match packets where SIP To-header contains the string “2023” anywhere in the header.

# tshark -Y "sip.To contains "2023""

Maybe you are inspecting DNS queries.

# tshark -Y "dns.qry.name contains picus"

or exact match:

# tshark -Y "dns.qry.name=="picussecurity.com""

Output:

481 42.129647007 172.31.75.91 -> 172.31.0.2 DNS 77 Standard query 0x19f0 A picussecurity.com
482 42.129659316 172.31.75.91 -> 172.31.0.2 DNS 77 Standard query 0xaa19 AAAA picussecurity.com
484 42.156963089 172.31.0.2 -> 172.31.75.91 DNS 147 Standard query response 0xaa19
485 42.176814541 172.31.0.2 -> 172.31.75.91 DNS 109 Standard query response 0x19f0 A 162.255.119.196 A 3.224.24.8

What if you wanted to dig a little deeper and examine TCP packets?

# tshark -i eth0 -Y "tcp.flags.fin==1"

Which means “check if the FIN flag is set”. It will display just TCP packages included FIN flags.

Maybe you wonder SSL connections on HTTP for a specific client IP address.

tshark -i eth0 -Y “ip.src==”192.168.1.2" and (http.request or ssl.handshake.type == 1)”

Formatting

Sometimes you need more or less information from the network packets to be displayed, also you may need to specify how and where to show this information. There a few options below.

“ -V “ option is used to dump the entire packet information on the screen. The output is divided into various sections. Use “-V” to make Tshark verbose and display details about packets, showing all the fields of all protocols in the packet.This option has no value.

# tshark -V …..

“ -O “ option is much like the -V option, however it will show details of a specific protocol.

# tshark -O dns …..

Use the -T option to output data in different formats, this can be very handy when you need a specific format to your analysis. It is usefull to populate some databases like Elasticsearch generally.

The “-T” option can get values of “ek|fields|json|jsonraw|pdml|ps|psml|tabs|text” for last version of Wireshark (3.4.X) nowadays. Do not forget old versions may have less values. For example; Version 1.4.X was getting values of “pdml|ps|psml|text|fields”.

“ek” and “json” are very convenient to import data to database. For example; “ek” Newline special delimited JSON format for bulk import into Elasticsearch.

The value “fields” is the most used certainly, escpically when you want to display spesicif data.

If you choose “fields” to the -T option, you must set the -e option at least once to tell Tshark wich field of information to display, you can use this option multiple times to display more fields.

Now we need do some exercises. Therefore, a specific data will be beneficial. Please start a ping to anywhere in an other terminal on your device.

# tshark -i eth0 -O icmp -T fields -e ip

This command will show you cleaned data. We want to view just IP data on ICMP protocol traffic.

Internet Protocol Version 4, Src: 52.51.144.114 (52.51.144.114), Dst: 172.31.75.91 (172.31.75.91)
Internet Protocol Version 4, Src: 52.51.144.114 (52.51.144.114), Dst: 172.31.75.91 (172.31.75.91)
Internet Protocol Version 4, Src: 52.51.144.114 (52.51.144.114), Dst: 172.31.75.91 (172.31.75.91)

Maybe you want to more specific and just getting source IPs.

# tshark -i eth0 -O icmp -T fields -e ip.src

52.51.144.114
52.51.144.114
172.31.75.91

Multiple data is possible like below. Display all active protocols and ports.

# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport

eth:ip:tcp 443
eth:ip:tcp:ssl 53904
eth:ip:tcp 22

Additional formatting can be done with the -E option. You can show or hide headers, add seperator, set quote character and more.

# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=,

After adding coma seperator, your output will be more formated.

eth:ip:tcp,443
eth:ip:tcp:ssl,53904
eth:ip:tcp,22

Let’s create a CSV file with one last touch. “-E” can be used multiple times to set more settings.

# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d

“eth:ip:tcp”,”443"
“eth:ip:tcp:ssl”,”53904"
“eth:ip:tcp”,”22"

Your CSV file is ready when you saved your output.

# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d > MyTshark.csv

To get a complete list of the possible fields to use with the -e flag use -G option as below.

# tshark -G fields | less

Secure Layer (SSL)

You can also analyze encrypted connections like SSL, the following example is showing the HTTP within the secure socket layer

There’s no doubt that secure sockets is so important to us and our protection. However, it is a real trouble while analyzing. On the other hand, it is your network and you have SSL certification files. You can also analyze encrypted connections like SSL, the following example is showing the HTTP within the secure socket layer.

“-o” option will use to set a preference value, overriding the default value and any value read from a preference file. Syntax is “prefname:value”.

# tshark -r encrypted.pcap -Y “tcp.port == 443” -O http \
-o “ssl.desegment_ssl_records: TRUE” \
-o “ssl.desegment_ssl_application_data: TRUE” \
-o “ssl.keys_list: 127.0.0.1,443,http,server.key” \
-o “ssl.debug_file: debug-ssl.log”

Here we are displaying packets on the TCP port 443, telling Tshark to be verbose with the HTTP protocol, do segmentation on SSL, use the private key on the PEM formatted server.key file and dump debug information on the debug-ssl.log file.

Statistics

If you may want to an analytical report, in this case use “ -z “ option followed by one of the many report types available. It is using to collect various types of statistics and display the result after finishing reading the capture file. Use the -q option if you’re reading a capture file and only want the statistics printed, not any per-packet information.

# tshark -z help

You can see all values for “-z” option by the command above.

After started a ping command, run the command below.

# tshark -z icmp,srt -q -c 100

Output:

Capturing on ‘eth0’
100 packets captured

========================================
ICMP Service Response Time (SRT) Statistics (all times in ms):
Filter: <none>

Requests Replies Lost % Loss
13 13 0 0.0%

Minimum Maximum Mean Median SDeviation Min Frame Max Frame
1.166 1.268 1.211 1.199 0.033 9 53
========================================

Tricks

I know many people tried the “grep” command with Tshark commands. However, As before I said, The output of Thsark is special formatted binary data. You can’t just open the data using an editor like Vim or read on-screen without using Tshark. So the command below will NOT run.

# tshark -f “port 22” | grep “ACK”

Nevertheless, you can use “grep” with Thsark while reading data from a file, not NIC.

# tshark -r traffic.pcap | grep “ACK”

Reminder:
The data can be saved to file by “-w” option.

# tshark -w traffic.pcap -f “port 22”

For example; we want to collect all source and destination IPs in unique and sorted and save a file.

# tshark -w /tmp/dump.cap -c 1000
# tshark -r /tmp/dump.pcap -T fields -e ip.src -e ip.dst | awk -F " " '{print $1"\n"$2"\n"}' | sort | uniq | grep -v "^$" > /tmp/myiplist.txt

Output:

172.31.0.2
172.31.75.91
43.46.156.29
52.51.154.114
52.94.233.158

Tag Line

Wireshark or Tshark has many many features and options. I want to finish right there. Because I don’t want to be boring, and just want to give a perspective about Tshark that is command-line Wireshark tool.

The latest version of Tshark 3.4 includes a number of useful new features. To install the latest version, you should use upgraded linux distros. You can find release notes in the URL below.

Wireshark · Release Notes

There is the URL below contains a summary of options for the last version of Tshark.

D.2. tshark: Terminal-based Wireshark

However, if you need a full manual page detailed, visit the URL below.

tshark - The Wireshark Network Analyzer 3.4.2

Have fun with Wireshark/Tshark. If you have any questions or challenges, feel free to write to me. We can learn together.