Using Wireshark Command-Line Tool (TShark)

# yum install wireshark
# apt-get install tshark
# tshark -v

If you are logged in as a regular, non-root user, you need sudo rights to use the TShark utility and must add the "sudo" prefix to all commands.

# sudo tshark …. 

Why TShark?

Beginning

# tshark -D
# tshark -i eth0
# tshark -i eth0 -c 50
# tshark -i eth0 -w /tmp/dump.pcap -c 100

A file with the .pcap extension is a specially formatted binary file; you can't just open it with an editor like Vim. The PCAPNG file type is primarily associated with Wireshark by Gerald Combs. PCAPNG (Packet CAPture Next Generation) is the file extension for the PCAP Next Generation dump file format.

# tshark -r /tmp/dump.pcap

Understanding the Output

The protocol layer just above the Internet Layer is the Host-to-Host Transport Layer, usually shortened to the Transport Layer. The two most important protocols in the Transport Layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). If you don't know the basics of the OSI Reference Model, please review the OSI Model. It contains seven layers that define the functions of data communications protocols.

Filtering

Capture Filters

# tshark -f "host 192.168.1.2 and (dst port 80 or 443)"
# tshark -i eth0 -f "tcp port 22 and not src host 192.168.1.2"
# tshark -f "tcp portrange 1024-9999"
# tshark -f "net 192.168.1.0/24"

Display Filters

# tshark -i eth0 -Y "ip.addr==192.168.1.2"
# tshark -Y "ip.src == 8.8.8.8 or ip.dst == 192.168.1.2"
# tshark -i eth0 -Y "ip.addr==192.168.1.2 and tcp.port==80"
# tshark -i eth0 -Y "tcp.port== 8080 and http.request"
# tshark -Y "not ssh"
# tshark -i eth0 -Y "(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp"
# tshark -i eth0 -Y "ip.src !=192.168.1.2"
# tshark -i eth0 -Y "http.host contains demo"
# tshark -i eth0 -Y "http.request.uri contains demo"
# tshark -i eth0 -Y "http.request.uri contains string(ip.dst)"
# tshark -Y 'sip.To contains "2023"'
# tshark -Y "dns.qry.name contains picus"
# tshark -Y 'dns.qry.name == "picussecurity.com"'
# tshark -i eth0 -Y "tcp.flags.fin==1"

Formatting

# tshark -V …..
# tshark -O dns …..
# tshark -i eth0 -O icmp -T fields -e ip
# tshark -i eth0 -O icmp -T fields -e ip.src
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=,
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d > MyTshark.csv
# tshark -G fields | less

Secure Layer (SSL)

# tshark -r encrypted.pcap -Y "tcp.port == 443" -O http \
-o "ssl.desegment_ssl_records: TRUE" \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list: 127.0.0.1,443,http,server.key" \
-o "ssl.debug_file: debug-ssl.log"

Note that these preference names apply to Wireshark releases before 3.0; from 3.0 on they are named tls.* (for example tls.keys_list). Decryption with the server's private key only works when the session used RSA key exchange, not an ephemeral (ECDHE/DHE) key exchange.

Statistics

# tshark -z help
# tshark -z icmp,srt -q -c 100

Tricks

# tshark -f "port 22" | grep "ACK"
# tshark -r traffic.pcap | grep "ACK"
# tshark -w traffic.pcap -f "port 22"
# tshark -w /tmp/dump.cap -c 1000
# tshark -r /tmp/dump.pcap -T fields -e ip.src -e ip.dst | awk -F " " '{print $1"\n"$2"\n"}' | sort | uniq | grep -v "^$" > /tmp/myiplist.txt
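As an added example (not from the original post), the same unique-IP extraction as the awk trick above, plus a count of packets per TCP destination port, run over a hand-constructed sample of "tshark -T fields -E separator=, -E quote=d" output so it works without a live capture; the field order (ip.src, ip.dst, tcp.dstport) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. It processes output of:
#   tshark -r dump.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
#          -E separator=, -E quote=d
# The sample below is constructed by hand to stand in for that output.
# Non-TCP packets (the UDP DNS query) leave tcp.dstport empty.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
"192.168.1.2","8.8.8.8",""
"192.168.1.2","93.184.216.34","443"
"93.184.216.34","192.168.1.2","51234"
"10.0.0.5","192.168.1.2","22"
"10.0.0.5","192.168.1.2","22"
"192.168.1.2","10.0.0.5","40022"
EOF

# Strip the double quotes that -E quote=d wraps around every field.
unquote() { tr -d '"'; }

# Unique IPs seen as source or destination: the awk trick above,
# wrapped in a function that reads a fields file. Empty values
# (e.g. ARP frames, which carry no ip.* fields) are dropped.
unique_ips() {
  unquote < "$1" | awk -F, '{ print $1; print $2 }' | grep -v '^$' | sort -u
}

# Packets per TCP destination port, most frequent first; rows with
# an empty third field are non-TCP and are skipped.
dstport_counts() {
  unquote < "$1" \
    | awk -F, '$3 != "" { n[$3]++ } END { for (p in n) print p, n[p] }' \
    | sort -k2,2nr -k1,1n
}

echo "Unique IPs:"
unique_ips "$SAMPLE"
echo "Packets per TCP destination port:"
dstport_counts "$SAMPLE"
```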

DevOps & Software & Architect & Linux Geek — http://baturorkun.com

Batur Orkun