Using Wireshark Command-Line Tool (TShark)

# yum install wireshark
# apt-get install tshark
# tshark -v

If you are logged in as a regular, non-root user, you need sudo rights to use the TShark utility and must prefix every command with "sudo".

# sudo tshark …. 

Why TShark?


# tshark -D
# tshark -i eth0
# tshark -i eth0 -c 50
# tshark -i eth0 -w /tmp/dump.pcap -c 100

A file with the .pcap extension is a specially formatted binary file; you can’t just open it in an editor like Vim. The PCAPNG file type is primarily associated with Wireshark by Gerald Combs. PCAPNG (Packet CAPture Next Generation) is the file extension for the PCAP Next Generation dump file format.

# tshark -r /tmp/dump.pcap

Understanding the Output

The protocol layer just above the Internet Layer is the Host-to-Host Transport Layer, usually shortened to the Transport Layer. The two most important protocols in the Transport Layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). If you don’t know the basics of the OSI Reference Model, please review the OSI Model: it contains seven layers that define the functions of data communications protocols.


Capture Filters

# tshark -f "host and (dst port 80 or 443)"
# tshark -i eth0 -f "tcp port 22 and not src host"
# tshark -f "tcp portrange 1024-9999"
# tshark -f "net"

Display Filters

# tshark -i eth0 -Y "ip.addr=="
# tshark -Y "ip.src == or ip.dst =="
# tshark -i eth0 -Y "ip.addr== and tcp.port==80"
# tshark -i eth0 -Y "tcp.port== 8080 and http.request"
# tshark -Y "not ssh"
# tshark -i eth0 -Y "(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp"
# tshark -i eth0 -Y "ip.src !="
# tshark -i eth0 -Y " contains demo"
# tshark -i eth0 -Y "http.request.uri contains demo"
# tshark -i eth0 -Y "http.request.uri contains string(ip.dst)"
# tshark -Y 'sip.To contains "2023"'
# tshark -Y " contains picus"
# tshark -Y """"
# tshark -i eth0 -Y "tcp.flags.fin==1"


# tshark -V …..
# tshark -O dns …..
# tshark -i eth0 -O icmp -T fields -e ip
# tshark -i eth0 -O icmp -T fields -e ip.src
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=,
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d
# tshark -i eth0 -T fields -e frame.protocols -e tcp.dstport -E separator=, -E quote=d > MyTshark.csv
# tshark -G fields | less

Secure Sockets Layer (SSL)

# tshark -r encrypted.pcap -Y "tcp.port == 443" -O http \
-o "ssl.desegment_ssl_records: TRUE" \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list:,443,http,server.key" \
-o "ssl.debug_file: debug-ssl.log"


# tshark -z help
# tshark -z icmp,srt -q -c 100


# tshark -f "port 22" | grep "ACK"
# tshark -r traffic.pcap | grep "ACK"
# tshark -w traffic.pcap -f "port 22"
# tshark -w /tmp/dump.cap -c 1000
# tshark -r /tmp/dump.pcap -T fields -e ip.src -e ip.dst | awk -F " " '{print $1"\n"$2"\n"}' | sort | uniq | grep -v "^$" > /tmp/myiplist.txt
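The -T fields / -E separator=, / -E quote=d output shown above and the IP-list pipeline in the last command are easiest to reuse when wrapped in small shell functions. The following is an added example, not code from the original article: it post-processes a constructed stand-in for the CSV that `tshark -r dump.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=, -E quote=d` would emit, handling the quoted fields and the empty tcp.dstport that non-TCP packets leave behind.

```shell
#!/bin/sh
# Added example (not from the original article). Summarises tshark
# "-T fields -E separator=, -E quote=d" CSV output offline: the SAMPLE below
# is a constructed stand-in for tshark's output, not a real capture.

# Remove the double quotes added by -E quote=d and drop rows whose
# tcp.dstport column is empty (UDP/ICMP packets have no TCP layer, so
# tshark prints an empty field for them).
tcp_rows() {
    tr -d '"' | awk -F, 'NF >= 3 && $3 != ""'
}

# Count unique (ip.src, ip.dst, tcp.dstport) triples, most frequent first.
# Output lines look like: "<count> <src> <dst> <port>".
top_flows() {
    tcp_rows | awk -F, '{print $1, $2, $3}' | sort | uniq -c | sort -rn \
        | awk '{$1=$1; print}'
}

# Unique IPv4 addresses seen in either column: the article's sort|uniq
# idea, reading the CSV directly and skipping blank cells.
unique_ips() {
    tr -d '"' | awk -F, '{print $1; print $2}' | grep -v '^$' | sort -u
}

# Constructed sample (TEST-NET-3 and RFC 1918 addresses): two identical
# HTTPS connections, one more HTTPS client, one SSH session, one UDP packet.
SAMPLE='"10.0.0.5","203.0.113.10","443"
"10.0.0.5","203.0.113.10","443"
"10.0.0.7","203.0.113.10","443"
"10.0.0.5","10.0.0.1","22"
"10.0.0.9","10.0.0.1",""'

printf '%s\n' "$SAMPLE" | top_flows
printf '%s\n' "$SAMPLE" | unique_ips
```

To run it on a real capture, replace the printf lines with the tshark command from the lead-in piped into top_flows or unique_ips.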

Batur Orkun