Tshark

How to use the Tshark command for packet capture and analysis, with examples.

Tshark is the command-line packet capture and analysis program that ships with Wireshark; it runs on Windows and Linux (and other Unix-like systems). Wireshark is the GUI counterpart for analysing the same captures. Tshark reads packets from a network interface and either prints a one-line summary of each on screen or, with the -w option, saves the raw packets to a capture file for later analysis. Tshark is not part of a stock Linux install: it comes from the distribution's wireshark or tshark package. On Windows it is installed together with Wireshark by the Wireshark installer.

On Windows the installation directory is C:\Program Files\Wireshark. On Linux the binary is typically /usr/sbin/tshark or /usr/bin/tshark depending on the distribution, and that directory is on the PATH, so the quickest way to find it is:

# which tshark
/usr/sbin/tshark

The following are worked Tshark examples.

Capturing is done on a specific interface or on all interfaces. To list the interfaces available for capturing:

#tshark -D
1. virbr0
2. nflog (Linux netfilter log (NFLOG) interface)
3. nfqueue (Linux netfilter queue (NFQUEUE) interface)
4. usbmon1 (USB bus number 1)
5. eth12
6. eth13
7. any (Pseudo-device that captures on all interfaces)
8. lo

With the interface list in hand, the next decision is where to capture. A capture exists to analyse a message flow, most often to verify that a protocol behaves as expected, and the analysis that follows is only as fast and easy as the capture is precise. So first choose the interface where the relevant packets actually pass, and then capture no more than you need.

To capture on one interface, give either its number from the list above or its name. Here we use the name.

#tshark -i eth12

For capturing on multiple interfaces.

#tshark -i eth12 -i eth13

For capturing on all interfaces.

#tshark -i any
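The three commands above print every packet to the terminal until interrupted. For a capture you intend to analyse later you normally want to write to a file, bound the capture, and filter at capture time, and to do it without running Tshark as root. The script below is an added example, not from the original page or from the Wireshark project; the interface eth12, the file name ssh.pcapng and the filter tcp port 22 are illustrative placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or the Wireshark project).
# Wraps tshark in a bounded, filtered capture to a file. Interface "eth12",
# output "ssh.pcapng" and the BPF filter "tcp port 22" are placeholders.

# tshark warns when it runs as root because its dissectors parse untrusted
# packet data. Only the capture helper, dumpcap, needs privileges; on Linux
# give it capabilities (setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap),
# restrict who may execute it, and run tshark itself as an ordinary user.
refuse_root() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "refusing to run tshark as root; give dumpcap capabilities instead" >&2
    return 1
  fi
}

# run_capture IFACE OUTFILE [BPF] [MAX_PACKETS] [MAX_SECONDS]
#   -n  no name resolution: lookups would add DNS traffic to the very capture
#       you are taking
#   -f  capture filter in BPF syntax, applied in the kernel, so unwanted
#       traffic is never copied to user space (display filters, -Y, run later
#       on what was captured and use a different syntax)
#   -c / -a duration: stop after N packets or N seconds, never an open-ended run
#   -w  write raw packets (pcapng by default; add -F pcap if a consumer
#       needs the legacy format)
# With DRY_RUN set, or when tshark is not installed, the argument list is
# printed one per line instead of being executed.
run_capture() {
  iface=$1; out=$2; bpf=${3:-"tcp port 22"}; count=${4:-1000}; secs=${5:-60}
  set -- -n -i "$iface" -f "$bpf" -c "$count" -a "duration:$secs" -w "$out"
  if [ -n "$DRY_RUN" ] || ! command -v tshark >/dev/null 2>&1; then
    printf '%s\n' tshark "$@"
    return 0
  fi
  refuse_root && tshark "$@"
}

# Usage (uncomment to run): capture 500 packets or 30 seconds of SSH on eth12
# run_capture eth12 ssh.pcapng 'tcp port 22' 500 30
```

The resulting ssh.pcapng is then read back with -r exactly as the pcap examples below show; because the file contains only the filtered, bounded traffic, the display filters at analysis time have far less to wade through.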

Reading a pcap capture:

A capture file is what Tshark writes when it is run with -w: pcapng by default, or the older .pcap format, and Tshark reads both. Wireshark opens the same file and shows every packet fully dissected, field by field, and lets you stack display filters to narrow the view. Tshark provides the same reading and filtering from the console. Suppose there is a captured file, example.pcap.

To read a file, use the -r option. Without a filter, every packet is displayed, one summary line each: frame number, time since the first frame, source, destination, protocol, frame length and info.

#tshark -r example.pcap

 1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
5 1.001294556 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
9 2.002598633 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e

Listing packets where a specific IPv4 address is either the source or the destination. The expression is a display (read) filter, not a capture filter: when reading a file, Tshark treats trailing non-option arguments as a read filter, which is why this works, but the explicit form, -Y 'ip.addr == 192.168.1.4', is clearer and is what you want in scripts (ip.addr is the usual field; ip.host matches the same packets). Compare with the full listing: the ARP and DHCPv6 frames are gone, because they carry no IPv4 header and so no ip.* field can match them. The line about running as root is Tshark's own warning: its dissectors parse untrusted packet data, so run Tshark as an ordinary user and reserve privileges for the capture helper, dumpcap.

# tshark -r example.pcap ip.host=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0

Packets with a specific IPv4 source address. Here that is the SSH client side of the session, which in this excerpt sends nothing but acknowledgements (Len=0):

# tshark -r example.pcap ip.src=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0
17 3.460140798 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=321 Win=16277 Len=0
29 3.995859046 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=385 Win=16261 Len=0
41 4.602727936 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=449 Win=16245 Len=0

Packets with a specific IPv4 destination address, here the encrypted SSH responses flowing back to the client. When you build on these filters, note that negation has a trap: to exclude a host write !(ip.addr == 192.168.1.4), not ip.addr != 192.168.1.4, because a packet has two addresses and != is true whenever either of them differs, which is almost every packet.

# tshark -r example.pcap ip.dst=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
16 3.255651199 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
19 3.777443706 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
39 4.349803703 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
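Each of the three filters above answers one question; the next question is usually who talks to whom, and how much. The script below is an added example, not from the original page or from the Wireshark project: it post-processes Tshark's default one-line summaries with awk, reproducing the ip.src, ip.dst, ip.addr and negated-host selections and then aggregating by conversation. The sample lines are constructed from the listing above so the script runs offline; against a real file, pipe tshark -r example.pcap into the same functions (or, more robustly, ask Tshark for machine-readable columns with -T fields -e ip.src -e ip.dst, since the summary layout is meant for humans).

```shell
#!/bin/sh
# Added example (not from the original page or the Wireshark project).
# Post-processes tshark's default one-line summaries, whose columns are
#   No. Time Src -> Dst Proto Len Info
# so $3 is the source, $4 the literal "->", $5 the destination, $6 the protocol.
# SAMPLE is constructed from the listing above; for a real capture use
#   tshark -r example.pcap | conversations

SAMPLE='1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
5 1.001294556 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
9 2.002598633 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e'

sample() { printf '%s\n' "$SAMPLE"; }

# awk helper shared by the filters: true when s is a dotted IPv4 address.
# ip.src/ip.dst/ip.addr exist only for IPv4 packets, which is why ARP and
# DHCPv6 frames drop out of the filtered listings above.
IP4FN='function ip4(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
'

# Equivalent of -Y "ip.src == $1": summaries whose IPv4 source is $1.
ip_src()  { awk -v h="$1" "$IP4FN"'$4 == "->" && ip4($3) && $3 == h'; }

# Equivalent of -Y "ip.dst == $1".
ip_dst()  { awk -v h="$1" "$IP4FN"'$4 == "->" && ip4($5) && $5 == h'; }

# Equivalent of -Y "ip.addr == $1": $1 on either side.
ip_addr() { awk -v h="$1" "$IP4FN"'$4 == "->" && ((ip4($3) && $3 == h) || (ip4($5) && $5 == h))'; }

# Equivalent of -Y "!(ip.addr == $1)": everything not involving $1.
# Note that "ip.addr != $1" in tshark would NOT do this: it is true whenever
# either address differs, so it keeps nearly every packet.
not_host() { awk -v h="$1" "$IP4FN"'!($4 == "->" && ((ip4($3) && $3 == h) || (ip4($5) && $5 == h)))'; }

# Packets per unidirectional src -> dst pair and protocol, most frequent first.
conversations() {
  awk '$4 == "->" { n[$3 " -> " $5 " " $6]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Line count without the padding BSD wc adds.
count() { wc -l | tr -d ' '; }

# Usage (uncomment to run): sample | ip_addr 192.168.1.4
#                           sample | conversations
```

On the constructed sample, ip_src and ip_dst for 192.168.1.4 each return three frames and ip_addr returns six, matching the filtered listings above, while not_host returns the four ARP and DHCPv6 frames that no ip.* filter can touch.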
