How to use the Tshark command for capture? Learn with examples.


Tshark is a command-line packet capture tool available on Windows and Linux. Wireshark is another packet-capturing tool, with a GUI for analyzing network captures. With Tshark, we can capture packets on a computer network and display the capture on-screen or save it to a file.

By default, Tshark is available on Linux operating systems only. On Windows, we need to install Wireshark. During the installation of Wireshark, this tool is also installed.

The installation location on Windows is C:\Program Files\Wireshark, and on Linux it is /usr/sbin/tshark. On Linux the directory where Tshark is installed is already on the PATH, so its location can be checked with the following command.

# which tshark
/usr/sbin/tshark

The following are Tshark examples.

Capturing is done on specific interfaces or on all interfaces. To list the interfaces available for capturing:

# tshark -D
1. virbr0
2. nflog (Linux netfilter log (NFLOG) interface)
3. nfqueue (Linux netfilter queue (NFQUEUE) interface)
4. usbmon1 (USB bus number 1)
5. eth12
6. eth13
7. any (Pseudo-device that captures on all interfaces)
8. lo

Now we have a list of network interfaces on which to capture network traffic. A capture is taken to analyze a network message flow, mainly when protocol behavior needs to be verified.

The next step is to analyze the captured file. The more accurate the capture, the easier and faster the analysis will be. The first step is to select the interfaces where the relevant packets are available.

You can give either the numeric value or the name for capturing on an interface. Here we are using the name.

# tshark -i eth12

For capturing on multiple interfaces:

# tshark -i eth12 -i eth13

For capturing on all network interfaces:

# tshark -i any

Reading a pcap capture:

A .pcap file is the output file written when capturing with the Tshark command. Wireshark is a GUI-based tool: it reads the .pcap file and shows every packet in text and value form, and it can apply multiple filters. The command-line tool provides console-based functionality for analyzing a captured file. Suppose there is a captured file example.pcap.

Reading a file uses the -r option of Tshark, which displays all packets.

#tshark -r example.pcap

1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
5 1.001294556 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
9 2.002598633 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e

Reading packets with a specific host IP address (as source or destination).

# tshark -r example.pcap ip.host=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0

List of packets with a particular source IP address. 

# tshark -r example.pcap ip.src=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0
17 3.460140798 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=321 Win=16277 Len=0
29 3.995859046 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=385 Win=16261 Len=0
41 4.602727936 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=449 Win=16245 Len=0

List of packets with a specific destination IP address.

# tshark -r example.pcap ip.dst=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
16 3.255651199 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
19 3.777443706 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
39 4.349803703 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
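The three filtered reads above (ip.host, ip.src, ip.dst), as an added example that is not code from the page or from the Wireshark project: it parses the default one-line summaries tshark printed for example.pcap (constructed here from the ten frames listed earlier, plus the root warning) and applies the same three selections, which makes visible that the host filter matches either direction while src and dst match one side only. The pcap filename is a placeholder, and tshark_command builds the equivalent invocation with the explicit -Y display-filter option.

```python
import re

# Constructed sample: the ten one-line summaries that "tshark -r example.pcap"
# printed above, plus the warning tshark emits when run as root (not a packet).
SAMPLE = """\
Running as user "root" and group "root". This could be dangerous.
 1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
5 1.001294556 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
9 2.002598633 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e
"""

# Default summary layout: frame  time  src -> dst  protocol  length  info
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Display-filter field per mode; ip.addr is the usual either-direction match
# (the page's ip.host compares the resolved host string and gives the same rows here).
FIELDS = {"src": "ip.src", "dst": "ip.dst", "host": "ip.addr"}

def parse_summary(text):
    # Turn tshark's one-line output into dicts; non-packet lines (the root
    # warning, which tshark prints because dissectors parse untrusted input) are skipped.
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, ts, src, dst, proto, length, info = m.groups()
        frames.append({"frame": int(num), "time": float(ts), "src": src, "dst": dst,
                       "proto": proto, "len": int(length), "info": info})
    return frames

def matching_frames(frames, mode, addr):
    # The page's three filters: ip.src, ip.dst, and ip.host (either direction).
    tests = {"src": lambda f: f["src"] == addr,
             "dst": lambda f: f["dst"] == addr,
             "host": lambda f: addr in (f["src"], f["dst"])}
    return [f["frame"] for f in frames if tests[mode](f)]

def tshark_command(pcap, mode, addr):
    # Equivalent invocation with the explicit -Y display-filter option.
    return ["tshark", "-r", pcap, "-Y", f"{FIELDS[mode]} == {addr}"]

if __name__ == "__main__":
    for mode in ("host", "src", "dst"):
        print(mode, matching_frames(parse_summary(SAMPLE), mode, "192.168.1.4"))
```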