Tshark: Command-Line Network Packet Analysis
Tshark is a powerful command-line network protocol analyzer. It allows you to capture live packet data from a network interface or read packets from a saved capture file for offline analysis. As part of the Wireshark project, Tshark provides extensive capabilities for dissecting network traffic and understanding protocol behavior.
Core Tshark Functionality
Tshark's primary function is to capture and analyze network packets. It supports a wide range of network protocols and can filter traffic based on various criteria, making it an indispensable tool for network administrators, security professionals, and developers.
Packet Capture and Saving
Learn how to initiate packet captures on specific network interfaces and save the captured data to files for later examination. This is crucial for troubleshooting network issues or investigating security incidents. Live capture on an interface requires sufficient privileges (typically root, or membership in the group that is allowed to run dumpcap).
# Basic packet capture on interface
tshark -i eth0
# Capture packets and save to a file
tshark -i eth0 -w capturefile.pcap
Real-time Analysis and Filtering
Discover how to view captured packets in real-time and apply filters to isolate specific types of network traffic, such as HTTP or TCP connections.
# Display packets captured in real-time in human-readable form
tshark -i eth0
# Capture only packets matching a BPF capture filter given with -f (e.g., HTTP traffic on TCP port 80)
tshark -i eth0 -f "tcp port 80"
Reading and Analyzing Capture Files
Tshark excels at analyzing pre-existing packet capture files (e.g., .pcap). Explore commands to read these files and extract valuable information.
# Read packets from a file
tshark -r capturefile.pcap
# Print only I/O statistics in 1-second intervals (-q suppresses the per-packet output)
tshark -q -z io,stat,1 -r capturefile.pcap
Advanced Capture and Display Options
Delve into more advanced options, including capturing a specific number of packets, setting capture durations, and displaying only selected packet fields.
# Capture packets with a specific duration (e.g., 10 seconds)
tshark -a duration:10 -i eth0
# Capture packets with a specific packet count (e.g., 100 packets)
tshark -c 100 -i eth0
# Capture packets and display only specific fields
tshark -i eth0 -T fields -e ip.src -e ip.dst
# Capture packets and display with time format in seconds since the Unix epoch
tshark -i eth0 -t e
# Decode specific port traffic as a specific protocol (e.g., decode traffic on port 9999 as HTTP)
tshark -d tcp.port==9999,http -r capturefile.pcap
# Capture packets and show absolute date and time of day for each packet (-t a alone shows only the time of day)
tshark -i eth0 -t ad
# Use a specific configuration profile when capturing or reading packets
tshark -C <profile_name> -i eth0
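As an added example that is not part of the original page, the POSIX shell functions below feed the `-T fields -e ip.src -e ip.dst` export shown above into an awk fan-out count, flagging sources that reached many distinct destinations (a quick triage check on a saved capture). The function names `pairs_from_pcap` and `fanout`, the `PCAP` and `FANOUT` variables and the default threshold are assumptions of this example.

```shell
#!/bin/sh
# Export one "src<TAB>dst" line per packet from a saved capture.
# -T fields output is tab-separated by default, which is what fanout expects.
# (Hypothetical helper written for this example.)
pairs_from_pcap() {
    tshark -r "$1" -T fields -e ip.src -e ip.dst
}

# Read "src<TAB>dst" lines on stdin and print "src ndst" for every source
# that contacted at least THRESHOLD distinct destinations, busiest first.
# Rows with an empty field (non-IP packets export as a bare tab) are skipped;
# repeated (src,dst) pairs are counted once.
fanout() {
    threshold="${1:-20}"   # assumed default; tune for the network under review
    awk -F '\t' -v t="$threshold" '
        $1 != "" && $2 != "" && !seen[$1 SUBSEP $2]++ { ndst[$1]++ }
        END { for (s in ndst) if (ndst[s] >= t) print s, ndst[s] }
    ' | sort -k2,2nr
}

# Stand-alone use: PCAP=capturefile.pcap FANOUT=20 sh fanout.sh
if [ -n "${PCAP:-}" ]; then
    pairs_from_pcap "$PCAP" | fanout "${FANOUT:-20}"
fi
```

Redirect `pairs_from_pcap` into a file once and rerun `fanout` with different thresholds rather than re-dissecting the capture each time.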