How to use the command 'tshark' (with examples)
- Linux
- December 25, 2023
Tshark is a packet analysis tool and the command line version of Wireshark. It allows users to capture and dissect network packets, making it a valuable tool for network troubleshooting, protocol analysis, and security auditing. In this article, we will explore several use cases of the ’tshark’ command with detailed explanations and examples.
Use case 1: Monitor everything on localhost
Code:
tshark
Motivation: Monitoring network traffic on localhost can help diagnose and troubleshoot various network-related issues. By capturing all packets on localhost, we can gain insights into the communication happening between different processes and services running on our local machine.
Explanation: Running the ’tshark’ command without any filters or options captures all packets on the default interface (usually the first available interface). It monitors all incoming and outgoing traffic on the local machine.
Example output:
Capturing on 'eth0'
...
Use case 2: Only capture packets matching a specific capture filter
Code:
tshark -f 'udp port 53'
Motivation: In certain situations, we might only be interested in capturing packets that match specific criteria. By using a capture filter, we can focus our analysis on packets that meet these criteria. For example, capturing only UDP packets on port 53 (DNS) can help us analyze network-related issues related to DNS queries and responses.
Explanation: The ‘-f’ flag is used to specify a capture filter. In this example, we are filtering packets based on the UDP protocol and port 53. Only packets that match this filter will be captured and displayed.
Example output:
Capturing on 'eth0'
1 0.000000 192.168.1.100 → 8.8.8.8 DNS Standard query A www.example.com
2 0.001234 8.8.8.8 → 192.168.1.100 DNS Standard query response CNAME example.com
...
Use case 3: Only show packets matching a specific output filter
Code:
tshark -Y 'http.request.method == "GET"'
Motivation: When analyzing network traffic, we often want to focus on specific protocols or patterns. By using an output filter, we can selectively display packets that match certain criteria. For instance, filtering for HTTP GET requests allows us to inspect the details of these HTTP transactions.
Explanation: The ‘-Y’ flag is used to specify an output filter. In this example, we are filtering for packets with an HTTP request method equal to “GET”. Only packets that match this filter will be displayed.
Example output:
1 0.000000 192.168.1.100 → 172.217.168.228 HTTP 164 GET / HTTP/1.1
2 0.023874 172.217.168.228 → 192.168.1.100 HTTP 539 HTTP/1.1 200 OK
...
Use case 4: Decode a TCP port using a specific protocol (e.g., HTTP)
Code:
tshark -d tcp.port==8888,http
Motivation: Tshark provides the ability to decode the payload of packets to understand the underlying protocols. By decoding a specific port using a known protocol, we can analyze the contents of the packets exchanged on that port. For example, decoding port 8888 using the HTTP protocol allows us to inspect HTTP traffic on that port.
Explanation: The ‘-d’ flag is used to decode a port using a specific protocol. In this example, we are decoding port 8888 using the HTTP protocol. Tshark will interpret the payload of packets on this port as HTTP traffic and display the relevant information.
Example output:
Frame 1: 151 bytes on wire (1208 bits), 151 bytes captured (1208 bits)
Ethernet II, Src: 0c:29:1a:54:8b:80 (0c:29:1a:54:8b:80), Dst: 0c:29:1a:54:99:f8 (0c:29:1a:54:99:f8)
Internet Protocol Version 4, Src: 192.168.1.100, Dst: 192.168.1.101
Transmission Control Protocol, Src Port: 8888, Dst Port: 48984
Hypertext Transfer Protocol
GET /index.html HTTP/1.1
Host: example.com
...
Use case 5: Specify the format of captured output
Code:
tshark -T json|text|ps|...
Motivation: Tshark offers various output formats to suit different needs. By specifying the output format, we can choose the desired format for captured packets. For example, using JSON output can facilitate further processing and analysis of packets using other tools or scripts.
Explanation: The ‘-T’ flag is used to specify the format of the captured output. Supported formats include JSON, text, PostScript, etc. In this example, we can replace ‘json|text|ps|…’ with the preferred format.
Example output:
{
"_index": "packets",
"_type": "_doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.interface_id": "4",
"frame.interface_id_tree": {
"frame.interface_name": "eth0"
},
...
}
}
},
...
}
Use case 6: Select specific fields to output
Code:
tshark -T fields|ek|json|pdml -e http.request.method -e ip.src
Motivation: When analyzing network packets, we are often interested in specific fields or information within those packets. By selecting specific fields to output, we can focus on the information that is most relevant to our analysis. For example, extracting the HTTP request method and source IP address allows us to gain insights into the origin and type of HTTP traffic.
Explanation: The ‘-e’ flag is used to specify the fields to output. Each field is specified in the format ‘protocol.fieldname’. In this example, we are selecting the ‘http.request.method’ and ‘ip.src’ fields. Tshark will only display these two fields for each packet.
Example output:
GET
192.168.1.100
...
Use case 7: Write captured packet to a file
Code:
tshark -w path/to/file
Motivation: Capturing packets and storing them in a file allows us to analyze the network traffic at a later time or share it with others for further analysis. By writing the captured packets to a file, we can examine the contents, filter them, or process them using other tools.
Explanation: The ‘-w’ flag is used to specify the path and name of the file to write the captured packets to. In this example, replace ‘path/to/file’ with the desired file location.
Use case 8: Analyze packets from a file
Code:
tshark -r path/to/file.pcap
Motivation: In certain scenarios, we may want to analyze packets that have been previously captured and stored in a file. By reading packets from a file, we can replay the captured traffic, apply filters, and gain insights into the communication that occurred during the capture.
Explanation: The ‘-r’ flag is used to specify the path and name of the file to read packets from. In this example, replace ‘path/to/file.pcap’ with the actual file location.
Conclusion: The ’tshark’ command provides a powerful set of features for network packet analysis. With its ability to capture, filter, and analyze network traffic, it is an essential tool for network administrators, security professionals, and developers. By mastering the various use cases of the ’tshark’ command, users can gain valuable insights into network behavior and identify and address various network-related issues.