tshark
Analyze network traffic
TLDR
- Monitor everything on localhost
- Only capture packets matching a specific capture filter
- Only show packets matching a specific output filter
- Decode a TCP port using a specific protocol (e.g. HTTP)
- Specify the format of captured output
- Select specific fields to output
- Write captured packets to a file
- Analyze packets from a file
SYNOPSIS
tshark [options] [capture-filter] [display-filter]
tshark -i <interface>
tshark -r <infile>
PARAMETERS
-i <interface>
Specifies the network interface to capture live packets from (e.g., eth0, wlan0).
-r <infile>
Reads packets from the specified capture file (e.g., .pcap, .pcapng).
-w <outfile>
Writes the captured raw packet data to the specified output file.
-Y <display filter>
Applies a display filter to packets after they are captured or read, controlling which packets are shown (e.g., tcp.port == 80).
-f <capture filter>
Applies a capture filter (BPF syntax) to limit which packets are captured at the interface (e.g., 'port 22').
-c <packet count>
Stops capturing or reading after the given number of packets has been processed.
-s <snaplen>
Sets the snapshot length (bytes to capture per packet); packets longer than snaplen are truncated.
-T <output format>
Sets the output format. Common options include text for human-readable output or json for machine-readable data.
-V
Adds verbose packet details, showing the full dissection tree for each packet.
-q
Enables quiet mode, suppressing the per-packet output of dissections. Useful when only statistics or writes to a file are needed.
-z <statistics>
Collects and displays various statistics, such as io,phs for protocol hierarchy statistics.
DESCRIPTION
tshark is the powerful command-line version of the popular network protocol analyzer, Wireshark. It allows users to capture live network traffic from an interface, or read and analyze packets from a previously saved capture file (e.g., .pcap, .pcapng). tshark supports a vast array of network protocols for dissection and analysis.
It's an invaluable tool for network troubleshooting, security analysis, protocol development, and education. Users can apply sophisticated capture filters to limit the data captured, and display filters to narrow down the packets shown for analysis. Its command-line nature makes it ideal for scripting, automation, and remote server analysis where a graphical interface is not available. tshark can output dissection results in various formats, including plain text, XML, JSON, and PostScript, providing flexibility for integration with other tools.
CAVEATS
Live packet capturing with tshark often requires elevated privileges (e.g., root or sudo) to access network interfaces. Capturing large volumes of traffic can quickly consume disk space. Understanding Wireshark's display filter syntax and BPF capture filter syntax is crucial for effective use. Resource usage can be high, particularly with complex dissections or high-bandwidth interfaces.
CAPTURE FILTERS VS. DISPLAY FILTERS
It's important to distinguish between capture filters (specified with -f) and display filters (specified with -Y).
Capture filters are applied at the very beginning of the capture process by the packet capture library (e.g., libpcap). They reduce the amount of data saved to disk or processed, enhancing efficiency but irreversibly discarding unmatched packets.
Display filters are applied after packets have been captured or read from a file. They only control which packets are shown or processed for analysis, without discarding the underlying raw data. This allows for flexible post-capture analysis of the full dataset.
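The following script is an added example (not code from the tshark page or the Wireshark project) that walks through the TLDR workflows above and makes the capture-filter/display-filter distinction concrete: a live capture that keeps only port-80 traffic on disk, then a read-back of that file with a display filter and -T fields. The interface name, file names and the chosen field list are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumed names: eth0, http.pcapng, field list.
set -eu

# Step 1: live capture with a CAPTURE filter (-f, BPF syntax). Only TCP port 80 traffic
# is ever written; everything else is dropped at the interface and cannot be recovered
# later. Needs capture privileges (root/sudo or a capture group), see CAVEATS.
capture_http() {
  iface=$1; outfile=$2; count=${3:-100}
  tshark -i "$iface" -f 'tcp port 80' -c "$count" -w "$outfile"
}

# Step 2: read the file back with a DISPLAY filter (-Y). The raw packets stay in the
# file; -Y only selects which ones are printed, and -T fields with -e picks the
# columns (tab separated by default).
http_requests() {
  tshark -r "$1" -Y 'http.request' -T fields \
    -e frame.number -e ip.src -e http.host -e http.request.method -e http.request.uri
}

# Step 3: summary only. -q suppresses the per-packet lines, -z io,phs prints the
# protocol hierarchy so you can see at a glance what the capture contains.
proto_hierarchy() {
  tshark -r "$1" -q -z io,phs
}

# Distinct Host headers seen in the file, one per line. The Host value is attacker
# controlled input from the wire, so it is treated as plain data and never eval'd.
contacted_hosts() {
  http_requests "$1" | cut -f 3 | sort -u
}

# Typical use (commented out so the functions can be sourced):
#   capture_http eth0 http.pcapng 200      # as root
#   contacted_hosts http.pcapng
#   proto_hierarchy http.pcapng
```

The test below builds a one-packet capture with text2pcap (a constructed HTTP GET to example.com) instead of capturing live, so it needs no privileges.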
HISTORY
tshark is an integral part of the Wireshark suite of tools. Wireshark, originally named Ethereal, was created by Gerald Combs in 1998. It was renamed to Wireshark in 2006 due to trademark issues. tshark provides the same powerful dissection engine as its graphical counterpart but in a command-line interface, making it highly versatile for remote analysis, scripting, and integration into automated workflows.