tshark
Analyze network traffic
TLDR
Monitor everything on localhost
Only capture packets matching a specific capture filter
Only show packets matching a specific output filter
Decode a TCP port using a specific protocol (e.g. HTTP)
Specify the format of captured output
Select specific fields to output
Write captured packet to a file
Analyze packets from a file
SYNOPSIS
tshark [options] [capture_filter] [read_filter]
PARAMETERS
-i
Specifies the interface to capture traffic from. Example: -i eth0
-r
Reads packet data from a capture file. Example: -r capture.pcap
-w
Writes raw packet data to a capture file. Example: -w output.pcap
-F
Specifies the format of the capture file to write. Common options include pcap, pcapng.
-T
Sets the format of the output. Text is the default.
-q
Suppresses output.
-c
Sets the maximum number of packets to capture.
-f
Sets the capture filter (BPF syntax) to filter packets during capture.
-Y
Sets the display filter (Wireshark syntax) to filter packets during analysis.
-n
Disables network name resolution (DNS, etc.).
-N
Enables specific name resolution flags.
-d
Specifies how certain traffic should be decoded.
-e
Extracts specified field(s). Useful for creating custom output. Example: -e frame.number -e ip.src -e ip.dst
-E
Changes the separator placed between the fields selected with -e. Example: -E separator=,
-x
Prints the packet data in hex and ASCII.
-v
Verbose output.
-h
Displays the help message.
DESCRIPTION
Tshark is a powerful command-line network protocol analyzer, essentially the command-line version of Wireshark. It captures and analyzes network traffic from live interfaces and from capture files (such as .pcap and .pcapng), which makes it a core tool for network troubleshooting, security analysis, and protocol debugging. It supports a vast array of protocols and provides detailed dissection of each. Traffic can be filtered on many criteria so you can focus on specific packets or connections, and output can be formatted in multiple ways, including text, XML, or CSV-style field lists, for easy integration with other tools and scripts. Because it is a command-line tool, Tshark is ideal for automated analysis and for servers where a graphical interface is unavailable or unwanted. It is built on the same libraries as Wireshark, so it inherits Wireshark's decoding of a vast library of standard network protocols.
CAVEATS
Capture filters applied with '-f' during live capture perform better than display filters applied later with '-Y'. Capturing without any filter can generate massive amounts of data very quickly, so ensure you have adequate storage and processing capacity. Capturing on network interfaces requires appropriate permissions (often root); options such as -i therefore usually require superuser privileges. Note that some protocol dissectors are not enabled by default.
DISPLAY FILTERS VS. CAPTURE FILTERS
Capture filters (using the `-f` option) are applied *during* the capture process. They are written in BPF syntax and are highly efficient for reducing the amount of data captured. Display filters (using the `-Y` option) are applied *after* the capture, allowing you to selectively view packets based on more complex criteria (using Wireshark's display filter syntax). Use capture filters when possible to reduce resource usage, but display filters offer more flexibility.
OUTPUT FORMATS
Tshark supports various output formats. Text (-T text) is human-readable, while XML (-T pdml) and JSON (-T json) are better suited for parsing and integration with other tools. The choice of format depends on the use case. For automation and scripting, JSON or XML are often preferred.
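As an added example (not part of the original page or of the Wireshark project), the following Python script shows how a practitioner typically consumes tshark's field-list output in an automated pipeline: it builds the command line from the parameters above (-r, -n, -Y, -T fields, -e, -E), runs it, parses the CSV-style result, and summarizes bytes per source/destination pair. The sample text is constructed to look like tshark's output with these options; the pcap path, display filter and helper function names are illustrative assumptions.

```python
"""Consume tshark '-T fields' output and summarize IP conversations."""
import csv
import io
import subprocess
from collections import Counter

# Fields requested with -e; output columns appear in exactly this order.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "ip.proto", "frame.len"]


def tshark_fields_cmd(pcap_path, display_filter=None):
    """Build the tshark command line that prints one CSV row per packet.

    -n disables name resolution (faster, and no DNS traffic of our own).
    -E header=y emits a header row, -E separator=, and -E quote=d make the
    rows parseable by the csv module, and -E occurrence=f keeps only the
    first occurrence of a field, so packets carrying a second IP header
    (ICMP errors, tunnels) do not produce comma-joined values that would
    collide with the separator.
    """
    cmd = ["tshark", "-n", "-r", pcap_path, "-T", "fields"]
    if display_filter:
        cmd += ["-Y", display_filter]
    for field in FIELDS:
        cmd += ["-e", field]
    cmd += ["-E", "header=y", "-E", "separator=,",
            "-E", "quote=d", "-E", "occurrence=f"]
    return cmd


def run_tshark_fields(pcap_path, display_filter=None):
    """Run tshark (must be installed) and return its stdout as text."""
    result = subprocess.run(tshark_fields_cmd(pcap_path, display_filter),
                            check=True, capture_output=True, text=True)
    return result.stdout


def summarize(csv_text):
    """Return (bytes per (src, dst) pair, packets per source) from the CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    bytes_per_pair = Counter()
    pkts_per_src = Counter()
    for row in reader:
        src, dst = row["ip.src"], row["ip.dst"]
        if not src or not dst:
            continue  # non-IP frames (e.g. ARP) leave the ip.* columns empty
        bytes_per_pair[(src, dst)] += int(row["frame.len"])
        pkts_per_src[src] += 1
    return bytes_per_pair, pkts_per_src


def top_talkers(bytes_per_pair, n=3):
    """Largest conversations by byte count, most active first."""
    return bytes_per_pair.most_common(n)


# Constructed sample resembling what tshark prints with the options above.
SAMPLE = '''"frame.time_epoch","ip.src","ip.dst","ip.proto","frame.len"
"1700000000.100","10.0.0.5","93.184.216.34","6","74"
"1700000000.120","93.184.216.34","10.0.0.5","6","74"
"1700000000.130","10.0.0.5","93.184.216.34","6","1514"
"1700000000.140","","","","60"
"1700000000.150","10.0.0.7","10.0.0.1","17","86"
'''

if __name__ == "__main__":
    # Replace SAMPLE with run_tshark_fields("capture.pcap", "ip") on a real file.
    pairs, sources = summarize(SAMPLE)
    for (src, dst), nbytes in top_talkers(pairs):
        print(f"{src} -> {dst}: {nbytes} bytes")
    print("packets per source:", dict(sources))
```

The same summarize() function works unchanged on live output if you swap -r for -i and add -c or a capture filter with -f; the only part that changes is the command line, which is why it is built in one place.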
HISTORY
Tshark evolved from Wireshark (formerly Ethereal) as the command-line component. Development has paralleled Wireshark's, inheriting its extensive protocol support and analysis capabilities. It's been a widely used tool for network professionals since the early 2000s, becoming a staple for automated network analysis and security auditing.