tshark

Monitor everything on localhost

$ tshark

$ tshark -f 'udp port 53'

$ tshark -Y 'http.request.method == "GET"'

$ tshark -d tcp.port==8888,http

$ tshark -T [json|text|ps]

$ tshark -T fields -e http.request.method -e ip.src

$ tshark -w [path/to/file]

$ tshark -r [path/to/file.pcap]

tshark [options] [filter]

tshark is the command-line version of Wireshark, providing network packet capture and analysis capabilities. It can capture live traffic from network interfaces, read packets from capture files, and decode protocol data.
The tool supports both capture filters (BPF syntax, applied during capture) and display filters (Wireshark syntax, applied to output). It can output data in various formats including text, JSON, and PDML for further processing.

-i interface

Capture on specified interface

Capture filter (BPF syntax)

Display filter (Wireshark syntax)

Read packets from file

Write packets to file

Output format (text, json, pdml, ps, fields, etc.)

Field to print (with -T fields/json/pdml)

Decode as protocol (e.g., tcp.port==8080,http)

Stop after capturing count packets

Autostop condition (duration:sec, filesize:KB)

Verbose output (packet tree)

Print hex dump of packet data

Quiet mode (less output)

Requires root or appropriate capabilities for live capture. Capture and display filter syntaxes are different. Large captures can consume significant disk space and memory. Some protocol decoding requires port hints via -d option.

Part of the Wireshark project, originally called Ethereal. The command-line version has been available since the early days of the project. tshark provides the same protocol analysis engine as Wireshark but suited for scripting and headless systems.

wireshark(1), tcpdump(8), dumpcap(1)