tshark

Monitor everything on localhost

$ tshark

$ tshark -f '[udp port 53]'

$ tshark -Y '[http.request.method == "GET"]'

$ tshark -d tcp.port==[8888],[http]

$ tshark -T [json|text|ps|...]

$ tshark -T [fields|ek|json|pdml] -e [http.request.method] -e [ip.src]

$ tshark -w [path/to/file]

$ tshark -r [path/to/file.pcap]

tshark [options] [capture_filter] [read_filter]

-i
    Specifies the interface to capture traffic from. Example: -i eth0

-r
    Reads packet data from a capture file. Example: -r capture.pcap

-w
    Writes raw packet data to a capture file. Example: -w output.pcap

-F
    Specifies the format of the capture file to write. Common options include pcap, pcapng.

-T
    Sets the format of the output. Text is the default.

-q
    Suppresses output.

-c
    Sets the maximum number of packets to capture.

-f
    Sets the capture filter (BPF syntax) to filter packets during capture.

-Y
    Sets the display filter (Wireshark syntax) to filter packets during analysis.

-n
    Disable network name resolution (DNS, etc.).

-N
    Enable specific name resolving flags.

-d ==,
    Specifies how certain traffic should be decoded.

-e
    Extracts specified field(s). Useful for creating custom output. Example: -e frame.number -e ip.src -e ip.dst

-E
    Change the separator used to separate fields in -e fields. -E separator=,

-x
    Print the packet data in hex and ASCII.

-v
    Verbose output.

-h
    Displays the help message.

Tshark is a powerful command-line network protocol analyzer. It's essentially the command-line version of Wireshark. Tshark allows you to capture and analyze network traffic from various sources, including live interfaces, capture files (like .pcap, .pcapng), and more. It's crucial for network troubleshooting, security analysis, and protocol debugging. It supports a vast array of protocols, providing detailed dissection and analysis of each. Tshark can filter traffic based on various criteria, allowing you to focus on specific packets or connections. Output can be formatted in multiple ways, including text, XML, or CSV, making it easy to integrate with other tools and scripts. Because it's a command-line tool, Tshark is ideal for automated analysis and server-side use cases, where a graphical interface isn't available or desired. It depends on the same libraries as Wireshark. This provides very powerful analysis capabilities, including decoding a vast library of standard network protocols.

Capture filters applied with '-f' during live capture have better performance than display filters applied later with '-Y'. Capturing without any filters can generate massive amounts of data very quickly. Ensure you have adequate storage and processing capabilities. Requires appropriate permissions (often root) to capture on network interfaces. Some options like -i require superuser privileges. It should be noted that certain protocols are not enabled by default.

Capture filters (using the `-f` option) are applied *during* the capture process. They are written in BPF syntax and are highly efficient for reducing the amount of data captured. Display filters (using the `-Y` option) are applied *after* the capture, allowing you to selectively view packets based on more complex criteria (using Wireshark's display filter syntax). Use capture filters when possible to reduce resource usage, but display filters offer more flexibility.

Tshark supports various output formats. Text (-T text) is human-readable, while XML (-T pdml) and JSON (-T json) are better suited for parsing and integration with other tools. The choice of format depends on the use case. For automation and scripting, JSON or XML are often preferred.

Tshark evolved from Wireshark (formerly Ethereal) as the command-line component. Development has paralleled Wireshark's, inheriting its extensive protocol support and analysis capabilities. It's been a widely used tool for network professionals since the early 2000s, becoming a staple for automated network analysis and security auditing.

tcpdump(1), wireshark(1)