# tshark `tshark` is used to perform packet analysis at the terminal and provides a ton of insanely powerful capabilities. The command below will take a pcap file as input, limit to only IP 192.168.1.1 sending ICMP packets, then extract any data carried over ICMP. We can then perform additional analysis on all of the data. ```bash tshark -r packets.pcap -Y "ip.src == 192.168.1.1 && ICMP" -T fields -e data.data ``` Quick analysis and easy to analyze packets ```bash tshark -i eth0 -w packets.pcap # Capture all packets on eth0 and save to packets.pcap tshark -r packets.pcap -c10 # Read the first 10 packets from packets.pcap tshark -xr packets.pcap # Display all packets in hexdump (ASCII) format from file tcpdump -Xr packets.pcap # Similar to above command, just in tcpdump instead ``` Summary Statistics ```bash tshark -z help # Get help for statistics tshark -r packets.pcap -z conv,ip # Stats about IP conversations in pcap tshark -r packets.pcap -z http,tree # Breakdown of HTTP requests and responses tshark -r http.pcap -z follow,tcp,ascii,0 # Follows the stream of TCP 0 displayed in ASCII, similar to GUI tshark -r packets.pcap -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53 # Follow a UDP stream # Additional fun statistical options ip_hosts,tree # Display every IP in capture with stats io,phs # Protocol hierarchy showing all protocols found in capture http,tree # Stats for HTTP requests and responses http_req,tree # Stats for HTTP requests only smb,srt # Stats for SMB to analyze Windows activity endpoints,wlan # Displays all wireless endpoints expert # Shows all expert info, chats & errors and stuff ``` Timestamp format ```bash tshark -r packets.pcap -t ad # Absolute time (in local time zone) with date tshark -r packets.pcap -t ud # Absolute time (UTC) with date packet was captured tshark -r packets.pcap -t e # Epoch time ```