# tshark

`tshark` performs packet capture and analysis at the terminal and exposes most of Wireshark's dissectors, display filters and statistics, which makes it insanely powerful for scripted analysis.

The command below reads a pcap file, keeps only the ICMP packets sent by 192.168.1.1, and prints the payload carried in each one. The extracted data can then be fed into whatever additional analysis is needed, for example checking whether the payloads look like ordinary ping padding or like something else riding inside ICMP.

```bash
tshark -r packets.pcap -Y "ip.src == 192.168.1.1 && icmp" -T fields -e data.data
```
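As an added example that is not part of the original notes, the script below wraps that exact `tshark` command and does the "additional analysis" step in plain POSIX sh: it decodes the hex that `-T fields -e data.data` emits, classifies each payload as the padding the Linux or Windows `ping` utilities send or as something that deserves a look, and prints one report line per payload. The file name `packets.pcap`, the source address (the one from the notes, overridable), and the two padding patterns used as the "normal ping" heuristic are assumptions; `tshark` is only invoked by `triage_icmp`, the other functions work on text and run without it.

```shell
#!/bin/sh
# Added example (not from the original notes). Extract the payload of every
# ICMP packet a host sent and flag payloads that do not look like plain ping.

# Runs the command from the notes. tshark prints data.data as a hex string,
# one packet per line; a packet with several data fields gets them comma-joined.
# Args: pcap file, optional source IP (defaults to the address used in the notes).
extract_icmp_payloads() {
    tshark -r "$1" -Y "ip.src == ${2:-192.168.1.1} && icmp" -T fields -e data.data
}

# Decode a hex string to printable text; bytes outside 0x20..0x7e become '.'.
# Written with POSIX awk only (no strtonum), so it runs under mawk/busybox too.
hex_to_text() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':' | awk '
    {
        for (i = 1; i + 1 <= length($0); i += 2) {
            hi = index("0123456789abcdef", substr($0, i, 1)) - 1
            lo = index("0123456789abcdef", substr($0, i + 1, 1)) - 1
            b = hi * 16 + lo
            printf "%s", ((b >= 32 && b <= 126) ? sprintf("%c", b) : ".")
        }
    }'
}

# Heuristic (an assumption, not a tshark feature): "ping" when the payload
# carries the iputils padding (bytes 0x10,0x11,...) or the Windows padding
# "abcdefghijklmnopqrstuvwabcdefghi"; anything else is marked "review".
classify_payload() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':')" in
        *101112131415161718191a1b1c1d1e1f*)                 echo ping ;;
        6162636465666768696a6b6c6d6e6f707172737475767761*) echo ping ;;
        *)                                                  echo review ;;
    esac
}

# Read tshark field output on stdin and print, per payload, a tab-separated
# line: packet number, classification, decoded text.
report_payloads() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue            # packet without a data field
        for hex in $(printf '%s' "$line" | tr ',' ' '); do
            printf '%d\t%s\t%s\n' "$n" "$(classify_payload "$hex")" "$(hex_to_text "$hex")"
        done
    done
}

# Count how many report lines were marked "review" (reads report_payloads output).
count_for_review() {
    awk -F '\t' '$2 == "review" { n++ } END { print n + 0 }'
}

# Usage: triage_icmp packets.pcap [source-ip]
triage_icmp() {
    extract_icmp_payloads "$1" "$2" | report_payloads
}

if [ "$#" -gt 0 ]; then
    triage_icmp "$1" "$2"
fi
```

Running `./icmp_triage.sh packets.pcap | grep review` leaves only the packets whose payload is not standard ping padding, which is the set worth opening in the hex dump.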

Quick capture and inspection

```bash
tshark -i eth0 -w packets.pcap    # Capture all packets on eth0 and save to packets.pcap
tshark -r packets.pcap -c10       # Read the first 10 packets from packets.pcap
tshark -xr packets.pcap           # Display every packet as a hex and ASCII dump
tcpdump -Xr packets.pcap          # Similar to above command, just in tcpdump instead
```

Summary Statistics

```bash
tshark -z help                                    # Get help for statistics
tshark -r packets.pcap -z conv,ip                 # Stats about IP conversations in pcap
tshark -r packets.pcap -z http,tree               # Breakdown of HTTP requests and responses
tshark -r http.pcap -z follow,tcp,ascii,0         # Follows the stream of TCP 0 displayed in ASCII, similar to GUI
tshark -r packets.pcap -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53        # Follow a UDP stream

# Other -z statistics worth knowing (use as: tshark -r packets.pcap -z <option>)
ip_hosts,tree        # Every IP address seen in the capture, with packet/byte counts
io,phs               # Protocol hierarchy showing all protocols found in the capture
http,tree            # Stats for HTTP requests and responses
http_req,tree        # Stats for HTTP requests only
smb,srt              # SMB service response times, useful for analysing Windows activity
endpoints,wlan       # Displays all wireless endpoints
expert               # Expert info: chats, notes, warnings and errors flagged by the dissectors
```

Timestamp format

```bash
tshark -r packets.pcap -t ad        # Absolute time (in local time zone) with date
tshark -r packets.pcap -t ud        # Absolute time (UTC) with date packet was captured
tshark -r packets.pcap -t e         # Epoch time
```
