tshark is used to perform packet analysis at the terminal and provides a ton of insanely powerful capabilities.
The command below will take a pcap file as input, limit to only IP 192.168.1.1 sending ICMP packets, then extract any data carried over ICMP. We can then perform additional analysis on all of the data.
tshark -i eth0 -w packets.pcap # Capture all packets on eth0 and save to packets.pcap
tshark -r packets.pcap -c10 # Read the first 10 packets from packets.pcap
tshark -xr packets.pcap # Display all packets in hexdump (ASCII) format from file
tcpdump -Xr packets.pcap # Similar to above command, just in tcpdump instead
Summary Statistics
tshark -z help # Get help for statistics
tshark -r packets.pcap -z conv,ip # Stats about IP conversations in pcap
tshark -r packets.pcap -z http,tree # Breakdown of HTTP requests and responses
tshark -r http.pcap -z follow,tcp,ascii,0 # Follows the stream of TCP 0 displayed in ASCII, similar to GUI
tshark -r packets.pcap -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53 # Follow a UDP stream
# Additional fun statistical options
ip_hosts,tree # Display every IP in capture with stats
io,phs # Protocol hierarchy showing all protocols found in capture
http,tree # Stats for HTTP requests and responses
http_req,tree # Stats for HTTP requests only
smb,srt # Stats for SMB to analyze Windows activity
endpoints,wlan # Displays all wireless endpoints
expert # Shows all expert info, chats & errors and stuff
Timestamp format
tshark -r packets.pcap -t ad # Absolute time (in local time zone) with date
tshark -r packets.pcap -t ud # Absolute time (UTC) with date packet was captured
tshark -r packets.pcap -t e # Epoch time