tshark
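# tshark / tcpdump quick reference. Each command is meant to be run on its own;
# this listing is not a script to execute top to bottom.
# Capture files hold full packet payloads (credentials, cookies, internal
# addresses), so keep them access-restricted and capture only on networks you
# are authorised to monitor.

# --- Capturing and reading ---

# Print the data payload of ICMP packets sent by 192.168.1.1.
# Display-filter protocol names are written in lowercase, hence "icmp".
tshark -r packets.pcap -Y "ip.src == 192.168.1.1 && icmp" -T fields -e data.data

# Capture all packets on eth0 and save them to packets.pcap.
# Needs capture privileges and runs until interrupted; bound it with
# -c N (packet count) or -a duration:N (seconds) for unattended use.
tshark -i eth0 -w packets.pcap

# Read the first 10 packets from packets.pcap.
tshark -r packets.pcap -c10

# Display every packet in the file as a hex and ASCII dump.
tshark -xr packets.pcap

# Same idea with tcpdump instead of tshark.
tcpdump -Xr packets.pcap

# --- Statistics (-z) ---
# Without -q, tshark prints the per-packet lines as well as the statistics;
# add -q to see only the statistics.

# List the available statistics.
tshark -z help

# Stats about IP conversations in the pcap.
tshark -r packets.pcap -z conv,ip

# Breakdown of HTTP requests and responses.
tshark -r packets.pcap -z http,tree

# Follow TCP stream index 0 and print it as ASCII, like "Follow Stream" in the
# GUI. The output is the reassembled payload, so cleartext protocols will show
# their contents in full.
tshark -r http.pcap -z follow,tcp,ascii,0

# Follow a UDP stream, selected by its two endpoints (ip:port,ip:port).
tshark -r packets.pcap -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53

# --- Additional statistical options ---
# The original listing gave these as bare -z values; they are written out here
# as complete commands against the same sample file.

# Every IP address in the capture, with stats.
tshark -r packets.pcap -q -z ip_hosts,tree

# Protocol hierarchy: all protocols found in the capture.
tshark -r packets.pcap -q -z io,phs

# Stats for HTTP requests and responses.
tshark -r packets.pcap -q -z http,tree

# Stats for HTTP requests only.
tshark -r packets.pcap -q -z http_req,tree

# SMB service response times, useful when analysing Windows activity.
tshark -r packets.pcap -q -z smb,srt

# All wireless (WLAN) endpoints.
tshark -r packets.pcap -q -z endpoints,wlan

# Expert info: chats, notes, warnings and errors.
tshark -r packets.pcap -q -z expert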