tshark is used to perform packet analysis at the terminal and provides a ton of insanely powerful capabilities.

The command below will take a pcap file as input, limit to only IP sending ICMP packets, then extract any data carried over ICMP. We can then perform additional analysis on all of the data.

tshark -r packets.pcap -Y "ip.src == && ICMP" -T fields -e data.data

Quick analysis and easy to analyze packets

tshark -i eth0 -w packets.pcap    # Capture all packets on eth0 and save to packets.pcap
tshark -r packets.pcap -c10       # Read the first 10 packets from packets.pcap
tshark -xr packets.pcap           # Display all packets in hexdump (ASCII) format from file
tcpdump -Xr packets.pcap          # Similar to above command, just in tcpdump instead

Summary Statistics

tshark -z help                                    # Get help for statistics
tshark -r packets.pcap -z conv,ip                 # Stats about IP conversations in pcap
tshark -r packets.pcap -z http,tree               # Breakdown of HTTP requests and responses
tshark -r http.pcap -z follow,tcp,ascii,0         # Follows the stream of TCP 0 displayed in ASCII, similar to GUI
tshark -r packets.pcap -z follow,udp,ascii,,        # Follow a UDP stream

# Additional fun statistical options
ip_hosts,tree        # Display every IP in capture with stats
io,phs               # Protocol hierarchy showing all protocols found in capture
http,tree            # Stats for HTTP requests and responses
http_req,tree        # Stats for HTTP requests only
smb,srt              # Stats for SMB to analyze Windows activity
endpoints,wlan       # Displays all wireless endpoints
expert               # Shows all expert info, chats & errors and stuff

Timestamp format

tshark -r packets.pcap -t ad        # Absolute time (in local time zone) with date
tshark -r packets.pcap -t ud        # Absolute time (UTC) with date packet was captured
tshark -r packets.pcap -t e         # Epoch time

Last updated