tshark is used to perform packet analysis at the terminal and provides a ton of insanely powerful capabilities.
The command below will take a pcap file as input, limit it to ICMP packets sent by IP 192.168.1.1, then extract any data carried over ICMP. We can then perform additional analysis on all of that data.
tshark -i eth0 -w packets.pcap    # Capture all packets on eth0 and save to packets.pcap
tshark -r packets.pcap -c 10      # Read the first 10 packets from packets.pcap
tshark -x -r packets.pcap         # Display all packets in hexdump (hex and ASCII) format from file
tcpdump -X -r packets.pcap        # Similar to above command, just in tcpdump instead
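The ICMP-payload workflow described above, carried through in Python as an added example (not part of the original cheat sheet): it builds the tshark invocation that keeps only ICMP sent by 192.168.1.1 and prints the ICMP data field as hex, decodes that output, and then triages each payload for defenders looking for ICMP tunnelling (does it match a stock ping payload, how printable is it, how much entropy does it carry). Assumptions: tshark's `-T fields -e data.data` prints one hex string per packet (older builds separate bytes with colons, newer ones do not; both are handled); the "standard" ping patterns are the defaults of 64-bit Linux iputils ping and Windows ping; the sample tshark output at the bottom is constructed so the block runs without a capture file.

```python
"""Added example: extract ICMP payloads with tshark and triage them for non-ping data."""
import math
import subprocess
from shutil import which

PCAP = "packets.pcap"     # capture file name used throughout the cheat sheet
SRC_IP = "192.168.1.1"    # host whose outbound ICMP we want to inspect

# Default payload of Windows ping (well-known 32-byte alphabet pattern).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_tshark_cmd(pcap, src_ip):
    """argv for tshark: only ICMP sent by src_ip, ICMP data bytes printed as hex."""
    return [
        "tshark", "-r", pcap,
        "-Y", f"ip.src == {src_ip} && icmp",   # display filter
        "-T", "fields", "-e", "data.data",     # one hex payload per output line
    ]


def parse_hex_lines(lines):
    """Turn tshark's field output into raw byte strings, skipping packets with no data."""
    payloads = []
    for line in lines:
        hexstr = line.strip().replace(":", "")   # tolerate colon-separated output
        if hexstr:
            payloads.append(bytes.fromhex(hexstr))
    return payloads


def shannon_entropy(data):
    """Bits of entropy per byte: near 8 for encrypted/compressed data, low for text or padding."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_standard_ping_payload(payload):
    """True for the default payload of 64-bit Linux iputils ping (16-byte timestamp area
    followed by bytes whose value equals their offset, 0x10..0x37) or of Windows ping."""
    if payload == WINDOWS_PING_DATA:
        return True
    if len(payload) == 56 and all(payload[k] == k for k in range(16, 56)):
        return True
    return False


def triage(payloads):
    """Per-payload report plus the concatenated bytes of everything that is not a stock ping."""
    report = []
    unexpected = b""
    for p in payloads:
        standard = is_standard_ping_payload(p)
        printable = sum(32 <= b < 127 for b in p) / len(p) if p else 0.0
        report.append({
            "len": len(p),
            "entropy": round(shannon_entropy(p), 2),
            "printable": round(printable, 2),
            "standard": standard,
        })
        if not standard:
            unexpected += p
    return report, unexpected


def run(pcap=PCAP, src_ip=SRC_IP):
    """Run tshark on a real capture (requires tshark on PATH) and triage its output."""
    if which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(build_tshark_cmd(pcap, src_ip),
                          capture_output=True, text=True, check=True)
    return triage(parse_hex_lines(proc.stdout.splitlines()))


# Constructed sample of what tshark would print, so the triage can be exercised offline.
LINUX_PING_DATA = bytes(16) + bytes(range(16, 56))       # zeroed timestamp area + 0x10..0x37
SAMPLE_LINES = [
    LINUX_PING_DATA.hex(),            # a stock Linux ping
    WINDOWS_PING_DATA.hex(":"),       # a stock Windows ping, colon-separated style
    b"hello over icmp".hex(),         # constructed non-ping payload (what we want to catch)
    "",                               # an ICMP packet that carried no data field
]

if __name__ == "__main__":
    rep, extra = triage(parse_hex_lines(SAMPLE_LINES))
    for entry in rep:
        print(entry)
    print("non-standard bytes:", extra)
```

Against a real capture, `run()` drives tshark itself; the only filter logic lives in `build_tshark_cmd`, so the `-Y` expression can be swapped for whatever subset of ICMP is under investigation. Anything the triage reports as non-standard with high entropy or low printable ratio is the part worth pulling into further analysis.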
Summary Statistics
tshark -z help                                  # Get help for statistics
tshark -r packets.pcap -z conv,ip               # Stats about IP conversations in pcap
tshark -r packets.pcap -z http,tree             # Breakdown of HTTP requests and responses
tshark -r http.pcap -z follow,tcp,ascii,0       # Follows TCP stream 0 displayed in ASCII, similar to GUI
tshark -r packets.pcap -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53   # Follow a UDP stream
# Additional fun statistical options (pass each to -z; add -q to print only the stats, not every packet)
ip_hosts,tree     # Display every IP in capture with stats
io,phs            # Protocol hierarchy showing all protocols found in capture
http,tree         # Stats for HTTP requests and responses
http_req,tree     # Stats for HTTP requests only
smb,srt           # Stats for SMB to analyze Windows activity
endpoints,wlan    # Displays all wireless endpoints
expert            # Shows all expert info, chats & errors and stuff
Timestamp format
tshark -r packets.pcap -t ad    # Absolute time (in local time zone) with date
tshark -r packets.pcap -t ud    # Absolute time (UTC) with date packet was captured
tshark -r packets.pcap -t e     # Epoch time