TShark Packet Analysis

TShark cheatsheet — command-line Wireshark. tshark -i eth0, tshark -Y 'http', tshark -r capture.pcap, tshark -T json. Deep packet inspection and analysis from terminal.


What it is

TShark is a command-line network protocol analyzer used to capture and interactively browse the contents of network packets. You reach for it when you need to deeply inspect network traffic from the terminal or automate packet analysis.

Installation

Linux

sudo apt update && sudo apt install tshark
# For Fedora/CentOS/RHEL:
sudo dnf install wireshark-cli
# Or
sudo yum install wireshark-cli

Note: Live capture is done by TShark’s dumpcap helper. On many Linux systems you need to add your user to the wireshark group to capture packets without sudo; on Debian/Ubuntu the wireshark-common package asks at install time whether non-root users may capture, and sudo dpkg-reconfigure wireshark-common asks again if you answered no.

sudo usermod -aG wireshark $USER
# Log out and log back in (or start a shell with `newgrp wireshark`) for the group change to take effect.

macOS

brew install wireshark
# TShark is installed as part of the Wireshark package.

Windows

Download the installer from the Wireshark website. During installation, ensure that the "TShark" component is selected. TShark will be available in your system’s PATH if installed correctly.

Core Concepts

  • Packet Capture: TShark can capture live network traffic or read previously saved capture files.
  • Packet Dissection: It decodes packets based on their protocols, showing fields and values.
  • Display Filters: These filters are applied after packets are captured or read and fully dissected, so they can match on any decoded field (e.g., http.request.uri contains "login"). They cannot reduce the amount of data captured, and they are slower than capture filters because every packet is dissected first, but they are far more expressive.
  • Capture Filters: These filters are applied by the capture engine as packets arrive, before dissection, reducing the amount of data captured and saved. They use BPF (Berkeley Packet Filter) syntax, the same as tcpdump, and are the right tool for keeping a long-running capture small.
  • Fields: TShark exposes a vast number of fields for each protocol (e.g., ip.addr, tcp.port, http.request.method). You can list all available fields using tshark -G fields.

Commands / Usage

Capturing Live Traffic

Capture from a specific interface

tshark -i eth0

Starts capturing packets on the eth0 interface and displays them in real-time.

Capture from all interfaces

tshark -i any

Captures packets from all available network interfaces.

Capture with a capture filter

tshark -i eth0 -f "tcp port 80"

Captures only TCP traffic on port 80 on the eth0 interface. A bare trailing expression (tshark -i eth0 "tcp port 80") is also accepted as a capture filter during live capture, but the same positional argument is treated as a display filter when reading a file with -r, so prefer the explicit -f and -Y forms in scripts.

Capture and save to a file

tshark -i eth0 -w capture.pcap

Captures packets from eth0 and saves them to capture.pcap without displaying them on the screen. Modern TShark writes pcapng regardless of the .pcap extension; add -F pcap when a consumer needs the classic libpcap format.

Capture with a limit on packets

tshark -i eth0 -c 100

Captures a maximum of 100 packets from eth0 and then stops.

Capture with a time limit

tshark -i eth0 -a duration:60

Captures packets from eth0 for 60 seconds and then stops.

Capture with a file size limit

tshark -i eth0 -w capture.pcap -a filesize:10240

Captures packets from eth0 into capture.pcap and stops when the file reaches 10240 kB (about 10 MB). -a sets autostop conditions; to keep capturing into a fresh file instead of stopping, use -b filesize:10240 (ring buffer, next entry).

Ring buffer capture (multiple files)

tshark -i eth0 -b files:5 -b filesize:10240 -w capture.pcap

Captures packets into a ring of 5 files, each up to 10240 kB, named after the -w argument with a sequence number and timestamp inserted, e.g. capture_00001_20231027100000.pcap. When the sixth file is started the oldest is deleted, so the ring holds roughly the most recent 50 MB of traffic. -b duration:3600 rotates by time instead of size, and both can be combined.

Reading Capture Files

Read from a capture file

tshark -r capture.pcap

Reads and displays packets from the capture.pcap file.

Read and apply a display filter

tshark -r capture.pcap -Y "ip.addr == 192.168.1.100"

Reads capture.pcap and displays only packets where the source or destination IP address is 192.168.1.100. A bare trailing expression after -r is also treated as a display filter, but -Y makes the intent explicit.

Read and show specific fields

tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.dstport

Reads capture.pcap and displays only the frame number, source IP, destination IP, and destination TCP port for each packet.

Read and show all fields in JSON format

tshark -r capture.pcap -T json

Reads capture.pcap and outputs each packet’s details in JSON format.

Read and show the full dissection of every packet

tshark -r capture.pcap -V

Reads capture.pcap and prints the complete protocol tree for each packet, the same detail Wireshark shows in its packet-details pane. Note that -T fields on its own is an error: that format requires at least one -e field.

Read and show specific fields with custom delimiter

tshark -r capture.pcap -T fields -E header=y -E separator=, -E quote=d -e frame.number -e ip.src -e ip.dst

Reads capture.pcap and outputs frame number, source IP, and destination IP as CSV: a header row, comma separators, and double-quoted values so a field that itself contains commas (for example one that occurs several times in a packet) does not shift the columns.

Analyzing Traffic (Outputting Specific Information)

Show HTTP requests

tshark -r capture.pcap -Y "http.request" -T fields -e frame.number -e http.request.method -e http.request.uri

Reads capture.pcap and shows the frame number, HTTP method, and URI for all HTTP requests. Filtering on http.request rather than http excludes responses, which would otherwise appear as rows with empty method and URI columns.

Show DNS queries

tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e frame.number -e dns.qry.name

Reads capture.pcap and shows the frame number and queried domain name for all DNS queries. dns.qry.name is also present in responses (the question section is echoed back), so filtering on the response flag avoids listing every name twice.

Show TCP connection details

tshark -r capture.pcap -Y "tcp.flags.syn == 1 and tcp.flags.ack == 0" -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport

Reads capture.pcap and shows the frame number and IP/port details for TCP SYN packets (start of connections).

Count occurrences of specific fields

tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -nr

Reads capture.pcap, extracts the name from every DNS query (responses excluded so nothing is counted twice), sorts them, counts unique occurrences, and shows the most frequent queries first.

Show packet details in XML format

tshark -r capture.pcap -T pdml

Reads capture.pcap and outputs packet details in PDML (Packet Detail Markup Language) format.

Common Flags

  • -i <interface>: Specify the network interface to capture from (e.g., eth0, en0, any).
  • -r <file>: Read packets from a capture file (e.g., capture.pcap).
  • -w <file>: Write captured packets to a file.
  • -c <count>: Stop capturing packets after receiving <count> packets.
  • -a <attribute>:<value>: Autostop conditions for a live capture. Common attributes:
    • duration:<seconds>: Stop capturing after the specified number of seconds.
    • filesize:<kB>: Stop writing when the current capture file reaches <kB> kilobytes (with -b, switch to the next file instead).
    • files:<number>: Stop after <number> capture files have been written.
    • packets:<count>: Stop after <count> packets (equivalent to -c).
  • -b <attribute>:<value>: Ring buffer parameters (duration, filesize, files, packets): rotate to a new file when the condition is met instead of stopping, and with files:<n> keep only the newest <n> files.
  • -Y <filter>: Apply a display filter to filter packets after capture or reading. Uses Wireshark’s display filter syntax.
  • -f <filter>: Apply a capture filter during capture. Uses BPF syntax (e.g., "tcp port 80").
  • -T <format>: Specify the output format for dissected packets. Common formats:
    • text: Plain text summary, one line per packet (the default); -V adds the full protocol tree.
    • fields: One line per packet containing only the fields chosen with -e (requires at least one -e).
    • json: JSON, one object per packet.
    • jsonraw: JSON carrying the raw bytes of each field instead of decoded values.
    • ek: Newline-delimited JSON suitable for Elasticsearch bulk import.
    • pdml: Packet Detail Markup Language (XML-based).
    • psml: Packet Summary Markup Language (XML-based).
  • -e <field>: Select and display a specific field in fields output format. Can be specified multiple times.
  • -E <option>=<value>: Set options for the fields output format. Common options:
    • separator=<string>: Field separator; /t for tab (the default), /s for space, or a literal character such as , for CSV.
    • header=y|n: Include or exclude a header line naming the fields.
    • quote=d|s|n: Quote each value with double quotes, single quotes, or not at all (default n).
    • occurrence=f|l|a: When a field occurs several times in one packet, print the first, the last, or all occurrences (default a, joined with the aggregator character, which defaults to ,).
  • -V: Verbose output. Shows packet details.
  • -x: Show packet bytes in hex and ASCII.
  • -n: Disable all name resolution (MAC vendor, IP address to hostname, port number to service name) for speed and stable output.
  • -N <flags>: Enable specific kinds of name resolution, e.g. -N n for network addresses, -N t for transport-layer ports, -N m for MAC addresses.
  • -d <layer_type>==<value>: Decode as. Specifies that a protocol should be dissected as another protocol (e.g., -d tcp.port==8080,http).
  • -G [report]: Dump a glossary report and exit.
    • tshark -G fields: List all available fields.
    • tshark -G protocols: List all protocols (dissectors).
    • tshark -G dissector-tables: List the tables a -d rule can override (e.g. tcp.port, udp.port).

Listing Available Information

List all available fields

tshark -G fields

Prints a comprehensive list of all fields TShark can dissect and filter on.

List all available protocols

tshark -G protocols

Prints a list of all protocols TShark knows how to dissect.

List the dissector tables usable with -d

tshark -G dissector-tables

Lists the tables a "decode as" rule can target, such as tcp.port and udp.port, with the type of their selector. tshark -G decodes prints the current selector-to-protocol assignments (e.g. tcp.port 80 http), useful for confirming what a -d rule changed.

Common Patterns

Extracting HTTP Request URIs from a capture

tshark -r traffic.pcap -Y "http.request.method" -T fields -e http.request.method -e http.request.uri

This command extracts the method and URI for all HTTP requests found in traffic.pcap.

Identifying the top talkers by IP address

tshark -r traffic.pcap -n -Y "ip" -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -nr | head -n 10

This command counts and lists the top 10 source/destination IP address pairs in the capture by packet count. A→B and B→A are counted as separate pairs, the -Y "ip" filter keeps non-IP frames (which would print as empty lines) out of the count, and -n keeps the addresses numeric.
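The same table done in Python, as an added example rather than code from the page: it keys on the unordered endpoint pair so both directions of a conversation are summed, keeps per-direction byte counts, skips non-IP frames, and copes with a field that tshark rendered as several comma-joined values. It assumes only tshark flags documented above (-T fields, -e, -E separator=/t, -E occurrence=f); tshark's built-in -q -z conv,ip statistic prints a similar table, this version is for when you want the numbers inside a script. SAMPLE_LINES is constructed by hand in tshark's fields output format so the code runs without a capture file.

```python
# Added example (not from the page): IP conversation table from
# `tshark -T fields -e ip.src -e ip.dst -e frame.len` output.
# SAMPLE_LINES is constructed by hand in that output format.
import subprocess
from collections import defaultdict

FIELDS = ["ip.src", "ip.dst", "frame.len"]


def tshark_fields(pcap, fields=FIELDS, display_filter="ip"):
    """Run tshark and return its tab-separated fields output as lines."""
    cmd = ["tshark", "-n", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in fields:
        cmd += ["-e", field]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def conversations(lines):
    """Aggregate ip.src<TAB>ip.dst<TAB>frame.len lines into conversations.

    Each conversation is keyed by the unordered endpoint pair, so A->B and
    B->A traffic count together (a plain sort|uniq counts them apart), with
    per-direction byte totals kept. Frames without an IP header (empty
    fields) are skipped. If -E occurrence=f was omitted, a field that occurs
    twice in a packet (e.g. the inner header of an ICMP error) is rendered as
    "x,y"; the first occurrence is used.
    """
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not all(parts):
            continue
        src, dst, length = (p.split(",")[0] for p in parts)
        a, b = sorted((src, dst))
        entry = conv[(a, b)]
        entry["packets"] += 1
        entry["bytes"] += int(length)
        entry["a_to_b" if src == a else "b_to_a"] += int(length)
    table = [{"a": a, "b": b, **stats} for (a, b), stats in conv.items()]
    return sorted(table, key=lambda e: e["bytes"], reverse=True)


# --- constructed sample of tshark fields output (not a real capture) ---
SAMPLE_LINES = [
    "192.168.1.100\t10.0.0.1\t74",
    "10.0.0.1\t192.168.1.100\t1514",
    "192.168.1.100\t10.0.0.1\t66",
    "192.168.1.100\t10.0.0.2\t90",
    "\t\t60",                                              # ARP frame: no IP fields
    "10.0.0.1,192.168.1.100\t192.168.1.100,10.0.0.1\t98",  # ICMP error, two IP headers
    "192.168.1.100\t10.0.0.1\t1514",
]

if __name__ == "__main__":
    import sys
    lines = tshark_fields(sys.argv[1]) if len(sys.argv) == 2 else SAMPLE_LINES
    print(f"{'A':<16}{'B':<16}{'pkts':>6}{'bytes':>8}{'A->B':>8}{'B->A':>8}")
    for e in conversations(lines)[:10]:
        print(f"{e['a']:<16}{e['b']:<16}{e['packets']:>6}{e['bytes']:>8}"
              f"{e['a_to_b']:>8}{e['b_to_a']:>8}")
```

Run it with a capture path (python3 conv.py traffic.pcap) to use tshark, or without arguments to see the table for the constructed sample.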

Saving only HTTP traffic to a new file

tshark -r all_traffic.pcap -Y "http" -w http_traffic.pcap

Filters all_traffic.pcap for packets dissected as HTTP and saves them into http_traffic.pcap. Only packets TShark recognises as HTTP match (standard ports, or ports mapped with -d); the handshake and bare ACKs of those connections are not written, so filter on "tcp.stream eq N" instead when you need whole connections.

Following a TCP stream

TShark has a follow-stream statistic, the command-line equivalent of Wireshark’s "Follow TCP Stream". -q suppresses the per-packet output so only the reassembled conversation is printed.

# Print stream 5 as ASCII (non-printable bytes shown as dots), both directions
tshark -r capture.pcap -q -z follow,tcp,ascii,5

# Same stream as raw hex, for binary payloads
tshark -r capture.pcap -q -z follow,tcp,raw,5

# To look at the individual segments instead, filter on the stream index;
# tcp.stream numbers connections in the order they are first seen in the file
tshark -r capture.pcap -Y "tcp.stream eq 5" -T fields -e frame.number -e ip.src -e tcp.seq -e tcp.payload

# -z follow,udp,ascii,N and -z follow,tls,ascii,N (the latter only shows plaintext when decryption keys are configured) work the same way
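Reassembling a stream from -T json output in Python, as an added example that is not code from the page or the Wireshark project: it orders segments by relative sequence number, drops retransmissions, trims overlaps and counts holes in the capture, which matters when the built-in follow-stream statistic gives less control than you need (a hole means the capture missed bytes, not that the peer sent nothing). It assumes the JSON layout tshark emits (each packet under _source.layers, string-valued fields, tcp.seq relative, tcp.payload as colon-separated hex); SAMPLE_PACKETS is a hand-constructed list in that layout so the code runs without a pcap.

```python
# Added example (not from the page): reassemble one TCP stream from
# `tshark -r capture.pcap -Y "tcp.stream eq 5" -T json` output.
# Assumes tshark's JSON layout: {"_source": {"layers": {"ip": {...}, "tcp": {...}}}}
# with string-valued fields; SAMPLE_PACKETS below is constructed in that layout.
import json
import subprocess
from collections import defaultdict


def tshark_json(pcap, display_filter):
    """Run tshark and return its -T json output as a list of packet dicts."""
    cmd = ["tshark", "-n", "-r", pcap, "-Y", display_filter, "-T", "json"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def _payload_bytes(hex_field):
    """tcp.payload is rendered as "47:45:54:..."; turn it back into bytes."""
    return bytes.fromhex(hex_field.replace(":", ""))


def reassemble(packets, stream_id):
    """Rebuild both directions of one tcp.stream.

    Returns {"src:port -> dst:port": {"data": bytes, "gaps": int}}.
    Segments are ordered by relative sequence number, pure retransmissions
    are dropped, overlapping bytes are trimmed, and a segment missing from
    the capture is counted as a gap rather than silently concatenated over.
    """
    by_direction = defaultdict(list)  # direction -> [(seq, payload)]
    for pkt in packets:
        layers = pkt["_source"]["layers"]
        tcp = layers.get("tcp")
        if not tcp or tcp.get("tcp.stream") != str(stream_id):
            continue
        payload = tcp.get("tcp.payload")
        if not payload:  # SYN/ACK/FIN segments carry no data
            continue
        ip = layers.get("ip") or layers.get("ipv6") or {}
        src = ip.get("ip.src") or ip.get("ipv6.src")
        dst = ip.get("ip.dst") or ip.get("ipv6.dst")
        direction = f"{src}:{tcp['tcp.srcport']} -> {dst}:{tcp['tcp.dstport']}"
        by_direction[direction].append((int(tcp["tcp.seq"]), _payload_bytes(payload)))

    result = {}
    for direction, segments in by_direction.items():
        buf, gaps, expected = bytearray(), 0, None
        for seq, data in sorted(segments, key=lambda s: s[0]):
            if expected is None:
                expected = seq
            if seq + len(data) <= expected:
                continue  # retransmission of bytes we already have
            if seq < expected:
                data = data[expected - seq:]  # partial overlap: keep only the new tail
                seq = expected
            if seq > expected:
                gaps += 1  # bytes [expected, seq) were never captured
            buf.extend(data)
            expected = seq + len(data)
        result[direction] = {"data": bytes(buf), "gaps": gaps}
    return result


# --- constructed sample in tshark's -T json layout (not a real capture) ---
def _pkt(number, src, sport, dst, dport, stream, seq, payload=b""):
    tcp = {"tcp.srcport": str(sport), "tcp.dstport": str(dport),
           "tcp.stream": str(stream), "tcp.seq": str(seq)}
    if payload:
        tcp["tcp.payload"] = ":".join(f"{b:02x}" for b in payload)
    return {"_source": {"layers": {"frame": {"frame.number": str(number)},
                                   "ip": {"ip.src": src, "ip.dst": dst},
                                   "tcp": tcp}}}


C, S = "192.168.1.100", "10.0.0.1"
SAMPLE_PACKETS = [                                                  # deliberately out of order
    _pkt(1, C, 51234, S, 80, 5, 0),                                 # SYN, no data
    _pkt(3, C, 51234, S, 80, 5, 17, b"Host: example.test\r\n"),
    _pkt(2, C, 51234, S, 80, 5, 1, b"GET / HTTP/1.1\r\n"),
    _pkt(6, S, 80, C, 51234, 5, 1, b"HTTP/1.1 200 OK\r\n"),
    _pkt(4, C, 51234, S, 80, 5, 37, b"\r\n"),
    _pkt(5, C, 51234, S, 80, 5, 1, b"GET / HTTP/1.1\r\n"),          # retransmission
    _pkt(7, C, 51234, S, 443, 6, 1, b"x"),                          # a different stream
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: follow.py capture.pcap 5
        stream = int(sys.argv[2])
        packets = tshark_json(sys.argv[1], f"tcp.stream eq {stream}")
    else:
        packets, stream = SAMPLE_PACKETS, 5
    for direction, info in reassemble(packets, stream).items():
        print(f"== {direction} ({len(info['data'])} bytes, {info['gaps']} gap(s))")
        print(info["data"].decode("utf-8", "replace"))
```

The direction key uses the IP addresses and ports exactly as tshark prints them, so output from a capture made with -n and from one made with name resolution on will differ; pass -n (as tshark_json does) to keep keys numeric.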

Analyzing DNS query patterns

tshark -r dns_traffic.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk '{print tolower($0)}' | sort | uniq -c | sort -nr | head -n 20

Extracts DNS query names, converts them to lowercase, sorts, counts, and shows the top 20 most frequent DNS queries.

Decoding a specific port as HTTP

tshark -r capture.pcap -d tcp.port==8080,http -Y "http" -T fields -e frame.number -e http.request.uri

Treats traffic on TCP port 8080 as HTTP and then filters and displays HTTP requests.

Saving filtered output to CSV

tshark -r capture.pcap -Y "smb" -T fields -E header=y -E separator=, -E quote=d -e frame.number -e smb.cmd -e smb.file > smb_analysis.csv

Extracts frame number, SMB command code, and file name for SMB1 traffic and saves it as a CSV file with a header row and quoted values. Field names must be exact and are case-sensitive: smb.cmd and smb.file are the SMB1 names, SMB2 uses smb2.cmd and smb2.filename. TShark refuses to run when an -e field does not exist, so confirm names with tshark -G fields | grep -i 'smb\.' before building a pipeline on them.

Gotchas

  • Permissions: Live capture is performed by TShark’s dumpcap helper, which needs root (sudo) or, on Linux, the capabilities granted through the wireshark group setup. Reading a file with -r needs no privilege, so a good habit is to capture with -w under elevated rights and do the analysis as an unprivileged user.
  • Display Filters vs. Capture Filters: Misunderstanding the difference can lead to inefficient captures or not capturing the desired data. Display filters (-Y) work on already captured data; capture filters (-f) reduce data during capture.
  • Field Names: TShark has thousands of fields. Use tshark -G fields to find the exact name. Field names are case-sensitive.
  • Name Resolution: Depending on preferences, TShark resolves MAC address vendors, port numbers to service names and (when network name resolution is enabled) IP addresses to hostnames. This slows analysis, can send the addresses you are investigating to a DNS resolver, and makes output differ between hosts. Use -n to disable all name resolution.
  • Output Formatting: For programmatic use, JSON (-T json, or -T ek for one record per line) is the most reliable. Plain text (-T text) is meant for humans and its layout can change between versions. The fields format is good for CSV-like output; pair it with -E header=y and -E quote=d.
  • Packet Bytes (-x): -x adds a hex/ASCII dump to the human-readable output. For machine-readable bytes, extract a bytes-typed field instead, e.g. -T fields -e tcp.payload, or use -T jsonraw.
  • Large Capture Files: Analyzing very large capture files directly with TShark can be memory and CPU intensive, because every packet is fully dissected. Reduce the input first: capture filters at collection time, editcap (ships with Wireshark) to split or trim a file, or tcpdump with a BPF filter to carve out the traffic of interest, then run display filters on the smaller file.
  • Protocol Dissection: TShark’s ability to dissect protocols relies on its internal dissectors. Malformed, encrypted or proprietary traffic may not be dissected, and traffic on non-standard ports is often shown as plain TCP data. -d maps a port to a protocol; for TLS, plaintext is only visible if a key log file is supplied (e.g. -o tls.keylog_file:/path/to/sslkeys.log).
  • any Interface: On Linux, capturing on any uses the "cooked" (Linux SLL) pseudo link layer, so the file has no real Ethernet headers and MAC-based fields are missing, and traffic that crosses several interfaces (a bridge and its member, loopback plus physical) appears twice. Be specific with -i when possible.