TShark#

TShark is Wireshark’s terminal companion, a packet capture and analyzer the operator drives from the command line. Display filters peel the haystack down to the bytes that matter; output flags pull fields into pipelines for statistics and further analysis.

Basic#

$ tshark -D                                  # available interfaces
$ tshark -h                                  # help
$ tshark -i 1                                # capture on interface number
$ tshark -i 'name'                           # capture on interface by name
$ tshark -i 1 -w /tmp/capture.pcapng         # write capture to file
$ tshark -i 1 -f "filter text using BPF syntax"
$ tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.pcapng

Display filters#

The -Y flag attaches a display filter while reading a capture.

$ tshark -Y "eth.addr == 00:08:15:00:08:15"
$ tshark -Y "eth.type == 0x0806"             # ARP
$ tshark -Y "eth.addr == ff:ff:ff:ff:ff:ff"  # ethernet broadcast
$ tshark -Y "not arp"
$ tshark -Y "ip"                              # IPv4 only
$ tshark -Y "ip6"                             # IPv6 only
$ tshark -Y "!(ip.addr == 192.168.0.1)"
$ tshark -Y "ipx"
$ tshark -Y "tcp"
$ tshark -Y "udp"
$ tshark -Y "!(tcp.port == 53)"               # tcp not on port 53
$ tshark -Y "tcp.port == 80 || udp.port == 80"
$ tshark -Y "http"
$ tshark -Y "not arp and not (udp.port == 53)"
$ tshark -Y "not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1"

Field extraction#

Pull specific protocol fields out of a capture for analysis.

$ tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code
$ tshark -i eth0 -nn -e ip.src -e eth.src -Tfields -E separator=, -R ip
$ tshark -i eth0 -nn -e ip.dst -e eth.dst -Tfields -E separator=, -R ip
$ tshark -i eth0 -nn -e ip.src -e ip.dst -Tfields -E separator=, -R ip
$ tshark -i eth0 -nn -e ip6.src -e ip6.dst -Tfields -E separator=, -R ip6
$ tshark -i eth0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53
$ tshark -o column.format:'"Source","%s","Destination","%d"' -Ttext

Statistics#

Roll up retransmissions, conversation tables, and protocol type trees out of an offline capture.

$ tshark -r capture.pcapng -qz io,stat,1,0,sum(tcp.analysis.retransmission)"ip.addr==10.10.10.10" > stat.txt
$ tshark -r capture.pcapng -qz io,stat,120,"ip.addr==194.134.109.48 && tcp","COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission"
$ tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"
$ tshark -r capture.pcapng -q -z ip_hosts,tree
$ tshark -r capture.pcapng -q -z conv,tcp
$ tshark -r capture.pcapng -q -z ptype,tree

Top URLs#

Display the top ten URLs out of an HTTP capture.

$ tshark -r capture.pcapng -R http.request -T fields -e http.host -e http.request.uri | sed -e 's/?.*$//' | sed -e 's#^(.*)t(.*)$#http://12#' | sort | uniq -c | sort -rn | head

SYN-initiated CSV#

Build a CSV of source IP, destination IP, and destination port for SYN-initiated connections.

$ tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'

HTTP work#

$ tshark -Y 'http' -r HTTP_traffic.pcap
$ tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"
$ tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"
$ tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
$ tshark -r HTTP_traffic.pcap -Y "http contains password"
$ tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst
$ tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie
$ tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e ip.dst -e http.user_agent

HTTPS / TLS#

$ tshark -Y 'ssl' -r HTTPS_traffic.pcap
$ tshark -r HTTPS_traffic.pcap -Y "ssl.handshake" -Tfields -e ip.src -e ip.dst
$ tshark -r HTTPS_traffic.pcap -Y "ssl.handshake.certificate" -Tfields -e x509sat.printableString
$ tshark -r HTTPS_traffic.pcap -Y "ssl && ssl.handshake.type==1" -Tfields -e ip.dst
$ tshark -r HTTPS_traffic.pcap -Y "ip contains askexample" -Tfields -e ip.dst
$ tshark -r HTTPS_traffic.pcap -Y "ip.dst==151.101.1.69 || ip.dst==151.101.193.69 || ip.dst==151.101.129.69 || ip.dst==151.101.65.69" -Tfields -e ip.src
$ tshark -r HTTPS_traffic.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst
$ tshark -r HTTPS_traffic.pcap -Y "ip contains avast" -Tfields -e ip.src

References#