Wireshark in the Command Line

Learning to use Wireshark’s Command Line Tool: TShark

Wireshark is the world’s most widely used network protocol analyzer. It lets you dive into captured traffic and analyze what is going on within a network. Today, let’s talk about how you can use Wireshark’s command-line interface, Tshark, to accomplish similar results.

We will go through some example commands, so feel free to use a PCAP file to follow along! You can find some sample capture files here: SampleCaptures.

Getting started

Without an input file, Tshark simply acts like Tcpdump. It will capture traffic from the first available network and display its packets to standard output. Alternatively, you can use the “-r” flag to specify the network capture file.

tshark -r network.pcap

This way, Tshark will display the packets of the capture file in standard output. Let’s take a look at a line of the output!

35 29.947879 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK

This may seem complicated, but remember that the command line output of Tshark mirrors the Wireshark interface. The fields from left to right in the command line output are:

Packet number, Time, Source, Destination, Protocol, Length, Info\
35, 29.947879, 192.168.0.55, 192.168.0.91, HTTP, 423, HTTP/1.1 200 OK

The “Time” field shows when the packet was captured. The “Source” and “Destination” fields show the source IP and destination IP of that packet. The “Protocol” field displays the protocol used. The “Length” field shows the length of the packet. And finally, the “Info” field displays any additional info about the packet.

You can filter these packet summaries by piping Tshark’s output into grep. For example, this command will output the packets with a “200 OK” HTTP status code.

tshark -r network.pcap | grep "200 OK"

Exporting interesting packets

You can examine packet contents by exporting its objects. Object exporting in Tshark enables you to extract different types of packet data, such as HTTP and SMB objects. The syntax for exporting objects is as follows.

tshark -r network.pcap --export-objects PROTOCOL,DESTINATION_DIR

The PROTOCOL specifies the export object type, while the DESTINATION_DIR is the directory Tshark will use to store the exported files. For example, this command will export the files that have been transported through the network and store them in the “exported_files_dir” directory.

tshark -r network.pcap --export-objects http,exported_files_dir

Using packet filters

Just like in Wireshark, you can also filter packets based on certain criteria. You can simply put your filters in quotes at the end of the command.

tshark -r network.pcap "http.request.method == POST and http.file_data contains password"

The format of the filters that can be applied is identical to that in Wireshark. You can find a list of available filters here: DisplayFilters.

You can also specify the output format for the decoded packet data using the “-T” flag. For example, this command will display all HTTP GET requests in the JSON format.

tshark -r network.pcap -T json "http.request.method==GET"

Finally, you can process the output from Tshark by piping it into other command-line tools such as grep.

Conclusion

This post only introduces a small fraction of what Wireshark and Tshark can do. They are versatile tools that are capable of performing many different types of analysis.

If you are interested in learning more about these tools, visit their documentation here: Wireshark Wiki, tshark Man Page.