A Quick Tutorial on Using Tshark

Tshark is the command-line version of Wireshark, a powerful network protocol analyzer. Originally known as Ethereal, Wireshark (and by extension, Tshark) is widely used for network troubleshooting, analysis, and cybersecurity investigations. Below is a detailed guide on using Tshark effectively.

You Should Know:

1. Installing Tshark

Tshark comes pre-installed with Wireshark on most Linux distributions. If not, install it using:

sudo apt-get install tshark   # Debian/Ubuntu
sudo yum install wireshark    # CentOS/RHEL

2. Basic Packet Capture

To capture packets on a specific interface (e.g., eth0):

sudo tshark -i eth0 

3. Save Captured Packets to a File

Save output to a `.pcap` file for later analysis:

sudo tshark -i eth0 -w capture.pcap 

4. Filter Traffic by Protocol

Display only HTTP traffic (`-Y` is a display filter, so every packet is still captured; only the output is restricted):

sudo tshark -i eth0 -Y "http" 

5. Read from a PCAP File

Analyze a previously captured file:

tshark -r capture.pcap 

6. Extract Specific Fields

Display only the source IP, destination IP, and IP protocol number:

tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.proto 
7. Capture Only a Specific Number of Packets

Limit capture to 100 packets:

sudo tshark -i eth0 -c 100 
8. Decrypt SSL/TLS Traffic (If Keys Are Available)

Point Tshark at the key log file that was recorded while the session was captured:

tshark -r encrypted.pcap -o "tls.keylog_file:ssl-key.log"

9. Advanced Filtering with Display Filters

Show only DNS traffic (queries and responses):

tshark -i eth0 -Y "dns" 

10. Extract HTTP URLs from Traffic

tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri 

11. Monitor Live Traffic with Statistics

Get real-time packet statistics:

sudo tshark -i eth0 -qz io,phs 

12. Detect Malicious Traffic (e.g., Port Scanning)

Show SYN packets with the ACK flag clear, the pattern a SYN scan produces:

tshark -i eth0 -Y "tcp.flags.syn==1 and tcp.flags.ack==0" 
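The filter above lists every SYN-only packet, but a scan stands out only once you count how many distinct destination ports each source probed. The script below is an added example, not part of the original post: it wraps the same display filter in a `-T fields` command and post-processes the output with awk to report sources that exceed a threshold. The threshold, the field list and the sample lines are constructed assumptions; the sample stands in for real tshark output so the reporting logic can be exercised without a capture.

```shell
#!/bin/sh
# Added example (not from the original post): flag hosts that send SYNs
# without ACK to many distinct destination ports, the signature the
# "tcp.flags.syn==1 and tcp.flags.ack==0" filter selects.

# Emit one "src<TAB>dst<TAB>dstport" line per SYN-only packet in a pcap.
# Requires tshark; nothing else in this script needs it.
syn_fields_from_pcap() {
    tshark -r "$1" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" \
        -T fields -E separator=/t -e ip.src -e ip.dst -e tcp.dstport
}

# Constructed stand-in for the command above: 10.0.0.5 probes twelve ports
# on 10.0.0.9 (one SYN retransmitted), 10.0.0.7 opens two normal connections.
sample_syn_lines() {
    for port in 21 22 23 25 53 80 110 135 139 443 445 3389; do
        printf '10.0.0.5\t10.0.0.9\t%s\n' "$port"
    done
    printf '10.0.0.5\t10.0.0.9\t22\n'     # retransmitted SYN, must not double count
    printf '10.0.0.7\t10.0.0.9\t443\n'
    printf '10.0.0.7\t10.0.0.8\t80\n'
}

# Read "src<TAB>dst<TAB>dstport" lines on stdin and print "src count" for
# every source that hit more than $1 (default 10) distinct dst:port targets,
# most aggressive first. Distinct targets, not packets, are counted, so
# retransmissions do not inflate the score.
report_scanners() {
    thr="${1:-10}"
    awk -F '\t' -v thr="$thr" '
        NF >= 3 { seen[$1 "\t" $2 ":" $3] = 1 }
        END {
            for (k in seen) { split(k, p, "\t"); n[p[1]]++ }
            for (s in n) if (n[s] > thr) printf "%s %d\n", s, n[s]
        }' | LC_ALL=C sort -k2,2nr
}

# Usage: ./synscan.sh capture.pcap [threshold]; with no arguments the
# constructed sample is analysed instead.
if [ $# -gt 0 ]; then
    syn_fields_from_pcap "$1" | report_scanners "${2:-10}"
else
    sample_syn_lines | report_scanners 10
fi
```

The threshold is a heuristic: a busy proxy or a monitoring host can legitimately touch many dst:port pairs, so treat the report as a triage list and confirm against the capture before acting on it.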

13. Extract Files Transferred over HTTP

tshark -r capture.pcap --export-objects http,/path/to/save/files 
14. Combine Tshark with Other Tools (e.g., grep)

Find suspicious IPs:

tshark -r capture.pcap | grep "192.168.1.100" 
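The `grep` pipeline matches substrings of Tshark's default one-line summary, so `grep "192.168.1.10"` also matches `192.168.1.100` and `192.168.1.105`. The script below is an added example, not part of the original post, serving both section 10 (HTTP URL extraction) and section 14 (combining Tshark with other tools): it takes `-T fields` output for HTTP requests and matches the client address as a whole field in awk, then counts the host/URI pairs that client requested. The field list and the sample lines are constructed; the pcap path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): inventory HTTP requests per
# client from tshark field output, matching the client IP exactly.

# Tab-separated "src<TAB>dst<TAB>host<TAB>uri" for every HTTP request in a
# capture. Requires tshark; the rest of the script does not.
http_fields_from_pcap() {
    tshark -r "$1" -Y "http.request" -T fields -E separator=/t \
        -e ip.src -e ip.dst -e http.host -e http.request.uri
}

# Constructed stand-in for what the command above prints. Note that
# 192.168.1.10 and 192.168.1.100 are distinct clients.
sample_http_lines() {
    printf '192.168.1.10\t93.184.216.34\texample.com\t/index.html\n'
    printf '192.168.1.100\t93.184.216.34\texample.com\t/login\n'
    printf '192.168.1.100\t203.0.113.7\tupdates.example.net\t/update.bin\n'
    printf '192.168.1.100\t203.0.113.7\tupdates.example.net\t/update.bin\n'
    printf '192.168.1.20\t198.51.100.5\tcdn.example.org\t/a.js\n'
}

# Read field lines on stdin and print "count host/uri" for one client,
# most requested first. "$1 == ip" compares the whole ip.src field, so a
# lookup for 192.168.1.10 never picks up 192.168.1.100.
requests_by_client() {
    awk -F '\t' -v ip="$1" '
        NF >= 4 && $1 == ip { n[$3 $4]++ }
        END { for (k in n) printf "%d %s\n", n[k], k }' | LC_ALL=C sort -rn
}

# Usage: ./httpinv.sh capture.pcap 192.168.1.100; with no arguments the
# constructed sample is analysed for 192.168.1.100.
if [ $# -ge 2 ]; then
    http_fields_from_pcap "$1" | requests_by_client "$2"
else
    sample_http_lines | requests_by_client 192.168.1.100
fi
```

The same exact match can be pushed into Tshark itself with `-Y "http.request and ip.src==192.168.1.100"`, which is faster on large captures; the awk form is useful when the field output has already been saved to a file and is being queried repeatedly.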

15. Analyze VoIP Calls (SIP/RTP)

Extract SIP calls:

tshark -r voip.pcap -Y "sip" 

What Undercode Says

Tshark is an indispensable tool for network analysts, cybersecurity professionals, and sysadmins. Its ability to dissect live traffic and analyze stored captures makes it a must-have in any security toolkit. Mastering Tshark commands enhances capabilities in intrusion detection, forensics, and network diagnostics.

Expected Output:

Capturing on 'eth0'
1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 443 → 54322 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
2 0.000123 192.168.1.2 → 192.168.1.1 TCP 66 54322 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0

Prediction

As encrypted traffic grows, Tshark’s role in SSL/TLS decryption and deep packet inspection will become even more critical in cybersecurity operations.

Reported By: Hackers Feeds