Packet Analysis with Tshark
Packet Analysis with Tshark
Navigation
Sections in This Note
Tshark
Tshark is a command line tool created by the Wireshark team, sharing the same parsing engine as Wireshark, but with the "from command line" advantage — ideal for batch analysis, offline processing, and routine automation of traffic analysis tasks.
# Version of Tshark
tshark -v
# Supported network interfaces for monitoring
tshark -D
# Sniff on eth0
tshark -i eth0
# Read a file and display packet list
tshark -r HTTP_traffic.pcap
# Total number of packets in the file
tshark -r HTTP_traffic.pcap | wc -l
# List of protocols
tshark -r HTTP_traffic.pcap -z io,phs -q
Filtering Basics: HTTP
HTTP is one of the most common protocols on the Internet. Unfortunately, HTTP is plain text, so an attacker with network access can sniff and read packet data effortlessly.
# Show only HTTP traffic
tshark -Y 'http' -r HTTP_traffic.pcap
# Show only IP packets from 192.168.252.128 to 52.32.74.91
tshark -r HTTP_traffic.pcap -Y 'ip.src==192.168.252.128 && ip.dst==52.32.74.91'
# Show only GET request packets
tshark -r HTTP_traffic.pcap -Y 'http.request.method==GET'
# Print source IP and URL for all GET requests
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
# HTTP packets containing "password" string
tshark -r HTTP_traffic.pcap -Y "http contains password"
External Sources
Visual Diagram
flowchart TD A[PCAP]-->B[Protocol Summary] B-->C[Filters] C-->D[Fields] D-->E[Findings]