Although Wireshark is a mighty good tool, pure Linux folk just love the command line and are not great fans of GUI’s. So isn’t it great that when you install Wireshark it also installs the command live version as well! Learning tshark basics is an excellent way to improve your network skills for CTF challenges. In this write up I will go through some of the basics with tshark building on the command with each example.
What is Tshark?
For the uninitiated, tshark is the CLI component of Wireshark. Wireshark comes it many command line utilities but Tshark has the most features like Wireshark. Tshark is just as good as wireshark for most tasks and far better for scripting.
I will be using my BackArch system build that I created in previous blog post. However, You can use any Kali, BlackArch, Parrot or just standard Linux to proceed. Just use your package manager to install “tshark“. Also be sure to use the root account. Otherwise you will have to use sudo to run the commands.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.17 – This my test vm.
Using live traffic
Tshark can grab live traffic from network interfaces or it can use pcap files. So to get a list of network interfaces that can be used to capture traffic.
Connect to the interface enp0s8 and capture 2 packets.
tshark -i enp0s8 -c 2
Again Connect to the interface enp0s8 and capture 2 icmp packets.
tshark -i enp0s8 -c 2 -f "icmp"
Connect to the interface enp0s8 and capture 2 icmp packets from ip address 192.168.186.17
tshark -i enp0s8 -c 2 -f "icmp and src 192.168.186.17"
Connect to the interface enp0s8, capture 2 icmp packets from ip address 192.168.186.17 and display the hex output.
tshark -i enp0s8 -c 2 -f "icmp and src 192.168.186.17" -x
Tshark with pcap files
Capture 500 network packets into a file called /tmp/out.pcap.
tshark -i enp0s8 -c 500 -w /tmp/out.pcap
Read 10 packets from /tmp/out.pcap. Note that -c (packet count) and -Y (display filters) do not work well together. Because the packet count will be done before the filter is applied and might yield unexpected results.
tshark -r /tmp/out.pcap -c 10
When using pcap files you cant use “-f” as this is for capture filters. However, you must use “-Y” as the packets are already captured in the file. The “-Y option is called a display filter and works similar to wireshark filters.
This example displays “icmp” packets from host 18.104.22.168
tshark -r /tmp/out.pcap -Y "ip.src==192.168.186.150 and icmp"
Display Packets that don’t have the IP 192.168.186.150
tshark -r /tmp/out.pcap -Y "not ip.addr==192.168.186.150"