Skip to content
Tshark Basics

Tshark Basics Howto

Published by tomkraz on 17 March 2022

Although Wireshark is a mighty good tool, pure Linux folk just love the command line and are not great fans of GUI’s. So isn’t it great that when you install Wireshark it also installs the command live version as well! Learning tshark basics is an excellent way to improve your network skills for CTF challenges. In this write up I will go through some of the basics with tshark building on the command with each example.

What is Tshark?

For the uninitiated, tshark is the CLI component of Wireshark. Wireshark comes it many command line utilities but Tshark has the most features like Wireshark. Tshark is just as good as wireshark for most tasks and far better for scripting.

Setup

My Network

I will be using my BackArch system build that I created in previous blog post.  However, You can use any Kali, BlackArch, Parrot or just standard Linux to proceed. Just use your package manager to install “tshark“. Also be sure to use the root account. Otherwise you will have to use sudo to run the commands.

  • 192.168.186.150 – This is my BlackArch enumeration system.
  • 192.168.186.17 – This my test vm.

Using live traffic

Tshark can grab live traffic from network interfaces or it can use pcap files. So to get a list of network interfaces that can be used to capture traffic. 

tshark -D
TShark interfaces

Connect to the interface enp0s8 and capture 2 packets. 

tshark -i enp0s8 -c 2
2 packets

Again Connect to the interface enp0s8 and capture 2 icmp packets. 

tshark -i enp0s8 -c 2 -f "icmp"
icmp

Connect to the interface enp0s8 and capture 2 icmp packets from ip address 192.168.186.17

tshark -i enp0s8 -c 2 -f "icmp and src 192.168.186.17"
source capture

Connect to the interface enp0s8, capture 2 icmp packets from ip address 192.168.186.17 and display the hex output. 

tshark -i enp0s8 -c 2 -f "icmp and src 192.168.186.17" -x
Hex capture

Tshark with pcap files

Capture 500 network packets into a file called /tmp/out.pcap. 

tshark -i enp0s8 -c 500 -w /tmp/out.pcap

Read 10 packets from /tmp/out.pcap. Note that -c (packet count) and -Y (display filters) do not work well together. Because the packet count will be done before the filter is applied and might yield unexpected results. 

tshark -r /tmp/out.pcap -c 10

When using pcap files you cant use “-f” as this is for capture filters. However, you must use “-Y” as the packets are already captured in the file. The “-Y option is called a display filter and works similar to wireshark filters.

This example displays “icmp” packets from host 8.8.8.8

tshark -r /tmp/out.pcap -Y "ip.src==192.168.186.150 and icmp"

Display Packets that don’t have the IP 192.168.186.150

tshark -r /tmp/out.pcap -Y "not  ip.addr==192.168.186.150"

Final TIPs and Tricks

  • If you want to pipe the output into something like the grep command for live traffic, you need to close the connecting. Adding -c <number> to stop after a certain packet count is reached will do that.
  • List of display filters.
  • List of capture filters

Published inCTFGetting Started With CTF ChallengeskaliLinux

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *