Tshark Cheat Sheet

Tshark is a terminal-oriented version of Wireshark. It's a network protocol analyzer.

Basic Capture

tshark

# -i: interface (default: eth0)
tshark -i tun0
# --list-interface: List interfaces available
tshark --list-interfaces

# -r: Use a captured file
tshark -r example.pcapng

# Number of packets
tshark -r example.pcapng | wc -l

# Hex dump
tshark -r example.pcapng --hexdump all

Filtering

We can filter packets using -Y option.

Protocols

# HTTP
tshark -Y 'http'

# ICMP
tshark -Y 'icmp'

# TCP/UDP
tshark -Y 'tcp'
tshark -Y 'udp'

IP Address

tshark -Y 'ip.addr == 127.0.0.1'

# Source address
tshark -Y 'ip.src == 127.0.0.1'

# Destination address
tshark -Y 'ip.dst == 127.0.0.1'

Dump Transferred Data

tshark -r example.pcapng -T fields -e data -Y "ip.src == 10.0.0.2 and ip.dst == 10.0.0.3" > data.txt

PreviousWireshark Cheat Sheet NextMaster assessment mindmaps

Last updated 1 month ago

hashtagBasic Capture

hashtagFiltering

hashtagProtocols

hashtagIP Address

hashtagDump Transferred Data

Basic Capture

Filtering

Protocols

IP Address

Dump Transferred Data