Introducing the Wireshark command Line Interface: The TShark

TShark is designed as a CLI or command-line interface of Wireshark for capturing and analyzing packets right from the CLI. Most people are unaware of TShark as opposed to commonly used Wireshark. TShark comes included with Wireshark. This is particularly helpful when a GUI is not available. All the options used in Wireshark are also supported here. For e.g. captured packets can be stored in a file and later retrieved for analysis. The default capture file format is pcapng which is the same as used by Wireshark. The benefit of using TShark is that it can be included in scripts (it can be used inside a python script) and can be used on remote systems via SSH. The drawback is of course that it does not have a GUI.

Like Wireshark, TShark is available for major operating systems: Linux, Mac OS, Windows.

What will we cover here?

In this tutorial, we will explain to you about TShark and present you with some basic use cases. Let’s dive in with TShark. For this guide, we will be using Kali Linux which comes pre-shipped with both the WireShark and TShark.

What will you need?

In fact, you do need to have a deep understanding of concepts of computer networks and related protocols like TCP/IP etc. Also in some cases, administrative rights may be required.

Installation of TShark

TShark comes pre-installed on Kali Linux. For installing on Ubuntu/Debian system use the command:

$ sudo apt install tshark

For Other distributions, use the default installation way for installing TShark. To check the version of TShark on your system, open a terminal and enter:

$ tshark -v

TShark vs Tcpdump

TShark has the same capability as that of Wireshark. TShark works the same way as that of tcpdump when no option is used. Even TShark is capable of replacing tcpdump. Let us compare the two tools for a moment. Look at the screenshot below, we have run both the tools without any option:

TShark vs Tcpdump
If you observe carefully, you will notice that TShark output is more human-readable as compared to tcpdump. TShark uses the pcap library for capturing packets. By default it will write the output file in the pcapng format. If you want some other format, then use the '-F' option to list and select from available formats. 

Hands-on with TShark

Let us now turn to see some use cases for TShark. We first start with checking the available interface for TShark to capture on. Depending on your method of installation, you may need to have ‘sudo’ privileges. Run the below command to get the list of available interfaces:

$ tshark –D


Listing the interfaces

Choosing the Interface to Listen on

By default, TShark captures on the first interface it sees. Hence from the list above, TShark will set its target on ‘eth0’. Therefore if we do not specify the interface it will automatically use the ‘eth0’ interface. However we want to explicitly define the interface, we will need to use the ‘-i’ option:

$ tshark -i eth0

In this way, TShark will capture everything going through it. If we want we can limit the capture limit to few packets, say to 10 packets, by using the ‘-c’ or packet count option:

$ tshark -i eth0 -c 10

Storing the Capture Files

One good thing that TShark has is that we can save the captures to a file for later use. In the above command use a ‘-w’ option to save the capture to a file, say mycapture.pcap:

$ tshark -c 500 -w mycapture.pcap

Saving the capture file

To read the above file, use the command:

$ tshark -r mycapture.pcap

The output of the above command will be displayed on the terminal.

Specifying a Target Host

We can set TShark to filter traffic going to and coming from a specific host, for e.g. google.com. To demonstrate this, let us send a ping request to ‘google.com’ 

$ ping google.com

Now we run the TShark command to capture on the above traffic:

$ tshark -i eth0 -c 10 host google.com


Specifying a host for TShark

Note: We can also use the IP address of the host instead of the hostname. 

The above command contains all the ping requests sent to and from the host(google.com). To filter out the incoming traffic, use the command:

$ tshark -i eth0 src host google.com

Applying a source filter on the host
In the same way, use the below command to filter out outgoing traffic:

$ tshark -i eth0 dst host google.com


Applying a destination filter on the host

Similar to a ping request, we can also run a Nmap scan and save our results to a file or analyze it directly with TShark.

Conclusion

TShark is a very essential tool for security analyzers.  This article is just touching the surface to let you know what you can do with TShark. There is a whole world of great possibilities with TShark. To explore more about TShark go to https://www.wireshark.org/docs/ where you will find training videos, guides etc. Man pages for TShark also store huge information sources.

Share this page:

Suggested articles

0 Comment(s)

Add comment