Tshark: 7 Tips on Wireshark’s Command-Line Packet Capture Tool

If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file in which you don’t have all the packets of interest will waste your time. You aren’t seeing a true picture of the traffic, and, when you analyze the trace file in Wireshark after the capture, you will likely see the ‘Expert’ complain about problems which don’t actually exist. There is a solution, and you may not even realize that you already have it: Tshark!

When you installed Wireshark, you likely also installed a set of command-line interface (CLI) tools into the Wireshark program file directory. One of these CLI tools is Tshark. Tshark can be used to capture and analyze traffic. It offers more functionality than the standard tcpdump and may become your go-to tool to grab the right packets from the network.

Why use Tshark? When capturing on a busy network interface, you may find that Wireshark can’t keep up with the packet rate. Many factors affect Wireshark’s capture capabilities. If you are running lots of processes on your host, Wireshark may just not be able to keep up with the capture process. If this happens, Wireshark may display “Dropped: [number/percentage]” on the Status Bar, as shown below.

[Figure: Dropped Packets… Nooooooo!!!!]

Interestingly, Tshark can’t capture traffic itself. It calls another Wireshark CLI tool, Dumpcap, to capture the traffic. You could use Dumpcap to capture the traffic, but Dumpcap doesn’t have all the features that Tshark offers. In this article, we’ll work with Tshark as our capture tool.

Tip 1: Add the Wireshark Program Directory to Your Path

First – you want to add the Wireshark program directory to your path, so you don’t have to type “[drive/directory]:\tshark” each time you run the commands.

On Windows, add the Wireshark program directory to your System Properties | Advanced | Environment Variables | System Variables | Path settings. For other operating systems and OS versions, I suggest you just look up the latest complete steps to add a directory to your path.

Tip 2: Run -h to List All Tshark Parameters

No, I don’t expect you to memorize all the Tshark parameters by the end of this article… all you need to know is the -h parameter at this time.

[Figure: -h Lists All Parameters]

Tip 3: Run the tshark -D Parameter to View Your Interface List

Since all of our systems have more than one interface these days, we need to find out the number of the interface before we begin capture.

Note: I’ve created a directory called TsharkTips in which my capture files will be saved when I choose to save to disk. Since I’ve added Wireshark to my path, I can simply type the tshark command while inside that directory. I don’t need to precede the tshark command with the directory location of the executable.

Type tshark -D and press Enter. Tshark lists your available interfaces. If you don’t see an interface listed, there’s something wrong with your packet capture library (libpcap, Npcap, USBPcap, or the old WinPcap). You can’t capture traffic unless one of those packet capture libraries is running. They are typically installed during the Wireshark install process.

[Figure: -D Lists Available Interfaces]

On my system, I will be capturing on interface number 3 – my primary Ethernet interface.

Tip 4: Use -i to Define Your Interface Number During Your Capture

Let’s just do a quick capture to test your interface selection.

Replace my “-i3” with your interface information. You’ll need to manually stop the capture using Ctrl+C (or equivalent).

[Figure: -i Defines Interface to Capture Traffic]

Well… that’s interesting. I’m writing this article from my home on a Sunday – my AT&T Uverse TV is tuned into the Saints/Titans football game. My host is capturing all the multicast traffic for the NFL game.

I really don’t want to see that traffic in my capture. This is a perfect example of why you may want to use a capture filter during your command-line capture.

Tip 5: Use -f to Apply a Capture Filter

Tshark supports the Berkeley Packet Filter (BPF) format for capture filters. That’s the same filter format used by tcpdump, so if you need help with these, check out https://www.tcpdump.org/manpages/pcap-filter.7.html.

In my example, I want to filter out all of that multicast traffic during the capture process. Rather than filter on the target multicast address, I’m going to filter based on the source IP address, since all traffic from that source will be AT&T Uverse traffic.

Here are some common capture filter examples:

Capture filter           Traffic captured
host 10.1.1.1            all to/from IP address 10.1.1.1
host www.google.com      all to/from www.google.com*
net 10.1.0.0/16          all to/from IP subnet 10.1
port 53                  all to/from port 53 (UDP/TCP)
tcp portrange 1-25       TCP traffic on ports 1-25
not broadcast            all except broadcast traffic
!arp                     all except ARP traffic
tcp and not port 80      all TCP traffic except traffic to/from port 80

I’m going to use “not host 71.157.125.1349” during my capture.

[Figure: -f Applies a Capture Filter]

That’s a lot better! Now I can keep watching the NFL on TV and still see the other traffic in my capture.

So far, our captures have only been displayed on the screen. We want to capture our traffic to a .pcapng file, so we can analyze our traffic inside Wireshark.

Note: Capturing from inside Wireshark is often not the best method. Wireshark itself can’t actually capture traffic – Wireshark calls Dumpcap to perform the capture.

Tip 6: Use -w to Write to a File

The -w parameter writes your capture to a file (or to a set of files if you are capturing to file sets, which we will do next).

[Figure: -w Writes Capture to a File]

Notice that when you save to a file using just the -w parameter, Tshark just provides a capture packet count. You don’t see the packets listed on the screen as you have before this step.

Tip 6b: Use -O, -P, -V, -S to View Information While Writing to a File

Here are four interesting parameters to use when you want to see those packets during the capture process while writing to a file:

-O <protocols>    shows packet details of the listed protocol(s), comma-separated
-P                shows the packet summary even when writing to a file
-V                shows the packet tree (Packet Details window information)
-S <separator>    adds a line separator between packets

WARNING: If you don’t change the file name, Tshark overwrites your previous file – there is no warning whatsoever. In my examples, I don’t care. I’ll just keep overwriting my noNFL.pcapng trace file as I move along.

My preferred parameter is -P as that simply gives me the Packet Information pane information that I saw before using the -w parameter.

[Figure: Options to View Data While Writing to a File]

Tip 7: Use the Tshark Autostop Condition

If you, like me, would rather watch the football game and not focus on stopping the capture manually anymore, let’s check out Tshark’s autostop options.

Tshark offers two autostop options:

-c <packet count>       stop after n packets
-a <autostop cond.>…    stop when the given condition is met:
    duration: NUM – stop after NUM seconds
    filesize: NUM – stop this file after NUM KB
    files: NUM – stop after NUM files

In my example below, I will automatically stop after 20 seconds by using the -a duration:20 parameter.

[Figure: Autostop Options]

How can you check to see if you truly captured just 20 seconds of traffic? Try out the Capinfos tool, another CLI tool included with Wireshark.

Type capinfos <filename> and press Enter. The <filename> parameter is optional if you only have one file in your directory or you want to see the capture information of all files in the current directory.

[Figure: Capinfos Example]

Capinfos indicates that my file is 19.273186 seconds. Tshark will not capture for exactly 20 seconds if a packet is arriving on the 20-second threshold. It will capture the packets that arrive within the defined time only.
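The Tip 3 through Tip 7 workflow as one small shell script, an added example that is not from the article. It assumes tshark and capinfos are on your PATH (Tip 1) and a Linux or macOS shell (the tshark options are the same on Windows); 192.0.2.1 is a placeholder for the set-top box address, and the interface-list and capinfos text formats described in the comments are what those tools print.

```bash
#!/bin/sh
# Added example, not from the original article: wraps the Tip 3-7 workflow.
# Assumes tshark and capinfos are on PATH (Tip 1) and a Linux/macOS shell;
# the tshark options themselves are identical on Windows.
set -eu

# Tip 3: resolve an interface name to its number from `tshark -D` output
# (lines look like "3. eth0" on Linux or "3. \Device\NPF_{...} (Ethernet)"
# on Windows). Prints nothing if the name is not listed.
iface_number() {            # $1 = text of `tshark -D`, $2 = interface name
  printf '%s\n' "$1" | awk -v n="$2" \
    '$2 == n || index($0, "(" n ")") { sub(/\.$/, "", $1); print $1; exit }'
}

# Tips 4-7: sanity-check a capture request before starting it. The autostop
# duration must be a positive integer, and because tshark silently overwrites
# an existing -w file (see the warning in Tip 6b), an existing output file
# is rejected instead of being clobbered.
validate_request() {        # $1 iface, $2 BPF filter, $3 outfile, $4 seconds
  case "$4" in
    ''|*[!0-9]*|0) echo "duration must be a positive integer" >&2; return 1 ;;
  esac
  if [ -e "$3" ]; then
    echo "refusing to overwrite existing capture: $3" >&2; return 1
  fi
}

# Tip 7 check: read the "Capture duration:" line of capinfos output and
# confirm it does not exceed the requested autostop duration.
duration_within_limit() {   # $1 = text of `capinfos <file>`, $2 = limit (s)
  local dur
  dur=$(printf '%s\n' "$1" | awk '/^Capture duration:/ { print $3; exit }')
  [ -n "$dur" ] || return 1
  awk -v d="$dur" -v l="$2" 'BEGIN { exit !(d <= l) }'
}

# Glue: capture with -P so the packet summary still prints while writing
# (Tip 6b), then verify the finished file with capinfos.
capture_and_verify() {      # $1 iface, $2 filter ('' for none), $3 outfile, $4 seconds
  command -v tshark >/dev/null && command -v capinfos >/dev/null \
    || { echo "tshark/capinfos not on PATH (see Tip 1)" >&2; return 1; }
  validate_request "$1" "$2" "$3" "$4" || return 1
  if [ -n "$2" ]; then tshark -P -i "$1" -f "$2" -w "$3" -a "duration:$4"
  else tshark -P -i "$1" -w "$3" -a "duration:$4"; fi
  duration_within_limit "$(capinfos "$3")" "$4"
}
# Usage (192.0.2.1 is a placeholder address, not the author's set-top box):
#   capture_and_verify 3 'not host 192.0.2.1' noNFL.pcapng 20
```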

Excellent! You now know why we use Tshark (the Wireshark “dropped” issue), and you’ve mastered these key skills to use Tshark! Spend some time checking out the parameters available with Tshark. It is a full-functioned capture tool that should be in everyone’s tool chest.

Until next time…


Author Bio

Laura Chappell is the Founder of Protocol Analysis Institute, Inc., Founder of Chappell University, and the creator of the WCNA Certification program (formerly known as the Wireshark Certified Network Analyst certification program). Laura teaches Wireshark courses online and offers on-demand training through the All Access Pass (www.chappell.talentlms.com).

Since 1991, Laura has been living, eating, and breathing in the packet-level world. Besides being the author of numerous best-selling books on network analysis, troubleshooting, and network forensics, Laura is hailed as a top-notch, entertaining presenter who can detail the most effective methods to locate network issues.

Laura Chappell can be reached via www.chappell-university.com, www.wcnacertification.com, and on Twitter, LinkedIn, and Facebook. Get the latest information on Laura’s research, writing, and presentations by signing up for her “In Laura’s Lab” Newsletter at www.chappell-university.com.

Copyright ©2020 Caendra, Inc.
