If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file in which you don’t have all the packets of interest will waste your time. You aren’t seeing a true picture of the traffic, and, when you analyze the trace file in Wireshark after the capture, you will likely see the ‘Expert’ complain about problems which don’t actually exist. There is a solution, and you may not even realize that you already have it: Tshark!
When you installed Wireshark, you likely also installed a set of command-line interface (CLI) tools into the Wireshark program file directory. One of these CLI tools is Tshark. Tshark can be used to capture and analyze traffic. It offers more functionality than the standard tcpdump and may become your go-to tool to grab the right packets from the network.
Why use Tshark? When capturing on a busy network interface, you may find that Wireshark can’t keep up with the packet rate. Many factors affect Wireshark’s capture capabilities. If your host is busy running lots of other processes, Wireshark may simply not drain the capture buffer fast enough, and the capture library discards whatever doesn’t fit. When this happens, Wireshark displays “Dropped: [number (percentage)]” on the Status Bar.
Interestingly, Tshark can’t capture traffic itself. It calls another Wireshark CLI tool, Dumpcap, to capture the traffic. You could use Dumpcap to capture the traffic, but Dumpcap doesn’t have all the features that Tshark offers. In this article, we’ll work with Tshark as our capture tool.
Tip 1: Add the Wireshark Program Directory to Your Path
First – you want to add the Wireshark program directory to your path, so you don’t have to type “[drive/directory]:\tshark” each time you run the commands.
On Windows, add the Wireshark program directory to your System Properties | Advanced | Environment Variables | System Variables | Path settings. For other operating systems and OS versions, I suggest you just look up the latest complete steps to add a directory to your path.
Tip 2: Run -h to List All Tshark Parameters
No, I don’t expect you to memorize all the Tshark parameters by the end of this article… all you need to know is the -h parameter at this time.
Tip 3: Run the tshark -D Parameter to View Your Interface List
Since all of our systems have more than one interface these days, we need to find out the number (or the name) of the interface before we begin capture. Tshark’s -i parameter accepts either the number from this list or the interface name.
Note: I’ve created a directory called TsharkTips in which my capture files will be saved when I choose to save to disk. Since I’ve added Wireshark to my path, I can simply type the tshark command while inside that directory. I don’t need to precede the tshark command with the directory location of the executable.
Type tshark -D and press Enter. Tshark lists your available interfaces. If you don’t see an interface listed, either your packet capture library (libpcap, Npcap, USBPcap, or the old WinPcap) isn’t loaded, or your account isn’t allowed to open the capture devices (run from an elevated prompt on Windows; on Linux, run as root or add your account to the group your distribution uses for capture, often called wireshark). You can’t capture traffic unless one of those packet capture libraries is running. They are typically installed during the Wireshark install process.
On my system, I will be capturing on interface number 3 – my primary Ethernet interface.
Tip 4: Use -i to Define Your Interface Number During Your Capture
Let’s just do a quick capture to test your interface selection.
Replace my “-i3” with your interface information. You’ll need to manually stop the capture using Ctrl+C (or equivalent).
Well… that’s interesting. I’m writing this article from my home on a Sunday – my AT&T Uverse TV is tuned into the Saints/Titans football game. My host is capturing all the multicast traffic for the NFL game.
I really don’t want to see that traffic in my capture. This is a perfect example of why you may want to use a capture filter during your command-line capture.
Tip 5: Use -f to Apply a Capture Filter
Tshark supports the Berkeley Packet Filter (BPF) syntax for capture filters. That’s the same filter syntax used by tcpdump, so if you need help with these, check out https://www.tcpdump.org/manpages/pcap-filter.7.html. A capture filter is applied by the capture library before a packet is handed to Tshark, so filtered-out packets cost almost nothing; that is the difference between it and a display filter (-Y), which is evaluated only after the packet has been captured and dissected.
In my example, I want to filter out all of that multicast traffic during the capture process. Rather than filter on the target multicast address, I’m going to filter based on the source IP address, since all traffic from that source will be AT&T Uverse traffic.
Here are some common capture filter examples:

| Capture filter | Matches |
| --- | --- |
| host 10.1.1.1 | all to/from IP address 10.1.1.1 |
| host www.google.com | all to/from www.google.com* |
| net 10.1.0.0/16 | all to/from IP subnet 10.1.0.0/16 |
| port 53 | all to/from port 53 (UDP or TCP) |
| tcp portrange 1-25 | TCP traffic on ports 1 through 25 |
| not broadcast | all except broadcast traffic |
| !arp | all except ARP traffic (same as not arp; quote it in bash, where ! is special) |
| tcp and not port 80 | all TCP traffic except traffic to/from port 80 |

* A host name is resolved once, when the capture starts; if it resolves to several addresses, the filter matches all of them, but addresses the name resolves to later are not covered.
I’m going to use “not host 220.127.116.119” during my capture.
That’s a lot better! I’m still watching the NFL on the TV, but the capture now shows only the rest of my traffic.
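Putting Tips 3 through 5 together, here is a small POSIX shell script, added as an example here and not code from the article: it looks up the interface number that tshark -D assigned to an interface name, composes a capture filter that excludes one or more noisy hosts, and starts the capture. It assumes Tshark is on your PATH (Tip 1) and that your account is allowed to capture; the function names iface_number, exclude_hosts and capture are my own, and the host in the usage line is just the article’s example address.

```shell
#!/bin/sh
# Added example (not code from the article). Assumes tshark is on PATH and
# that this account may open capture devices. Function names are my own.

# iface_number LISTING NAME: print the number tshark -D assigned to NAME.
# tshark -D lines look like "1. eth0", "3. lo (Loopback)" or, on Windows,
# "4. \Device\NPF_{...} (Ethernet)", so NAME may be either the device name
# or the description in parentheses. Prints nothing when there is no match.
iface_number() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[0-9]+\. / {
            num = $1; sub(/\.$/, "", num)
            rest = $0; sub(/^[0-9]+\. /, "", rest)
            if (rest == name || index(rest, name " ") == 1 || index(rest, "(" name ")") > 0) {
                print num
                exit
            }
        }'
}

# exclude_hosts BASE [HOST ...]: print BASE (a BPF expression, may be empty)
# narrowed to exclude every HOST, e.g. "(port 53) and not (host A or host B)".
# The parentheses keep BPF's "and"/"or" precedence unambiguous.
exclude_hosts() {
    base=$1
    shift
    excl=
    for h in "$@"; do
        if [ -z "$excl" ]; then excl="host $h"; else excl="$excl or host $h"; fi
    done
    if [ -z "$excl" ]; then
        printf '%s\n' "$base"
    elif [ -z "$base" ]; then
        printf 'not (%s)\n' "$excl"
    else
        printf '(%s) and not (%s)\n' "$base" "$excl"
    fi
}

# capture IFACE [FILTER]: start tshark on IFACE (number or name; -i accepts
# both) with an optional capture filter. Without -w the packet summary goes
# to the screen; stop it with Ctrl+C.
capture() {
    if [ -n "$2" ]; then
        tshark -i "$1" -f "$2"
    else
        tshark -i "$1"
    fi
}

# Usage: sh capture.sh <interface name> [noisy host ...]
# e.g.   sh capture.sh eth0 220.127.116.119
if [ "$#" -ge 1 ]; then
    name=$1
    shift
    num=$(iface_number "$(tshark -D)" "$name")
    if [ -z "$num" ]; then
        echo "tshark -D lists no interface named '$name'; check the capture library and your permissions" >&2
        exit 1
    fi
    filter=$(exclude_hosts '' "$@")
    printf 'capturing on %s (interface %s) with filter "%s"\n' "$name" "$num" "$filter"
    capture "$num" "$filter"
fi
```

On Windows the device names are \Device\NPF_{GUID} strings, so match on the description in parentheses (for example Ethernet) rather than on the device name. The filter is passed to -f as a single quoted argument, which is also how to avoid the shell interpreting characters such as ! or parentheses.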
So far, our captures have only been displayed on the screen. We want to capture our traffic to a .pcapng file, so we can analyze our traffic inside Wireshark.
Note: Capturing from inside Wireshark is often not the best method. Wireshark itself doesn’t capture packets either; like Tshark, it launches Dumpcap to do the capture, and the GUI then has to dissect and display every packet while the capture is running, which is the work that falls behind on a busy link.
Tip 6: Use -w to Write to a File
The -w parameter is used to write your capture to a file (or to a set of files, if you combine it with the -b ring buffer options).
Notice that when you save to a file using just the -w parameter, Tshark just provides a capture packet count. You don’t see the packets listed on the screen as you have before this step.
Tip 6b: Use -O, -P, -V, or -S to View Information While Writing to a File
Here are four interesting parameters to use when you want to see those packets during the capture process while writing to a file:

| Parameter | Effect |
| --- | --- |
| -O <protocols> | show the packet details for the listed protocol(s) only, comma-separated |
| -P | print the one-line packet summary even when writing to a file |
| -V | print the full packet tree (the Packet Details pane information) |
| -S <separator> | print <separator> on a line of its own between packets |
WARNING: If you don’t change the file name, Tshark overwrites your previous file, with no warning whatsoever. In my examples, I don’t care. I’ll just keep overwriting my noNFL.pcapng trace file as I move along.
My preferred parameter is -P, as it simply gives me the same one-line summaries (the Packet List pane information) that I saw before I started using -w.
Tip 7: Use the Tshark Autostop Condition
If you, like me, would rather watch the football game and not focus on stopping the capture manually anymore, let’s check out Tshark’s autostop options.
Tshark offers two autostop options:

| Parameter | Effect |
| --- | --- |
| -c <packet count> | stop after that many packets |
| -a <autostop condition> | stop when the condition is met; the conditions are: |
| duration:NUM | stop after NUM seconds |
| filesize:NUM | stop after the current file reaches NUM kB |
| files:NUM | stop after NUM files have been written (meaningful when -b file rotation is in use) |
In my example below, I will automatically stop after 20 seconds by using the -a duration:20 parameter.
How can you check to see if you truly captured just 20 seconds of traffic? Try out the Capinfos tool, another CLI tool included with Wireshark.
Type capinfos <filename> and press Enter. Capinfos needs at least one file name; to see the capture information for every trace file in the current directory, give it a wildcard such as capinfos *.pcapng.
Capinfos indicates that my file spans 19.273186 seconds. That isn’t a bug: -a duration:20 tells Dumpcap to stop 20 seconds after the capture starts, while Capinfos reports the time between the first and the last packet in the file. Nothing is recorded before the first packet arrives or after the last one, so the reported duration is always at or below the limit you set, and usually a little less.
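Here is the autostop capture from Tip 7 with a post-capture check, added as an example rather than taken from the article: it runs a time-limited capture, reads what Tshark printed to stderr to find out whether any packets were dropped, then uses Capinfos to confirm the packet count and the on-disk duration. It assumes tshark and capinfos are on your PATH; the function names are mine, and the parsers expect the line formats those tools print (Tshark’s “N packets captured” and “N packets dropped” lines, Capinfos’ “Number of packets:” and “Capture duration:” lines). The sample text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not code from the article). Assumes tshark and capinfos are
# on PATH. Function names are my own; the parsers expect the line formats
# those tools print, shown in the comments.

# dropped_count TEXT: number of packets tshark reported as dropped in the
# text it wrote to stderr, e.g. "1234 packets captured" followed by
# "7 packets dropped from eth0". Prints 0 when no such line is present.
dropped_count() {
    printf '%s\n' "$1" | awk '/^[0-9]+ packets? dropped/ { n += $1 } END { print n + 0 }'
}

# capinfos_duration TEXT: the value from a "Capture duration:    19.27 seconds"
# line as printed by capinfos -u. This is first packet to last packet.
capinfos_duration() {
    printf '%s\n' "$1" | awk -F': *' '/^Capture duration:/ { split($2, f, " "); print f[1]; exit }'
}

# capinfos_packets TEXT: the value from a "Number of packets:   1234" line
# (capinfos -c; add -M so large counts are not abbreviated to "1 k").
capinfos_packets() {
    printf '%s\n' "$1" | awk -F': *' '/^Number of packets:/ { gsub(/,/, "", $2); print $2 + 0; exit }'
}

# duration_ok GOT WANT [SLACK]: succeed when GOT is consistent with
# "-a duration:WANT". Dumpcap stops WANT seconds after the capture starts, but
# capinfos measures first-to-last packet, so GOT can only be <= WANT; a GOT
# far below WANT means the link was quiet or the capture died early.
duration_ok() {
    awk -v got="$1" -v want="$2" -v slack="${3:-2}" \
        'BEGIN { exit !(got <= want && got >= want - slack) }'
}

# Usage: sh capture_check.sh <iface> <seconds> <outfile> [capture filter]
# e.g.   sh capture_check.sh 3 20 noNFL.pcapng 'not host 220.127.116.119'
if [ "$#" -ge 3 ]; then
    iface=$1; secs=$2; out=$3; filter=${4:-}
    err=$(mktemp)
    # -P keeps the one-line summaries on screen while -w writes the file;
    # -a duration:N stops the capture for us (Tip 7).
    set -- tshark -i "$iface" -a "duration:$secs" -w "$out" -P
    if [ -n "$filter" ]; then set -- "$@" -f "$filter"; fi
    "$@" 2>"$err"
    lost=$(dropped_count "$(cat "$err")")
    rm -f "$err"
    info=$(capinfos -cuM "$out")
    pkts=$(capinfos_packets "$info")
    dur=$(capinfos_duration "$info")
    printf '%s: %s packets, %s seconds on disk, %s dropped\n' "$out" "$pkts" "$dur" "$lost"
    if [ "$lost" -gt 0 ]; then
        echo "the capture library dropped packets; this trace is not a true picture of the traffic" >&2
        exit 2
    fi
    if ! duration_ok "$dur" "$secs"; then
        echo "on-disk duration $dur s does not fit a $secs s autostop" >&2
        exit 3
    fi
fi
```

A non-zero dropped count is the condition the start of this article warns about: the trace is incomplete, so treat the Expert warnings in it with suspicion and capture again. For long-running captures, replace -a duration:N with rotation, for example -b duration:60 -b files:10, and run the same Capinfos checks over each file of the set.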
Excellent! You now know why we use Tshark (the Wireshark “dropped” issue), and you’ve mastered these key skills to use Tshark! Spend some time checking out the parameters available with Tshark. It is a full-featured capture tool that should be in everyone’s tool chest.
Until next time…
Laura Chappell is the Founder of Protocol Analysis Institute, Inc., Founder of Chappell University, and the creator of the WCNA Certification program (formerly known as the Wireshark Certified Network Analyst certification program). Laura teaches Wireshark courses online and offers on-demand training through the All Access Pass (www.chappell.talentlms.com).
Since 1991, Laura has been living, eating, and breathing in the packet-level world. Besides being the author of numerous best-selling books on network analysis, troubleshooting, and network forensics, Laura is hailed as a top-notch, entertaining presenter who can detail the most effective methods to locate network issues.
Laura Chappell can be reached via www.chappell-university.com, www.wcnacertification.com, and on Twitter, LinkedIn, and Facebook. Get the latest information on Laura’s research, writing, and presentations by signing up for her “In Laura’s Lab” Newsletter at www.chappell-university.com.