Tshark: 7 Tips on Wireshark’s Command-Line Packet Capture Tool

If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file in which you don’t have all the packets of interest will waste your time. You aren’t seeing a true picture of the traffic, and, when you analyze the trace file in Wireshark after the capture, you will likely see the ‘Expert’ complain about problems which don’t actually exist. There is a solution, and you may not even realize that you already have it: Tshark!

When you installed Wireshark, you likely also installed a set of command-line interface (CLI) tools into the Wireshark program file directory. One of these CLI tools is Tshark. Tshark can be used to capture and analyze traffic. It offers more functionality than the standard tcpdump and may become your go-to tool to grab the right packets from the network.

Why use Tshark? When capturing on a busy network interface, you may find that Wireshark can’t keep up with the packet rate. Many factors affect Wireshark’s capture capabilities. If you are running lots of processes on your host, Wireshark may just not be able to keep up with the capture process. If this happens, Wireshark may display “Dropped: [number/percentage]” on the Status Bar, as shown below.

[Figure: Dropped Packets… Nooooooo!!!!]

Interestingly, Tshark can’t capture traffic itself. It calls another Wireshark CLI tool, Dumpcap, to capture the traffic. You could use Dumpcap to capture the traffic, but Dumpcap doesn’t have all the features that Tshark offers. In this article, we’ll work with Tshark as our capture tool.

Tip 1: Add the Wireshark Program Directory to Your Path

First – you want to add the Wireshark program directory to your path, so you don’t have to type “[drive/directory]:\tshark” each time you run the commands.

On Windows, add the Wireshark program directory to your System Properties | Advanced | Environment Variables | System Variables | Path settings. For other operating systems and OS versions, I suggest you just look up the latest complete steps to add a directory to your path.

Tip 2: Run -h to List All Tshark Parameters

No, I don’t expect you to memorize all the Tshark parameters by the end of this article… all you need to know is the -h parameter at this time.

[Figure: -h Lists All Parameters]

Tip 3: Run the tshark -D Parameter to View Your Interface List

Since all of our systems have more than one interface these days, we need to find out the number of the interface before we begin capture.

Note: I’ve created a directory called TsharkTips in which my capture files will be saved when I choose to save to disk. Since I’ve added Wireshark to my path, I can simply type the tshark command while inside that directory. I don’t need to precede the tshark command with the directory location of the executable.

Type tshark -D and press Enter. Wireshark lists your available interfaces. If you don’t see an interface listed, there’s something wrong with your packet capture library (libpcap, Npcap, USBPcap, or the old WinPcap). You can’t capture traffic unless one of those packet capture libraries is running. They are typically installed during the Wireshark install process.

[Figure: -D Lists Available Interfaces]

On my system, I will be capturing on interface number 3 – my primary Ethernet interface.

Tip 4: Use -i to Define Your Interface Number During Your Capture

Let’s just do a quick capture to test your interface selection.

Replace my “-i3” with your interface information. You’ll need to manually stop the capture using Ctrl+C (or equivalent).

[Figure: -i Defines Interface to Capture Traffic]

Well… that’s interesting. I’m writing this article from my home on a Sunday – my AT&T Uverse TV is tuned into the Saints/Titans football game. My host is capturing all the multicast traffic for the NFL game.

I really don’t want to see that traffic in my capture. This is a perfect example of why you may want to use a capture filter during your command-line capture.

Tip 5: Use -f to Apply a Capture Filter

Tshark supports the Berkeley Packet Filter (BPF) format for capture filters. That’s the same filter format used by tcpdump, so if you need help with these, check out https://www.tcpdump.org/manpages/pcap-filter.7.html.

In my example, I want to filter out all of that multicast traffic during the capture process. Rather than filter on the target multicast address, I’m going to filter based on the source IP address, since all traffic from that source will be AT&T Uverse traffic.

Here are some common capture filter examples:

host 10.1.1.1 – all to/from IP address 10.1.1.1
host www.google.com – all to/from www.google.com*
net 10.1.0.0/16 – all to/from IP subnet 10.1
port 53 – all to/from port 53 (UDP/TCP)
tcp portrange 1-25 – TCP traffic on ports 1-25
not broadcast – all except broadcast traffic
!arp – all except ARP traffic
tcp and not port 80 – all TCP traffic except traffic to/from port 80

I’m going to use “not host 71.157.125.1349” during my capture.

[Figure: -f Applies a Capture Filter]

That’s a lot better! Now I’m only watching the NFL and able to see the other traffic in my capture.

So far, our captures have only been displayed on the screen. We want to capture our traffic to a .pcapng file, so we can analyze our traffic inside Wireshark.

Note: Capturing from inside Wireshark is often not the best method. Wireshark itself can’t actually capture traffic – Wireshark calls Dumpcap to perform the capture, just as Tshark does.

Tip 6: Use -w to Write to a File

The -w parameter is used to write your capture to a file (or files if you are capturing to file sets, which we will do next).

We use the -w parameter to save to a file.

[Figure: -w Writes Capture to a File]

Notice that when you save to a file using just the -w parameter, Tshark just provides a capture packet count. You don’t see the packets listed on the screen as you have before this step.

Tip 6b: Use -O, -P, -V, -S to View Information While Writing to a File

Here are four interesting parameters to use when you want to see those packets during the capture process while writing to a file:

-O <protocols> shows packet details of the listed protocol(s), comma-separated
-P shows the packet summary even when writing to a file
-V shows the packet tree (Packet Details window information)
-S <separator> adds a line separator between packets

WARNING: If you don’t change the file name, Tshark overwrites your previous file – there is no warning whatsoever. In my examples, I don’t care. I’ll just keep overwriting my noNFL.pcapng trace file as I move along.

My preferred parameter is -P as that simply gives me the Packet Information pane information that I saw before using the -w parameter.

[Figure: Options to View Data While Writing to a File]

Tip 7: Use the Tshark Autostop Condition

If you, like me, would rather watch the football game and not focus on stopping the capture manually anymore, let’s check out Tshark’s autostop options.

Tshark offers two autostop options:

-c <packet count> – stop after n number of packets
-a <autostop cond.> – stop when the given condition is met:
duration:NUM – stop after NUM seconds
filesize:NUM – stop this file after NUM KB
files:NUM – ringbuffer: replace after NUM files

In my example below, I will automatically stop after 20 seconds by using the -a duration:20 parameter.

[Figure: Autostop Options]

How can you check to see if you truly captured just 20 seconds of traffic? Try out the Capinfos tool, another CLI tool included with Wireshark.

Type capinfos <filename> and press Enter. The <filename> parameter is optional if you only have one file in your directory or you want to see the capture information of all files in the current directory.

[Figure: Capinfos Example]

Capinfos indicates that my file is 19.273186 seconds. Tshark will not capture for exactly 20 seconds if a packet is arriving on the 20-second threshold. It will capture the packets that arrive within the defined time only.
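The capture-and-verify procedure of Tips 4 through 7, as an added example that is not code from the article: a POSIX shell script that picks a file name that will not silently overwrite an earlier capture, runs tshark with -i, -f, -a duration and -w (keeping -P for the on-screen summary), and then reads the duration back with capinfos -u to confirm it stayed within the requested window. It assumes tshark and capinfos are on your path (Tip 1); the interface number, the filter host (a TEST-NET placeholder) and the noNFL file name are placeholders, and the capinfos output format is assumed to be the "Capture duration: N seconds" line shown above.

```shell
#!/bin/sh
# Added example, not code from the article: an unattended capture that
# chains Tips 4-7 (-i, -f, -w, -a duration) and then checks the result
# with capinfos. Assumes tshark and capinfos are on PATH (Tip 1); the
# interface number, filter and file name below are placeholders.
set -eu

# tshark -w silently overwrites an existing file (warning under Tip 6b),
# so pick the first unused name: base.pcapng, base-1.pcapng, base-2.pcapng ...
next_outfile() {  # next_outfile <basename>
    base=$1; n=0; f="$base.pcapng"
    while [ -e "$f" ]; do n=$((n + 1)); f="$base-$n.pcapng"; done
    printf '%s\n' "$f"
}

# Render the full command line for the log, so the capture filter and
# autostop condition that produced a file are on record with it.
capture_cmd() {   # capture_cmd <iface> <bpf-filter> <seconds> <outfile>
    printf 'tshark -i %s -f "%s" -a duration:%s -P -w %s\n' "$1" "$2" "$3" "$4"
}

# A duration:N capture holds only packets seen inside N seconds, so the
# measured duration must be <= N (the article saw 19.27 s for duration:20).
duration_ok() {   # duration_ok <observed-seconds> <limit-seconds>
    awk -v o="$1" -v l="$2" 'BEGIN { if (o <= l) exit 0; exit 1 }'
}

# Capture, then read the duration back with capinfos -u (assumed to print
# a line such as "Capture duration:    19.273186 seconds"; field 3 is the number).
run_capture() {   # run_capture <iface> <bpf-filter> <seconds>
    out=$(next_outfile noNFL)
    echo "running: $(capture_cmd "$1" "$2" "$3" "$out")"
    tshark -i "$1" -f "$2" -a "duration:$3" -P -w "$out"
    observed=$(capinfos -u "$out" | awk '/^Capture duration/ { print $3 }')
    if duration_ok "$observed" "$3"; then
        echo "$out: $observed s captured, within the $3 s limit"
    else
        echo "$out: $observed s exceeds the $3 s limit, check the file" >&2
        return 1
    fi
}

# Usage: sh capture.sh capture 3 'not host 192.0.2.1' 20
# (192.0.2.1 is a placeholder from the TEST-NET range, not a real host.)
if [ "${1:-}" = "capture" ]; then
    run_capture "$2" "$3" "$4"
fi
```

Run it from the directory where the captures should land; each run produces a new noNFL-N.pcapng rather than replacing the previous file.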

Excellent! You now know why we use Tshark (the Wireshark “dropped” issue), and you’ve mastered these key skills to use Tshark! Spend some time checking out the parameters available with Tshark. It is a full-featured capture tool that should be in everyone’s tool chest.

Until next time…

 

Author Bio

Laura Chappell is the Founder of Protocol Analysis Institute, Inc., Founder of Chappell University, and the creator of the WCNA Certification program (formerly known as the Wireshark Certified Network Analyst certification program). Laura teaches Wireshark courses online and offers on-demand training through the All Access Pass (www.chappell.talentlms.com).

Since 1991, Laura has been living, eating, and breathing in the packet-level world. Besides being the author of numerous best-selling books on network analysis, troubleshooting, and network forensics, Laura is hailed as a top-notch, entertaining presenter who can detail the most effective methods to locate network issues.

Laura Chappell can be reached via www.chappell-university.com, www.wcnacertification.com, and on Twitter, LinkedIn, and Facebook. Get the latest information on Laura’s research, writing, and presentations by signing up for her “In Laura’s Lab” Newsletter at www.chappell-university.com.
