Tshark Cheatsheet
About Tshark
TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
Table of Contents
- Basic Capture Commands
- Display Filters
- Capture Filters
- Output Options
- Interface Options
- Advanced Analysis
- Statistics
Basic Capture Commands
-
Starting a Capture
Terminal window tshark # Basic capture on default interfacetshark -i eth0 # Capture on specific interfacetshark -c 100 # Capture only 100 packetstshark -a duration:30 # Capture for 30 seconds -
Basic Filtering
Terminal window tshark -f "port 80" # Capture HTTP traffictshark -f "host 192.168.1.1" # Capture traffic from/to specific hosttshark -Y "http" # Display only HTTP packets -
File Operations
Terminal window tshark -w capture.pcap # Write capture to filetshark -r capture.pcap # Read from capture filetshark -R "http" -r file.pcap # Read with display filter
Display Filters
tshark -Y "tcp" # Show only TCP traffictshark -Y "udp" # Show only UDP traffictshark -Y "dns" # Show only DNS traffictshark -Y "http" # Show only HTTP traffictshark -Y "ssl" # Show only SSL/TLS traffictshark -Y "ip.addr == 192.168.1.1" # Traffic from/to specific IPtshark -Y "tcp.port == 443" # HTTPS traffictshark -Y "http.request.method == GET" # HTTP GET requeststshark -Y "frame.len > 1000" # Large packetsCapture Filters
tshark -f "port not 22" # Exclude SSH traffictshark -f "net 192.168.1.0/24" # Capture subnet traffictshark -f "broadcast" # Capture broadcast packetstshark -f "port 53 or port 80" # Capture DNS or HTTPOutput Options
-
Format Options
Terminal window tshark -T fields # Output specific fieldstshark -T ek # Elastic Search JSON formattshark -T json # JSON outputtshark -T pdml # PDML XML format -
Field Selection
Terminal window tshark -T fields -e frame.time # Show packet timestampstshark -T fields -e ip.src -e ip.dst # Show source and destination IPstshark -T fields -e http.host # Show HTTP hosts -
Statistics Output
Terminal window tshark -z io,stat,1 # IO statistics every secondtshark -z conv,tcp # TCP conversation statisticstshark -z http,tree # HTTP statistics
Interface Options
tshark -D # List available interfacestshark -i any # Capture on all interfacestshark -i lo # Capture on loopbacktshark -i eth0 -p # Capture in non-promiscuous modetshark -i eth0 -s 96 # Snap length of 96 bytestshark -i eth0 -B 64 # Buffer size of 64 MBtshark -i eth0 -I # Monitor mode (if supported)Advanced Analysis
-
Protocol Analysis
Terminal window tshark -O http # Detailed HTTP protocol infotshark -O dns # Detailed DNS protocol infotshark -V # Verbose packet details -
Expert Info
Terminal window tshark -G fields # List all field namestshark -G protocols # List supported protocolstshark -G values # List value strings -
Decryption
Terminal window tshark -o ssl.keys_list:"KEY_FILE" # Decrypt SSL traffictshark -o http.ssl.port:443 # Set SSL/TLS ports
Statistics
tshark -q -z io,stat,1 # IO statisticstshark -q -z conv,ip # IP conversationstshark -q -z endpoints,ip # IP endpointstshark -q -z expert # Expert informationtshark -q -z http,tree # HTTP statisticsBest Practices
- Always specify capture filters to reduce load
- Use display filters for post-capture analysis
- Save captures to files for later analysis
- Monitor buffer statistics to avoid packet drops
- Use appropriate snap lengths for your analysis
- Consider privacy and security implications
- Document your capture configurations
Common Workflows
-
Basic Traffic Analysis
- Start with broad capture
- Apply display filters
- Identify interesting traffic
- Export relevant packets
- Generate statistics
-
Network Troubleshooting
- Capture specific host/protocol
- Monitor error packets
- Check response times
- Analyze retransmissions
- Generate conversation statistics