With the default installation of Wireshark, there are couple of command-line tools that get installed. These command-line tools are some sort of protocol analyzers, which can be taken advantage of when you don't have a GUI interface to work with or you don't have an option to install the GUI. There are good number of tools available in Wireshark to do this, which are Capinfos, Dumpcap, Editcap, Mergecap, Rawshark, Reordercap, Text2pcap, and Tshark.
The most common and widely used command-line tool for protocol analysis purposes is Tshark, which is capable of capturing data through listening to a live wire, and it can even analyze your already saved trace files. The captured packets are translated into an understandable form and printed to the standard output, or you can save them to the file of your choice. Dissectors that are used by Wireshark the same Tshark utilizes.
Tshark uses the pcap library to capture and translate the packets from the live wire or from the already saved files. Just like Wireshark's filtering option, we can enable filters in Tshark. There are multiple customizable options present in Tshark that can be leveraged to use it in a more advanced fashion.
Wireshark has a CLI version, which is almost similar to Tshark in terms of the syntax and various options that both of them support equally. Let's understand this topic better with an example. Say, for instance, we have an Apache web server and FTP running on a Windows XP box located at 172.16.136.128
and a Macintosh client running at 172.16.136.1
. Using our custom infrastructure, we will generate some network packets and try to use Tshark for capturing and analysis purposes.
When working on a Windows PC, you might have to create the environment variable before you can start using Tshark. The following screenshot belongs to Tshark, displaying tshark –h (help options)
within the CLI:
We will start with the basics and eventually move toward the creation of filters, and then we will collect statistics using the CLI-based tool Tshark:
tshark -D
:If you do not specify any interface for capturing, tshark
will choose the first interface that is available on its own. Interfaces can be chosen by their names and also by the sequence number they appear in. Refer to the preceding screenshot, which shows all the interfaces that are available.
pktap0
that will listen to the connection between my client and the server. So, the command to initiate the capture process will be tshark –i pktap0 or tshark –i 5
:curl
command-line tool for browsing purpose):tshark
on the pktap0
interface. And a summary of translated packets for better understandability can be seen. Refer to the following screenshot that illustrates the same:If you want to stop the capture process at any point, press Ctrl + C.
–w
switch, along with the command that will save the raw data packets to the specified file:A total of 11 packets have been captured, and a text file is being created on the desktop with the name http.txt
, which will contain raw data as shown in the following screenshot:
As you can see, 11
packets are captured and redirected to the text file http2
. Let's see what is stored in the http2.txt
file:
Hopefully, by now you must have clearly understood the difference between both ways of saving the raw data packets and translated packets. Both of the techniques can be used in multiple scenarios.
–f
switch is used; –R
is used for the Read filter; and –Y
is used for the display filter. Now, I am going to capture only FTP packets using the following syntax:While applying a filter, there is a restriction that the filter expression must be specified as a single argument if it has spaces in between. Then, we need to write the expression within double quotes. Refer to the preceding screenshot that illustrates the same.
http.pcap
file. I want to filter all packets originating from the web server located at 172.16.136.128
using the http
protocol.HTTP.pcap
.Once I have enough packets to work with, I will apply display filters, as shown in the following screenshot:
http.pcap
file. For such a requirement, we can use this command: tshark –r <file-name> -q –z <expression>
The -q
switch keeps it silent over the standard output (this is generally used while working with statistics in Wireshark) and the –z
switch for activating various statistics options available. Both of these switches are often used together.
Here, you learned about the basic theoretical and practical concepts of the CLI utility Tshark, along with how to capture and filter data as per our requirements. With the help of Tshark, it becomes really easy to understand how protocols work; we saw various techniques to collect and analyze the packets. Statistical features in Tshark are rich, which helps a moderate user become advanced with an better understanding of how to analyze network packets.