Wireshark

A Guide to the Wireshark Command Line Interface “tshark”

In the earlier tutorials for Wireshark, we have covered fundamental to advanced level topics. In this article, we will understand and cover a command-line interface for Wireshark, i.e., tshark. The terminal version of Wireshark supports similar options and is a lot useful when a Graphical User Interface (GUI) isn’t available.

Even though a graphical user interface is, theoretically, a lot easier to use, not all environments support it, especially server environments with only command-line options. Hence, at some point in time, as a network administrator or a security engineer, you will have to use a command-line interface. Important to note that tshark is sometimes used as a substitute for tcpdump. Even though both tools are almost equivalent in traffic capturing functionality, tshark is a lot more powerful.

The best you can do is to use tshark to set up a port in your server that forwards information to your system, so you can capture traffic for analysis using a GUI. However, for the time being, we will learn how it works, what are its attributes, and how you can utilize it to the best of its capabilities.

Type the following command to install tshark in Ubuntu/Debian using apt-get:

[email protected]:~$ sudo apt-get install tshark -y

Now type tshark –help to list out all the possible arguments with their respective flags that we can pass to a command tshark.

[email protected]:~$ tshark --help | head -20

TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

Dump and analyze network traffic.

See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:

-i <interface> name or idx of interface (def: first non-loopback)

-f <capture filter> packet filter in libpcap filter syntax

-s <snaplen> packet snapshot length (def: appropriate maximum)

-p don't capture in promiscuous mode

-I capture in monitor mode, if available

-B <buffer size> size of kernel buffer (def: 2MB)

-y <link type> link layer type (def: first appropriate)

--time-stamp-type <type> timestamp method for interface

-D print list of interfaces and exit

-L print list of link-layer types of iface and exit

--list-time-stamp-types print list of timestamp types for iface and exit

Capture stop conditions:

You can notice a list of all available options. In this article, we will cover most of the arguments in detail, and you will understand the power of this terminal oriented Wireshark version.

Selecting Network Interface:

To conduct live capture and analysis in this utility, we first need to figure out our working interface. Type tshark -D and tshark will list all the available interfaces.

[email protected]:~$ tshark -D

1. enp0s3

2. any

3. lo (Loopback)

4. nflog

5. nfqueue

6. usbmon1

7. ciscodump (Cisco remote capture)

8. randpkt (Random packet generator)

9. sshdump (SSH remote capture)

10. udpdump (UDP Listener remote capture)

Note that not all the listed interfaces will be working. Type ifconfig to find working interfaces on your system. In my case, it’s enp0s3.

Capture Traffic:

To start the live capture process, we will use the tshark command with the “-i” option to begin the capture process from the working interface.

[email protected]:~$ tshark -i enp0s3

Use Ctrl+C to stop the live capture. In the above command, I have piped the captured traffic to the Linux command head to display the first few captured packets. Or you can also use the “-c <n>” syntax to capture the “n” number of packets.

[email protected]:~$ tshark -i enp0s3 -c 5

If you only enter tshark, by default, it will not start capturing traffic on all available interfaces nor will it listen to your working interface. Instead, it will capture packets on the first listed interface.

You can also use the following command to check on multiple interfaces:

[email protected]ubuntu:~$ tshark -i enp0s3 -i usbmon1 -i lo

In the meantime, another way to live capture traffic is to use the number alongside the listed interfaces.

[email protected]:~$ tshark -i interface_number

However, in the presence of multiple interfaces, it’s hard to keep track of their listed numbers.

Capture Filter:

Capture filters significantly reduce the captured file size. Tshark uses Berkeley Packet Filter syntax -f<filter>”, which is also used by tcpdump. We will use the “-f” option to only capture packets from ports 80 or 53 and use “-c” to display only the first 10 packets.

[email protected]:~$ tshark -i enp0s3 -f "port 80 or port 53" -c 10

Saving Captured Traffic to a File:

The key thing to note in the above screenshot is that the information displayed isn’t saved, hence it’s less useful. We use the argument “-w” to save the captured network traffic to test_capture.pcap in /tmp folder.

[email protected]:~$ tshark -i enp0s3 -w /tmp/test_capture.pcap

Whereas, .pcap is the Wireshark file type extension. By saving the file, you can review and analyze the traffic in a machine with Wireshark GUI later.

It’s a good practice to save the file in /tmp as this folder doesn’t require any execution privileges. If you save it to another folder, even if you are running tshark with root privileges, the program will deny permission due to security reasons.

Let’s dig into all the possible ways through which you can:

  • apply limits to capturing data, such that exiting tshark or auto-stopping the capture process, and
  • output your files.

Autostop Parameter:

You can use the “-a” parameter to incorporate available flags such as duration file size and files. In the following command, we use the autostop parameter with the duration flag to stop the process within 120 seconds.

[email protected]:~$ tshark -i enp0s3 -a duration:120 -w /tmp/test_capture.pcap

Similarly, if you don’t need your files to be extra-large, filesize is a perfect flag to stop the process after some KB’s limits.

[email protected]:~$ tshark -i enp0s3 -a filesize:50 -w /tmp/test_capture.pcap

Most importantly, files flag allows you to stop the capture process after a number of files. But this can only be possible after creating multiple files, which requires the execution of another useful parameter, capture output.

Capture Output Parameter:

Capture output, aka ringbuffer argument “-b“, comes along with the same flags as autostop. However, the usage/output is a bit different, i.e., the flags duration and filesize, as it allows you to switch or save packets to another file after reaching a specified time limit in seconds or file size.

The below-command shows that we capture the traffic through our network interface enp0s3, and capture traffic using the capture filter “-f” for tcp and dns. We use ringbuffer option “-b” with a filesize flag to save each file of size 15 Kb, and also use the autostop argument to specify the number of files using files option such that it stops the capture process after generating three files.

[email protected]:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a files:2 -w /tmp/test_capture.pcap

I have split my terminal into two screens to actively monitor the creation of three .pcap files.

Go to your /tmp folder and use the following command in the second terminal to monitor updates after every one second.

[email protected]:~$ watch -n 1 "ls -lt"

Now, you do not need to memorize all these flags. Instead, type a command tshark -i enp0s3 -f “port 53 or port 21” -b filesize:15 -a in your terminal and press Tab. The list of all available flags will be available on your screen.

[email protected]:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a
duration: files: filesize:
[email protected]:~$ tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a

Reading .pcap Files:

Most importantly, you can use a “-r” parameter to read the test_capture.pcap files and pipe it to the head command.

[email protected]:~$ tshark -r /tmp/test_capture.pcap | head

The information displayed in the output file can be a bit overwhelming. To avoid unnecessary details and get a better understanding of any specific destination IP address, we use the -r option to read the packet captured file and use an ip.addr filter to redirect the output to a new file with the “-w” option. This will allow us to review the file and refine our analysis by applying further filters.

[email protected]:~$ tshark -r /tmp/test_capture.pcap -w /tmp/redirected_file.pcap ip.dst==216.58.209.142
[email protected]:~$ tshark -r /tmp/redirected_file.pcap|head
1 0.000000000 10.0.2.15 → 216.58.209.142 TLSv1.2 370 Application Data
2 0.000168147 10.0.2.15 → 216.58.209.142 TLSv1.2 669 Application Data
3 0.011336222 10.0.2.15 → 216.58.209.142 TLSv1.2 5786 Application Data
4 0.016413181 10.0.2.15 → 216.58.209.142 TLSv1.2 1093 Application Data
5 0.016571741 10.0.2.15 → 216.58.209.142 TLSv1.2 403 Application Data
6 0.016658088 10.0.2.15 → 216.58.209.142 TCP 7354 [TCP segment of a reassembled PDU]
7 0.016738530 10.0.2.15 → 216.58.209.142 TLSv1.2 948 Application Data
8 0.023006863 10.0.2.15 → 216.58.209.142 TLSv1.2 233 Application Data
9 0.023152548 10.0.2.15 → 216.58.209.142 TLSv1.2 669 Application Data
10 0.023324835 10.0.2.15 → 216.58.209.142 TLSv1.2 3582 Application Data

Selecting Fields to Output:

The commands above output a summary of each packet that includes various header fields. Tshark also allows you to view specified fields. To specify a field, we use “-T field” and extract fields as per our choice.

After the “-T field” switch, we use the “-e” option to print the specified fields/filters. Here, we can use Wireshark Display Filters.

[email protected]:~$ tshark -r /tmp/test_capture.pcap -T fields -e frame.number -e ip.src -e ip.dst | head

1 10.0.2.15 216.58.209.142
2 10.0.2.15 216.58.209.142
3 216.58.209.142 10.0.2.15
4 216.58.209.142 10.0.2.15
5 10.0.2.15 216.58.209.142
6 216.58.209.142 10.0.2.15
7 216.58.209.142 10.0.2.15
8 216.58.209.142 10.0.2.15
9 216.58.209.142 10.0.2.15
10 10.0.2.15 115.186.188.3

Capture Encrypted Handshake Data:

So far, we have learned to save and read output files using various parameters and filters. We will now learn how HTTPS initializes session tshark. The websites accessed via HTTPS instead of HTTP ensures a secure or encrypted data transmission over the wire. For secure transmission, a Transport Layer Security encryption starts a handshake process to kick off communication between the client and the server.

Let’s capture and understand the TLS handshake using tshark. Split your terminal into two screens and use a wget command to retrieve an html file from https://www.wireshark.org.

[email protected]:~$ wget https://www.wireshark.org
--2021-01-09 18:45:14-- https://www.wireshark.org/
Connecting to www.wireshark.org (www.wireshark.org)|104.26.10.240|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 46892 (46K), 33272 (32K) remaining [text/html]
Saving to: ‘index.html’
index.html 100%[++++++++++++++==================================>] 45.79K 154KB/s in 0.2s
2021-01-09 18:43:27 (154 KB/s) - ‘index.html’ saved [46892/46892]

In another screen, we will use tshark to capture the first 11 packets by using the “-c” parameter. While performing analysis, timestamps are important to reconstruct events, hence we use “-t ad”, in a way that tshark adds timestamp alongside each captured packet. Lastly, we use the host command to capture packets from the shared host ip address.

This handshake is quite similar to the TCP handshake. As soon as the TCP three-way handshake concludes in the first three packets, the fourth to ninth packets follow a somewhat similar handshake ritual and include TLS strings to ensure encrypted communication between both parties.

[email protected]:~$ tshark -i enp0s3 -c 11 -t ad host 104.26.10.240
Capturing on 'enp0s3'
1 2021-01-09 18:45:14.174524575 10.0.2.15 → 104.26.10.240 TCP 74 48512443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2488996311 TSecr=0 WS=128
2 2021-01-09 18:45:14.279972105 104.26.10.240 → 10.0.2.15 TCP 60 44348512 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
3 2021-01-09 18:45:14.280020681 10.0.2.15 → 104.26.10.240 TCP 54 48512443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 2021-01-09 18:45:14.280593287 10.0.2.15 → 104.26.10.240 TLSv1 373 Client Hello
5 2021-01-09 18:45:14.281007512 104.26.10.240 → 10.0.2.15 TCP 60 44348512 [ACK] Seq=1 Ack=320 Win=65535 Len=0
6 2021-01-09 18:45:14.390272461 104.26.10.240 → 10.0.2.15 TLSv1.3 1466 Server Hello, Change Cipher Spec
7 2021-01-09 18:45:14.390303914 10.0.2.15 → 104.26.10.240 TCP 54 48512443 [ACK] Seq=320 Ack=1413 Win=63540 Len=0
8 2021-01-09 18:45:14.392680614 104.26.10.240 → 10.0.2.15 TLSv1.3 1160 Application Data
9 2021-01-09 18:45:14.392703439 10.0.2.15 → 104.26.10.240 TCP 54 48512443 [ACK] Seq=320 Ack=2519 Win=63540 Len=0
10 2021-01-09 18:45:14.394218934 10.0.2.15 → 104.26.10.240 TLSv1.3 134 Change Cipher Spec, Application Data
11 2021-01-09 18:45:14.394614735 104.26.10.240 → 10.0.2.15 TCP 60 44348512 [ACK] Seq=2519 Ack=400 Win=65535 Len=0
11 packets captured

Viewing Entire Packet:

The only disadvantage of a command-line utility is that it doesn’t have a GUI, as it becomes very handy when you need to search a lot of internet traffic, and it also offers a Packet Panel that displays all the packet details within an instant. However, it’s still possible to inspect the packet and dump the entire packet information displayed in GUI Packet Panel.

To inspect an entire packet, we use a ping command with the “-c” option to capture a single packet.

[email protected]:~$ ping -c 1 104.26.10.240
PING 104.26.10.240 (104.26.10.240) 56(84) bytes of data.
64 bytes from 104.26.10.240: icmp_seq=1 ttl=55 time=105 ms
--- 104.26.10.240 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 105.095/105.095/105.095/0.000 ms

In another window, use the tshark command with an additional flag to display the entire packet details. You can notice various sections, displaying Frames, Ethernet II, IPV, and ICMP details.

[email protected]:~$ tshark -i enp0s3 -c 1 -V host 104.26.10.240
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Interface id: 0 (enp0s3)
Interface name: enp0s3
Encapsulation type: Ethernet (1)
Arrival Time: Jan 9, 2021 21:23:39.167581606 PKT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1610209419.167581606 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes (784 bits)
Capture Length: 98 bytes (784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6), Dst: RealtekU_12:35:02 (52:54:00:12:35:02)
Destination: RealtekU_12:35:02 (52:54:00:12:35:02)
Address: RealtekU_12:35:02 (52:54:00:12:35:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
Address: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
Interface id: 0 (enp0s3)
Interface name: enp0s3
Encapsulation type: Ethernet (1)
Arrival Time: Jan 9, 2021 21:23:39.167581606 PKT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1610209419.167581606 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes (784 bits)
Capture Length: 98 bytes (784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6), Dst: RealtekU_12:35:02 (52:54:00:12:35:02)
Destination: RealtekU_12:35:02 (52:54:00:12:35:02)
Address: RealtekU_12:35:02 (52:54:00:12:35:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
Address: PcsCompu_17:fc:a6 (08:00:27:17:fc:a6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.2.15, Dst: 104.26.10.240
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 84
Identification: 0xcc96 (52374)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don'
t fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64

Protocol: ICMP (1)
Header checksum: 0xeef9 [validation disabled]
[Header checksum status: Unverified]
Source: 10.0.2.15
Destination: 104.26.10.240
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x0cb7 [correct]
[Checksum Status: Good]
Identifier (BE): 5038 (0x13ae)
Identifier (LE): 44563 (0xae13)
Sequence number (BE): 1 (0x0001)
Sequence number (LE): 256 (0x0100)
Timestamp from icmp data: Jan 9, 2021 21:23:39.000000000 PKT
[Timestamp from icmp data (relative): 0.167581606 seconds]
Data (48 bytes)
0000 91 8e 02 00 00 00 00 00 10 11 12 13 14 15 16 17 ................
0010 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 ........ !"#$%&'
0020 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 ()*+,-./01234567
Data: 918e020000000000101112131415161718191a1b1c1d1e1f...
[Length: 48]

Conclusion:

The most challenging aspect of packet analysis is finding the most relevant information and ignoring the useless bits. Even though graphical interfaces are easy, they cannot contribute to automated network packet analysis. In this article, you have learned the most useful tshark parameters for capturing, displaying, saving, and reading network traffic files.

Tshark is a very handy utility that reads and writes the capture files supported by Wireshark. The combination of display and capture filters contributes a lot while working on advanced level use cases. We can leverage tshark ability to print fields and manipulate data as per our requirements for in-depth analysis. In other words, it’s capable of doing virtually everything that Wireshark does. Most importantly, it’s perfect for packet sniffing remotely using ssh, which is a topic for another day.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14