<![CDATA[Stories by Gavandeparmeshwar on Medium]]> https://medium.com/@gavandeparmeshwar100?source=rss-601a7b9cb8bd------2 https://cdn-images-1.medium.com/fit/c/150/150/0*-wJz1yMhTdxfmDTv Stories by Gavandeparmeshwar on Medium https://medium.com/@gavandeparmeshwar100?source=rss-601a7b9cb8bd------2 Medium Tue, 19 May 2026 19:06:34 GMT <![CDATA[Tshark: The Basic]]> https://medium.com/@gavandeparmeshwar100/tshark-the-basic-da9cf2e43de8?source=rss-601a7b9cb8bd------2 https://medium.com/p/da9cf2e43de8 Fri, 23 May 2025 03:59:43 GMT 2025-05-23T03:59:43.717Z TShark is an open-source command-line network traffic analyser. It is created by the Wireshark developers and has most of the features of Wireshark. It is commonly used as a command-line version of Wireshark.

Command-Line Packet Analysis Hints

TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come out of the nature of the CLI tools, as the produced/processed data can be pipelined to additional tools. The most common tools used in packet analysis are listed below.

1.Find the task files on the Desktop in the “exercise-files” folder.

2. What is the “RIPEMD160” value?

Ans: 6ef5f0c165a1db4a3c1ad3116b0c5bcc0cf6b9ab7

3. What is the installed TShark version in the given VM?

Ans : Use command > sudo tshark -v

4. What is the number of available interfaces in the given VM?

Ans: use command > sudo tshark -D

Both Answers are present in below picture

5.What are the assigned TCP flags in the 29th packet?

For that I have used a command > sudo tshark -r demo.pcapng -c 29 -V

Ans: PSH , ACK

I can find the answer without verbose mode also .

6. What is the “Ack” value of the 25th packet?

Ans:12421

for this I used without verbose mode which direct necessary info in single line

Command> sudo tshark -r demo.pcapng -c 25

7.What is the “Window size value” of the 9th packet?

Ans: 9660

Capture Condition Parameters

As a network sniffer and packet analyser, TShark can be configured to count packets and stop at a specific point or run in a loop structure. The most common parameters are explained below.

Packet Filtering Parameters | Capture & Display Filters

There are two dimensions of packet filtering in TShark; live (capture) and post-capture (display) filtering. These two dimensions can be filtered with two different approaches; using a predefined syntax or Berkeley Packet Filters (BPF). TShark supports both, so you can use Wireshark filters and BPF to filter traffic. As mentioned earlier, TShark is a command-line version of Wireshark, so we will need to use different filters for capturing and filtering packets.

8.What is the number of packets with SYN bytes?

Ans : 2

I have used command >tshark -r demo.pcapng -Y “tcp.flags.syn == 1” | wc -l

9. What is the number of packets sent to the IP address “10.10.10.10”?

Ans: 7

I have used command >tshark -r demo.pcapng -Y “ip.dst == 10.10.10.10” | wc -l

10.What is the number of packets with ACK bytes?

Ans: 8

I have used this command > tshark -r demo.pcapng -Y “tcp.flags.ack == 1” | wc -l

11. What is the number of packets with a “65.208.228.223” IP address?

Command:

tshark -r demo.pcapng -Y “ip.addr == 65.208.228.223” | wc -l

Answer 15: 34

Question 16: What is the number of packets with a “TCP port 3371”?

Command:

tshark -r demo.pcapng -Y “tcp.port == 3371” | wc -l

Answer 16: 7

Question 17: What is the number of packets with a “145.254.160.237” IP address as a source address?

Command:

tshark -r demo.pcapng -Y “ip.src == 145.254.160.237” | wc -l

Answer 17: 20

Rerun the previous query and look at the output.

Question 18: What is the packet number of the “Duplicate” packet?

Command:

tshark -r demo.pcapng -Y ‘ip.src == 145.254.160.237 and udp.analysis.duplicate’ -T fields -e frame.number

Answer 18: 37.

]]>