Wireshark in the Command Line
Learning to use Wireshark’s Command Line Tool: TShark
Wireshark is the world’s most widely used network protocol analyzer. It lets you dive into captured traffic and analyze what is going on within a network. Today, let’s talk about how you can use Wireshark’s command-line interface, TShark, to accomplish similar results.
We will go through some example commands, so feel free to use a PCAP file to follow along! You can find some sample capture files here.
Getting started
Without an input file, TShark simply acts like tcpdump: it captures traffic from the first available network interface and prints its packets to standard output. Alternatively, you can use the “-r” flag to read packets from an existing capture file instead.
tshark -r network.pcap
This way, TShark will print the packets of the capture file on standard output, one summary line per packet. Let’s take a look at a line of the output!
35 29.947879 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK
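As an added example (not part of the original article), here is a small POSIX shell script that post-processes this one-line-per-packet summary format with awk. It assumes the “→” arrow is always the fourth whitespace-separated field, and it works on constructed sample lines (the first is the one shown above) so it runs without tshark or a capture file.

```shell
#!/bin/sh
# Added example, not from the article: post-process TShark's default summary output.
# Each summary line looks like: "<frame> <time> <src> → <dst> <proto> <len> <info...>".
# Assumption: the "→" arrow is field 4, so $1 frame, $2 time, $3 src, $5 dst,
# $6 protocol and $7 frame length.

# Count packets and total bytes per protocol; prints "PROTO packets bytes", sorted.
summarize_protocols() {
    awk '{ pkts[$6]++; bytes[$6] += $7 }
         END { for (p in pkts) printf "%s %d %d\n", p, pkts[p], bytes[p] }' | sort
}

# Print the frame numbers of packets exchanged between two hosts, in either direction.
frames_between() {
    awk -v a="$1" -v b="$2" '($3 == a && $5 == b) || ($3 == b && $5 == a) { print $1 }'
}

# Constructed sample of TShark summary output (addresses other than the
# article's 192.168.0.55/.91 pair are made up for the example).
SAMPLE_SUMMARY='35 29.947879 192.168.0.55 → 192.168.0.91 HTTP 423 HTTP/1.1 200 OK
36 29.948102 192.168.0.91 → 192.168.0.55 TCP 66 54321 → 80 [ACK] Seq=1 Ack=358 Win=65535 Len=0
37 30.112004 192.168.0.91 → 192.168.0.1 DNS 74 Standard query 0x1a2b A example.com
38 30.130511 192.168.0.1 → 192.168.0.91 DNS 90 Standard query response 0x1a2b A example.com A 203.0.113.7'

# With a real capture the same functions are fed from tshark itself:
#   tshark -r network.pcap | summarize_protocols
#   tshark -r network.pcap | frames_between 192.168.0.55 192.168.0.91
printf '%s\n' "$SAMPLE_SUMMARY" | summarize_protocols
printf '%s\n' "$SAMPLE_SUMMARY" | frames_between 192.168.0.55 192.168.0.91
```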