Deals

Oneplus Bullets Z2 Bluetooth Wireless in Ear Earphones with Mic, Bombastic Bass - 12.4 mm Drivers, 10 Mins Charge - 20 Hrs Music, 30 Hrs Battery Life, IP55 Dust and Water Resistant (Magico Black) Tukzer Universal Stylus Pen for Smartphone/Tablet/iPad/Pro/Air/iPhone/iOS boAt Type-C C600 Tangle-Free, Sturdy Cable w/ 100W/5A Fast Charging & 10Gbps Data Transmission, 10000+ Bends Lifespan and Extended 1.5m Length JBL Go 4, Wireless Ultra Portable Bluetooth Speaker, Pro Sound, Vibrant Colors, Water & Dust Proof, Type C (Without Mic, Black) CELLBELL Desire C104 Mesh Mid Back Ergonomic Office Chair/Study Chair/Revolving Chair/Computer Chair for Work from Home Metal Base Seat Height Adjustable Chair (Grey)
Slide 2
Slide 3
Slide 4
Slide 5

Tshark - TShark is the command-line version of Wireshark

Tshark -  TShark is the command-line version of Wireshark

It performs similar network packet capture and analysis functions but without a graphical user interface. It is widely used for network monitoring, troubleshooting, and security analysis, especially in environments where a GUI is not available.

 

Examples :

Capture packets on an interface: 

tshark -i eth0

Capture and display only HTTP traffic: 

tshark -i eth0 -f "tcp port 80"

Capture packets and save to a file:

tshark -i eth0 -w capture.pcap

Display DNS queries:

tshark -i eth0 -Y "dns"

Output capture to JSON format:

tshark -i eth0 -T json


Key Options:

-i -> interface selection : Specifies the network interface to capture packets

 Example: tshark -i eth0


-D -> Get list of interfaces we get output , that you get all list of interfaces

 Example: tshark -D


-f -> capture filter : Specifies a filter for the packets captured at the interface level.

 Example : tshark -i eth0 -f "tcp port 80"


-Y -> display filter :  Filters the packets after capture (similar to Wireshark's display filters).

 Example : tshark -i eth0 -Y "http"

-w -> write output to the fileWrites the captured packets to a file in PCAP format, which can be opened later in Wireshark.

 Example : tshark -i eth0 -w capture.pcap


-r -> Read from file : Reads a PCAP file and displays its contents.

Example : tshark -r capture.pcap


-T -> Output Format : Specifies the output format for the captured data. Common options include text, json, xml, or fields.

 Example : tshark -i eth0 -T json


-e -> Display Fields : Displays specific fields from the packet data. You can use multiple -e options to display multiple fields.

 Example : tshark -i eth0 -e ip.src -e ip.dst -e tcp.port


-c -> Set Output Limit : Captures a specific number of packets before stopping.

Example : tshark -i eth0 -c 100


-f -> Capture on a Specific Port Capture only packets on a specific port.

 Example : tshark -i eth0 -f "tcp port 443"


-z -> Show Statistics Displays different kinds of statistics about the capture, such as packet summaries, protocol hierarchies, or flow data.

 Example : tshark -i eth0 -z io,stat,0


-t -> Print Timestamp : Controls how timestamps are displayed. Common values are a (absolute), d (delta), r (relative), u (unix time), etc

 Example : tshark -i eth0 -t ad


-B -> Sets the packet buffer size for capturing packets.

Example : tshark -B 10


-n -> Disable Name Resolution : Prevents TShark from resolving IP addresses to hostnames, which can speed up the capture.

Example : tshark -i eth0 -n


-V -> Show Only Summary : Displays detailed packet information (verbose output).

Example : tshark -i eth0 -V


-z protos -> Show Protocol Hierarchy : Displays the protocol hierarchy from the capture.

Example : tshark -i eth0 -z protos


-A and -B -> Filter by Time (-A and -B) :

-A: Used for capturing traffic for a specific time duration in seconds.

-B: Allows specifying a time duration for stopping the capture.

Example : tshark -i eth0 -A 30 -B 1000

 

Most used Tshark Field Names:

Here are some commonly used TShark field names (tags) for different protocols:

1. Ethernet

  • eth.src — Source MAC address
  • eth.dst — Destination MAC address
  • eth.type — Ethernet type field

2. IP (Internet Protocol)

  • ip.src — Source IP address
  • ip.dst — Destination IP address
  • ip.ttl — Time to Live (TTL)
  • ip.len — Total length of the IP packet

3. TCP (Transmission Control Protocol)

  • tcp.srcport — Source TCP port
  • tcp.dstport — Destination TCP port
  • tcp.flags — TCP flags (SYN, ACK, etc.)
  • tcp.seq — Sequence number
  • tcp.ack — Acknowledgment number

4. UDP (User Datagram Protocol)

  • udp.srcport — Source UDP port
  • udp.dstport — Destination UDP port
  • udp.length — Length of the UDP datagram

5. HTTP (Hypertext Transfer Protocol)

  • http.request.method — HTTP request method (GET, POST, etc.)
  • http.host — Host header field
  • http.user_agent — User-Agent string
  • http.response.code — HTTP response status code

6. DNS (Domain Name System)

  • dns.qry.name — DNS query name
  • dns.qry.type — DNS query type
  • dns.resp.name — DNS response name
  • dns.a — DNS A record (IPv4 address)

7. ARP (Address Resolution Protocol)

  • arp.src.proto_ipv4 — Sender's IPv4 address
  • arp.dst.proto_ipv4 — Target's IPv4 address
  • arp.opcode — ARP operation (1 = Request, 2 = Reply)

8. ICMP (Internet Control Message Protocol)

  • icmp.type — ICMP type
  • icmp.code — ICMP code
  • icmp.seq — ICMP sequence number

9. TLS/SSL

  • ssl.handshake.version — SSL/TLS version
  • ssl.record.version — Record layer version
  • ssl.handshake.type — Handshake message type

10. General Packet Info

  • frame.number — Frame number in the capture
  • frame.time — Timestamp of the frame
  • frame.len — Length of the frame
  • frame.protocols — List of protocols in the frame

 

Subscribe to: Posts (Atom)

Popular Posts

  • Windows | Multiple Login Failures from a Single User Analysis
    Multiple Login Failures from a Single User Objective: The objective of this use case is to identify brute force attacks that could be dictio...
  • Types of accounts in Windows | Windows Accounts
    Windows Account Types   References : Local and Domain Accounts Types of windows accounts
  • Multiple VPN Logins From Different Countries
    Multiple VPN Logins From Different Countries  means that the same user account is trying to log in from multiple geographical locations thro...
  • Malicious URL Access Detected
    Malicious URL access detected means  when a user or host attempts a connection to a malicious website, like phishing pages, malware, or comm...
  • Unfamiliar Sign-In
    Unfamiliar Sign-In means a security event where a login attempt is detected from a device, location, or IP address that was not previousl...
  • DNS Server basics, types, record types, query types
      The Basics of DNS: The Internet's Address Book Imagine if every time you wanted to call a friend, you had to remember their exact 10-d...
  • DNS Zones
    Zone files are plain text files that store information about a specific domain's DNS configuration. They are part of the Domain Name Sys...
  • Tshark
      T shark -   TShark  is the command-line version of  Wireshark It performs similar network packet capture and analysis functions but withou...
  • Querying DNS Records
    In the Windows operating system, the nslookup command is used to query DNS records. For example, to query the DNS A record for a domain, u...
  • How to play with DNS records
    Ramya is an intelligent and ambitious young woman with a deep passion for creating websites and a talent for crafting beautiful wool product...

Buy me coffee

Buy me coffee
#Fuel My Cybersecurity Journey with a Coffee!