Tshark Cheat Sheet
Manual Pages
The following man pages are part of the Wireshark distribution. They are available via the man command on UNIX.
androiddump - Provide interfaces to capture from Android devices
capinfos - Prints information about capture files
captype - Prints the types of capture files
ciscodump - Provide interfaces to capture from a remote Cisco router through SSH.
dftest - Shows display filter byte-code, for debugging dfilter routines.
dumpcap - Dump network traffic
editcap - Edit and/or translate the format of capture files
extcap - The extcap interface
idl2wrs - CORBA IDL to Wireshark Plugin Generator
mergecap - Merges two or more capture files into one
mmdbresolve - Read IPv4 and IPv6 addresses and print their IP geolocation information.
randpkt - Random packet generator
randpktdump - Provide an interface to generate random captures using randpkt
rawshark - Dump and analyze raw pcap data
reordercap - Reorder input file by timestamp into output file
sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.
text2pcap - Generate a capture file from an ASCII hexdump of packets
tshark - Dump and analyze network traffic
udpdump - Provide an UDP receiver that gets packets from network devices (like Aruba routers) and exports them in PCAP format.
wireshark-filter - Wireshark display filter syntax and reference
wireshark - Interactively dump and analyze network traffic
Capture filtering is handled by libpcap, and its documentation is part of the libpcap distribution.
Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or a previously saved capture file. It enables you to see what's happening on your network at a microscopic level.
TShark is a terminal-oriented version of Wireshark designed to capture and display packets when an interactive user interface isn't necessary or available. It supports the same options as Wireshark. On its website, Wireshark describes its rich feature set as including the following:
- Deep inspection of hundreds of protocols, with more being added all the time
- Live capture and offline analysis
- Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
- The most powerful display filters in the industry
- Rich VoIP analysis
- Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Cisco Secure IDS iplog, Microsoft Network Monitor, and many others
- Capture files compressed with gzip can be decompressed on the fly
- Live data can be read from Ethernet, IEEE 802.11, Bluetooth, USB, and others (depending on your platform)
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Coloring rules can be applied to the packet list for quick, intuitive analysis
- Output can be exported to XML, PostScript, CSV, or plain text
Installation
Wireshark can be installed with the standard simple commands.
On Red Hat Enterprise Linux (RHEL) 7:
On Red Hat Enterprise Linux (RHEL) 8:
Use cases
Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and prints a summary line for each received packet to standard output.
Before we start any capture, we need to determine which interfaces on our server TShark can use. You may need sudo or root access for this.
To get this information, you will need to run the command below:
A sample output is below:
If we wanted to capture traffic on eth0, we could call it with this command:
Sample output:
The packets above are denoted by numbers at the beginning of the line.
These lines include two IP addresses on either side of an arrow—these are the hosts that are exchanging the packet. The arrow's direction indicates which direction the packet is going. Therefore, 41.242.139.31 -> 207.180.200.5 means the packet originated at host 41.242.139.31, which is my computer, and is headed for destination 207.180.200.5, which is the remote server where TShark is installed. My computer is trying to connect to this server, so it's going through the TCP handshake.
Here is a basic explanation of how TShark works: It captures all traffic that is initiated to and from the server where it's installed. With the power of TShark's filtering, we can display the traffic we are interested in.
We can also limit the output of the capture to specific lines. For example, if we want to limit the output to 10 lines, we will use the command below:
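The steps above (list the usable interfaces, capture on one of them, stop after a fixed number of packets) as one small shell wrapper. This is an added example and not code from the original article: the function names, the `eth0` interface name and the `TSHARK_DRY_RUN` variable are my own conventions. In dry-run mode the helper prints the exact tshark command line instead of running it, which is useful for checking a capture before it is started with elevated privileges.

```shell
#!/bin/sh
# Added example (not from the original article): a thin wrapper around the
# tshark capture procedure described above. Set TSHARK_DRY_RUN=1 to print the
# command that would run instead of executing it; this also lets the helper
# be exercised on a host without tshark or capture privileges.

# list_interfaces: the interfaces tshark is able to capture on (tshark -D).
list_interfaces() {
    run_tshark -D
}

# capture_summary IFACE [COUNT]: print one summary line per packet seen on
# IFACE, stopping after COUNT packets (tshark -c) when a count is given.
capture_summary() {
    iface="$1"
    count="${2:-}"
    [ -n "$iface" ] || { echo "usage: capture_summary IFACE [COUNT]" >&2; return 2; }
    if [ -n "$count" ]; then
        # reject anything that is not a plain integer before it reaches tshark
        case "$count" in
            ''|*[!0-9]*) echo "COUNT must be a positive integer" >&2; return 2 ;;
        esac
        run_tshark -i "$iface" -c "$count"
    else
        run_tshark -i "$iface"
    fi
}

# run_tshark ARGS...: execute tshark, or echo the command line in dry-run mode.
# Capturing on a real interface usually needs root or membership in the
# wireshark group, so the command is prefixed with sudo when not already root.
run_tshark() {
    if [ -n "${TSHARK_DRY_RUN:-}" ]; then
        echo "tshark $*"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        sudo tshark "$@"
    else
        tshark "$@"
    fi
}
```

Typical use is `list_interfaces` to confirm the interface name, then `capture_summary eth0 10` to see the first ten packets; `TSHARK_DRY_RUN=1 capture_summary eth0 10` prints `tshark -i eth0 -c 10` without capturing anything.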
Capture traffic to and from one host
We can filter traffic for a specific host. For example, to see traffic coming from and going to 8.8.8.8, we use the command:
For traffic coming from 8.8.8.8:
For traffic going to 8.8.8.8:
Sample output:
In the above output, we see traffic coming from and going to 8.8.8.8. The host 8.8.8.8 is sending responses to the server 207.180.229.97 for queries the server initiated earlier.
Capture traffic to and from a network
We can also capture traffic to and from a specific network. To do this, we use the command below:
or
We can also filter based on source or destination.
Based on the source (traffic coming from):
Based on the destination (traffic going to):
Capture traffic to and from port numbers
There are many other variations.
Capture only DNS port 53 traffic:
For a specific host:
Capture only HTTPS traffic:
Capture all ports except port 80 and 25:
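The host, network and port filters in the three sections above are all libpcap capture-filter expressions: an optional direction (`src`, `dst`, or none for both directions), a primitive (`host`, `net`, `port`) and a value, combined with `and` and `not`. The helpers below build those expressions and validate the address, prefix length and port first, so that a typo is caught before tshark starts a privileged capture. This is an added example, not code from the original article; it generalizes the individual commands above into one set of functions, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): building the libpcap capture
# filters used with tshark, with input validation. Each function prints a
# filter string; pass it to tshark as the trailing argument, for example
#   tshark -i eth0 "$(host_filter dst 8.8.8.8)"

# valid_ipv4 ADDR: true when ADDR is four dotted decimal octets in 0..255.
valid_ipv4() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port NUM: true when NUM is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# direction_prefix DIR: nothing for both directions, "src " or "dst " otherwise.
direction_prefix() {
    case "$1" in
        both) : ;;
        src|dst) printf '%s ' "$1" ;;
        *) echo "direction must be src, dst or both" >&2; return 2 ;;
    esac
}

# host_filter DIR ADDR  -> e.g. "src host 8.8.8.8"
host_filter() {
    prefix="$(direction_prefix "$1")" || return 2
    valid_ipv4 "$2" || { echo "bad IPv4 address: $2" >&2; return 2; }
    printf '%shost %s\n' "$prefix" "$2"
}

# net_filter DIR NET[/BITS]  -> e.g. "dst net 10.0.0.0/24"
net_filter() {
    prefix="$(direction_prefix "$1")" || return 2
    case "$2" in
        */*) addr="${2%/*}"; bits="${2#*/}" ;;
        *)   addr="$2"; bits=32 ;;
    esac
    valid_ipv4 "$addr" || { echo "bad network address: $2" >&2; return 2; }
    case "$bits" in ''|*[!0-9]*) echo "bad prefix length: $2" >&2; return 2 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $2" >&2; return 2; }
    printf '%snet %s\n' "$prefix" "$2"
}

# port_filter DIR PORT [ADDR]: "port 53", or "host ADDR and port 53" when
# the port traffic of one specific host is wanted.
port_filter() {
    prefix="$(direction_prefix "$1")" || return 2
    valid_port "$2" || { echo "bad port: $2" >&2; return 2; }
    if [ -n "${3:-}" ]; then
        valid_ipv4 "$3" || { echo "bad IPv4 address: $3" >&2; return 2; }
        printf 'host %s and %sport %s\n' "$3" "$prefix" "$2"
    else
        printf '%sport %s\n' "$prefix" "$2"
    fi
}

# exclude_ports PORT...  -> "not port 80 and not port 25"
exclude_ports() {
    out=""
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 2; }
        out="${out:+$out and }not port $p"
    done
    printf '%s\n' "$out"
}
```

`port_filter both 443` gives the HTTPS-only filter, `port_filter both 53 8.8.8.8` restricts DNS traffic to one host, and `exclude_ports 80 25` produces the "everything except port 80 and 25" filter from the last command above. Only IPv4 addresses are validated here; libpcap itself also accepts hostnames and IPv6 addresses.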
Saving output to a file
We can save the output of our capture to a file to be read later. Later versions of Wireshark save the output in the pcapng format by default. However, we can save in other formats as well. To list the supported formats, run the command below:
To save the output, we use the -w switch. Using the -w switch provides raw packet data, not text. If you want text output, you need to redirect stdout (e.g., using >). Don't use the -w option for this.
To save a capture to a file named http_capture.pcapng:
We can save in pcap format, which can be read by tcpdump and older versions of Wireshark:
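The save-to-file steps above (raw packets with -w and -F, text summaries via a stdout redirect, and reading a saved file back with -r) as a small shell wrapper. This is an added example, not code from the original article; the function names, the `eth0` interface name and the `TSHARK_DRY_RUN` convention are my own. Beyond the commands in the text, the wrapper refuses to overwrite an existing file, so a capture saved for later review is not clobbered by a second run with the same file name.

```shell
#!/bin/sh
# Added example (not from the original article): saving a capture with
# tshark -w and reading it back with -r. FORMAT is passed to -F; pcapng is
# the default and pcap is readable by tcpdump and older Wireshark versions.
# Set TSHARK_DRY_RUN=1 to print the command instead of running it.

# run_tshark ARGS...: execute tshark, or echo the command line in dry-run mode.
run_tshark() {
    if [ -n "${TSHARK_DRY_RUN:-}" ]; then echo "tshark $*"; return 0; fi
    tshark "$@"
}

# save_capture IFACE FILE [COUNT] [FORMAT]: write raw packet data to FILE.
# Only the two formats discussed above are accepted here; 'tshark -F' prints
# the full list supported by the installed build.
save_capture() {
    iface="$1"; outfile="$2"; count="${3:-}"; format="${4:-pcapng}"
    [ -n "$iface" ] && [ -n "$outfile" ] || {
        echo "usage: save_capture IFACE FILE [COUNT] [FORMAT]" >&2; return 2; }
    [ ! -e "$outfile" ] || { echo "refusing to overwrite $outfile" >&2; return 1; }
    case "$format" in
        pcap|pcapng) ;;
        *) echo "unsupported format '$format' (see tshark -F)" >&2; return 2 ;;
    esac
    if [ -n "$count" ]; then
        run_tshark -i "$iface" -c "$count" -F "$format" -w "$outfile"
    else
        run_tshark -i "$iface" -F "$format" -w "$outfile"
    fi
}

# save_text IFACE FILE COUNT: keep the text summary lines instead of raw
# packets. -w does not produce them; they go to stdout, so stdout is redirected.
save_text() {
    [ ! -e "$2" ] || { echo "refusing to overwrite $2" >&2; return 1; }
    if [ -n "${TSHARK_DRY_RUN:-}" ]; then
        echo "tshark -i $1 -c $3 > $2"
    else
        tshark -i "$1" -c "$3" > "$2"
    fi
}

# read_capture FILE: replay a saved capture file through tshark's dissectors.
read_capture() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    run_tshark -r "$1"
}
```

`save_capture eth0 http_capture.pcapng` reproduces the pcapng command above, `save_capture eth0 old.pcap 100 pcap` writes the tcpdump-compatible variant, and `read_capture http_capture.pcapng` shows the saved packets with the same summary format as a live capture.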
Wrap up
TShark is a comprehensive tool that sysadmins need to add to their toolset. This is part one of a two-part series. In part two, we will look at more advanced filters and how we can make the output more readable.