TShark Cheatsheet
Overview:
Wireshark provides a command line option called TShark. For those that are familiar with Tcpdump this solution is similar but uses Wireshark related syntax.
1️. Basic Capture Commands
tshark
Start capturing packets on the default interface.
tshark -i eth0
Capture packets on a specific interface (eth0).
tshark -D
List all available network interfaces.
tshark -c 10
Capture only 10 packets and then stop.
tshark -w capture.pcap
Save packets to a .pcap file.
tshark -r capture.pcap
Read packets from a saved .pcap file.
2️. Display Packet Details
tshark -V
Show verbose output with full packet details.
tshark -x
Show packet data in hex and ASCII.
tshark -O http
Show only HTTP packet details.
tshark -n
Disable hostname and port resolution (faster output).
tshark -T fields -e ip.src -e ip.dst
Display only source and destination IPs.
tshark -T json
Output packets in JSON format.
3️. Filtering Packets (Capture Filters)
tshark -i eth0 port 80
Capture only HTTP traffic.
tshark -i eth0 host 192.168.1.1
Capture packets to/from a specific host.
tshark -i eth0 net 192.168.1.0/24
Capture packets from a subnet.
tshark -i eth0 src host 192.168.1.1
Capture packets from a source IP.
tshark -i eth0 dst port 443
Capture packets destined for port 443 (HTTPS).
4️. Filtering Packets (Display Filters)
tshark -Y "ip.addr == 192.168.1.1"
Show all packets to/from an IP.
tshark -Y "tcp.port == 80"
Show only HTTP traffic.
tshark -Y "udp"
Show only UDP traffic.
tshark -Y "icmp"
Show only ICMP (ping) packets.
tshark -Y "dns"
Show only DNS traffic.
tshark -Y "http.request"
Show only HTTP requests.
tshark -Y "ssl.handshake"
Show only SSL handshake packets.
tshark -Y "tcp.flags.syn == 1"
Show only TCP SYN packets.
5️. Extracting Specific Fields
tshark -T fields -e ip.src -e ip.dst
Show only source and destination IPs.
tshark -T fields -e http.host
Extract HTTP hostnames.
tshark -T fields -e dns.qry.name
Extract DNS queries.
tshark -T fields -e frame.time -e ip.src -e ip.dst
Show timestamps with IP addresses.
tshark -T fields -e tls.handshake.ciphersuite
Show TLS cipher suites.
6️. Advanced Packet Analysis
tshark -Y "tcp.stream eq 5"
Show packets for a specific TCP stream.
tshark -z io,stat,1
Show packet statistics per second.
tshark -z conv,tcp
Show TCP conversations.
tshark -z endpoints,ip
List all unique IP addresses seen in traffic.
tshark -q -z expert
Show expert info (protocol errors, warnings, etc.).
7️. Extracting and Analyzing Data
tshark -r capture.pcap -Y "http.request" -T fields -e http.host
Extract HTTP hostnames.
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
Extract all DNS queries.
tshark -r capture.pcap -Y "tcp.port == 443" -w https_traffic.pcap
Save only HTTPS traffic to a new file.
tshark -r capture.pcap -Y "tcp.analysis.retransmission"
Show TCP retransmissions.
tshark -r capture.pcap -Y "ip.geoip.country == 'United States'"
Filter traffic by country (if GeoIP is enabled).
8️. Wireshark-Compatible Filters
After capturing packets with tshark, you can analyze them in Wireshark using these filters:
http
Show only HTTP traffic.
tcp.flags.syn == 1
Show only SYN packets.
ip.addr == 192.168.1.1
Show all traffic to/from a specific IP.
dns.qry.name contains "google.com"
Show only DNS queries for "google.com".
ssl.handshake.type == 1
Show only SSL Client Hello messages.
Pro Tips
Run tshark as root for full packet capture:
sudo tshark -i eth0Stop capture after N packets:
tshark -c 100 -w sample.pcapAnalyze a specific protocol in a PCAP file:
tshark -r sample.pcap -Y "icmp"Extract unique IP addresses from a PCAP:
tshark -r sample.pcap -T fields -e ip.src -e ip.dst | sort | uniqLast updated