Basic Usage

tshark -i <interface>           # Capture on interface (e.g., eth0)
tshark -r <file.pcap>           # Read from capture file
tshark -w <file.pcap>           # Write capture to file
tshark -c <num>                 # Stop after capturing <num> packets
tshark -f "<capture filter>"    # Use a capture filter (tcp, udp, port 80, etc.)
tshark -Y "<display filter>"    # Use a display filter (http, ip.addr==1.2.3.4, etc.)

Common Options

Option      Description
-i          Interface to capture from
-w          Write packets to file
-r          Read packets from file
-c          Capture <num> packets, then stop
-f          Capture filter (BPF syntax)
-Y          Display filter (Wireshark syntax)
-T fields   Output specific fields
-e          Specify field to output (with -T fields)
-E          Output formatting (e.g., header=y, separator=,)
-V          Verbose output (packet details)
-l          Line-buffered output

Examples

  • Capture on eth0 and display live:

    tshark -i eth0
    
  • Capture 100 packets to a file:

    tshark -i eth0 -c 100 -w capture.pcap
    
  • Read and filter packets from a file:

    tshark -r capture.pcap -Y "http"
    
  • Show only source and destination IPs:

    tshark -i eth0 -T fields -e ip.src -e ip.dst
    
  • Use a capture filter (only TCP traffic):

    tshark -i eth0 -f "tcp"
    
  • Use a display filter (only HTTP requests):

    tshark -i eth0 -Y "http.request"
    

Useful Filters

  • IP address: ip.addr == 192.168.1.1
  • TCP port: tcp.port == 80
  • HTTP requests: http.request
  • DNS queries: dns.qry.name == "example.com"
  • Show only TCP packets: tcp

Output Formatting

  • CSV output:

    tshark -r file.pcap -T fields -e frame.number -e ip.src -e ip.dst -E header=y -E separator=,
    
  • JSON output:

    tshark -r file.pcap -T json
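
Added example (not part of the original cheat sheet): a shell function that turns the default tab-separated output of `tshark -T fields -e ip.src -e ip.dst` into a per-pair packet count, handling the two cases that break naive parsing: non-IP frames print empty fields, and a field that occurs more than once in a packet is joined with commas. The names `top_talkers` and `sample_fields` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Usage with a real capture:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst | top_talkers
# Output: "count<TAB>src<TAB>dst", busiest pair first.
top_talkers() {
    awk -F '\t' '
        # Non-IP frames (ARP, STP, ...) produce empty fields: skip them.
        $1 == "" || $2 == "" { next }
        {
            # A field present more than once in a packet (tunnels, ICMP
            # errors quoting the original header) is joined with ",".
            # Keep the first occurrence, which is the outer header.
            split($1, s, ",")
            split($2, d, ",")
            count[s[1] "\t" d[1]]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Constructed sample standing in for tshark output (not a real capture).
sample_fields() {
    printf '10.0.0.5\t10.0.0.1\n'
    printf '\t\n'                                  # non-IP frame
    printf '10.0.0.5\t10.0.0.1\n'
    printf '10.0.0.1,10.0.0.5\t10.0.0.5,8.8.8.8\n' # two IP headers in one packet
    printf '10.0.0.7\t10.0.0.1\n'
}

sample_fields | top_talkers
```

The same comma joining makes `-E separator=,` output ambiguous for such packets; adding `-E occurrence=f` tells tshark to emit only the first occurrence of each field.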
    

More Help

  • List interfaces:

    tshark -D
    
  • List all fields:

    tshark -G fields
    
  • Man page:

    man tshark