How To Perform Network Sniffing With Tshark (Network Sniffer)
Tshark is a powerful command-line network analyzer that ships with the well-known Wireshark. It works like tcpdump, but with richer protocol decoders and filters, and it can capture information from different network layers and protocols and display it in different formats and layouts.
It is used to analyze network traffic in real time or to read pcap/pcapng files to dig for information, helping to identify network anomalies, problems or trends. This lets network and security professionals stay ahead of users and their needs, and prevent or resolve problems and security threats before it is too late.
Tshark is a terminal application capable of doing virtually anything you can do with Wireshark, but without clicks or screens. That makes it a great fit for remote packet capture on devices such as gateways: log in over SSH and use it as you would on localhost.
Capture, read and write packets
For our first command, run Tshark with no parameters; this starts capturing packets on the default network interface.
tshark
There may be more than one interface on your machine, so you may need to specify which one to use. To get a list of available interfaces, use the -D option.
tshark -D
Once you know which interface to use, call Tshark with the -i option followed by an interface name or number as reported by -D.
tshark -i usb0
tshark -i 3
Now that you can capture packets from the network, you may want to save them for later inspection; this is done with the -w option.
tshark -i wlan0 -w /tmp/traffic.pcap
To analyze the packets from the previously saved traffic.pcap file, use the -r option; this reads packets from the file instead of a network interface. Note also that you don't need superuser rights to read from a file.
tshark -r /tmp/traffic.pcap
By default, name resolution is performed; you can disable it with -n, which gives better performance in some cases.
tshark -n
Filters
If you are on a busy network, your screen may look like something out of the Matrix movies, with all kinds of information flowing by too fast to read. To solve this, Tshark provides two types of filters that let you see beyond the chaos.
Capture filters
You can use the traditional pcap/BPF filter syntax, set with -f, to select what to capture from your interface.
Search for packets related to host 192.168.1.100 with destination port 53 or 80:
tshark -i 2 -f "host 192.168.1.100 and (dst port 53 or 80)"
Ignore packets on multicast and broadcast domains:
tshark -i eth3 -f "not broadcast and not multicast"
Display filters
Display filters are set with -Y and use Wireshark's display filter syntax, as in the following examples.
To see all packets to or from host 192.168.1.1:
tshark -i eth0 -Y "ip.addr==192.168.1.1"
Display HTTP requests on TCP port 8800:
tshark -i eth0 -Y "tcp.port== 8800 and http.request"
Display all packets except ARP and ICMP (note that both terms must be negated; "not arp or icmp" would still show ICMP):
tshark -i eth0 -Y "not arp and not icmp"
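As an added example (not part of the original post), here is a small shell script that combines the options above into a defender's workflow: capture web traffic to a file, read it back with a display filter, and summarise HTTP requests per client and destination host. It goes beyond the post by using tshark's -T fields / -e output options; the interface name, pcap path and capture duration are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a two-stage workflow built from
# the options above (-i, -f, -w, -r, -n, -Y) plus -T fields / -e, which the
# post does not show. Interface, pcap path and duration are assumptions.

# Stage 1: capture web traffic on an interface into a pcap file for later review.
# -a duration:N stops the capture automatically after N seconds.
capture_web_traffic() {
    tshark -i "$1" -f "tcp port 80" -w "$2" -a "duration:${3:-60}"
}

# Stage 2: read the saved file and emit one tab-separated line per HTTP request:
# source IP, Host header, request URI. -n avoids DNS lookups while analysing.
extract_http_requests() {
    tshark -r "$1" -n -Y "http.request" \
        -T fields -e ip.src -e http.host -e http.request.uri -E separator=/t
}

# Aggregate that field output (read from stdin) into "count<TAB>client<TAB>host"
# lines, busiest pair first, to spot unusual clients or destinations.
count_requests_per_client_host() {
    awk -F '\t' 'NF >= 2 { c[$1 "\t" $2]++ }
                 END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# Constructed sample in the exact format extract_http_requests produces,
# so the aggregation can be exercised without a live capture.
sample_fields() {
    printf '10.0.0.5\texample.com\t/index.html\n'
    printf '10.0.0.5\texample.com\t/login\n'
    printf '10.0.0.7\tintranet.local\t/\n'
    printf '10.0.0.5\texample.com\t/login\n'
}

# Usage: ./http_summary.sh /tmp/traffic.pcap   (summarise a real capture)
#        ./http_summary.sh                     (run on the constructed sample)
if [ -n "${1:-}" ]; then
    extract_http_requests "$1" | count_requests_per_client_host
else
    sample_fields | count_requests_per_client_host
fi
```

Run capture_web_traffic first (it needs capture privileges), then point the script at the resulting file; reading the pcap itself needs no superuser rights.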
I hope you liked this post; if so, please don't forget to share it.
Thank you so much :-)