
Hacking Truth

How To Perform Network Sniffing With Tshark ( Network Sniffer )

Tshark is a powerful command-line network analyzer that ships with the well-known Wireshark. It works like tcpdump, but with Wireshark's protocol dissectors and filters, so it can capture and decode traffic at different network layers and protocols and display it in a range of formats and layouts.

It is used to analyze network traffic in real time or to read pcap/pcapng files and dig for information, helping to identify network anomalies, problems or trends, so that network and security professionals can stay ahead of users' needs and prevent or resolve problems and security threats before it is too late.

Tshark is a terminal application capable of doing virtually anything you do with Wireshark, but with no need for clicks or screens. That makes it a great fit for remote packet capture on devices such as gateways: log in over SSH and use it exactly as you would on localhost.

Capture, read and write packets

For a first run, try calling tshark with no parameters. This starts capturing packets on the default network interface, which requires the privileges to capture on that interface (typically root, or whatever group your system grants capture rights to).


There may be more than one interface on your machine, and you may need to specify which one to use. To get a list of available interfaces, use the -D option:

tshark -D

Once you know which interface to use, call tshark with the -i option followed by an interface name or number as reported by -D:

tshark -i usb0

tshark -i 3

Now that you can capture packets from the network, you may want to save them for later inspection; this is done with the -w option:

tshark -i wlan0 -w /tmp/traffic.pcap

To analyze the packets from the previously saved traffic.pcap file, use the -r option; this reads packets from the file instead of a network interface. Note that you don't need superuser rights to read from a file, so analysis can be done as an unprivileged user on a separate machine.

tshark -r /tmp/traffic.pcap

By default tshark resolves names (for example, port numbers to service names). You can disable all name resolution with -n, which improves performance in some cases and keeps the output as raw addresses and numbers:

tshark -n


On a busy network the screen can look like the Matrix movies, with all kinds of information flowing by too fast to read. To solve this, tshark provides two types of filter that let you see beyond the chaos: capture filters, applied as packets are captured, and display filters, applied when packets are shown.

Capture filters

You can use the traditional pcap/BPF filter syntax, set with -f, to select what is captured from your interface. Packets rejected by a capture filter are never decoded or written to disk, so this is the filter to use for cutting volume; it cannot be changed after the capture is taken.

Capture packets to or from a given host on destination port 53 or 80 (the host's address goes right after `host`):

tshark -i 2 -f "host and (dst port 53 or 80)"

Ignore broadcast and multicast packets:

tshark -i eth3 -f "not broadcast and not multicast"

Display filters

Display filters are set with -Y and use Wireshark's display-filter syntax: protocol and field names, comparison operators, and the boolean operators and, or and not. Unlike capture filters, they only hide packets from the output; everything is still captured.
To see all traffic to or from a given host (the address goes after `ip.addr==`):

tshark -i eth0 -Y "ip.addr=="

Display HTTP requests on TCP port 8800:

tshark -i eth0 -Y "tcp.port== 8800 and http.request"

Display all but ICMP and ARP packets. Note that `not` binds tighter than `or`, so `not arp or icmp` would match every non-ARP packet plus all ICMP; the whole group has to be negated:

tshark -i eth0 -Y "not (arp or icmp)"
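As an added example (not code from the original post), here is a small Python helper that combines the read-from-file and display-filter workflow above to hunt for one kind of anomaly: it runs tshark against a saved capture with a display filter and `-T fields` output (a real tshark option, though not one covered in this post), then flags any client that queried an unusually large number of distinct DNS names, the shape DNS tunnelling or beaconing tends to have. The sample output embedded below is constructed, the threshold is an arbitrary assumption, and `run_and_summarise` only works where tshark is installed.

```python
import shutil
import subprocess
from collections import defaultdict

# Assumed threshold (not from the post): a client that queried more than
# this many distinct names in the capture deserves a closer look.
DISTINCT_NAME_THRESHOLD = 3


def build_tshark_cmd(pcap_path, display_filter, fields):
    """Build the argv for: read a pcap (-r), skip name resolution (-n),
    apply a display filter (-Y) and print selected fields, one packet per line."""
    cmd = ["tshark", "-r", pcap_path, "-n", "-Y", display_filter,
           "-T", "fields", "-E", "separator=/t"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn tab-separated 'ip.src<TAB>dns.qry.name' lines into {src: {names}}.

    Lines missing either field are skipped; when one packet carries several
    queries tshark joins the values with commas, so those are split apart.
    """
    names_by_src = defaultdict(set)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0] or not parts[1]:
            continue
        src, qnames = parts[0], parts[1]
        for name in qnames.split(","):
            names_by_src[src].add(name.strip().rstrip(".").lower())
    return dict(names_by_src)


def noisy_clients(names_by_src, threshold=DISTINCT_NAME_THRESHOLD):
    """Return [(src, distinct_name_count)] for clients over the threshold,
    busiest first."""
    flagged = [(src, len(names)) for src, names in names_by_src.items()
               if len(names) > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def run_and_summarise(pcap_path, threshold=DISTINCT_NAME_THRESHOLD):
    """Run tshark on a saved capture and report noisy DNS clients.
    The display filter keeps DNS queries only, not responses."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark is not installed or not on PATH")
    cmd = build_tshark_cmd(pcap_path, "dns.flags.response == 0",
                           ["ip.src", "dns.qry.name"])
    completed = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return noisy_clients(parse_fields_output(completed.stdout), threshold)


# Constructed sample of what the command above prints (not a real capture):
# one quiet client, one client walking through many labels under a single
# domain, and two malformed lines that the parser must tolerate.
SAMPLE_OUTPUT = "\n".join([
    "10.0.0.5\twww.example.com",
    "10.0.0.5\tcdn.example.com",
    "10.0.0.9\ta1b2c3.tunnel.example.net",
    "10.0.0.9\td4e5f6.tunnel.example.net,g7h8i9.tunnel.example.net",
    "10.0.0.9\tj0k1l2.tunnel.example.net",
    "10.0.0.5\tWWW.example.com.",
    "\torphan.example.org",   # no ip.src (e.g. an IPv6 packet)
    "10.0.0.7\t",             # no dns.qry.name
])


if __name__ == "__main__":
    for src, count in noisy_clients(parse_fields_output(SAMPLE_OUTPUT)):
        print(f"{src}: {count} distinct names queried")
```

Run it as-is to see the summary for the constructed sample, or call `run_and_summarise("/tmp/traffic.pcap")` against a file saved with `-w`. The parsing is kept separate from the tshark invocation so the detection logic can be tested without a capture and reused on output you have already exported.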

I hope you liked this post; if so, don't forget to share it.
Thank you so much :-)

