Quick Reference for Tshark

Tshark is a complex and powerful tool. The manual page (man tshark) gives an exhaustive list of its many options. This page is intended to be an ultimate quick start to using tshark.

  1. Select an Interface

    Specify the interface on which you want to capture frames using the -i command line option. For example:

          $ tshark -i em1

    The above captures frames on the em1 interface.

  2. Define a Capture Filter

    Most interfaces carry a lot of traffic that is not of direct interest. It is thus almost always appropriate to define a capture filter that causes tshark to capture only the frames relevant to your needs. This greatly reduces the amount of spurious data captured. It also improves performance by reducing the amount of work tshark has to do, and it saves disk space if you are storing captured frames.

    Tshark has a rich and powerful filter language that allows you to specify a capture filter in many ways. One basic filter expression that is often useful is just:

          port 9001

    This captures all traffic to and from the specified port (9001 in this example). The full command, with the interface specification, is now:

          $ tshark -i em1 -f 'port 9001'

    Notice the single quotation marks around the capture filter expression. They are needed because the expression contains spaces, which the shell would normally treat as separators (or "delimiters") between command line arguments.

  3. Specify a Save File

    It is typical to capture some frames and save them to a file. Then you can examine the saved frames later at your leisure. The workflow is: 1) set up an "experiment" on the network, 2) start a capture with an appropriate filter and save file, 3) run the experiment, 4) stop the capture, and finally 5) study the resulting "data" from your experiment. Use the -w option to specify a file in which to save the captured data. The full command is now:

          $ tshark -i em1 -f 'port 9001' -w saved.pcap

    Be aware that tshark can save a very large amount of data in some cases, depending on your capture filter. For example, if you capture all frames on a busy network, you are essentially saving everything that goes in and out of that busy interface to the save file. Be sure you have sufficient storage resources.

    As the capture takes place you will see a count of the number of frames captured on the terminal. Use ^C (Ctrl+C) to abort the capture and stop tshark.

  4. Analyze Captured Packets

    Depending on your needs there are several ways of analyzing your captured data. Here are some examples:

          $ tshark -r saved.pcap -x -Y 'frame.number == 4'

    The command above reads (-r) the saved frames from saved.pcap and then uses a display filter (-Y) with a filter expression of frame.number == 4 to show you, in this case, the contents of frame #4 of your captured data. The display filter (also called a read filter) further refines the information by filtering previously captured data before displaying it. The -x option causes tshark to dump the raw frame contents as hex and ASCII.

    The -V option can be used instead of -x to dissect the frame and decode each of its protocol layers in turn:

          $ tshark -r saved.pcap -V -Y 'frame.number == 4'
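    The four steps above, combined into a small script that also addresses the storage warning from step 3. This is an added example, not part of the original page: it bounds the capture with tshark's -a autostop conditions and then summarises the saved frames per source, destination and port using tshark's -T fields output, which is machine-readable where -x and -V are meant for a human. The interface name, port, file names and the sample field lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes: tshark is on PATH for
# the two capture/read functions; awk and sort are available for the summary.

# Step 1-3 with a safety net: capture on IFACE with the page's capture filter,
# but stop after SECS seconds or KBYTES kilobytes, whichever comes first, so a
# busy interface cannot fill the disk. Returns tshark's exit status.
bounded_capture() {
    iface=$1; port=$2; outfile=$3; secs=$4; kbytes=$5
    tshark -i "$iface" -f "port $port" -w "$outfile" \
        -a "duration:$secs" -a "filesize:$kbytes"
}

# Step 4, machine-readable: one tab-separated line per TCP frame with
# frame number, source IP, destination IP and destination port.
export_fields() {
    tshark -r "$1" -Y 'tcp' -T fields \
        -e frame.number -e ip.src -e ip.dst -e tcp.dstport
}

# Aggregate export_fields output from stdin into "src dst dstport count",
# busiest flow first. Useful for spotting which peer talked most to port 9001.
summarise_flows() {
    awk -F'\t' 'NF >= 4 { c[$2 " " $3 " " $4]++ }
                END { for (k in c) print k, c[k] }' | sort -k4,4nr
}

# Constructed sample of export_fields output (frame, src, dst, dstport) so the
# summary can be exercised without a live capture.
SAMPLE=$(printf '1\t10.0.0.5\t10.0.0.9\t9001\n2\t10.0.0.9\t10.0.0.5\t41000\n3\t10.0.0.5\t10.0.0.9\t9001\n4\t10.0.0.7\t10.0.0.9\t9001\n')

# Busiest flow in the sample, as "src dst dstport count".
top_flow() {
    printf '%s\n' "$SAMPLE" | summarise_flows | head -n 1
}

# Number of distinct flows in the sample.
flow_count() {
    printf '%s\n' "$SAMPLE" | summarise_flows | wc -l | tr -d ' '
}

# Real use, once tshark is installed (placeholder interface/port/file):
#   bounded_capture em1 9001 saved.pcap 60 10240 && export_fields saved.pcap | summarise_flows
```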

Last Revised: 2023-01-13
© Copyright 2023 by Peter Chapin <pchapin@vtc.edu>