Terminal GuideWireshark & tshark: Network Protocol Analyzer Guide
Wireshark is the world's most widely used network protocol analyzer. Its CLI companion, tshark, provides the same deep inspection capabilities for terminal-based workflows, automation, and remote analysis. This guide focuses on tshark for hands-on packet analysis from the command line.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Capture
tshark -i eth0Capture on interfacetshark -i eth0 -w out.pcapSave to filetshark -r file.pcapRead capture fileDisplay Filters
-Y "http"Filter HTTP traffic-Y "ip.addr == 10.0.0.1"Filter by IP-Y "tcp.port == 443"Filter by portCapture Filters
-f "host 10.0.0.1"Capture from host-f "port 80"Capture port 80-f "net 192.168.1.0/24"Capture subnetOutput
-T fields -e ip.srcExtract fields-VVerbose (all details)-q -z io,stat,1Statistics summaryAdvanced
-z follow,tcp,ascii,0Follow TCP stream-z conv,ipIP conversations-z endpoints,tcpTCP endpointsRing Buffer
-b filesize:1000010 MB per file-b files:5Keep 5 files-b duration:3600Rotate every hourDownloadable Image Preview
Overview
Wireshark (formerly Ethereal) is an open-source network protocol analyzer that captures and interactively examines network traffic. It supports over 3,000 protocols and can dissect packets at every layer of the network stack from Ethernet frames to application-layer data such as HTTP, DNS, TLS, and more.
The Wireshark suite includes two primary tools:
- Wireshark — the graphical interface for interactive packet analysis and visualization
- tshark — the terminal-based counterpart, ideal for scripting, automation, remote servers, and headless environments
Both tools share the same dissection engine, meaning every filter, protocol decoder, and analysis capability available in Wireshark is also available through tshark. This guide focuses primarily on tshark since it is the tool you will use in CLI workflows.
Installation
Wireshark and tshark are available in most Linux distribution repositories and through Homebrew on macOS.
# Debian / Ubuntu
sudo apt update && sudo apt install -y wireshark tshark
# Fedora / RHEL
sudo dnf install -y wireshark-cli
# Arch Linux
sudo pacman -S wireshark-cli
# macOS (Homebrew)
brew install wireshark
# Verify installation
tshark --versionwireshark group with sudo usermod -aG wireshark $USER, then log out and back in. This avoids the need to run tshark as root.tshark Basics
Listing Interfaces
Before capturing, identify which network interface to monitor.
# List all available capture interfaces
tshark -D
# Example output:
# 1. eth0
# 2. wlan0
# 3. lo (Loopback)
# 4. any (Pseudo-device that captures on all interfaces)Basic Capture
Start capturing packets on a specific interface. By default, tshark prints a summary line for each packet to stdout.
# Capture on eth0 (press Ctrl+C to stop)
tshark -i eth0
# Capture on all interfaces
tshark -i any
# Capture a specific number of packets
tshark -i eth0 -c 100
# Capture for a specific duration (seconds)
tshark -i eth0 -a duration:30Saving Captures
Save captured packets to a file for later analysis. The standard format is pcapng (the default) or the legacy pcap format.
# Save capture to a pcapng file
tshark -i eth0 -w capture.pcapng
# Save in legacy pcap format
tshark -i eth0 -F pcap -w capture.pcap
# Capture 500 packets and save
tshark -i eth0 -c 500 -w sample.pcapngReading Capture Files
Read and analyze previously captured traffic from a file.
# Read and display packets from a file
tshark -r capture.pcapng
# Read with verbose output (full protocol tree)
tshark -r capture.pcapng -V
# Read and apply a display filter
tshark -r capture.pcapng -Y "http.request"
# Count packets in a capture file
tshark -r capture.pcapng | wc -lCapture Filters vs Display Filters
Wireshark and tshark use two distinct filtering systems. Understanding when to use each is essential for efficient analysis.
Filter Type Comparison
| Feature | Description |
|---|---|
| Capture Filters (-f) | Applied during capture using BPF (Berkeley Packet Filter) syntax. Packets not matching the filter are never captured. Cannot be changed after capture starts. |
| Display Filters (-Y) | Applied after capture using Wireshark display filter syntax. Filter what you see without discarding data. Can be changed at any time on saved captures. |
Capture Filters (BPF Syntax)
Capture filters use BPF syntax (the same syntax as tcpdump) and are set with the -f flag. Use them to reduce capture file size and focus on relevant traffic.
# Capture only traffic to/from a specific host
tshark -i eth0 -f "host 192.168.1.100"
# Capture only HTTP traffic (port 80)
tshark -i eth0 -f "port 80"
# Capture traffic on a subnet
tshark -i eth0 -f "net 10.0.0.0/8"
# Capture only TCP SYN packets (connection initiations)
tshark -i eth0 -f "tcp[tcpflags] & (tcp-syn) != 0"
# Exclude SSH traffic to avoid noise during remote capture
tshark -i eth0 -f "not port 22"
# Combine filters: HTTP from a specific host
tshark -i eth0 -f "host 192.168.1.50 and port 80"Display Filters (Wireshark Syntax)
Display filters use Wireshark's powerful protocol-aware syntax and are set with the -Y flag. They provide far more granularity than capture filters.
# Show only HTTP requests
tshark -r capture.pcapng -Y "http.request"
# Show only DNS queries
tshark -r capture.pcapng -Y "dns.qr == 0"
# Filter by IP address
tshark -r capture.pcapng -Y "ip.addr == 10.0.0.1"
# Filter by source IP
tshark -r capture.pcapng -Y "ip.src == 192.168.1.100"
# Show only TCP packets with RST flag
tshark -r capture.pcapng -Y "tcp.flags.reset == 1"
# Show packets with HTTP status code 404
tshark -r capture.pcapng -Y "http.response.code == 404"
# Show TLS Client Hello packets
tshark -r capture.pcapng -Y "tls.handshake.type == 1"Combining Display Filters
Display filters support logical operators for building complex filter expressions.
# AND operator
tshark -r capture.pcapng -Y "http && ip.src == 10.0.0.5"
# OR operator
tshark -r capture.pcapng -Y "dns || http"
# NOT operator
tshark -r capture.pcapng -Y "!arp"
# Comparison operators
tshark -r capture.pcapng -Y "frame.len > 1000"
# Contains operator (search in string fields)
tshark -r capture.pcapng -Y 'http.host contains "example.com"'
# Matches operator (regex)
tshark -r capture.pcapng -Y 'http.user_agent matches "Mozilla.*Firefox"'Advanced Analysis
Extracting Specific Fields
Use the -T fields option to extract specific protocol fields into structured output suitable for scripting and data processing.
# Extract source IP, destination IP, and protocol
tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e _ws.col.Protocol
# Extract HTTP request methods and URIs
tshark -r capture.pcapng -Y "http.request" \
-T fields -e ip.src -e http.request.method -e http.request.full_uri
# Extract DNS queries
tshark -r capture.pcapng -Y "dns.qr == 0" \
-T fields -e ip.src -e dns.qname -e dns.qry.type
# Set field separator for CSV-like output
tshark -r capture.pcapng -T fields -E separator=, \
-e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport
# Output as JSON
tshark -r capture.pcapng -T json -Y "http.request" > http_requests.json
# Output as XML (PDML)
tshark -r capture.pcapng -T pdml -Y "dns" > dns_packets.xmlProtocol Statistics
The -z flag provides powerful built-in statistics without manual processing.
# Protocol hierarchy statistics
tshark -r capture.pcapng -q -z io,phs
# I/O statistics (1-second intervals)
tshark -r capture.pcapng -q -z io,stat,1
# I/O statistics with filters
tshark -r capture.pcapng -q -z io,stat,1,"COUNT(http.request)http.request"
# HTTP request/response statistics
tshark -r capture.pcapng -q -z http,tree
# HTTP request distribution
tshark -r capture.pcapng -q -z http_req,tree
# DNS statistics
tshark -r capture.pcapng -q -z dns,tree
# Expert information (warnings, errors, notes)
tshark -r capture.pcapng -q -z expertFollowing Streams
Reconstruct and display complete TCP, UDP, or HTTP streams to see the full conversation between client and server.
# Follow TCP stream 0 (ASCII output)
tshark -r capture.pcapng -q -z follow,tcp,ascii,0
# Follow TCP stream by filter (e.g., stream index 5)
tshark -r capture.pcapng -q -z follow,tcp,ascii,5
# Follow UDP stream
tshark -r capture.pcapng -q -z follow,udp,ascii,0
# Follow HTTP stream
tshark -r capture.pcapng -q -z follow,http,ascii,0
# Follow and save raw stream data
tshark -r capture.pcapng -q -z follow,tcp,raw,0 > stream_hex.txtConversation Analysis
Identify who is communicating with whom and how much data is being transferred.
# IP conversation list
tshark -r capture.pcapng -q -z conv,ip
# TCP conversation list
tshark -r capture.pcapng -q -z conv,tcp
# Ethernet conversation list
tshark -r capture.pcapng -q -z conv,eth
# Endpoint statistics (IP)
tshark -r capture.pcapng -q -z endpoints,ip
# TCP endpoint statistics
tshark -r capture.pcapng -q -z endpoints,tcpPractical Examples
HTTP Traffic Analysis
Capture and analyze HTTP requests and responses for debugging web applications and inspecting API calls.
# Capture HTTP traffic and show request details
tshark -i eth0 -Y "http.request" \
-T fields -e ip.src -e http.request.method -e http.host -e http.request.uri
# Monitor HTTP response codes
tshark -i eth0 -Y "http.response" \
-T fields -e ip.dst -e http.response.code -e http.content_type
# Find all unique URLs accessed
tshark -r capture.pcapng -Y "http.request" \
-T fields -e http.request.full_uri | sort -u
# Identify large HTTP responses
tshark -r capture.pcapng -Y "http.response && http.content_length > 1000000" \
-T fields -e ip.src -e http.content_length -e http.content_type
# Extract HTTP POST data
tshark -r capture.pcapng -Y "http.request.method == POST" \
-T fields -e http.host -e http.request.uri -e http.file_dataDNS Debugging
Analyze DNS queries and responses to troubleshoot name resolution issues.
# Monitor live DNS queries
tshark -i eth0 -Y "dns.qr == 0" \
-T fields -e ip.src -e dns.qname
# Show DNS responses with answers
tshark -r capture.pcapng -Y "dns.qr == 1" \
-T fields -e dns.qname -e dns.a -e dns.aaaa
# Find DNS queries with NXDOMAIN (non-existent domain)
tshark -r capture.pcapng -Y "dns.flags.rcode == 3" \
-T fields -e ip.src -e dns.qname
# Identify slow DNS responses (> 500ms)
tshark -r capture.pcapng -Y "dns.time > 0.5" \
-T fields -e dns.qname -e dns.time
# Top queried domains
tshark -r capture.pcapng -Y "dns.qr == 0" \
-T fields -e dns.qname | sort | uniq -c | sort -rn | head -20TLS Handshake Inspection
Examine TLS/SSL handshakes to debug certificate issues, cipher suite negotiation, and connection problems.
# Show TLS Client Hello with SNI (Server Name Indication)
tshark -r capture.pcapng -Y "tls.handshake.type == 1" \
-T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
# Show TLS Server Hello with selected cipher suite
tshark -r capture.pcapng -Y "tls.handshake.type == 2" \
-T fields -e ip.src -e tls.handshake.ciphersuite
# Show TLS certificate information
tshark -r capture.pcapng -Y "tls.handshake.type == 11" \
-T fields -e tls.handshake.certificate
# Detect TLS version in use
tshark -r capture.pcapng -Y "tls.handshake.type == 1" \
-T fields -e ip.src -e tls.handshake.versionDetecting Port Scans
Use tshark to identify potential port scanning activity on your network.
# Detect SYN packets without ACK (potential SYN scan)
tshark -r capture.pcapng \
-Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -e ip.src -e ip.dst -e tcp.dstport
# Count SYN packets per source IP (high counts may indicate scanning)
tshark -r capture.pcapng \
-Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
-T fields -e ip.src | sort | uniq -c | sort -rn | head -10
# Detect RST responses (closed ports)
tshark -r capture.pcapng -Y "tcp.flags.reset == 1" \
-T fields -e ip.src -e ip.dst -e tcp.srcport
# ICMP unreachable messages (filtered ports)
tshark -r capture.pcapng -Y "icmp.type == 3" \
-T fields -e ip.src -e ip.dst -e icmp.codeBandwidth and Throughput
Measure network throughput and identify bandwidth-heavy connections.
# I/O statistics in 5-second intervals
tshark -r capture.pcapng -q -z io,stat,5
# Bytes per IP conversation (sorted by total bytes)
tshark -r capture.pcapng -q -z conv,ip
# Top talkers by data volume
tshark -r capture.pcapng -T fields -e ip.src -e frame.len \
| awk '{a[$1]+=$2} END {for (i in a) print a[i], i}' | sort -rn | head -10
# Monitor live throughput (packets per second)
tshark -i eth0 -q -z io,stat,1Long-Running Captures with Ring Buffers
For monitoring or forensic purposes, use ring buffers to capture continuously without filling up disk space.
# Ring buffer: 10 files, 100 MB each (1 GB total max)
tshark -i eth0 -b filesize:100000 -b files:10 -w /var/captures/ring.pcapng
# Rotate every hour, keep 24 files (24 hours of history)
tshark -i eth0 -b duration:3600 -b files:24 -w /var/captures/hourly.pcapng
# Combine file size and count limits
tshark -i eth0 -b filesize:50000 -b files:20 \
-f "not port 22" -w /var/captures/filtered.pcapng
# Autostop after capturing 1 GB total
tshark -i eth0 -a filesize:1000000 -w /var/captures/limited.pcapng-b flag controls buffer behavior, while the -a flag sets autostop conditions.Key Filters Reference
The following table lists commonly used display filters organized by protocol.
Common Display Filters
| Filter | Description |
|---|---|
| ip.addr == x.x.x.x | Traffic to/from an IP address |
| ip.src == x.x.x.x | Traffic from a source IP |
| ip.dst == x.x.x.x | Traffic to a destination IP |
| tcp.port == 80 | TCP traffic on port 80 |
| udp.port == 53 | UDP traffic on port 53 (DNS) |
| http.request | HTTP request packets |
| http.response.code == 200 | HTTP 200 OK responses |
| dns.qr == 0 | DNS queries |
| dns.qr == 1 | DNS responses |
| tls.handshake | TLS handshake packets |
| tcp.flags.syn == 1 | TCP SYN packets |
| tcp.flags.reset == 1 | TCP RST packets |
| tcp.analysis.retransmission | Retransmitted TCP segments |
| tcp.analysis.zero_window | TCP zero window events |
| frame.len > 1500 | Frames larger than MTU |
| icmp | All ICMP traffic |
| arp | All ARP traffic |
| !(arp || dns) | Exclude ARP and DNS |
Common Capture Filters (BPF)
| Filter | Description |
|---|---|
| host 10.0.0.1 | Traffic to/from host |
| src host 10.0.0.1 | Traffic from source host |
| dst host 10.0.0.1 | Traffic to destination host |
| port 443 | Traffic on port 443 |
| portrange 8000-9000 | Traffic on port range |
| net 192.168.1.0/24 | Traffic on subnet |
| tcp | TCP traffic only |
| udp | UDP traffic only |
| not port 22 | Exclude SSH traffic |
| host A and port 80 | Combine host and port |
Tips & Best Practices
- Use capture filters for high-traffic networks. On busy networks, capturing everything generates massive files. Apply capture filters to reduce noise and focus on relevant traffic from the start.
- Exclude your own SSH session. When capturing on a remote server over SSH, always add
-f "not port 22"to avoid capturing your own management traffic. - Use ring buffers for continuous monitoring. Combine
-b filesizeand-b filesto capture indefinitely without running out of disk space. - Leverage field extraction for automation. Use
-T fields -eto extract specific data points and pipe them into scripts, databases, or monitoring tools. - Use JSON output for integration. The
-T jsonoutput format makes it easy to process captures with tools like jq, Python, or Elasticsearch. - Run as non-root when possible. Add your user to the
wiresharkgroup rather than running tshark as root. This limits the attack surface if tshark is compromised by a malformed packet. - Check the expert info. The
-z expertoption provides a quick summary of network issues including retransmissions, resets, and protocol errors. - Combine tshark with other tools. Pipe tshark field output to
sort,uniq,awk, andgrepfor powerful one-liner analysis. - Save raw captures first, filter later. When investigating an incident, capture all traffic to a file and then apply display filters during analysis. This ensures you do not miss important context.
- Use editcap and mergecap for file management. These companion tools let you split, merge, and convert capture files. For example,
editcap -c 1000 large.pcapng split.pcapngsplits a file into 1000-packet chunks.
Related Tools
Wireshark is part of a broader ecosystem of network analysis and security tools. Here are some commonly used companion tools:
Companion and Alternative Tools
| Tool | Description |
|---|---|
| tcpdump | Lightweight CLI packet capture tool using the same BPF filter syntax. Ideal when Wireshark is not installed. |
| editcap | Part of the Wireshark suite. Edit capture files: split, merge, filter by time range, or convert formats. |
| mergecap | Part of the Wireshark suite. Merge multiple capture files into one for unified analysis. |
| capinfos | Part of the Wireshark suite. Display summary information about capture files (packet count, duration, data rate). |
| nmap | Network scanner and security auditing tool. Often used alongside Wireshark to correlate scan results with packet-level data. |
| Zeek (Bro) | Network security monitoring framework that creates high-level logs from packet captures. |
| Suricata | Network IDS/IPS that can generate alerts alongside packet captures for incident analysis. |
| NetworkMiner | Network forensic analysis tool for extracting files, images, and credentials from pcap files. |
Official Documentation
For authoritative information, refer to the official documentation:
Related Articles
Nmap: Network Scanner & Security Auditing Tool Guide
Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.
Nikto: Web Server Vulnerability Scanner Guide
Complete guide to Nikto web server scanner. Learn vulnerability scanning, SSL testing, authentication bypass detection, and automated security assessments.
THC Hydra: Network Login Brute Force Guide
Complete guide to THC Hydra for network authentication testing. Learn protocol-specific attacks for SSH, FTP, HTTP, and more with practical examples.
Aircrack-ng: Wireless Network Security Audit Guide
Master the Aircrack-ng suite for wireless network security auditing. Learn monitor mode, packet capture, WPA/WPA2 testing, and wireless analysis.