Installing and using Tshark & Wireshark

Wireshark (formerly Ethereal) is a traffic analyzer program for computer networks. Tshark is the console version, wireshark is the GUI version.

Ubuntu/Debian installation example:

sudo apt-get install wireshark tshark

Help about tshark can be obtained with the command:

tshark -h

Example run command:

tshark -i eth0 -w 'log.txt' -S

We look at what network interfaces are:

tshark -D

After entering the above command, we will see a numbered list, in the following commands the interface can be indicated by the number in the list, for example: -i 2 instead of -i eth1.

I will give examples of filters:

tshark -i eth0 'tcp port 80'
UDP and TCP traffic on port 80:
tshark -i eth0 'port 80'
tshark -i eth0 'tcp port 110 or tcp port 25'
tshark -i eth0 'not broadcast and not multicast'
tshark -i eth0 icmp
tshark -i eth0 'host 192.168.0.3'
tshark -i eth0 'host domain.com'
tshark -i eth0 'not host 192.168.0.3'
tshark -r 'log.txt' -V | more
tshark -r 'log.txt' -w 'file.txt' -F visual
tshark -r 'log.txt' -V > 'output.txt'

In case of the error “You don’t have permission to capture on that device” or when tshark does not see network interfaces, you can run the following commands:

su
groupadd wireshark
usermod -a -G wireshark USERNAME
newgrp wireshark
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Leave a comment

Leave a Reply