Wireshark (formerly Ethereal) is a traffic analyzer program for computer networks. Tshark is the console version, wireshark is the GUI version.
Ubuntu/Debian installation example:
sudo apt-get install wireshark tshark
Help about tshark can be obtained with the command:
tshark -h
Example run command:
tshark -i eth0 -w 'log.txt' -S
We look at what network interfaces are:
tshark -D
After entering the above command, we will see a numbered list, in the following commands the interface can be indicated by the number in the list, for example: -i 2 instead of -i eth1.
I will give examples of filters:
tshark -i eth0 'tcp port 80'
UDP and TCP traffic on port 80:
tshark -i eth0 'port 80'
tshark -i eth0 'tcp port 110 or tcp port 25'
tshark -i eth0 'not broadcast and not multicast'
tshark -i eth0 icmp
tshark -i eth0 'host 192.168.0.3'
tshark -i eth0 'host domain.com'
tshark -i eth0 'not host 192.168.0.3'
tshark -r 'log.txt' -V | more
tshark -r 'log.txt' -w 'file.txt' -F visual
tshark -r 'log.txt' -V > 'output.txt'
In case of the error “You don’t have permission to capture on that device” or when tshark does not see network interfaces, you can run the following commands:
su
groupadd wireshark
usermod -a -G wireshark USERNAME
newgrp wireshark
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap