Wireshark (formerly Ethereal) is a traffic analyzer for computer networks. TShark is the console version; Wireshark is the GUI version.
Ubuntu/Debian installation example:
sudo apt-get install wireshark tshark
Help about tshark can be obtained with the command:
Example run command:
tshark -i eth0 -w 'log.txt' -S
To see which network interfaces are available:
After entering the above command, we will see a numbered list. In subsequent commands the interface can be given by its number in that list, for example: -i 2 instead of -i eth1.
I will give examples of filters:
tshark -i eth0 'tcp port 80'
UDP and TCP traffic on port 80:
tshark -i eth0 'port 80'
tshark -i eth0 'tcp port 110 or tcp port 25'
tshark -i eth0 'not broadcast and not multicast'
tshark -i eth0 icmp
tshark -i eth0 'host 192.168.0.3'
tshark -i eth0 'host domain.com'
tshark -i eth0 'not host 192.168.0.3'
tshark -r 'log.txt' -V | more
tshark -r 'log.txt' -w 'file.txt' -F visual
tshark -r 'log.txt' -V > 'output.txt'
In case of the error “You don’t have permission to capture on that device” or when tshark does not see network interfaces, you can run the following commands:
su
groupadd wireshark
usermod -a -G wireshark USERNAME
newgrp wireshark
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
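
A check for the result of the commands above, as an added example that is not part of the original page: it verifies that dumpcap is owned by the wireshark group, is closed to other users, and carries both capabilities. The function names are hypothetical, and GNU stat plus getcap (package libcap2-bin on Debian/Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit the dumpcap setup.

# audit_dumpcap MODE GROUP CAPS
#   MODE  octal mode as printed by `stat -c %a`, e.g. 750
#   GROUP owning group as printed by `stat -c %G`
#   CAPS  output of `getcap` for the file (empty if none set)
# Prints one line per finding; returns 0 when nothing is wrong.
audit_dumpcap() {
    mode=$1; group=$2; caps=$3; rc=0
    other=${mode#"${mode%?}"}   # last octal digit: permissions for "other"
    special=${mode%???}         # leading digit, present only for setuid/setgid/sticky
    if [ "$other" != 0 ]; then
        echo "FAIL: mode $mode lets users outside the group use dumpcap"; rc=1
    fi
    case $special in
        4|5|6|7) echo "FAIL: setuid bit set; file capabilities make it unnecessary"; rc=1 ;;
    esac
    if [ "$group" != wireshark ]; then
        echo "FAIL: group is '$group', expected 'wireshark'"; rc=1
    fi
    for cap in cap_net_raw cap_net_admin; do
        case $caps in
            *"$cap"*) ;;
            *) echo "FAIL: $cap is not set on the file"; rc=1 ;;
        esac
    done
    return $rc
}

# Collect the real values from the installed binary.
audit_dumpcap_file() {
    f=${1:-/usr/bin/dumpcap}
    audit_dumpcap "$(stat -c %a "$f")" "$(stat -c %G "$f")" "$(getcap "$f" 2>/dev/null)"
}

# Audit the local binary if present; otherwise only the functions are defined.
if [ -e /usr/bin/dumpcap ]; then
    audit_dumpcap_file && echo "OK: dumpcap matches the setup above" || true
fi
```

A dumpcap that is executable by everyone while holding cap_net_raw lets any local account capture traffic, which is the case the mode check catches.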