Part 6: A practical guide to using Wireshark and tcpdump on local networks. (Command line packet analysis)

19 September 2023 27 minutes

Analysis of network packets in Wireshark and tcpdump: Fundamentals and techniques

Analyzing network packets from the command line using tools such as Wireshark and tcpdump is an essential component of understanding and monitoring network traffic. These tools provide network operators and system administrators with a deep understanding of what is happening on the local network and help identify problems and potential security threats. Wireshark, with its intuitive graphical interface, allows you to visualize network traffic in an easy-to-understand way. It allows filtering and sorting of packets, and provides the ability to analyze data in detail at different levels of the network stack. Wireshark is a useful tool for detecting traffic anomalies and tracking problems.

On the other hand, tcpdump is a command-line tool that provides the ability to capture, record, and analyze network traffic directly from the command line. It provides more flexibility to automate network analysis and monitoring and allows operators to develop their own scripts and filters for data processing. Network packet analysis from the command line is an essential component of maintaining network security and efficiency. These tools help identify problems, detect potential threats, and ensure stable network operation. An important advantage of network packet analysis from the command line is its ability to integrate with other tools and scripts to automate monitoring and analysis tasks. Network operators can create scripts that use the data collected by tcpdump to detect anomalies, generate reports, and make network optimization decisions. All of these command-line network packet analysis features contribute to the efficiency, security, and reliability of network infrastructures. Network operators and system administrators use these tools to find vulnerabilities, identify problems, and keep the network running smoothly.

Parsing packets from the command line

In many cases, packet sniffing can be done using a GUI, but sometimes command-line tools (such as TShark or tcpdump) are necessary and even preferred. Below are a few situations where you can use a command line tool instead of Wireshark.

  • Wireshark provides a lot of information at once. Using the command line tool, you can limit the displayed information to only the data you need, for example, show only 1P addresses in a row.

  • Command-line tools are best for filtering packets in a capture file and passing the results directly to another tool over Unix channels.

  • Working with very large capture files in Wireshark is often difficult because the entire file must be loaded into RAM. Thanks to the stream processing of capture files, command line tools make it possible to quickly select the required packets from the file.

  • If you have to work with a server where GUI tools are not available, then all you have to do is rely on command line tools.

This chapter demonstrates the capabilities of TShark and tcpdump, the most common command-line tools for packet analysis. It’s useful to familiarize yourself with them, although I personally use TShark on Windows systems and tcpdump on Unix systems. If you’re only using Windows, you can skip the tcpdump sections of this section.

Installing the TShcrk utility

The TShark utility, which is a terminal counterpart to Wireshark, is used for packet analysis and provides essentially the same functionality as Wireshark, but only in a command-line interface rather than a GUI. If you have Wireshark installed, you probably also have TShark, unless you have excluded it from your Wireshark installations. To check if TShark is installed, follow the steps below.

  1. Open a command prompt or terminal window by typing a command and clicking the appropriate button (the specific steps depend on the operating system you are using).

  2. Change to the directory where Wireshark is installed. If you installed it in the default location, type C:\Program Files\Wireshark at the command prompt.

  3. Start TShark and display the version information of the utility by typing tshark -v. If TShark is not installed, an error message will appear stating that the command entered is not recognized. And if TShark is installed on your system, you will see the following information about its versions:

C:\Program Files\Wireshark>tshark -v 
TShark (Wireshark) 2.6.1 (v2.6.1-0-g860a78b3) 
-- фрагмент --

If you have not installed the TShark utility but want to use it, re-install Wireshark by selecting TShark as part of the installed media, although this is done by default. And if you want to start exploring the capabilities of TShark, then run the command tshark -h as shown below to display its commands.

C:\Program Files\Wireshark>tshark -h

Like Wireshark, the TShark utility is suitable for working on different operating systems, but since it does not depend on the graphics libraries of a specific operating system, the experience of using it on different platforms is almost the same. Because of this, TShark runs very smoothly on Windows, Linux, and Mac OS X, although there are some differences on each platform. In this book, we will talk about working with TShark on Windows, since it is the main operating system for which this utility is intended.

Installing the tcpdump utility

While Wireshark is the world’s most popular graphical packet sniffer, tcpdump is the most popular command line packet sniffer. It is designed to run across operating systems and can be easily used with standard package management applications and even included in the packages of many Linux distributions.

Although most of this book is geared towards working in a Windows environment, it includes sections on tcpdump specifically for Unix users and specifically Ubuntu 14.04 LTS. If you want to use tcpdump on Windows, download and install its WinDump Windows counterpart, available at http://www.winpcap. org/windump/. Although the experience of using tcpdump and WinDump is not exactly the same, these packet sniffers function in a similar way. However, it should be borne in mind that WinDump is not as actively supported as tcpdump. As a result, a number of new functions can be simply eliminated, and at the same time vulnerabilities in protection appear. (This book does not cover WinDurnp.) Although tcpdump is not included in the Ubuntu distribution, installing it is not difficult at all thanks to the ART package management system.

To install tcpdump, follow these steps:

  1. Open a terminal window and run sudo apt-get update to update the package stores with the latest versions.

  2. Run sudo apt-get install

  3. You will be prompted to install a number of dependent packages required for tcpdump to run. Allow their installation by typing Y and pressing <Enter> when prompted.

  4. When the installation is complete, type tcpdt-h to run the license and display its version information. If this command is successful, you can start working with tcpdwnp. And the following message will appear in the terms window:

sanders@ppa:-$ tcpdump -h 
tcpdump version 4.9.2 
libpcap version 1.8.1 
Usage: tcpdump [ -aAЬdDefhНIJКlLnNOpqStuUvxX#] [ -В size ] [ -с count ] 
[ -С file_size ] [ -Е algo:secret ] [ -F file ] [ -G seconds 
-i interface ] [ -j tstamptype ] [ -М secret ] [ --numЬer ] 
-Q inloutlinout ] 
-r file J [ -s snaplen J [ --time-stamp-precision precision 
--immediate-mode ] [ -Т type ] [ --version ] -v file ] 
-w file ] [ -W filecount ] [ -у datalinktype 
-z postrotate-command ] 
-Z user ] [ expression ]

All commands available in tcpdump can be displayed by running the following command. We’ll look at some of these commands below:

sanders@ppa:-$ man tcpclump

Capturing and saving packets

First of all, you should intercept packets from the network and display them on the screen. To start capturing packets in TShark, all you need to do is run the tshark command. This command begins the process of capturing packets from the network interface and displaying them in a terminal window, similar to the example below.

C:\Program Files\Wireshark>tshark 
1 0.000000 -> ТСР 66 1606 80 [SYN] 
Seq=O Win=8192 Len=O MSS=1460 WS=4 SACK_PERМ=l 
2 0.030107 -> ТСР 66 80 1606 [SYN, АСК] 
Seq=O Ack=l Win=5720 Len=O MSS=l406 SACK_PERМ=l WS=64 
3 0.030182 -> ТСР 54 1606 80 [АСК] 
Seq=l Ack=l Win=l6872 Len=O 
4 0.030248 -> НТТР 681 GET / НТТР/1.1 
5 0.079026 -> ТСР 60 80 1606 [АСК] 
Seq=l Ack=628 Win=6976 Len=O

And in order to start intercepting packets, it is enough to execute the tcpdump command. After running this command, your terminal window should look something like this:

sanders@ppa:-$ tcpdump 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening оп ethO, link-type ЕNlОМВ (Ethernet), capture size 65535 bytes 
21:18:39.618072 IP > Flags [S], 
seq 2082691767, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length О 
21:18:39.648179 IP > 
Flags [S.], seq 2775577373, ack 2082691768, win 5720, options [mss 
1406,nop,nop,sackOK,nop,wscale 6], length О 
21:18:39.648254 IP > Flags [.], ack 1, 
win 4218, length О 
21:18:39.648320 IP > Flags [Р.], 
seq 1:628, ack 1, win 4218, length 627: НТТР: GET / НТТР/1.1 
21:18:39.697098 IP > Flags [.], ack 628, 
win 109, length О

Depending on your system configuration, TShark or tcpdump may not use the network interface from which you want to capture packets by default. In this case, you will have to specify it manually. The list of network interfaces available to TShark can be displayed using the tshark -D command as shown below.

C:\Program Files\Wireshark>tshark -D 
1. \Device\NPF_{1DE095C2-346D-47E6-B855-11917B74603A) (Local Area Connection 2) 
2. \Device\NPF_{lA494418-97D3-42E8-8COB-78D79AlF7545) (Ethernet 2)

To use a specific network interface, run the tshark -i command with the number assigned to the network interface listed above:

C:\Program Files\Wireshark>tshark -i 1

This command will capture packets only from the network interface Loca1 Area Connection 2, which is numbered 1 in the list of network interfaces. It is recommended to always specify the network interface from which you want to capture packets. After all, virtual machine or VPN tools very often add network interfaces, so you need to make sure that the packets are coming from the right source.

If you are running tcpdump on a Linux or Mac OS X system, display the list of available network interfaces using the ifconfig command as shown below.

sanders@ppa:-$ ifconfiq 
ethO Link encap:Ethernet HWaddr OO:Oc:29:1f:a7:55 
inet addr: Bcast: Mask: 
inetб addr: fe80::20c:29ff:felf:a755/64 Scope:Link 
RX packets:5119 errors:O dropped:O overruns:O frame:O 
ТХ packets:3088 errors:O dropped:O overruns:O carrier:O 
collisions:O txqueuelen:lOOO 
RX bytes:876746 (876.7 КВ} ТХ bytes:538083 (538.О КВ)

And specify a specific network interface. You can use below command. This command will only capture packets from the eth0 network interface.

sanders@ppa:-$ tcpdump -i ethO

So, when everything is configured correctly, you can start capturing packets. If the device from which the network traffic is intercepted is quite heavily loaded on the network, you will most likely notice that lines with individual packets appear so quickly that they are difficult to read. This can be fixed by saving the packages to a file first and then reading only a small number of them from that file.

To save the accumulated packets to a file, run the command (tshark or cpdump).—) with the -w argument in both utilities discussed here, followed by the filename. The packet sniffing will continue until you stop it by pressing <Ctrl+C>. The specified file will be saved in the directory from which the corresponding utility was executed, unless otherwise specified. Below is an example of how to run this command in TShark.

C:\Program Files\Wireshark>tshark -i 1 -w packets.pcap

Using this command, all packets intercepted from the network interface specified first in the interface list will be written to the packet capture file. The same command in tcpdump will look like this:

sanders@ppa:-$ tcpduшp -i ethO -w packets.pcap

To read packets from a saved capture file, run the following command with the –r argument, also specifying the file name:

C:\Program Files\Wireshark>tshark -r packetв.pcap

With this command, all packets from packets are intercepted in the packets file. rsar are read and displayed on the screen. A similar command in tcpdump looks like this:

sanders@ppa:-$ tcpdump -r packets.pcap

And according to the following command, only the first 10 packets from the capture file are displayed in TShark budug:

C:\Program Files\Wireshark>tshark -r packets.pcap -clO

A similar command in tcpdunp looks like this:

sanders@ppa:-$ tcpdump -r packets.pcap -clO

In the interception process, you can also specify the -s argument in the corresponding command. As a result, its execution was intercepted and only 10 packets were displayed for viewing on the screen. And if you add the -w argument, the intercepted packets can be saved to a file. Here’s what a similar team looks like at TShark.

C:\Program Files\Wireshark>tshark -i 1 -w packets.pcap -clO

A similar command in tcpdump looks like this:

sanders@ppa:-$ tcpdulllp -i ethO -w packets.pcap -clO

Manipulation of output results

The advantage of using command line packet sniffing tools is that the results are more specific. As a rule, the GUI displays everything, and you have to find exactly what you need yourself. And command-line tools usually display only the bare minimum, forcing you to use additional commands for more in-depth packet analysis. And in this respect, the TShark and tcpdump utilities are no different. Both display one line per packet, requiring additional commands to view more detailed information about network protocols or individual bytes from packets.

Each line output in TShark is a single packet, and its format depends on the protocols used in that packet. The TShark utility uses the same network protocol interpreters as Wireshark, and the resulting data is analyzed in the same way. So the results displayed in TShark mirror the contents of the Packet List panel in Wireshark if you compare them side by side. And since the interpreters in the TShark utility allow analyzing network protocols up to the seventh layer, it can provide much more information about packets containing headers than the tcpdump utility.

Each output in tcpdump is also a single packet that is formatted differently depending on the network protocol used. And since tcpdump does not use the same protocol interpreters as Wireshark, this utility does not analyze information about network protocols of the seventh level. And this is one of the main disadvantages of tcpdump. Instead, single-line packets are formatted based on the transport-layer network protocol they use, which can be either TCP or UDP (more on this in Chapter 8, “Transport Layer Protocols”).

TCP packets have the following format:

[Отметка времени] [Протокол третьего уровня] 
[IР-адрес отправителя]. [Порт отправителя] > 
[IР-адрес получателя]. [Порт получателя]: 
[Флаги протокола ТСР], [Порядковый номер в протоколе ТСР], 
[Номер подтверждения в протоколе ТСР], 
[Размеры окон в протоколе ТСР], [Длина данных]

UDP packets use the following format:

[Отметка времени] [Протокол третьего уровня] 
[IР-адрес отправителя]. [Порт отправителя] > 
[IР-адрес получателя]. [Порт получателя]: 
[Протокол четвертого уровня], [Длина данных]

These basic one-line summaries are great for quick package analysis, but eventually you’ll need to do more in-depth package analysis. In the Wireshark app, simply click on your favorite packet in the Packet List panel to display its details in the Packet Details and Packet Bytes panels. You can access the same information from the command line using multiple parameters.

The easiest way to get more information about each package is to make the output more verbose. The V parameter in TShark serves this purpose as shown below.

C:\Program Files\Wireshark>tshark -r packets.pcap -V

This command displays the same information about packets read from the packets.pcap capture file as in the Packet Details panel in Wireshark. Below are examples of packet analysis with normal verbosity (basic summaries) and extended verbosity (detailed summaries obtained with the -V argument).

First, here’s the standard output:

C:\Program Files\Wireshark>tshark -r packets.pcap -cl 
1 0.000000 -> ICMP Echo (piпg) request id=OxOOOl, 
seq=l7/4352, ttl=l28

And now here are some of the more detailed details obtained through advanced detailing.

C:\Program Files\Wireshark>tshark -r packets.pcap -V -cl 
Frame 1: 74 bytes оп wire (592 bits), 74 bytes captured (592 bits) оп iпterface О 
Iпterface id: О (\Device\NPF_(C30671Cl-579D-4F33-9CC0-73EFFFE85A54)) 
Eпcapsulatioп type: Etherпet (1) 
Arrival Time: Dec 21, 2015 12:52:43.116551000 
Easterп Staпdard Time 
[Time shift for this packet: 0.000000000 secoпds] 
фрагмент -

To increase the level of detail, the tcpdump utility uses the -v argument. But, unlike TShark, the tcpdump utility allows you to display each packet at several levels of detail. And if you specify several arguments v in the corresponding command, you can add the same number of levels of detail. The following example shows how to expand package information to three levels of detail.

sanders@ppa:-$ tcpdump -r packets.pcap -vvv

Below is an example of how to display information about the same package both at a normal level of detail and at an expanded level of detail. But even with full detail, the output does not come close to the details displayed in TShark.

sanders@ppa:-$ tcpdump -r packets.pcap -cl 
reading from file packets.pcap, link-type ENlOMB (Ethernet) 
13:26:25.265937 IP > 
ICMP echo request, id 1759, seq 150, length 64 
sanders@ppa:-$ tcpdump -r packets.pcap -cl -v 
reading from file packets.pcap, link-type ЕNlОМВ (Ethernet) 
13:26:25.265937 IP (tos ОхО, ttl 64, id 37322, offset О, 
flags (DF], proto ICMP (1), length 84) > ICMP echo request, 
id 1759, seq 150, length 64

Availability of granularity levels depends on the specific protocol in the analyzed packet. As useful as advanced detailing is, it doesn’t capture everything you can see. The TShark and tcpduap utilities store the entire contents of each packet, which can also be viewed in hex or ASCII.

For example, in TShark you can view the hexadecimal and ASCII representations of packets using the -x argument, which can be combined with the r argument to read and display the packet from the capture file, as shown below.

C:\Program Files\Wireshark>tshark -xr pacltets.pcap

Viewing intercepted packets using this command is the same as in the Packet Bytes panel of the Wireshark program (Fig. 6.1).

In the tcpdump utility, captured packets can be viewed in hexadecimal and ASCII using the -X argument. This argument can be combined with the r argument to read packets from a capture file, as in the example below.

anders@ppa: - $ tcpdump -Xr packets.pcap

The tcpdump utility also allows you to analyze packets in more detail than necessary. Analysis output can also be viewed in hexadecimal only using the -x argument, or in ASCII only using the –X argument

When you start experimenting with captured packet data, it’s easy to feel overwhelmed by the volume. In my opinion, it is most efficient to use the minimum amount of information when analyzing packets in command line mode. Start by viewing packages in their standard list view, going to additional levels of output detail when you want to narrow your analysis down to a few packages of particular interest. This approach will protect you from depression due to an excessive amount of analyzed data.

Name resolution

As with Wireshark, the TShark and tcpdunp utilities attempt to perform name resolution to display proper names instead of IP addresses and port numbers. If you’ve followed the previous examples closely, you may have noticed that this happens by default. But, as mentioned earlier, I usually prefer to disable name resolution mode to eliminate the possibility of generating additional packets on the network by analyzing existing packets.

To cancel name conversion in TShark, you can specify the -n argument on the command line. This argument, like many others, can be combined with other arguments to improve the readability of the output, as shown below.

:\Program Files\Wireshark>tshark -ni 1

Certain aspects of name conversion can be strengthened or weakened by using the –N argument. Specifying this argument on the command line will completely cancel the name conversion, except for any aspects of it that you explicitly run with the appropriate values. For example, the following command will enable port number broadcast only at the transport layer:

:\Program Files\Wireshark>tshark -i 1 -Nt

You can combine several argument values in one command. And the following command activates name translation at both the transport layer and the channel layer of MAC addresses:

C:\Program Files\Wireshark>tshark -i 1 -Ntm

Below are the values that can be used in conjunction with the -N argument.

In the utility, you can cancel IP address conversion using the -n argument, and port number conversion using the -nn argument.

This argument can also be combined with other command line arguments as shown below.

sanders@ppa:-$ tcpduшp -nni. ethl

The following examples show how to record packets by first enabling port number translation and then disabling port number translation (-n argument).

sanders@ppa:-$ tcpduшp -r tcp_;юrts.pcap -cl 
reading from file tcp_ports.pcap, link-type ЕNlОМВ (Ethernet) 
14:38:34.341715 IP > 
u http: Flags [S], seq 3691127924, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOK], length О 
sanders@ppa:-$ tcpdump -nr tcp_;юrts.pcap -cl 
reading from file tcp_ports.pcap, link-type ENlOMB (Ethernet) 
14:38:34.341715 IP > 
v 80: Flags [SJ, seq 3691127924, win 8192, 
options [mss 1460,nop,wscale 2,nop,nop,sackOKJ, length О

For both of the above commands, only the first packet from the .rsar capture file of tcp ports is read. The first command starts port number translation and converts port 80 to an http name, while the second command simply displays the v port number.

Application of filters

Filtering in the TShark and tcpdump utilities is very convenient because they use BPF interception filters. In addition, TShark applies display filters from Wireshark. As in Wireshark, capture filters can only be applied in TShark while capturing, and display filters can be applied both when capturing and when displaying packets that have already been captured. So, let’s start with applying filters in TShark.

Capture filters can be applied in the appropriate command by specifying the -f argument and the BPF filter syntax in double quotes. Therefore, the following command will capture and store only those packets that use the recipient port 80 and the network protocol TCP:

C:\Program Files\Wireshark>tshark -ni 1 -w packets.pcap 
~ -f "tcp port 80"

Display filters can be applied to the command by specifying the –Y argument and the Wireshark filter syntax in double quotes. They can also be used for interception as follows:

C:\Program Files\Wireshark>tshark -ni 1 -w packets.pcap -У "tcp.dstport = 80"

Display filters can be applied to packets that have already been captured by specifying the same argument in the corresponding command. For example, the following command will display only those packets from the packet capture file that match the criteria specified in the filter:

C:\Program Files\Wireshark>tshark -r packets.pcap -У "tcp.dstport = 80"

In the tcpdump utility, filters can be specified at the end of the command by enclosing them in single quotes. So the following command will also capture and store only packets with recipient port 80 and network protocol TCP:

sanders@ppa:-$ tcpdump -nni ethO -w packets.pcap 'tcp dst port 80'

Filters can also be applied when reading packets. For example, the following command packets. rsar, displays only those packets from the packet capture file that meet the criteria specified in the filter:

sanders@ppa:-$ tcpdump -r packets.pcap 'tcp dst port 80'

However, if the capture file was created without a filter, it will still contain other packets. So, according to the command above, the restriction is only imposed on what is displayed on the screen when reading from an existing capture file.

But what if you have a capture file that contains a wide variety of packets, but you only want to filter out a subset of them and keep them in a separate file? This can be done by specifying the –w and –r arguments together, as shown in the following command:

sanders@ppa: -$ tcpdump -r packets .рсар 'tcp dst port 80' -w http yackets .рсар

According to this command, only the network traffic that is sent to port 80 on the TCP protocol is read and filtered from the .rsar packet file, as it happens in the HTTP protocol, and the received packets are written to a new http packets .rsar file. This technique is often used if you want to keep a large source capture file, but analyze packets from it only in small portions. I personally use this technique to first flatten the contents of a very large capture file to a small subset of packets using tcpdump and analyze it in Wireshark. After all, it is much easier to process small intercept files.

In addition to specifying  filters directly on the command line, the utility allows you to access a BPF file that contains entire sequences of filters. This is very useful if you want to apply a very large or complex filter that would otherwise be very inconvenient to edit and maintain on the command line. The BPF file can be specified using the –F argument as shown below.

sanders@ppa:-$ tcpdulllp -nni ethO -F dns_servers.Ьpf

If the BPF file becomes too large, you may be tempted to add comments or notes to it so that you know the purpose of each part. It should be noted, however, that comments are not allowed in the BPF file, and anything other than filter statements found in it will result in an error. But since comments are very useful when decrypting large BPF files, I usually keep two copies of each such file: one without comments for use with the tcpdump utility, and one with comments for reference.

Time display formats in TShcrk

Those new to packet analysis are often confused by the default timestamp used in TShark. Packet timestamps are displayed in this utility relative to the start of packet sniffing. Sometimes it is better to assign timestamps, but often it is necessary to know the time when the packet was captured, as is done with timestamps in the tcpdump utility. The same result can be achieved in TShark by specifying the –t argument along with a declaration value that represents an absolute date, as shown below.

C:\Prograrn Files\Wireshark>tshark -r pacltets.pcap -t ad

The following command compares the same packets as before, but with relative (default) and absolute timestamps:

 С: \Program Files \Wireshark>tshark -r pacltets .рсар -с2 
1 0.000000 -> ICMP Echo (ping) 
request id=OxOOOl, seq=l7/4352, ttl=l28 
2 0.024500 -> ICMP Echo (ping) 
reply id=OxOOOl, seq=l7/4352, ttl=54 (request in 1) 
8 C:\Program Files\Wireshark>tshark -r packets.pcap -t ad -с2 
1 2015-12-21 12:52:43.116551 -> ICMP Echo (ping) 
request id=OxOOOl, seq=l7/4352, tt1=128 
2 2015-12-21 12:52:43.141051 -> ICMP Echo (ping) 
reply id=OxOOOl, seq=17/4352, ttl=54 (request in 1)

The –t argument can be used to specify any time display format available in Wireshark. The list of these formats is given in the table. 6.1.

Unfortunately, the tcpdump utility does not have this level of control for manipulating the display of timestamps.

Summary statistics in TShark

Another useful feature that distinguishes the TShark utility from tcpdump is the generation of a subset of statistics from the capture file. The process of generating statistics is very similar to what Wireshark has, but is easily accessible from the command line. To generate statistical data, it is enough to specify the -z argument in the corresponding command together with the name of the output option. So, the full list of available statistics can be viewed using the following command:

C:\Program Files\Wireshark>tshark -z help

Many of the features of TShark discussed above are available with the -z argument, including the ability to display statistics about endpoints and network conversations. For example, the following command displays a table of statistics for the 110 IR network protocol dialogs detected in the packet capture file. RSAR (Fig. 6.3).

The –z argument can also be used to view information about a specific network protocol. As shown below and in fig. 6.4, to view the ra(:d efinition of HTTP requests and responses in tabular form, along with this argument, it is enough to specify the output option http, tree.

Another useful feature of TShark is the ability to view the reassembled output stream. We did this earlier in Wireshark when we right-clicked on a packet and chose Follow TCP Stream from the context menu. To get such a report, we must set the f0ll0w option on the command line and specify the stream type, output mode, and which of the stream numbers we want to display. Flows are identified by numbers that are displayed in the left column when displaying statistical data about network conversations (see Fig. 6.3). The command to get the report is shown below.

C: \ Program Files\Wireshark>tshark -r http_gooqle.pcap -z follow,tcp,ascii,O

And according to the following command, the zero stream using the TSR protocol will be displayed on the screen in ASCII code from the http _google interception file. rsar, the result displayed by this command is shown right here:

C:\Program Files\Wireshark tзhark -r http_google .pcap -z 
-- фрагмент --
Follow: tcp,ascii 
Filter: eq О 
Node О: 172.16 . 16 . 128:1606 
Node 1: 
GET / НТТР/1.1 
User-Agent: Mozilla / 5.0 (Windows; U; Windows NT 6. 1; 
~ en-US; rv:l.9.1.7 ) 
Gecko/20091221 Firefox/3.5.7 
Accept: text/html,application/xhtml+xml,application/ xml; 
~ q=O. 9, * / *; q=O. 8 
Accept- Language: en- us, en;q=0. 5 
Accept-Encoding: gzip,deflate 
Accept-Charset: IS0-8859-l,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 300 
Connection: keep-alive 
Cookie: PREF=ID=2579 3a938eбc2 48:U=267c896b5f3 fb0b:FF=4:LD=e 
n:NR l0:TM l26073065 :1М l265479336:GМ=l:S hlUBG nTuWU3D23L; 
NID 3l nhwMjUP63e tYМTp-3TligMSPnNSleMlkNl 
~ DUrn02zWlcPM4JE3AJec9b vG-
~ FibFXszOApfЬhBAlBOX4dКx4L8ZDdeiKwqekgP5 
~ kzELtC2mUHx7RHx3PittcuZ 
НТТР/1.1 200 ОК 
Date: Tue, 09 Feb 2010 01:18:37 GMT 
Expires: -1 
Cache-Control: private, max-age=O 
Content-Type: text/html; charset=UTF-8 
Content-Encoding: gzip 
Server: gws 
Content-Length: 4633 
X-XSS-Protection: О

You can also specify the broadcast you want to watch by providing address details. For example, the following command will extract the UDP stream from a packet capture .rsar file for the specified endpoints and ports. Specifically, this command will output the UDP stream from the specified intercept file for endpoint on port 23429 and endpoint on port 53.

C:\Program Files\Wireshark>tshark -r packets.pcap -z 
~ follow,udp,ascii, 0, 8

Several of the most common (including by me) options for displaying statistical data from the capture file are listed below.

There are many other useful options to use with the –z argument, but unfortunately there is not enough space to describe them fully. However, if you intend to use TShark ugilita frequently, you should consult the official documentation to learn all the available options for displaying statistics about intercepted network traffic. This documentation can be found at the following address: (

Comparison of TShcrk and tcpdump utilities

Both of the command-line packet analysis utilities discussed earlier in this chapter are well suited for their respective tasks, and either will solve any pressing problem with varying degrees of effort. Listed below are some significant differences between TShark utilities and what should be kept in mind when choosing the most suitable one for a particular task.

  • Operating system: The tcpdump utility is only available on Unix-based operating systems, while the TShark utility can function on both Windows and operating systems.

  • Protocol support. Both utilities support network protocols of layer III and fourth layer. Although tcpdump’s support for layer 7 network protocols is limited, it is quite complete in TShark as it provides network protocol interpreters in Wireshark.

  • Package sniffing tools. Both utilities rely heavily on human ability to analyze and produce the same tangible results as Wireshark. This can greatly assist in packet analysis in the absence of a GUI.

The availability of suitable packet analysis tools and personal preferences are usually decisive factors in their selection. True, these tools have such similar capabilities that by studying one of them, you can learn a lot about the other. This makes your capabilities more versatile while expanding your arsenal of packet analysis tools.

We used materials from the book “PRACTICAL RACKET ANALYSIS” written by Chris Sanders.

Found an error?
If you find an error, take a screenshot and send it to the bot.