tshark is the command-line version of Wireshark, the world’s most popular network protocol analyzer. It captures and analyzes network traffic directly from the terminal, making it perfect for remote servers, headless systems, and automated packet analysis. With the same powerful dissection engine as Wireshark, tshark can decode hundreds of protocols.
System administrators and security professionals rely on tshark for deep packet inspection, troubleshooting network issues, and security analysis. Its ability to read and write capture files in various formats, combined with powerful filtering capabilities, makes it an indispensable tool for network forensics.
Key Features
- Protocol Decoding – Supports hundreds of network protocols
- Capture Filters – BPF syntax for selective capture
- Display Filters – Powerful Wireshark filter expressions
- Statistics – Protocol hierarchy, conversations, endpoints
- Multiple Formats – Read/write pcap, pcapng, and more
- Scripting Ready – Perfect for automated analysis
Installation
sudo apt install tshark # Debian/Ubuntu (the installer asks whether non-superusers may capture packets)
sudo dnf install wireshark-cli # Fedora/RHEL
# Allow non-root capture (optional): dumpcap must be group-executable with the capture capabilities set
sudo dpkg-reconfigure wireshark-common # Debian/Ubuntu: answer "Yes" to allow non-superusers to capture
sudo usermod -aG wireshark $USER # then log out and back in; note that group members can read all traffic on every interface
Basic Usage Examples
# Capture on interface
sudo tshark -i eth0
# Capture filter (BPF syntax, applied at capture time; packets it drops are never recorded)
sudo tshark -i eth0 -f "port 80"
# Write to file
sudo tshark -i eth0 -w capture.pcap
# Read capture file
tshark -r capture.pcap
# Display filter (Wireshark field syntax, applied while reading; does not change the file)
tshark -r capture.pcap -Y "http.request"
# Show specific fields, one tab-separated line per packet (tcp.port prints source and destination port joined by a comma)
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
# Statistics only: -q suppresses per-packet output, -z selects the report
tshark -r capture.pcap -qz io,stat,1 # packet and byte counts per 1-second interval
tshark -r capture.pcap -qz conv,tcp # TCP conversations with bytes and packets in each direction
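The "Scripting Ready" claim above is easiest to see with a concrete post-processor. The script below is an added example, not code from the tshark project: it builds the `tshark -T fields` command that lists every cleartext HTTP request with its Authorization header, parses that tab-separated output, and reports requests that send HTTP Basic credentials in the clear (decoding only the username, never printing the password). Because `-Y http.request` only matches traffic tshark could dissect, every hit is cleartext unless a TLS key log was supplied. The embedded sample output is constructed for the example so it runs without tshark; `run()` needs tshark on PATH and a real pcap.

```python
"""Flag HTTP Basic credentials sent in the clear, from tshark -T fields output.

Added example; not part of tshark or Wireshark. The sample TSV below is
constructed to look like the output of tshark_cmd() and is not a real capture.
"""
import base64
import binascii
import subprocess
import sys
from collections import Counter

# Order matters: tshark emits one tab-separated column per -e field, in this order.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.dstport",
          "http.host", "http.request.uri", "http.authorization"]


def tshark_cmd(pcap):
    """tshark invocation whose output parse_records() expects (occurrence=f keeps the first value of multi-valued fields)."""
    cmd = ["tshark", "-r", pcap, "-Y", "http.request", "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_records(text):
    """Turn tshark field output into one dict per packet; absent fields stay ''."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(FIELDS) - len(values))  # pad a short line defensively
        records.append(dict(zip(FIELDS, values)))
    return records


def decode_basic(header):
    """Return the username from an 'Authorization: Basic <b64>' value, else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed header: not decodable, so nothing to report
    user, _, _ = creds.partition(":")  # never return the password part
    return user


def find_cleartext_basic_auth(records):
    """Findings for every request carrying Basic credentials (all dissected HTTP here is cleartext)."""
    findings = []
    for rec in records:
        user = decode_basic(rec["http.authorization"])
        if user is None:
            continue
        findings.append({
            "time": rec["frame.time_epoch"], "src": rec["ip.src"],
            "dst": rec["ip.dst"], "port": rec["tcp.dstport"],
            "url": rec["http.host"] + rec["http.request.uri"], "user": user,
        })
    return findings


def summarize(findings):
    """Count (source host, username) pairs so repeated leaks collapse into one line."""
    return Counter((f["src"], f["user"]) for f in findings)


def run(pcap):
    """Run tshark on a real capture (requires tshark on PATH) and return findings."""
    out = subprocess.run(tshark_cmd(pcap), capture_output=True, text=True, check=True).stdout
    return find_cleartext_basic_auth(parse_records(out))


def _b64(s):  # helper for the constructed sample only
    return base64.b64encode(s.encode()).decode()


# Constructed sample of tshark_cmd() output: two Basic leaks, one bare request,
# one Bearer token (not Basic) and one malformed Basic header.
SAMPLE_OUTPUT = "\n".join([
    "\t".join(["1700000000.123", "10.0.0.5", "203.0.113.10", "80",
               "intranet.example", "/admin", "Basic " + _b64("alice:s3cret")]),
    "\t".join(["1700000001.500", "10.0.0.7", "203.0.113.10", "80",
               "intranet.example", "/", ""]),
    "\t".join(["1700000002.000", "10.0.0.7", "203.0.113.20", "8080",
               "api.example", "/v1/items", "Bearer eyJhbGciOiJub25lIn0.e30."]),
    "\t".join(["1700000003.250", "10.0.0.9", "203.0.113.10", "8080",
               "intranet.example", "/reports", "Basic " + _b64("bob:hunter2")]),
    "\t".join(["1700000004.000", "10.0.0.9", "203.0.113.10", "80",
               "intranet.example", "/broken", "Basic !!notbase64"]),
])

if __name__ == "__main__":
    hits = run(sys.argv[1]) if len(sys.argv) > 1 else \
        find_cleartext_basic_auth(parse_records(SAMPLE_OUTPUT))
    for h in hits:
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["port"]} {h["url"]} user={h["user"]}')
    for (src, user), n in summarize(hits).items():
        print(f"summary: {src} sent Basic credentials for {user!r} {n} time(s)")
```

Run it as `python3 basic_auth_audit.py capture.pcap` against a real file, or with no argument to exercise the constructed sample. Swapping the field list and the filter (for example `-Y "ftp.request.command == PASS"` or `-Y "pop.request.command == PASS"`) turns the same skeleton into a check for other cleartext logins.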
Use Cases
- Network Troubleshooting – Diagnose connectivity issues
- Security Analysis – Detect malicious traffic patterns
- Protocol Development – Debug custom protocols
- Performance Analysis – Identify network bottlenecks
- Compliance Auditing – Verify that sensitive traffic is actually encrypted (for example by listing TLS versions in use and flagging cleartext protocols such as HTTP, FTP, or Telnet)