Home Download Ubuntu

Dump and analyze network traffic with tshark in Ubuntu

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Without any options set, TShark will work much like tcpdump. TShark is able to detect, read and write the same capture files that are supported by Wireshark.

Some examples:

Display all the traffic in CLI:

sudo tshark -i eth1

To write all the traffic to a file in txt format from a network interface:

sudo tshark -i eth1 > /home/ftp/speedy/tshark.txt

The following example displays only IP packets that are issued by or in destination to the IP address

sudo tshark -i eth1 -R "ip.addr ==" > /home/ftp/speedy/tshark.txt

In the following example, only IP packets that are coming from or going to UDP port 1812 are captured.

sudo tshark -i eth1 -f "udp port 1812" > /home/ftp/speedy/tshark.txt

All the available command lines are found here.

Resources: Ubuntu.com


Shaik Jafer Ali said...

When i redirect to a file i get bash:/home/tshark: Permission denied. any help will be appreciated

Post a Comment