
Dump and analyze network traffic with tshark in Ubuntu

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Without any options set, TShark will work much like tcpdump. TShark is able to detect, read and write the same capture files that are supported by Wireshark.

Some examples:

Display all the traffic in CLI:

sudo tshark -i eth1


To write all the traffic to a file in txt format from a network interface:

sudo tshark -i eth1 > /home/ftp/speedy/tshark.txt


The following example displays only IP packets sent from or to the IP address 192.168.0.1:

sudo tshark -i eth1 -R "ip.addr == 192.168.0.1" > /home/ftp/speedy/tshark.txt


In the following example, only packets coming from or going to UDP port 1812 are captured:

sudo tshark -i eth1 -f "udp port 1812" > /home/ftp/speedy/tshark.txt
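The two filter options above do different jobs: `-f` is a BPF capture filter applied by the kernel before packets reach tshark, while `-R` (a read filter; current tshark versions accept it only together with two-pass mode, `-2`, and use `-Y` for single-pass display filtering) is applied after decoding. The redirect examples also hide a subtlety: the `>` is opened by the user's own shell, not by the sudo'd tshark, so the file must be writable by the user. The script below is an added example that is not part of the original post; it builds the command lines for those two cases, checks whether a redirect target is writable by the caller, and summarises the busiest sources in tshark's default one-line-per-packet output. The interface name, addresses, port, paths and the three sample packet lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Interface, addresses, ports,
# paths and the sample packet lines are constructed placeholders.

# tshark_cmd IFACE CAPTURE_FILTER DISPLAY_FILTER OUTFILE
# Prints the tshark command line for the given parameters. -f takes a BPF
# capture filter (applied before decoding); -Y takes a Wireshark display
# filter (applied after decoding). Output goes to a pcap via -w, so the file
# is created by the tshark process itself rather than by a shell redirect.
tshark_cmd() {
    iface=$1; cfilter=$2; dfilter=$3; outfile=$4
    cmd="tshark -i $iface"
    [ -n "$cfilter" ] && cmd="$cmd -f '$cfilter'"
    [ -n "$dfilter" ] && cmd="$cmd -Y '$dfilter'"
    [ -n "$outfile" ] && cmd="$cmd -w '$outfile'"
    printf '%s\n' "$cmd"
}

# redirect_target_writable PATH
# Reports whether the *calling* shell can create PATH. In
# "sudo tshark ... > /home/ftp/x.txt" the redirect is opened by the
# unprivileged shell, not by the sudo'd tshark, so a directory the user
# cannot write to yields "bash: ...: Permission denied" even though tshark
# itself runs as root.
redirect_target_writable() {
    dir=$(dirname "$1")
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        printf 'ok\n'
    else
        printf 'denied\n'
    fi
}

# count_sources
# Reads tshark's default one-line-per-packet summary on stdin and prints
# "count source-address" lines, busiest source first. Field 3 is the source
# address in that layout (frame number, time, src, arrow, dst, ...).
count_sources() {
    awk '{ seen[$3]++ } END { for (s in seen) print seen[s], s }' | sort -rn
}

# Constructed sample modelled on the summary lines tshark prints for
# "sudo tshark -i eth1 -f 'udp port 1812'"; not captured from a real network.
SAMPLE_CAPTURE='  1 0.000000 192.168.0.1 -> 10.0.0.5 RADIUS 86 Access-Request id=1
  2 0.001200 10.0.0.5 -> 192.168.0.1 RADIUS 62 Access-Accept id=1
  3 0.500000 192.168.0.1 -> 10.0.0.5 RADIUS 86 Access-Request id=2'

# Demo: print the two command lines, check a redirect target, summarise sources.
tshark_cmd eth1 'udp port 1812' '' /var/tmp/radius.pcap
tshark_cmd eth1 '' 'ip.addr == 192.168.0.1' ''
redirect_target_writable /home/ftp/speedy/tshark.txt
printf '%s\n' "$SAMPLE_CAPTURE" | count_sources
```

If the output must be a text file rather than a pcap, `sudo tshark ... | sudo tee /path/file` keeps the privileged side responsible for creating it. On Ubuntu, `sudo dpkg-reconfigure wireshark-common` followed by adding the user to the `wireshark` group lets tshark capture without sudo at all, which removes the privilege mismatch behind the redirect error.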


All the available command-line options are listed here.

Resources: Ubuntu.com

1 comment:

Shaik Jafer Ali said...

When I redirect to a file I get "bash: /home/tshark: Permission denied". Any help will be appreciated.
