
T-Shark User Guide

Installation

  • Check whether tshark is installed. Running tshark with no arguments starts a capture on the default interface, so ask for the version or the package instead:

tshark --version
apt list --installed tshark
  • If it is not installed:

sudo apt install tshark
  • On Debian and Ubuntu the package asks at install time whether non-root users may capture. To capture without sudo, answer yes (or run sudo dpkg-reconfigure wireshark-common later), add the user to the wireshark group with sudo usermod -aG wireshark $USER, and log in again.
  • Help menu:

tshark -h

Capture Packets with Tshark

tshark -i wlan0 -w capture-output.pcap
  • Capturing requires root or membership in the wireshark group. Add -c <count> or -a duration:<seconds> to stop automatically. -w writes pcapng by default whatever the file extension says; add -F pcap if a downstream tool needs classic pcap.

Reading a File

tshark -r file-name.cap
  • Piped into wc -l this gives the packet count, because the default one-line summary prints exactly one line per packet (this no longer holds once -V or other multi-line output is added):

tshark -r file-name.cap | wc -l
  • capinfos -c file-name.cap, which ships with the Wireshark tools alongside tshark, reports the same count without dissecting every packet.

Filters

  • tshark has two kinds of filter. Capture filters (-f) use BPF syntax and are applied in the kernel while capturing; display filters (-Y) use Wireshark's own filter syntax and are applied when packets are read or displayed. The filters in this guide are display filters.

  • Display filters are added with the -Y switch and can be combined with -r to filter a saved capture instead of a live one.

  • Filters used in this guide: all DNS A records (a filter on the DNS query type), and DNS requests only, read from a file (a filter on the DNS response flag).

Extracted data

  • One way to extract data is with -T fields plus one -e [field name] switch per field to print; tshark prints the selected fields tab-separated, one packet per line, and leaves a column empty when the packet has no such field.

  • To extract the queried names from the pcap, use -T fields -e dns.qry.name. The field is dns.qry.name, not dns.query.name; tshark rejects the whole command when a field name is unknown ("Some fields aren't valid").

  • An easy way to identify field names in Wireshark is to open Packet Details in the capture, highlight the interesting field, and read the field name in the status bar at the bottom left. From the command line, tshark -G fields prints every known field name and can be searched with grep.

Queries

  • See who queried for a particular domain: combine a -Y display filter on dns.qry.name with -T fields -e ip.src, so each matching query prints the address that sent it.

  • List all queries: filter on DNS requests (not responses) and print dns.qry.name.
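The display filters, field extraction and "who queried for this domain" tally from the Filters, Extracted data and Queries sections, as an added shell example that is not part of the original guide. When given a readable pcap and a tshark binary it runs the real commands; otherwise it feeds a constructed sample of tshark -T fields output into the same awk tally so the post-processing can be tried offline. The pcap path, the domain example.com and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Demonstrates the DNS display
# filters, -T fields extraction, and counting which hosts queried a domain.
# Assumptions: the pcap path ($1), the domain ($2, default example.com) and
# the sample data below are invented for illustration.

# All DNS A-record queries in a capture (dns.qry.type 1 = A), one-line summary.
dns_a_records() {
    tshark -r "$1" -Y 'dns.qry.type == 1'
}

# DNS requests only (responses carry dns.flags.response == 1), printed as
# tab-separated fields: epoch time, source IP, queried name, query type.
dns_requests() {
    tshark -r "$1" -Y 'dns.flags.response == 0' \
        -T fields -e frame.time_epoch -e ip.src -e dns.qry.name -e dns.qry.type
}

# Who queried for a given domain: reads dns_requests output on stdin, keeps
# A-record queries for that name (DNS names are case-insensitive, so compare
# lower-cased) and counts them per source address, busiest source first.
who_queried() {
    awk -F '\t' -v domain="$1" '
        tolower($3) == tolower(domain) && $4 == 1 { count[$2]++ }
        END { for (ip in count) printf "%d\t%s\n", count[ip], ip }
    ' | sort -rn
}

# Constructed sample of dns_requests output, used when no pcap is available.
sample_requests() {
    printf '%s\t%s\t%s\t%s\n' \
        1700000000.10 10.0.0.5 example.com 1 \
        1700000000.20 10.0.0.7 example.com 1 \
        1700000000.30 10.0.0.5 example.com 28 \
        1700000000.40 10.0.0.5 EXAMPLE.COM 1 \
        1700000000.50 10.0.0.9 other.test 1
}

domain=${2:-example.com}
if [ -n "${1:-}" ] && [ -r "$1" ] && command -v tshark >/dev/null 2>&1; then
    dns_requests "$1" | who_queried "$domain"
else
    # No capture or no tshark: run the tally over the constructed sample.
    sample_requests | who_queried "$domain"
fi
```

Run it as sh dns-queries.sh capture-output.pcap example.com against a real capture. The tally only counts A-record queries; drop the $4 == 1 test to include AAAA and other types. ip.src is empty for IPv6 clients, so add -e ipv6.src to dns_requests and adjust the awk columns if the network carries IPv6 DNS traffic.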
