shellspells beta

tshark

see tshark manpage for options

tshark is the command line version of wireshark, the network protocol analyzer. Without any options set it will work much like tcpdump.

Whilst wireshark is a great GUI for analyzing network traffic, it does suffer from many of the same faults as other GUI applications; speed, bloat, etc. tshark is much snappier at certain tasks and benefits from the strengths of all command line apps such as the ability to grep, filter and manipulate the data more easily. Even if you're a big wireshark fan I urge you to give tshark a try.

Examples

Capture all traffic on the default interface, much like tcpdump or snoop.

$ sudo tshark

Output to a file (file must have correct permissions)

$ touch diameter.cap && chmod 666 diameter.cap
$ sudo tshark -w diameter.cap

Filter all packets with a diameter command code of 271

$ tshark -r diameter.cap -R 'diameter.cmd.code == 271'

Output in full markup langage (-Tpdml)

$ tshark -r diameter.cap -R 'diameter.cmd.code == 271' -Tpdml

Output in summary markup langage (-Tpsml)

$ tshark -r diameter.cap -R 'diameter.cmd.code == 271' -Tpsml

Filter on specific diameter fields and output certain fields

$ tshark -r diameter.cap \
-R 'diameter.cmd.code == 271 and diameter.flags.request==1' \
-Tfields \
    -ediameter.cmd.code \
    -ediameter.Value-Digits \
    -ediameter.Exponent \
    -ediameter.Currency-Code \