
Packet analysis tool; the command-line version of Wireshark.

# To capture all traffic on the default interface (the first non-loopback one):
tshark

# To only capture packets matching a specific capture filter:
tshark -f '<udp port 53>'

# To only show packets matching a specific display filter:
tshark -Y '<http.request.method == "GET">'

# To decode a TCP port using a specific protocol (e.g. HTTP):
tshark -d tcp.port==<8888>,<http>

# To specify the format of captured output:
tshark -T <json|text|ps|...>

# To select specific fields to output:
tshark -T <fields|ek|json|pdml> -e <http.request.method> -e <ip.src>

# To write captured packets to a file:
tshark -w <path/to/file>

# To analyze packets from a file:
tshark -r <file_name>.pcap
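
# Added example, not part of the original cheat sheet: combining -r, -Y, -T fields and -e to count HTTP requests per source address and method. The function names and the sample lines are hypothetical and constructed for illustration; -T fields separates columns with a tab by default.

```shell
#!/bin/sh
# summarize_fields: reads the tab-separated lines printed by
#   tshark -T fields -e http.request.method -e ip.src
# on stdin and prints "count<TAB>source<TAB>method", busiest first.
summarize_fields() {
    awk -F '\t' '
        # Skip lines where either field is empty (packets that carried
        # no HTTP request method when no display filter was applied).
        NF >= 2 && $1 != "" && $2 != "" { count[$2 "\t" $1]++ }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# http_summary (hypothetical wrapper): read a capture file given as $1,
# keep only packets that have an HTTP request method, and summarize them.
http_summary() {
    tshark -r "$1" -Y 'http.request.method' -T fields \
        -e http.request.method -e ip.src | summarize_fields
}

# sample_fields: constructed stand-in for tshark -T fields output
# (method<TAB>source IP), so the parser can be tried without a capture.
sample_fields() {
    printf 'GET\t10.0.0.5\n'
    printf 'GET\t10.0.0.5\n'
    printf 'POST\t10.0.0.7\n'
    printf 'GET\t10.0.0.5\n'
    printf '\t10.0.0.9\n'   # empty method field: ignored by the parser
}
```

Run `http_summary <file_name>.pcap` against a saved capture, or `sample_fields | summarize_fields` to see the output format on the constructed input.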