
Tshark, Wireshark’s sibling – the power of command line.

You might have heard of a tool called Wireshark, a popular network analyser. While Wireshark gives you a graphical user interface for most tasks, tshark is its twin brother that lets you achieve the same functionality on the command line. Everything on the terminal sounds interesting, right? Let's get started.

1. Installing tshark

Installing tshark is quite simple. On macOS, if you have Homebrew, you can just do

$ brew install wireshark

This installs the entire Wireshark bundle, including tshark. To confirm (the -v flag prints the version; --version works too):

$ tshark -v

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
...
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.17).

For other operating systems, the respective package manager should help, or just google it 😀

2. Exercise 1: Let's inspect all packets on a particular interface

$ tshark -i en0

Let's spin up a browser and visit google.com. You will probably see something like this:

   71 25.104586 104.244.42.2 → 192.168.0.5 TLSv1.2 112 Application Data
   72 25.104668 192.168.0.5 → 104.244.42.2 TCP 66 63957 → 443 [ACK] Seq=580 Ack=352 Win=2047 Len=0 TSval=175629019 TSecr=551370166
   73 26.215174 fe10::501:22ff:gea3:cd3g → ff02::1 ICMPv6 86 Neighbor Solicitation
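Those summary lines follow a fixed column order (frame number, relative time, source, an arrow, destination, protocol, length, then the info text), which makes them easy to tally with a few lines of shell. The following is an added example, not code from the original post: it feeds the three lines above (copied here as constructed sample input, so no interface or capture privileges are needed) through awk and counts packets per protocol and per destination. The live usage line in the comment assumes the interface is en0, as in the post; for anything beyond a quick look, tshark's -T fields output is the more robust thing to script against, because the info column is free text.

```shell
#!/bin/sh
# Added example (not from the original post): tally tshark's default one-line
# summary output by protocol and by destination. SAMPLE_SUMMARY is constructed
# sample input, copied from the capture shown in the post, so the script runs
# offline without a live capture.

SAMPLE_SUMMARY='71 25.104586 104.244.42.2 → 192.168.0.5 TLSv1.2 112 Application Data
72 25.104668 192.168.0.5 → 104.244.42.2 TCP 66 63957 → 443 [ACK] Seq=580 Ack=352 Win=2047 Len=0
73 26.215174 fe10::501:22ff:gea3:cd3g → ff02::1 ICMPv6 86 Neighbor Solicitation'

# Default text columns: $1 frame, $2 time, $3 source, $4 arrow, $5 destination,
# $6 protocol, $7 length, $8.. info. Leading spaces are ignored by awk's
# default field splitting, so real tshark output works the same way.
count_by_protocol() {
  awk '{ c[$6]++ } END { for (p in c) print c[p], p }' | sort -k1,1rn -k2
}

count_by_destination() {
  awk '{ c[$5]++ } END { for (d in c) print c[d], d }' | sort -k1,1rn -k2
}

# Live usage (capture needs privileges; -c stops after 200 packets and the
# "Capturing on ..." banner goes to stderr, so it is sent to /dev/null):
#   sudo tshark -i en0 -c 200 2>/dev/null | count_by_protocol
printf '%s\n' "$SAMPLE_SUMMARY" | count_by_protocol
printf '%s\n' "$SAMPLE_SUMMARY" | count_by_destination
```

The sort key puts the busiest protocol or peer first and breaks ties alphabetically, so a host that suddenly dominates the destination list stands out at the top.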

3. Exercise 2: Let's filter packets for HTTP

The above command shows every packet going out of and coming into the interface you are interested in. Let's filter down by protocol and see if we can narrow down what happens when you visit google.com:

$ tshark -i en0 -Y http

Capturing on 'USB 10/100/1000 LAN: en5'
   21 1.013199 192.168.0.3 → 216.58.208.110 HTTP 140 GET / HTTP/1.1

Aha: frame number 21 shows an HTTP GET request from 192.168.0.3 to Google's server.

4. Let's go even deeper and add some verbosity

Verbosity can be added using -V flag.

$ sudo tshark -V -i en5 -Y http.request

Capturing on 'USB 10/100/1000 LAN: en5'
Frame 18: 140 bytes on wire (1120 bits), 140 bytes captured (1120 bits) on interface en5, id 0
    Interface id: 0 (en5)
        Interface name: en5
    ...
...
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: google.com\r\n
    User-Agent: curl/7.54.0\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://google.com/]
    [HTTP request 1/1]

The above is a trimmed output showing the verbose details of the packet carrying the HTTP GET request. As you can see, the frame is broken down into layers: Ethernet, IP, TCP, and the application layer. If you scroll down to the section Hypertext Transfer Protocol, it shows you, among other things, the host, the user agent, and for responses even the body.

There's another flag, -O, which is much like -V, but it shows full details only for the protocol(s) you name:

$ tshark -i eth2 -O icmp

5. Okay, can we save this capture to a file?

Yes, you can save the capture to a file with the -w flag:

$ tshark -i eth0 -w /tmp/capture.pcap

Later you can read it back with -r:

$ tshark -r /tmp/capture.pcap

6. Trying out more filters

There are a few interesting things you can do with display filters (the -Y flag). Here are some examples.

Display packets with 192.168.1.1 as either source or destination:

$ tshark -i eth0 -Y "ip.addr==192.168.1.1"

Display packets where the TCP port is 80 and that carry an HTTP request:

$ tshark -i eth0 -Y "tcp.port==80 and http.request"

Display all ICMP packets:

$ tshark -i eth0 -Y "icmp"

Discard all broadcast and multicast packets. Note that this one uses -f, which is a capture filter in BPF (tcpdump) syntax applied before packets are dissected, not a -Y display filter:

$ tshark -i eth3 -f "not broadcast and not multicast"
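Putting sections 5 and 6 together: once a capture is saved with -w, you can read it back with -r, keep only the packets you care about with a -Y display filter, and have tshark print chosen fields as CSV with -T fields, which is far easier to script against than the default summary text. The block below is an added example, not code from the original post. The tshark flags (-r, -Y, -T fields, -E header=y, -E separator=, and the -e field names) are real; the capture path is a placeholder, the sample CSV is constructed to look like what that command prints, and the "private address" check assumes an RFC 1918 LAN such as the 192.168.0.0/24 network seen in the post's captures, so adjust it to your own ranges.

```shell
#!/bin/sh
# Added example (not from the original post): read a saved capture with
# tshark -r, keep only HTTP requests via a -Y display filter, and emit one
# CSV row per request with -T fields so the result can be summarized in shell.

http_requests_csv() {
  # $1 = pcap written earlier with:  tshark -i eth0 -w "$1"   (path is a placeholder)
  # -E header=y prints the field names as the first row; separator=, gives CSV.
  tshark -r "$1" -Y 'http.request' \
    -T fields -E header=y -E separator=, \
    -e frame.number -e ip.src -e ip.dst \
    -e http.host -e http.request.method -e http.request.uri
}

# Count requests per (host, method). Reads the CSV on stdin, skips the header row.
requests_per_host() {
  awk -F, 'NR > 1 { c[$4 " " $5]++ } END { for (k in c) print c[k], k }' | sort -k1,1rn -k2
}

# List destinations that received plaintext HTTP and are NOT on the local
# RFC 1918 ranges (assumption: the LAN is 10/8, 172.16/12 or 192.168/16).
# Credentials or session cookies sent to such hosts crossed the network unencrypted.
external_plaintext_hosts() {
  awk -F, 'NR > 1 && $3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $3 }' | sort -u
}

# Constructed sample: what http_requests_csv would print for a small capture
# (the first row mirrors the GET / to 216.58.208.110 seen in Exercise 2).
SAMPLE_CSV='frame.number,ip.src,ip.dst,http.host,http.request.method,http.request.uri
21,192.168.0.3,216.58.208.110,google.com,GET,/
34,192.168.0.3,216.58.208.110,google.com,GET,/favicon.ico
57,192.168.0.3,192.168.0.10,printer.local,POST,/login'

# Real usage:  http_requests_csv /tmp/capture.pcap | requests_per_host
printf '%s\n' "$SAMPLE_CSV" | requests_per_host
printf '%s\n' "$SAMPLE_CSV" | external_plaintext_hosts
```

Because -Y is evaluated after dissection, it can use any field Wireshark knows (http.request, http.host, and so on), whereas the -f capture filter above is limited to BPF expressions over raw headers; the trade-off is that -f discards unwanted packets before they are ever stored, so it keeps capture files small, while -Y keeps the full capture and only changes what is shown.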

This has been a quick and short tutorial on tshark; there is much more to explore, and if you do, feel free to write me an email at [email protected].

Man Page CheatSheet
