TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.
TShark is able to detect, read and write the same capture files that are supported by Wireshark.
To use TShark you first need to install Wireshark. After installation, if you are on a Windows machine, open Command Prompt, change to the Wireshark installation directory and type:
C:\Program Files\Wireshark>tshark
- Get a list of interfaces available for capturing network traffic
The first interface listed is the default capture interface; we can change it as required.
- For capturing packets
tshark -i 2 -w C:\capture-output.pcap
- Read a pcap with TShark
tshark -r capture-output.pcap
- Read a pcap, don't resolve names (layers 3 or 4)
tshark -nr capture-output.pcap
- Read a pcap, use the display filter "http.request.method==GET"
tshark -r capture-output.pcap -Y "http.request.method==GET"
- Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names
- Print TCP conversations in a pcap
tshark -nr capture-output.pcap -q -z conv,tcp
- HTTP analysis with TShark
tshark -i 2 -Y http.request -T fields -e http.host -e http.user_agent
- DNS analysis with TShark
tshark -i 2 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a
- Add the time and the source / destination IP addresses (-e frame.time -e ip.src -e ip.dst) to your output.
tshark -i 2 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a
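The `-T fields` output from the HTTP and DNS commands above is tab-separated, one packet per line, which makes it easy to post-process. The following script is an added example (not code from the original post or from the Wireshark project): it parses that output, tallies user agents per HTTP host and queries per DNS client, and flags unusually long query names. The two sample outputs embedded in it are constructed, not real captures, and the `50`-character name threshold is an arbitrary assumption for illustration.

```python
"""Post-process tshark -T fields output (tab-separated, one packet per line).

Added example; the sample lines are constructed, not captured traffic.
Assumed field orders (the order given to -e determines the column order):
  HTTP: tshark -r capture-output.pcap -Y http.request -T fields -e ip.src -e http.host -e http.user_agent
  DNS:  tshark -r capture-output.pcap -f "src port 53" -n -T fields -e ip.src -e ip.dst -e dns.qry.name -e dns.a
"""
from collections import Counter, defaultdict

HTTP_FIELDS = ["ip.src", "http.host", "http.user_agent"]
DNS_FIELDS = ["ip.src", "ip.dst", "dns.qry.name", "dns.a"]

# Constructed sample of the HTTP command's output.
HTTP_SAMPLE = """\
10.0.0.5\texample.com\tMozilla/5.0
10.0.0.5\texample.com\tMozilla/5.0
10.0.0.9\tupdates.example.net\tcurl/7.88.1
10.0.0.9\texample.com\tMozilla/5.0
10.0.0.9\texample.com\tpython-requests/2.31
"""

# Constructed sample of the DNS command's output. Because the capture filter is
# "src port 53", every line is a response: ip.src is the resolver, ip.dst the client.
# Multiple answers are joined with commas (tshark's default for repeated fields);
# a response with no A record leaves the last column empty.
DNS_SAMPLE = """\
10.0.0.1\t10.0.0.5\twww.example.com\t93.184.216.34
10.0.0.1\t10.0.0.5\texample.com\t93.184.216.34,93.184.216.35
10.0.0.1\t10.0.0.9\tdGhpcyBpcyBhIGxvbmcgc3VzcGljaW91cyBsYWJlbA.tunnel.example.org\t
"""


def parse_fields(text, names):
    """Turn -T fields output into one dict per packet, keyed by the -e field names.
    Missing trailing columns are padded with '' so every row has every key."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(names) - len(values))
        rows.append(dict(zip(names, values)))
    return rows


def user_agents_by_host(rows):
    """Map each HTTP host to a Counter of the user agents that contacted it.
    A host receiving requests from several different agents is worth a second look."""
    table = defaultdict(Counter)
    for r in rows:
        table[r["http.host"]][r["http.user_agent"]] += 1
    return table


def dns_summary(rows, max_name_len=50):
    """Count DNS responses per client and flag query names longer than
    max_name_len (a rough indicator of encoded data in labels; threshold assumed)."""
    per_client = Counter()
    long_names = []
    for r in rows:
        client = r["ip.dst"]  # response packets: the client is the destination
        per_client[client] += 1
        for name in r["dns.qry.name"].split(","):
            if len(name) > max_name_len:
                long_names.append((client, name))
    return per_client, long_names


if __name__ == "__main__":
    for host, agents in user_agents_by_host(parse_fields(HTTP_SAMPLE, HTTP_FIELDS)).items():
        print(host, dict(agents))
    per_client, long_names = dns_summary(parse_fields(DNS_SAMPLE, DNS_FIELDS))
    print("queries per client:", dict(per_client))
    for client, name in long_names:
        print("long query name from", client, ":", name)
```

To run it against a real capture, replace the embedded samples with the output of the corresponding `tshark ... -T fields` command (for example by reading `sys.stdin`), keeping the `-e` order in step with `HTTP_FIELDS` and `DNS_FIELDS`.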
There are many simple and complex filters that can be applied in TShark as well as in Wireshark. Administrators can use them to extract exactly the information that was transmitted over the network, and filters built carefully also help detect network attacks and security breaches.
Always remember that Wireshark / TShark are only for analyzing network activity; they cannot stop or prevent anything.