Skip to content

Files

Latest commit

n4itr0-07n4itr0-07
Wireshark CLI Guide
Jan 27, 2025
2fc637b · Jan 27, 2025

History

History

Wireshark CLI

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
Jan 27, 2025

README.md

Complete Guide to TShark and Dumpcap

Welcome to this comprehensive guide on TShark and Dumpcap, two powerful command-line tools for network packet analysis and capturing. Whether you're into penetration testing, bug hunting, or just learning about network protocols, mastering these tools will give you a deep understanding of network traffic. This guide covers everything from installation to advanced usage, with commands for both Kali Linux and Windows PowerShell.

Table of Contents

  1. What is TShark?
  2. What is Dumpcap?
  3. Difference Between TShark and Dumpcap
  4. Installation
  5. TShark Commands
  6. Dumpcap Commands
  7. Options Table
  8. Conclusion

What is TShark?

TShark is the command-line version of Wireshark, a popular network protocol analyzer. It allows you to capture, decode, and analyze network traffic in real-time or from saved capture files. TShark is highly versatile and supports a wide range of protocols, making it a go-to tool for network troubleshooting, security analysis, and penetration testing.

What is Dumpcap?

Dumpcap is a lightweight packet capture tool designed to efficiently capture network traffic and save it to a file. Unlike TShark, Dumpcap does not decode or analyze packets; it focuses solely on capturing packets with minimal resource usage. It is often used as the backend capture engine for Wireshark and TShark.

Difference Between TShark and Dumpcap

Feature TShark Dumpcap
Purpose Packet capture and analysis Packet capture only
Packet Decoding Yes No
Display Packets Yes (in real-time or from a file) No
Output Formats Can display or save to file Saves to file (e.g., .pcap, .pcapng)
Resource Usage More resource-intensive Lightweight, minimal overhead
Use Case Capturing and analyzing packets High-performance capturing

Installation

Both TShark and Dumpcap are included with Wireshark. You can install them by downloading Wireshark from the official website:

Installation on Kali Linux

Kali Linux comes pre-installed with Wireshark, TShark, and Dumpcap. If not, you can install them using:

sudo apt update
sudo apt install wireshark

Installation on Windows

Download and install Wireshark from the official website. During installation, ensure that the TShark and Dumpcap components are selected.

TShark Commands

TShark Commands: Kali Linux

1. Capture Packets on an Interface

tshark -i eth0
  • Use: Captures packets on the eth0 interface in real-time.

2. Capture Packets and Save to a File

tshark -i eth0 -w capture.pcap
  • Use: Captures packets on eth0 and saves them to capture.pcap.

3. Read a Capture File

tshark -r capture.pcap
  • Use: Reads and displays packets from capture.pcap.

4. Filter Packets

tshark -r capture.pcap -Y "tcp.port == 80"
  • Use: Displays only HTTP traffic (port 80) from capture.pcap.

5. Capture Specific Number of Packets

tshark -i eth0 -c 10
  • Use: Captures 10 packets and stops.

6. Capture for a Specific Duration

tshark -i eth0 -a duration:30
  • Use: Captures packets for 30 seconds.

7. Display Packet Details

tshark -r capture.pcap -V
  • Use: Displays detailed information about each packet.

TShark Commands: Windows PowerShell

1. Capture Packets on an Interface

tshark -i "Ethernet"
  • Use: Captures packets on the Ethernet interface.

2. Capture Packets and Save to a File

tshark -i "Ethernet" -w capture.pcap
  • Use: Captures packets on Ethernet and saves them to capture.pcap.

3. Read a Capture File

tshark -r capture.pcap
  • Use: Reads and displays packets from capture.pcap.

4. Filter Packets

tshark -r capture.pcap -Y "tcp.port == 80"
  • Use: Displays only HTTP traffic (port 80) from capture.pcap.

Dumpcap Commands

Dumpcap Commands: Kali Linux

1. Capture Packets on an Interface

dumpcap -i eth0
  • Use: Captures packets on the eth0 interface.

2. Capture Packets and Save to a File

dumpcap -i eth0 -w capture.pcap
  • Use: Captures packets on eth0 and saves them to capture.pcap.

3. Capture Specific Number of Packets

dumpcap -i eth0 -c 100 -w capture.pcap
  • Use: Captures 100 packets and saves them to capture.pcap.

4. Capture for a Specific Duration

dumpcap -i eth0 -a duration:60 -w capture.pcap
  • Use: Captures packets for 60 seconds.

Dumpcap Commands: Windows PowerShell

1. Capture Packets on an Interface

dumpcap -i "Ethernet"
  • Use: Captures packets on the Ethernet interface.

2. Capture Packets and Save to a File

dumpcap -i "Ethernet" -w capture.pcap
  • Use: Captures packets on Ethernet and saves them to capture.pcap.

3. Capture Specific Number of Packets

dumpcap -i "Ethernet" -c 100 -w capture.pcap
  • Use: Captures 100 packets and saves them to capture.pcap.

Options Table

TShark Options

Option Description
-i <interface> Specify the network interface to capture on.
-w <file> Save captured packets to a file.
-r <file> Read packets from a file.
-Y <filter> Apply a display filter.
-c <count> Capture a specific number of packets.
-a duration:<seconds> Capture for a specific duration.
-V Display detailed packet information.

Dumpcap Options

Option Description
-i <interface> Specify the network interface to capture on.
-w <file> Save captured packets to a file.
-c <count> Capture a specific number of packets.
-a duration:<seconds> Capture for a specific duration.
-f <filter> Apply a capture filter.

Conclusion

By mastering TShark and Dumpcap, you can efficiently capture and analyze network traffic, making them indispensable tools for penetration testing, bug hunting, and network troubleshooting. This guide provides a solid foundation, but the best way to learn is by experimenting with these tools in real-world scenarios. Happy hunting!

Note: If you found this guide helpful, feel free to star this repository and share it with others! Contributions and feedback are always welcome. 😊