Skip to main content

Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Start Practicing Now

TShark

What is the purpose of TShark?

TShark is the command-line network protocol analyzer from the Wireshark project. It captures packets from network interfaces, reads packet capture files, applies Wireshark display filters, extracts protocol fields, and exports decoded packet data in automation-friendly formats.

TShark is useful because it brings Wireshark's dissectors and filtering language to terminals, servers, CI jobs, incident response workflows, and repeatable analysis scripts. It is commonly used for packet triage, protocol debugging, traffic extraction, forensics, malware lab analysis, and service-specific evidence collection.

Note: TShark has two different filter concepts. Use -f for capture filters that reduce what is captured at packet collection time. Use -Y for Wireshark display filters that select decoded packets while reading or printing results.

Here are the primary uses of TShark:

  • Live Packet Capture: TShark captures traffic from interfaces and writes it to pcap or pcapng files for later analysis.

  • Packet Capture Triage: The tool reads existing captures, applies display filters, and prints packet summaries or detailed protocol trees without opening Wireshark.

  • Field Extraction: TShark can extract selected fields such as source IP, destination IP, DNS query name, HTTP host, TLS SNI, frame time, and protocol-specific values.

  • Protocol-Specific Investigation: The tool supports Wireshark display filters for protocols such as DNS, HTTP, TLS, SMB, Kerberos, DHCP, SIP, MQTT, RADIUS, and many others.

  • Statistics and Conversation Analysis: TShark can generate protocol hierarchy, endpoint, conversation, I/O, and service response time statistics from capture files.

  • Automation and Reporting: The tool exports fields, JSON, Elastic-compatible JSON, PDML, PSML, tabs, and text output for scripts and pipelines.

  • Wireless and Monitor Mode Workflows: When supported by the adapter and operating system, TShark can capture in monitor mode for wireless packet analysis.

Core Features

  • Command-line packet capture and PCAP analysis
  • Wireshark display filters and protocol dissection
  • Field extraction and structured output formats
  • Interface, capture filter, ring buffer, and duration controls
  • Conversation, endpoint, IO, and protocol statistics
  • TLS key log and decode-as support
  • Automation-friendly text, JSON, and EK output

Data sources

  • Live network interfaces
  • PCAP and PCAPNG capture files
  • Packet headers, payloads, and protocol fields
  • Capture and display filters
  • TLS key log files and decode preferences
  • Extracted fields, conversations, and statistics

Common TShark Commands

1. Install TShark with Homebrew

  • This command installs Wireshark command-line tools on macOS through Homebrew.
brew install wireshark

2. Install TShark on Debian or Ubuntu

  • This command installs TShark from apt repositories.
sudo apt install tshark

3. Check TShark Version

  • This command prints the installed TShark and Wireshark library version information.
tshark --version

4. Show Help

  • This command displays TShark options.
tshark --help

5. List Capture Interfaces

  • This command lists interfaces that TShark can capture from.
tshark -D
  • This command lists link-layer types supported by the selected interface.
tshark -i en0 -L

7. Capture 100 Packets

  • This command captures 100 packets from an interface and prints packet summaries.
tshark -i en0 -c 100

8. Capture to a File

  • This command captures packets and writes raw packet data to a pcapng file.
tshark -i en0 -w capture.pcapng

9. Capture with a Packet Count Limit

  • This command writes 1,000 packets to a capture file and then stops.
tshark -i en0 -c 1000 -w capture.pcapng

10. Capture for a Fixed Duration

  • This command stops the capture after 60 seconds.
tshark -i en0 -a duration:60 -w capture.pcapng

11. Capture with a Capture Filter

  • This command captures only TCP port 443 traffic at collection time.
tshark -i en0 -f "tcp port 443" -w tls.pcapng

12. Capture with a Ring Buffer

  • This command rotates capture files every 50 MB and keeps five files.
tshark -i en0 -b filesize:51200 -b files:5 -w rolling.pcapng

13. Capture Quietly

  • This command suppresses packet summaries while writing to a file.
tshark -i en0 -q -w capture.pcapng

14. Print Summaries While Saving

  • This command writes packets to a file and also prints packet summaries.
tshark -i en0 -P -w capture.pcapng

15. Read a Capture File

  • This command prints packet summaries from an existing capture file.
tshark -r capture.pcapng

16. Apply a Display Filter

  • This command prints only packets that match a Wireshark display filter.
tshark -r capture.pcapng -Y "dns or http"

17. Show Full Packet Details

  • This command prints full protocol details for matching packets.
tshark -r capture.pcapng -Y "http" -V

18. Show Details for Selected Protocols

  • This command prints full details only for selected protocols.
tshark -r capture.pcapng -Y "tls" -O tls,ip,tcp

19. Extract DNS Queries

  • This command extracts frame time, client IP, and DNS query name.
tshark -r capture.pcapng -Y "dns.qry.name" -T fields -e frame.time -e ip.src -e dns.qry.name

20. Extract HTTP Requests

  • This command extracts HTTP host, request method, and URI.
tshark -r capture.pcapng -Y "http.request" -T fields -e ip.src -e http.host -e http.request.method -e http.request.uri

21. Extract TLS SNI Values

  • This command extracts TLS server names from ClientHello packets when present.
tshark -r capture.pcapng -Y "tls.handshake.extensions_server_name" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name

22. Extract TCP Conversations as Fields

  • This command prints source and destination addresses and ports for TCP packets.
tshark -r capture.pcapng -Y "tcp" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

23. Print CSV-Style Output

  • This command includes a header and comma-separated quoted field values.
tshark -r capture.pcapng -T fields -E header=y -E separator=, -E quote=d -e frame.number -e ip.src -e ip.dst -e _ws.col.Protocol

24. Export JSON

  • This command exports decoded packet data as JSON.
tshark -r capture.pcapng -T json > packets.json

25. Export JSON for Selected Protocols

  • This command limits JSON output to selected protocol trees.
tshark -r capture.pcapng -T json -j "ip tcp http" > http.json

26. Export Elastic-Compatible JSON

  • This command writes newline-delimited JSON for bulk indexing workflows.
tshark -r capture.pcapng -T ek -j "ip tcp http" > packets.ndjson

27. Export PDML

  • This command exports packet details as XML-based PDML.
tshark -r capture.pcapng -T pdml > packets.pdml

28. Export Packet Summaries as PSML

  • This command exports packet summaries as XML-based PSML.
tshark -r capture.pcapng -T psml > packets.psml

29. Print Hex and ASCII Dump

  • This command includes packet bytes with the decoded packet output.
tshark -r capture.pcapng -Y "tcp" -x

30. List Available Field Names

  • This command prints filterable field names that can be used with -e.
tshark -G fields

31. List Protocols

  • This command lists protocol abbreviations known to TShark.
tshark -G protocols

32. Show Protocol Hierarchy Statistics

  • This command summarizes protocol usage in a capture.
tshark -r capture.pcapng -q -z io,phs

33. Show IPv4 Conversations

  • This command prints IPv4 conversation statistics.
tshark -r capture.pcapng -q -z conv,ip

34. Show TCP Conversations

  • This command prints TCP conversation statistics.
tshark -r capture.pcapng -q -z conv,tcp

35. Show Endpoint Statistics

  • This command prints endpoint statistics for IPv4 addresses.
tshark -r capture.pcapng -q -z endpoints,ip

36. Show I/O Statistics

  • This command summarizes packet counts and bytes in 10-second intervals.
tshark -r capture.pcapng -q -z io,stat,10

37. Count Packets Matching a Field

  • This command counts HTTP requests per interval.
tshark -r capture.pcapng -q -z io,stat,10,"COUNT(http.request)http.request"

38. Analyze DHCP Traffic

  • This command displays DHCP packets with full details.
tshark -r capture.pcapng -Y "dhcp" -V

39. Analyze SMB Traffic

  • This command extracts SMB command names when present.
tshark -r capture.pcapng -Y "smb2" -T fields -e frame.time -e ip.src -e ip.dst -e smb2.cmd

40. Analyze Kerberos Traffic

  • This command prints Kerberos packet summaries.
tshark -r capture.pcapng -Y "kerberos"

41. Analyze NTLMSSP Traffic

  • This command filters for NTLMSSP authentication messages.
tshark -r capture.pcapng -Y "ntlmssp"

42. Decode Traffic on a Non-Standard Port

  • This command decodes TCP port 8080 traffic as HTTP for this run.
tshark -r capture.pcapng -d tcp.port==8080,http -Y "http"

43. Disable Name Resolution

  • This command keeps addresses and ports numeric for repeatable output.
tshark -r capture.pcapng -n

44. Enable Monitor Mode

  • This command captures in wireless monitor mode when supported.
tshark -i wlan0 -I -w wifi.pcapng

45. Read Packets from Standard Input

  • This command reads capture data from standard input.
tcpdump -i en0 -w - | tshark -r -

Output Examples

CommandDescriptionExample Output
tshark -DLists capture interfaces.1. en0 (Wi-Fi)
2. lo0 (Loopback)
tshark -i en0 -c 3Captures three packets and prints summaries.1 0.000000 192.168.1.10 -> 1.1.1.1 DNS Standard query
tshark -r capture.pcapng -Y "dns"Filters decoded packets with a display filter.DNS Standard query 0x1234 A example.com
tshark -T fields -e ip.src -e dns.qry.nameExtracts selected fields.192.168.1.10 example.com
tshark -r capture.pcapng -q -z conv,tcpPrints TCP conversation statistics.TCP Conversations
Address A Port A Address B Port B Frames Bytes
tshark -r capture.pcapng -T jsonExports decoded packet data as JSON.[{ "_index": "packets-..." }]
tshark -r capture.pcapng -xPrints packet bytes.0000 45 00 00 3c ...