
TShark

What is the purpose of TShark?

TShark is the command-line network protocol analyzer from the Wireshark project. It captures packets from network interfaces, reads packet capture files, applies Wireshark display filters, extracts protocol fields, and exports decoded packet data in automation-friendly formats.

TShark is useful because it brings Wireshark's dissectors and filtering language to terminals, servers, CI jobs, incident response workflows, and repeatable analysis scripts. It is commonly used for packet triage, protocol debugging, traffic extraction, forensics, malware lab analysis, and service-specific evidence collection.

Note: TShark has two different filter concepts. Use -f for capture filters that reduce what is captured at packet collection time. Use -Y for Wireshark display filters that select decoded packets while reading or printing results.

Here are the primary uses of TShark:

  • Live Packet Capture: TShark captures traffic from interfaces and writes it to pcap or pcapng files for later analysis.

  • Packet Capture Triage: The tool reads existing captures, applies display filters, and prints packet summaries or detailed protocol trees without opening Wireshark.

  • Field Extraction: TShark can extract selected fields such as source IP, destination IP, DNS query name, HTTP host, TLS SNI, frame time, and protocol-specific values.

  • Protocol-Specific Investigation: The tool supports Wireshark display filters for protocols such as DNS, HTTP, TLS, SMB, Kerberos, DHCP, SIP, MQTT, RADIUS, and many others.

  • Statistics and Conversation Analysis: TShark can generate protocol hierarchy, endpoint, conversation, I/O, and service response time statistics from capture files.

  • Automation and Reporting: The tool exports fields, JSON, Elastic-compatible JSON, PDML, PSML, tabs, and text output for scripts and pipelines.

  • Wireless and Monitor Mode Workflows: When supported by the adapter and operating system, TShark can capture in monitor mode for wireless packet analysis.

Core Features

  • Live Packet Capture
  • PCAP and PCAPNG Reading
  • PCAP and PCAPNG Writing
  • Interface Listing
  • Capture Filters
  • Display Filters
  • Wireshark Protocol Dissection
  • Packet Summary Output
  • Packet Detail Output
  • Field Extraction
  • CSV-Style Field Output
  • JSON Output
  • Elastic-Compatible JSON Output
  • PDML and PSML Output
  • Hex Dump Output
  • Ring Buffer Capture
  • Autostop Conditions
  • Protocol-Specific Statistics
  • Endpoint and Conversation Statistics
  • I/O Statistics
  • Name Resolution Controls
  • Monitor Mode Support
  • Multiple Interface Capture
  • Custom Columns
  • Protocol Preference Overrides

Data sources

  • Live Network Interfaces
  • Loopback Interfaces
  • Wireless Monitor Mode Interfaces
  • PCAP Files
  • PCAPNG Files
  • Compressed Capture Files
  • Named Pipes
  • Standard Input
  • Remote Capture Streams
  • TCP Capture Streams
  • Wireshark Display Filters
  • Libpcap Capture Filters
  • Protocol Dissectors
  • Protocol Fields
  • Wireshark Preferences
  • Name Resolution Files
  • Capture Profiles
  • Packet Metadata
  • Frame Timestamps

Common TShark Commands

1. Install TShark with Homebrew

  • This command installs Wireshark command-line tools on macOS through Homebrew.
brew install wireshark

2. Install TShark on Debian or Ubuntu

  • This command installs TShark from apt repositories.
sudo apt install tshark

3. Check TShark Version

  • This command prints the installed TShark and Wireshark library version information.
tshark --version

4. Show Help

  • This command displays TShark options.
tshark --help

5. List Capture Interfaces

  • This command lists interfaces that TShark can capture from.
tshark -D

6. List Link-Layer Types

  • This command lists link-layer types supported by the selected interface.
tshark -i en0 -L

7. Capture 100 Packets

  • This command captures 100 packets from an interface and prints packet summaries.
tshark -i en0 -c 100

8. Capture to a File

  • This command captures packets and writes raw packet data to a pcapng file.
tshark -i en0 -w capture.pcapng

9. Capture with a Packet Count Limit

  • This command writes 1,000 packets to a capture file and then stops.
tshark -i en0 -c 1000 -w capture.pcapng

10. Capture for a Fixed Duration

  • This command stops the capture after 60 seconds.
tshark -i en0 -a duration:60 -w capture.pcapng

11. Capture with a Capture Filter

  • This command captures only TCP port 443 traffic at collection time.
tshark -i en0 -f "tcp port 443" -w tls.pcapng

12. Capture with a Ring Buffer

  • This command rotates capture files every 50 MB and keeps five files.
tshark -i en0 -b filesize:51200 -b files:5 -w rolling.pcapng

13. Capture Quietly

  • This command suppresses packet summaries while writing to a file.
tshark -i en0 -q -w capture.pcapng

14. Print Summaries While Saving

  • This command writes packets to a file and also prints packet summaries.
tshark -i en0 -P -w capture.pcapng

15. Read a Capture File

  • This command prints packet summaries from an existing capture file.
tshark -r capture.pcapng

16. Apply a Display Filter

  • This command prints only packets that match a Wireshark display filter.
tshark -r capture.pcapng -Y "dns or http"

17. Show Full Packet Details

  • This command prints full protocol details for matching packets.
tshark -r capture.pcapng -Y "http" -V

18. Show Details for Selected Protocols

  • This command prints full details only for selected protocols.
tshark -r capture.pcapng -Y "tls" -O tls,ip,tcp

19. Extract DNS Queries

  • This command extracts frame time, client IP, and DNS query name.
tshark -r capture.pcapng -Y "dns.qry.name" -T fields -e frame.time -e ip.src -e dns.qry.name

20. Extract HTTP Requests

  • This command extracts HTTP host, request method, and URI.
tshark -r capture.pcapng -Y "http.request" -T fields -e ip.src -e http.host -e http.request.method -e http.request.uri

21. Extract TLS SNI Values

  • This command extracts TLS server names from ClientHello packets when present.
tshark -r capture.pcapng -Y "tls.handshake.extensions_server_name" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name

22. Extract TCP Conversations as Fields

  • This command prints source and destination addresses and ports for TCP packets.
tshark -r capture.pcapng -Y "tcp" -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

23. Print CSV-Style Output

  • This command includes a header and comma-separated quoted field values.
tshark -r capture.pcapng -T fields -E header=y -E separator=, -E quote=d -e frame.number -e ip.src -e ip.dst -e _ws.col.Protocol
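The field-extraction and CSV-style commands above are usually the first step of a script rather than the end of the analysis. The following added example (written for this page; it is not code from Hackviser or from the Wireshark project) builds the DNS extraction command with the same `-T fields` and `-E` options, runs it through `subprocess`, and summarises the resulting CSV: queries per client plus a simple flag for unusually long or deeply nested query names, a common first-pass triage check. The parsing functions run on a constructed sample of TShark's output, so everything except `run_tshark()` works without a capture file or a `tshark` binary. The thresholds in `summarize_dns()` are assumptions chosen for illustration, and `frame.time_epoch` is used instead of `frame.time` because it sorts cleanly.

```python
"""Added example: wrap `tshark -T fields` and summarise its CSV output.
Not code from the Hackviser page or the Wireshark project."""
import csv
import io
import shutil
import subprocess
from collections import Counter

# Same kind of fields the page extracts; frame.time_epoch sorts as a number.
DNS_FIELDS = ["frame.time_epoch", "ip.src", "dns.qry.name"]


def dns_extract_argv(pcap_path, fields=DNS_FIELDS):
    """Build the tshark argv. -Y selects decoded packets that carry a DNS
    query name; the -E options produce a quoted CSV with a header line.
    aggregator=; keeps multi-valued fields from colliding with the ','
    used as the column separator."""
    argv = ["tshark", "-n", "-r", pcap_path, "-Y", "dns.qry.name",
            "-T", "fields", "-E", "header=y", "-E", "separator=,",
            "-E", "quote=d", "-E", "aggregator=;"]
    for field in fields:
        argv += ["-e", field]
    return argv


def run_tshark(pcap_path):
    """Run tshark on a capture file and return its stdout.
    Requires tshark on PATH; not exercised by the sample below."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    result = subprocess.run(dns_extract_argv(pcap_path), check=True,
                            capture_output=True, text=True)
    return result.stdout


def parse_fields_csv(text):
    """Parse the quoted CSV from -T fields into dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_dns(rows, max_labels=5, max_len=60):
    """Count queries per client IP and flag query names that are longer or
    more deeply nested than the (assumed, illustrative) thresholds."""
    per_client = Counter()
    flagged = []
    for row in rows:
        name = row["dns.qry.name"]
        per_client[row["ip.src"]] += 1
        labels = name.rstrip(".").split(".")
        if len(labels) > max_labels or len(name) > max_len:
            flagged.append((row["ip.src"], name))
    return per_client, flagged


# Constructed sample in the shape produced by
# tshark -T fields -E header=y -E separator=, -E quote=d (not real traffic).
SAMPLE_OUTPUT = (
    "frame.time_epoch,ip.src,dns.qry.name\n"
    '"1700000000.000100","192.168.1.10","example.com"\n'
    '"1700000000.200300","192.168.1.10","www.example.com"\n'
    '"1700000001.000000","192.168.1.22","update.example.net"\n'
    '"1700000002.500000","192.168.1.22",'
    '"a1b2c3d4e5f6a7b8.c9d0e1f2.a3b4c5d6.e7f8a9b0.c1d2.example.org"\n'
)

if __name__ == "__main__":
    # Swap in run_tshark("capture.pcapng") to process a real capture.
    per_client, flagged = summarize_dns(parse_fields_csv(SAMPLE_OUTPUT))
    for client, count in per_client.most_common():
        print(f"{client}: {count} queries")
    for client, name in flagged:
        print(f"flagged: {client} -> {name}")
```

Keeping the tshark invocation in a function that returns an argv list makes the exact filter and field set visible in code review and lets the command be unit-tested without running TShark; `-n` is included so addresses stay numeric and the output is repeatable, as the name-resolution command later on this page explains.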

24. Export JSON

  • This command exports decoded packet data as JSON.
tshark -r capture.pcapng -T json > packets.json

25. Export JSON for Selected Protocols

  • This command limits JSON output to selected protocol trees.
tshark -r capture.pcapng -T json -j "ip tcp http" > http.json

26. Export Elastic-Compatible JSON

  • This command writes newline-delimited JSON for bulk indexing workflows.
tshark -r capture.pcapng -T ek -j "ip tcp http" > packets.ndjson
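The Elastic-compatible export writes two lines per packet: a bulk-index action line and the packet document itself, with the dissected fields nested under `layers`. The following added example (written for this page; not code from Hackviser or from the Wireshark project) reads that newline-delimited output, skips the action lines, and lists HTTP requests per host. The sample is constructed to match the layered `-T ek` structure; the flattened key naming (`http_http_host`, `ip_ip_src`) is an assumption about recent TShark versions, so the lookup helper also accepts the shorter form and tolerates list-valued fields, which TShark emits when a field repeats within one packet.

```python
"""Added example: read `tshark -T ek -j "ip tcp http"` output and tally
HTTP requests per host. Not code from the Hackviser page or Wireshark."""
import json
from collections import Counter


def ek_documents(text):
    """Yield packet documents from -T ek output, skipping the
    {"index": ...} bulk-action lines that precede each packet."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "layers" in obj:
            yield obj


def ek_field(layers, layer, field):
    """Fetch one field from an ek layer. Keys are the field name flattened
    with underscores; both 'proto_proto_field' and the shorter form are
    tried (assumed naming). Repeated fields arrive as lists: return first."""
    data = layers.get(layer)
    if not isinstance(data, dict):
        return None
    flat = field.replace(".", "_")
    for key in (f"{layer}_{flat}", flat):
        if key in data:
            value = data[key]
            return value[0] if isinstance(value, list) else value
    return None


def http_requests(text):
    """Return (src, dst, method, host, uri) for each HTTP request packet;
    responses carry no request method and are skipped."""
    found = []
    for doc in ek_documents(text):
        layers = doc["layers"]
        method = ek_field(layers, "http", "http.request.method")
        if method is None:
            continue
        found.append((ek_field(layers, "ip", "ip.src"),
                      ek_field(layers, "ip", "ip.dst"),
                      method,
                      ek_field(layers, "http", "http.host"),
                      ek_field(layers, "http", "http.request.uri")))
    return found


def requests_per_host(text):
    """Count HTTP requests by Host header value."""
    return Counter(host for _, _, _, host, _ in http_requests(text))


def _doc(ts, ip_src, ip_dst, sport, dport, http):
    """Helper to build one constructed packet document."""
    return {"timestamp": ts, "layers": {
        "ip": {"ip_ip_src": ip_src, "ip_ip_dst": ip_dst},
        "tcp": {"tcp_tcp_srcport": sport, "tcp_tcp_dstport": dport},
        "http": http}}


# Constructed sample (not real traffic) in the two-lines-per-packet shape of
# tshark -T ek: an action line, then the packet document.
_ACTION = json.dumps({"index": {"_index": "packets-2024-01-01"}})
SAMPLE_EK = "\n".join([
    _ACTION,
    json.dumps(_doc("1700000000000", "192.168.1.10", "93.184.216.34", "51234", "80",
                    {"http_http_request_method": "GET", "http_http_host": "example.com",
                     "http_http_request_uri": "/",
                     "http_http_request_line": ["Host: example.com\r\n",
                                                "User-Agent: curl/8.0\r\n"]})),
    _ACTION,
    json.dumps(_doc("1700000000050", "93.184.216.34", "192.168.1.10", "80", "51234",
                    {"http_http_response_code": "200"})),
    _ACTION,
    json.dumps(_doc("1700000001000", "192.168.1.10", "93.184.216.34", "51236", "80",
                    {"http_http_request_method": "POST", "http_http_host": "example.com",
                     "http_http_request_uri": "/api/status"})),
])

if __name__ == "__main__":
    for src, dst, method, host, uri in http_requests(SAMPLE_EK):
        print(f"{src} -> {dst} {method} {host}{uri}")
    print(requests_per_host(SAMPLE_EK))
```

Reading the export line by line, as `ek_documents()` does, is what makes the `-T ek` format practical for large captures: unlike `-T json`, the whole file never has to be loaded as one array before the first packet can be processed.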

27. Export PDML

  • This command exports packet details as XML-based PDML.
tshark -r capture.pcapng -T pdml > packets.pdml

28. Export Packet Summaries as PSML

  • This command exports packet summaries as XML-based PSML.
tshark -r capture.pcapng -T psml > packets.psml

29. Print Hex and ASCII Dump

  • This command includes packet bytes with the decoded packet output.
tshark -r capture.pcapng -Y "tcp" -x

30. List Available Field Names

  • This command prints filterable field names that can be used with -e.
tshark -G fields

31. List Protocols

  • This command lists protocol abbreviations known to TShark.
tshark -G protocols

32. Show Protocol Hierarchy Statistics

  • This command summarizes protocol usage in a capture.
tshark -r capture.pcapng -q -z io,phs

33. Show IPv4 Conversations

  • This command prints IPv4 conversation statistics.
tshark -r capture.pcapng -q -z conv,ip

34. Show TCP Conversations

  • This command prints TCP conversation statistics.
tshark -r capture.pcapng -q -z conv,tcp

35. Show Endpoint Statistics

  • This command prints endpoint statistics for IPv4 addresses.
tshark -r capture.pcapng -q -z endpoints,ip

36. Show I/O Statistics

  • This command summarizes packet counts and bytes in 10-second intervals.
tshark -r capture.pcapng -q -z io,stat,10

37. Count Packets Matching a Field

  • This command counts HTTP requests per interval.
tshark -r capture.pcapng -q -z io,stat,10,"COUNT(http.request)http.request"

38. Analyze DHCP Traffic

  • This command displays DHCP packets with full details.
tshark -r capture.pcapng -Y "dhcp" -V

39. Analyze SMB Traffic

  • This command extracts the SMB2 command field value from SMB2 packets when present.
tshark -r capture.pcapng -Y "smb2" -T fields -e frame.time -e ip.src -e ip.dst -e smb2.cmd

40. Analyze Kerberos Traffic

  • This command prints Kerberos packet summaries.
tshark -r capture.pcapng -Y "kerberos"

41. Analyze NTLMSSP Traffic

  • This command filters for NTLMSSP authentication messages.
tshark -r capture.pcapng -Y "ntlmssp"

42. Decode Traffic on a Non-Standard Port

  • This command decodes TCP port 8080 traffic as HTTP for this run.
tshark -r capture.pcapng -d tcp.port==8080,http -Y "http"

43. Disable Name Resolution

  • This command keeps addresses and ports numeric for repeatable output.
tshark -r capture.pcapng -n

44. Enable Monitor Mode

  • This command captures in wireless monitor mode when supported.
tshark -i wlan0 -I -w wifi.pcapng

45. Read Packets from Standard Input

  • This command reads capture data from standard input.
tcpdump -i en0 -w - | tshark -r -

Output Examples

Command: tshark -D
  • Description: Lists capture interfaces.
  • Example output:
1. en0 (Wi-Fi)
2. lo0 (Loopback)

Command: tshark -i en0 -c 3
  • Description: Captures three packets and prints summaries.
  • Example output:
1 0.000000 192.168.1.10 -> 1.1.1.1 DNS Standard query

Command: tshark -r capture.pcapng -Y "dns"
  • Description: Filters decoded packets with a display filter.
  • Example output:
DNS Standard query 0x1234 A example.com

Command: tshark -T fields -e ip.src -e dns.qry.name
  • Description: Extracts selected fields.
  • Example output:
192.168.1.10 example.com

Command: tshark -r capture.pcapng -q -z conv,tcp
  • Description: Prints TCP conversation statistics.
  • Example output:
TCP Conversations
Address A Port A Address B Port B Frames Bytes

Command: tshark -r capture.pcapng -T json
  • Description: Exports decoded packet data as JSON.
  • Example output:
[{ "_index": "packets-..." }]

Command: tshark -r capture.pcapng -x
  • Description: Prints packet bytes.
  • Example output:
0000 45 00 00 3c ...