Tshark - Install and Configure on Ubuntu/CentOS

In this chapter, you will learn

  1. What is Tshark?
  2. How to install it on Ubuntu and CentOS?
  3. How to capture network packets using Tshark?
  4. Tshark useful commands

Tshark is a command-line network analyzer tool that functions similarly to WireShark . While Wireshark is a GUI-based application, Tshark is the command-line version of Wireshark. You can also think of Tshark as a Wireshark Command Line Interface (CLI).

If you are seeking a network analyzer tool that operates within the terminal, install Tshark on your Linux distribution. In this article, I will guide you on how to install and configure Tshark on Ubuntu and CentOS distributions.

Installation

Ubuntu

Step 1: Add the Wireshark and TShark repository
sudo add-apt-repository -y ppa:wireshark-dev/stable
Step 2: Install Tshark.
sudo apt install -y tshark

CentOS

Just install CLI version of Wireshark and start using Tshark as follows:

sudo yum install wireshark

Check the installation:

tshark -v
Running as user "root" and group "root". This could be dangerous.
TShark (Wireshark) 2.6.2 (v2.6.2)
Step 3: Add current user to Wireshark group.
sudo usermod -a -G wireshark $USER
Note

If you are getting the error "usermod: group 'wireshark' does not exist", allow non root user to capture packets using Wireshark. Execute the following command and select Yes.

sudo dpkg-reconfigure wireshark-common
Tshark configuration

Now, add current user to Wireshark group using the Step 3.

Step 4: Check Tshark installation.
tshark -version
TShark (Wireshark) 4.2.2 (Git v4.2.2 packaged as 4.2.2-1~ubuntu22.04.0~ppa2).

Capture packets:

After installing Tshark, you can capture network packets as follows:

tshark
Capturing on 'eth0'

1 0.000000000      0.0.0.0 → 255.255.255.255 HIP 102 HIP I1 (HIP Initiator Packet)
2 29.024847406 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
3 30.031838599 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
4 31.032901902 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
5 32.033311006 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1  
^C5 packets captured

Some important Tshark commands:

1 List all the available network interfaces:

sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. eth0
2. any
3. lo (Loopback)
4. bluetooth-monitor
5. nflog
6. nfqueue
7. dbus-system
8. dbus-session
9. ciscodump (Cisco remote capture)
10. dpauxmon (DisplayPort AUX channel monitor capture)
11. randpkt (Random packet generator)
12. sdjournal (systemd Journal Export)
13. sshdump (SSH remote capture)
14. udpdump (UDP Listener remote capture)
15. wifidump (Wi-Fi remote capture)

2 Scan selected network interfaces:

sudo tshark -i eth0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
    1 0.000000000 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    2 1.006092154 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    3 2.007759990 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    4 3.013243026 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
^C4 packets captured

3 Save output to a file

Following commands will captures 300 network packets and saves them into a file "tshark_scanned_packets.pcap".

tshark -c 3 -w tshark_scanned_packets.pcap

4 Read the captured file.

tshark -r tshark_scanned_packets.pcap

5 Capture only 10 packets.

sudo tshark -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
    1 0.000000000      0.0.0.0 → 255.255.255.255 HIP 102 HIP I1 (HIP Initiator Packet)
    2 18.938362969 fe80::215:5dff:feaf:257e → ff02::2      ICMPv6 70 Router Solicitation from 00:15:5d:af:25:7e
    3 47.049327788 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    4 48.054810848 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    5 49.059101515 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    6 50.060323583 172.17.224.1 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
    7 56.133175074 172.17.235.107 → 172.17.224.1 DNS 76 Standard query 0xb126 AAAA api.snapcraft.io
    8 56.133174974 172.17.235.107 → 172.17.224.1 DNS 76 Standard query 0xf2d9 A api.snapcraft.io
    9 56.211258977 172.17.224.1 → 172.17.235.107 DNS 156 Standard query response 0xf2d9 A api.snapcraft.io A 185.125.188.54 A 185.125.188.59 A 185.125.188.58 A 185.125.188.55
   10 56.353044181 172.17.224.1 → 172.17.235.107 DNS 204 Standard query response 0xb126 AAAA api.snapcraft.io AAAA 64:ff9b::b97d:bc37 AAAA 64:ff9b::b97d:bc3b AAAA 64:ff9b::b97d:bc3a AAAA 64:ff9b::b97d:bc36
10 packets captured

Summary

In this chapter, I aim to explain how to install and configure Tshark, a network analyzer tool, on Ubuntu and CentOS servers.

Tshark serves as the command-line counterpart to the Wireshark GUI. Some users opt not to utilize GUIs and instead prefer capturing packets directly from the terminal using command-line interfaces.




Print