Table of Contents for
Mastering Wireshark 2

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Mastering Wireshark 2 by Andrew Crouthamel Published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

Running tshark

In this section, we'll take a look at how to run the terminal version of Wireshark, so that it only has a command-line interface instead of opening up the GUI.

In order to run tshark, you have to open up the command window, and once it's up, we have to browse to where Wireshark is installed because as I've explained, unless you have it in your system path, it'll not be available. So we'll browse again to where Wireshark lives, and we'll do a directory listing. We'll see that we have tshark.exe. This is installed by default with Wireshark. In order to run tshark, all you have to do is, of course, run tshark.exe. If you do so, it automatically begins capturing on your default interface:

You'll notice that it shows the packets that it's capturing directly to the command-line interface, directly to stdout. It does so because it does not have a graphical interface; there's nothing for it to display except for the screen that it's currently using, which is the command interface. You'll see that the output provides a similar display as you would see in Wireshark in the GUI. We have the packet number, the time since the packet capture started, the time difference between the last two packets, the source IP and the source port, the destination IP, the destination port, and so on. If you take a look at tshark.exe -h, just like Wireshark.exe, it'll look very similar. If we scroll up, we have the same arguments that we can use:

We have -D to display the list of interfaces again and -i for the interface that we want to use. We don't have to define -k so that it automatically starts capturing because tshark doesn't have a GUI for us to do anything in, so it automatically starts capturing anyway. We can set the ring buffer as before; we can define output files; we can do all sorts of things.

For an example, we can type tshark -D just to display all of our interfaces again. To confirm that we want to use interface number 1, we'll type tshark.exe -i 1, which ensures the use of the first interface. Then, we can define an output file as well, so we'll write this out to C:\Users\sayalit\test.pcapng, and now it begins capturing:

You'll see that it's showing us how many packets it's captured as it runs. In order to stop the capture, simply press Ctrl + C, and it will stop whatever it's doing. Just like with the Wireshark example, we can enhance this line that we've already created and we can define a ring buffer, for example, and say the duration is every 100 seconds. Then, it will do exactly that; every 100 seconds, it'll create a new file:

Tshark is very useful for things that you want to script. If you want to write a batch script or a bash script that will do a capture, and you want to ensure that it uses all the functionality that Wireshark is capable of, and it saves to the pcapng format, and you want to make sure that it does everything just like you would in Wireshark itself, using tshark is a great idea, as well as on systems that have low resources. If you're running this on a Command Prompt, need to do a packet capture on some old system like a Windows 2000 system, or something like that that's barely scraping by, you can run tshark, and it will eliminate a lot of the overheads that you have with running Wireshark, especially if the interface is automatically updating and scrolling with the packets. This gets rid of all of that, and it just gets the data that we need. In our next section, we'll take a look at tcpdump, which is available on almost every Unix or Linux system out there.