This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!

---

tshark

Reference(s)

• https://tshark.dev/

• https://github.com/gcla/termshark

• https://www.wireshark.org/docs/man-pages/wireshark-filter.html

• https://www.wireshark.org/docs/wsug_html_chunked/
• https://gitlab.com/wireshark/wireshark/-/wikis/home
• https://ask.wireshark.org/questions/
• https://www.tcpdump.org/manpages/pcap-filter.7.html

---

Table of contents

• Install
• Config
• Use

---

Install

apkaptdnfemergenixpacmanyumxbpszypper

# apk add tshark

# apt install tshark

# dnf install wireshark-cli

TODO

on NixOSon non-NixOS

TODO

TODO

# pacman -S wireshark-cli

# yum install wireshark-cli

TODO

TODO

---

Config

$ sudo usermod -a -G wireshark $USER

TODO

---

Use

TODO

capture the interface interface-name with a protocol filter only displaying ICMP packets:

$ sudo tshark -i interface-name -Y 'icmp'

note : only ICMP packets are displayed but all packet are still captured

capture the interface interface-name with a specific capture filter :

$ sudo tshark -i interface-name -f "tcp and src host 127.0.0.1 and dst host 127.0.0.1 and src portrange 5064-5065"

note : not all packets are captured, only those that are filtered

write to an output file (with the pcap ng format by default)

$ sudo tshark -i interface-name -w output_file.pcap

convert the file to a text file:

$ sudo tshark -T text -r output_file.pcap > output_file.txt

---

If this cheat sheet has been useful to you, then please consider leaving a star here.