TShark is a command-line tool that comes bundled with Wireshark. It provides similar functionality to Wireshark but without the GUI. Below are some options for running TShark.
Make sure to add the Wireshark directory to your %Path% or run the command from the Wireshark folder under “Program Files”.
Basic TShark command:
tshark
To select an interface if you have more than one (tshark -D lists the available interfaces with their numbers; either the number or the name can be given to -i):
tshark -i <interface_name>
Capture packets to a file:
tshark -i <interface_name> -w captured.pcap
This command captures packets on the chosen interface and writes them to the specified file “captured.pcap” until you stop it with Ctrl+C.
Read a Capture File:
tshark -r captured.pcap
This command reads the captured file “captured.pcap” and displays the packet information.
Filtering Packets:
You can apply display filters to TShark to view specific packets. Use the ‘-Y’ option followed by the filter expression.
tshark -r captured.pcap -Y "expression"
Replace “expression” with the desired filter, such as “ip.addr == 192.168.0.1” to show only packets sent to or from that IP address. Note that ‘-Y’ takes Wireshark display-filter syntax; capture filters given with ‘-f’ use the separate BPF syntax, so the two are not interchangeable.
Display summary information:
TShark can also display statistics about captured packets. Use the ‘-z’ option followed by the statistic type.
tshark -r captured.pcap -z "summary"
Replace “summary” with the desired statistic type, such as ‘io,phs’ for the protocol hierarchy statistics (‘io,stat,1’ gives I/O statistics in one-second intervals). Add ‘-q’ so the per-packet lines are suppressed and only the statistics are printed; ‘tshark -z help’ lists every available type.
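The read, filter and statistics options above are easiest to try against a capture whose contents you already know. The script below is an added example, not part of the original article: it builds a two-packet pcap file in pure Python (two constructed TCP SYNs, one from 192.168.0.1 and one from 172.16.5.9, all MAC addresses and ports made up), verifies the addresses by parsing the file itself, and then runs the ‘-r’, ‘-Y’ and ‘-q -z io,phs’ commands from the article against it. The ‘-T fields -e’ options are real TShark switches that print only the named fields. The live-capture step (‘-i’/‘-w’) is deliberately left out because it needs an interface and capture privileges; everything here runs offline, and the tshark calls are skipped if tshark is not on the PATH.

```python
"""Build a small pcap fixture with known addresses, then exercise TShark's
read (-r), display filter (-Y) and statistics (-z) options against it."""
import ipaddress
import shutil
import struct
import subprocess
from typing import List, Optional, Tuple

PCAP_PATH = "captured.pcap"  # same file name the article uses


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet II + IPv4 + minimal TCP SYN with no payload (constructed sample).
    MAC addresses are made up; the TCP checksum is left at 0, which TShark
    only flags if checksum validation is switched on."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip_no_csum = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    # header checksum lives at bytes 10-11 of the IPv4 header
    ip = ip_no_csum[:10] + struct.pack("!H", checksum(ip_no_csum)) + ip_no_csum[12:]
    return eth + ip + tcp


def write_pcap(path: str, packets: List[bytes]) -> int:
    """Write a classic libpcap file (LINKTYPE_ETHERNET = 1); returns bytes written."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p  # ts_sec, ts_usec, incl_len, orig_len
        for i, p in enumerate(packets)
    )
    data = global_hdr + body
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def read_pcap_addresses(path: str) -> List[Tuple[str, str]]:
    """Walk the pcap records and return (src, dst) from each IPv4 header.
    A pure-Python check that the fixture holds what we expect before TShark reads it."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    out, off = [], 24
    while off < len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        src, dst = struct.unpack("!4s4s", frame[26:34])  # 14-byte Ethernet + 12 bytes into IPv4
        out.append((str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))))
        off += 16 + incl_len
    return out


def run_tshark(*args: str) -> Optional[str]:
    """Run tshark with the given arguments; returns None if tshark is not on PATH."""
    exe = shutil.which("tshark")
    if exe is None:
        return None
    return subprocess.run([exe, *args], capture_output=True, text=True, check=True).stdout


def main() -> None:
    packets = [
        build_ipv4_tcp("192.168.0.1", "10.0.0.5", 40000, 443),  # matches the article's filter
        build_ipv4_tcp("172.16.5.9", "10.0.0.5", 40001, 80),    # should be filtered out
    ]
    write_pcap(PCAP_PATH, packets)
    print("fixture holds:", read_pcap_addresses(PCAP_PATH))
    # -r reads the file, -Y applies the display filter, -T fields -e prints only those fields
    filtered = run_tshark("-r", PCAP_PATH, "-Y", "ip.addr == 192.168.0.1",
                          "-T", "fields", "-e", "ip.src", "-e", "ip.dst", "-e", "tcp.dstport")
    # -q suppresses the per-packet lines so only the -z statistics are shown
    stats = run_tshark("-r", PCAP_PATH, "-q", "-z", "io,phs")
    if filtered is None:
        print("tshark not found on PATH; fixture written to", PCAP_PATH)
    else:
        print("filtered packets:\n" + filtered)
        print("protocol hierarchy:\n" + stats)


if __name__ == "__main__":
    main()
```

With tshark installed, the filtered output should contain exactly one line (192.168.0.1 to 10.0.0.5, port 443) and the protocol hierarchy should show eth, ip and tcp with two frames each; if it does not, the display filter, not the capture, is what to check.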
I will be adding more articles about Wireshark/TShark in the coming weeks, please stay tuned.