IP Network - Tshark

Simply put, Tshark is the command-line version of Wireshark. Whatever you can do in Wireshark you can also do in Tshark; the only difficulty is figuring out the proper command and option keys. You may use this page as a cheat sheet for these commands.

Where to find Tshark?

The first thing you need to know is the location (folder) of the Tshark executable. In most cases, if you just type 'Tshark' in the command window, you will see the following message:

    'tashark' is not recognized as an internal or external command, operable program or batch file.

The simplest way to find the location of Tshark is to search for 'Tshark' in Windows File Explorer. On my PC, I found Wireshark in the following folder (but you may find it in a different location, so don't blindly copy this; search for the location on your own PC/equipment).

How to find Network Interface Name

One of the most important parameters you have to specify in a 'Tshark' command is the name of your network interface card. If you have only one network interface card in the PC, you don't need to know it; just run Tshark. But if you have multiple network cards (including WiFi), you need to know the exact name of the interface card. At first I thought it could easily be found with the 'ipconfig' or 'netshell' command, but all of my trials with these commands failed. After a lot of struggle, I learned that the easiest way is to use the 'Tshark' program itself to find the network interface name.

The following is an example. The Tshark command with the '-D' option lists all the network interface card names. The quoted part before '-D' is the file path where the Tshark program is located; this path may be different on your PC, and you should figure it out as explained in the previous section.

    C:\temp>"C:\Program Files (x86)\Wireshark\tshark" -D

An example of the result is shown below. Note that the '\Device\NPF_{...}' part is the name of the interface you have to use in the Tshark command. The text in parentheses is just additional information; it is not part of the interface name.

    1. \Device\NPF_{A1CD5AEF-448A-4D36-8A5B-3BB543A265B8} (Intel(R) 82574L Gigabit Network Connection)
    2. \Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6} (Intel(R) 82577LM GigabitNetwork Connection)
    3. \Device\NPF_{9E6294E5-89BA-41B2-8CFB-0837A4504F3E} (Microsoft)

How to start capturing packets for a specific interface name?

Once you figure out the name, you can capture the IP packets coming through that network card by passing the name (in double quotes) to the '-i' option, as in the examples in the later sections.

If you start the command, it captures the packets and prints them out, one line per packet, as they arrive.

If you want to stop capturing, press 'Ctrl + C'.

How to start capturing packets for a specific interface number (index)?

If you think the interface name is too long and awkward to use, you can instead use the simple number mapped to each interface card.

If you run 'Tshark -D' and get the following result, you see a number at the beginning of each interface entry. This number is an index for the interface, and you can use it to specify the interface card to capture from.

    1. \Device\NPF_{A1CD5AEF-448A-4D36-8A5B-3BB543A265B8} (Intel(R) 82574L Gigabit Network Connection)
    2. \Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6} (Intel(R) 82577LM GigabitNetwork Connection)
    3. \Device\NPF_{9E6294E5-89BA-41B2-8CFB-0837A4504F3E} (Microsoft)

The following is an example that captures packets from the interface card \Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6}, which is number 2 in the list above.

    C:\temp>"C:\Program Files (x86)\Wireshark\tshark" -i 2

How to start capturing packets for a specific interface into a pcap file?

With the '-w' option followed by a file name (for example '-w test.pcap', as in the examples in the following sections), you can save the full details of the captured packets into that file.

If you run this command, it does not print each packet; instead it shows a running count of the packets being captured.

Stop capturing by pressing 'Ctrl + C', and you will get the pcap file saved under the name you specified.

How to start capturing packets for a specific interface into a pcap file for a certain duration?

If you run it with the '-a duration:NUM' option as follows, it captures only for that duration (NUM seconds) and then stops automatically. The following example runs for 30 seconds.

    C:\temp>"C:\Program Files (x86)\Wireshark\tshark" -i "\Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6}" -w test.pcap -a duration:30

How to start capturing packets for a specific interface into a pcap file up to a certain file size?

If you run it with the '-a filesize:NUM' option as follows, it captures until the output file reaches the specified size (NUM kB) and then stops automatically. In the following example, the specified file size is 5KB.

    C:\temp>"C:\Program Files (x86)\Wireshark\tshark" -i "\Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6}" -w test.pcap -a filesize:5
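The whole procedure above (list interfaces with '-D', map the index to the '\Device\NPF_{...}' name, then build a '-i ... -w ... -a' capture command) as an added Python example that is not part of the original page. The sample listing is constructed from the output shown above, the install path TSHARK_EXE is an assumption, and the parser also accepts the Linux-style lines ('1. eth0') that tshark prints without a parenthesised description.

```python
import re
import subprocess
from typing import Dict, List, NamedTuple, Optional

# Sample output of `tshark -D`, constructed from the listing shown on this page
# (a raw string, since the names contain backslashes).
SAMPLE_LISTING = r"""
1. \Device\NPF_{A1CD5AEF-448A-4D36-8A5B-3BB543A265B8} (Intel(R) 82574L Gigabit Network Connection)
2. \Device\NPF_{2E50CDCA-FB6A-43D0-BE90-6AD077E217C6} (Intel(R) 82577LM GigabitNetwork Connection)
3. \Device\NPF_{9E6294E5-89BA-41B2-8CFB-0837A4504F3E} (Microsoft)
"""

# Hypothetical install path; use the folder you found on your own PC.
TSHARK_EXE = r"C:\Program Files (x86)\Wireshark\tshark.exe"

class Interface(NamedTuple):
    index: int        # number printed by tshark, usable with -i
    device: str       # \Device\NPF_{...} name, also usable with -i
    description: str  # text in parentheses; not part of the name

# "<index>. <device> (<description>)"; the description is optional because
# tshark on Linux prints lines such as "1. eth0" without parentheses.
LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")

def parse_interfaces(listing: str) -> Dict[int, Interface]:
    """Map each interface index to its device name and description."""
    interfaces: Dict[int, Interface] = {}
    for line in listing.splitlines():
        match = LINE_RE.match(line)
        if match:  # skip blank lines and any warnings tshark prints
            index, device, desc = match.groups()
            interfaces[int(index)] = Interface(int(index), device, desc or "")
    return interfaces

def list_interfaces(tshark_exe: str = TSHARK_EXE) -> Dict[int, Interface]:
    """Run `tshark -D` and parse its output (needs tshark installed)."""
    out = subprocess.run([tshark_exe, "-D"], capture_output=True, text=True, check=True)
    return parse_interfaces(out.stdout)

def build_capture_command(iface: Interface, outfile: str, duration: Optional[int] = None,
                          filesize_kb: Optional[int] = None, tshark_exe: str = TSHARK_EXE) -> List[str]:
    """argv for `tshark -i <device> -w <file>` plus optional '-a' autostop conditions."""
    cmd = [tshark_exe, "-i", iface.device, "-w", outfile]
    if duration is not None:  # stop after NUM seconds
        cmd += ["-a", f"duration:{duration}"]
    if filesize_kb is not None:  # stop once the file reaches NUM kB
        cmd += ["-a", f"filesize:{filesize_kb}"]
    return cmd
```

Passing the resulting list to subprocess.run() starts the capture exactly as the command lines above do, and the autostop conditions end it without Ctrl + C.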