Tshark command options

Capture and .pcap files
-----------------------
-D    List the network interfaces available on the computer.
-i    Specify the interface on which to capture traffic.
-c    Capture a given number of packets.
-a    Autostop based on time duration, file size, etc.
-n    Disable all name resolution.
-r    Read from a .pcap file.
-w    Write to a .pcap file.
-P    Visualize packets while writing to a file with option -w.

Dissectors
----------
-d <layer type>==<selector>,<decode-as protocol>
      "Decode As"; see the man page for details.
      Example: tcp.port==8888,http

Filters
-------
-G fields
      List the fields of the different dissectors available for use as display filters.
-f    Allows specifying BSD Packet Filters (e.g., libpcap or tcpdump filters) for the capture. The filter must be enclosed in "".
-R    In Tshark < version 1.12 operates as a display filter. In Tshark >= version 1.12 operates as a read filter and needs to be combined with the -2 (two-pass) option. Allows specifying Wireshark Display Filters (i.e., dissector filters). The filter must be enclosed in "". I have experienced issues with this option in version 1.12 on Debian.
-Y    In Tshark >= version 1.12 operates as a display filter. Allows specifying Wireshark Display Filters (i.e., dissector filters). The filter must be enclosed in "".

Logical operators for combining filters: && || !

Comparison operators:
  param.subparam ==,  param.subparam eq             Equal to.
  param.subparam !=,  param.subparam ne             Not equal to.
  param.subparam >,   param.subparam gt             Greater than.
  param.subparam <,   param.subparam lt             Less than.
  param.subparam >=,  param.subparam ge             Greater than or equal to.
  param.subparam <=,  param.subparam le             Less than or equal to.
  param.subparam &,   param.subparam bitwise_and    Compare bit field value.
Text operators: contains, matches
Membership operator: in {}

Examples:
  Look at OSPF traffic:             tshark -i eth0 -O ospf
  Look at DNS traffic:              tshark -f "udp port 53" -i eth0
  Look at CDP traffic:              tshark -R "cdp.deviceid == R1" -i eth0
  Look at traffic on several ports: tshark -i eth0 -Y "tcp.port in {80 443 8080}"
  Display EIGRP fields:             tshark -G | cut -f3 | grep "^eigrp\."

Packet Data Visualization
-------------------------
-V    Verbose mode. Shows each field of each protocol.
-O    Only show packet details of these protocols (comma-separated). A reduced version of -V.
-C    Specifies the "Configuration Profile" file to use.
-G defaultprefs
      Lists the default Tshark preferences.
-o prefname:value
      Overrides a default preference setting for the text output (e.g., column format or relative sequence numbers).
      Example: tshark -i eth0 -o tcp.analyze_sequence_numbers:TRUE
      Example: tshark -i eth0 -o eth.check_fcs:TRUE
-T    Formats the text output. The options are pdml, psml, ps, text and fields.
-e    Fields to print when '-T fields' is used. Wireshark-specific column names may be used, prefixed with "_ws.col.".
-E    Formats the fields when -e is used. Options are field names as a header line (header=y|n), the separator character (separator=/t|/s|<char>), which occurrence of a field to print (occurrence=f|l|a), the separator between occurrences of the same field (aggregator=,|/s|<char>), and quoting of the fields (quote=d|s|n).
-x    Show the packet data in ASCII and HEX format.

Examples:
  "-e frame.number -e ip.addr -e udp -e _ws.col.Info"
      Present certain columns.
  "-e frame.number -e frame.time -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info"
      Present the default Wireshark/Tshark columns.

Statistics
----------
-q    Only display the statistics, not any per-packet information.
-z    Various statistics.

Statistics details:
  proto,colinfo,<filter>,<field>
      Append all values of the field to the Info column of the one-line summary output. Can be used multiple times on the command line.
      Should not be used with options -V and -q.
  conv,type[,filter]
      Conversation statistics. The type can be TCP, UDP, IP, FDDI, etc.
  io,phs
      Show Protocol Hierarchy Statistics.
  io,stat,interval[,filter][,filter]
      Show the total number of bytes and frames in time intervals. The parameter interval is in seconds.
  io,stat,interval,FRAMES()filter,BYTES()filter
      Same as the previous line.
  io,stat,interval,"[COUNT|SUM|MIN|MAX|AVG|LOAD](field)filter_containing_the_desired_field"
      Same as the previous line, for handling different protocol fields.
  follow,prot,mode,filter[,range]
      Follow a stream. Here, prot can be TCP or UDP (or SSL in Wireshark >= 1.10), mode specifies the output type (ASCII/HEX), and the optional range specifies which "chunks" of the stream should be displayed.

Examples:
  "conv,ip,ip.addr==192.168.15.0/24"
      IPv4 conversations.
  "follow,tcp,ascii,192.168.15.4:58905,192.168.30.5:21,1"
      Follow TCP stream (the last 1 includes HEX format in the output).
  io,phs,"ip.addr==192.168.15.4 && ssl || http"
      Protocol Hierarchy Statistics.
  io,stat,10,AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt and tcp.stream==89
      Calcula

Commands for individual TCP stream analysis
-------------------------------------------
Bandwidth analysis of a TCP stream:
  STREAMID=140; PORT=445;
  tshark -r capture_06_07_vlan169.pcapng -q -z io,stat,1,"tcp.stream==$STREAMID and tcp.srcport==$PORT","tcp.stream==$STREAMID and tcp.dstport==$PORT"

Analyze retransmissions, duplicate ACKs and RTT of a TCP stream:
  STREAMID=319;
  tshark -r capture_06_07_vlan169.pcapng -q -z io,stat,0,"tcp.stream==$STREAMID","COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission and tcp.stream==$STREAMID","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack and tcp.stream==$STREAMID","AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt and tcp.stream==$STREAMID" -z conv,tcp,tcp.stream==$STREAMID

Note: The command capinfos can be used to measure general characteristics of the whole capture file, like the data bit rate.
      editcap, on the other hand, can be used to eliminate duplicate packets or reduce the packet size.
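The following script is an added example and is not part of the original cheat sheet. It ties together two sections above: it assembles the `-T fields` / `-E` options from "Packet Data Visualization" into a tshark argument list, parses the CSV tshark then prints, and reproduces over that output what the bandwidth command under "Commands for individual TCP stream analysis" asks `-z io,stat,1,...` to compute (frames and bytes per interval, split by direction). The sample output embedded in it is constructed by hand so the script runs offline; "capture.pcapng" is a placeholder path, and the function names are the example's own.

```python
"""Post-process `tshark -T fields` output (added example, not from the cheat sheet).

build_fields_cmd()   -> argv using the -T fields / -E options of the cheat sheet
parse_fields_output() -> one dict per packet from the CSV tshark prints
stream_bandwidth()   -> per-interval frames/bytes for one tcp.stream, in the two
                        directions that -z io,stat,1,"...srcport==P","...dstport==P" reports
SAMPLE_OUTPUT is constructed by hand; "capture.pcapng" is a placeholder path.
"""
import csv
import io
import subprocess
from collections import defaultdict

FIELDS = ["frame.time_relative", "frame.len", "tcp.stream", "tcp.srcport", "tcp.dstport"]


def build_fields_cmd(pcap, fields, display_filter=None):
    """argv for a per-packet CSV export.

    header=y      first line names the fields
    separator=,   one column per -e field
    quote=d       every value double-quoted, so a ',' inside a value is safe
    occurrence=a  print all occurrences of a field (e.g. both ip.addr values)
    aggregator=;  join those occurrences with ';' instead of the default ','
    """
    cmd = ["tshark", "-n", "-r", pcap, "-T", "fields",
           "-E", "header=y", "-E", "separator=,", "-E", "quote=d",
           "-E", "occurrence=a", "-E", "aggregator=;"]
    if display_filter:
        cmd += ["-Y", display_filter]      # display filter (Tshark >= 1.12)
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn the CSV produced with the options above into one dict per packet.
    A field the packet does not carry (tcp.* on a non-TCP frame) comes out as ''."""
    return list(csv.DictReader(io.StringIO(text), delimiter=",", quotechar='"'))


def run_fields(pcap, fields=FIELDS, display_filter=None):
    """Run tshark and parse its output (needs tshark on PATH)."""
    proc = subprocess.run(build_fields_cmd(pcap, fields, display_filter),
                          check=True, capture_output=True, text=True)
    return parse_fields_output(proc.stdout)


def stream_bandwidth(rows, stream_id, port, interval=1.0):
    """Frames and bytes per `interval` seconds for one tcp.stream, split into
    packets sent from `port` and packets sent to `port` (the two columns of the
    io,stat bandwidth command in the cheat sheet). Intervals start at t=0 as in
    io,stat. Returns {interval_start: {"from_port": (frames, bytes),
                                       "to_port": (frames, bytes)}}."""
    buckets = defaultdict(lambda: {"from_port": [0, 0], "to_port": [0, 0]})
    for row in rows:
        if row["tcp.stream"] != str(stream_id):
            continue                        # other stream, or not TCP at all ('')
        if row["tcp.srcport"] == str(port):
            direction = "from_port"
        elif row["tcp.dstport"] == str(port):
            direction = "to_port"
        else:
            continue
        start = int(float(row["frame.time_relative"]) // interval) * interval
        buckets[start][direction][0] += 1
        buckets[start][direction][1] += int(row["frame.len"])
    return {start: {d: tuple(v) for d, v in dirs.items()}
            for start, dirs in sorted(buckets.items())}


# Constructed sample of what build_fields_cmd("capture.pcapng", FIELDS) would print
# for a short exchange on port 445; stream 141 is there to be filtered out.
SAMPLE_OUTPUT = '''"frame.time_relative","frame.len","tcp.stream","tcp.srcport","tcp.dstport"
"0.000000","66","140","51234","445"
"0.000412","66","140","445","51234"
"0.100000","1514","140","445","51234"
"0.250000","1514","140","445","51234"
"0.300000","66","140","51234","445"
"1.050000","1514","140","445","51234"
"1.200000","66","140","51234","445"
"1.900000","66","141","51300","445"
"2.500000","90","140","51234","445"
'''


def sample_report(stream_id=140, port=445):
    """Bandwidth table for the constructed sample."""
    return stream_bandwidth(parse_fields_output(SAMPLE_OUTPUT), stream_id, port)


if __name__ == "__main__":
    print("interval   from port (frames, bytes)   to port (frames, bytes)")
    for start, dirs in sample_report().items():
        print(f"{start:>6.1f}s  {dirs['from_port']!s:>22}  {dirs['to_port']!s:>22}")
```

With tshark installed, `run_fields("capture.pcapng", FIELDS, "tcp.stream==140")` replaces the constructed sample; keeping `separator=,` and `aggregator=;` distinct is what lets `csv` split columns correctly when a packet carries several values of one field.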