TShark Cheat Sheet, Cheat Sheet of Computer Networks

Download TShark Cheat Sheet and more Cheat Sheet Computer Networks in PDF only on Docsity! 1/2 TShark Abstract TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcap format, which is also the format used by tcpdump and various other tools. Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet. Source: tshark man page $ man tshark Where to Acquire Included with Wireshark. Examples/Use Case Note: Some of the examples below presume files and paths that might not match your particular system and tool installation. Warning: Examples below use the -R syntax for doing display filters. Depending upon the version of tshark installed on your system, you might need to replace -R with -Y Read a pcap file: $ tshark -r /pcaps/zeus-gameover-loader.pcap Read a pcap, don't resolve names (layers 3 or 4): $ tshark -nr /pcaps/zeus-gameover-loader.pcap Read a pcap, use the display filter "http.request.method==GET": $ tshark -r /pcaps/zeus-gameover-loader.pcap -R "http.request.method==GET" Read a pcap, show TCP SYN packets not sent to port 80, don't resolve names: