TShark Cheat Sheet

Wireshark is a popular network protocol analyzer, and TShark is its command-line counterpart. TShark is used for capturing and analyzing network traffic. Here’s a basic cheat sheet to help you use TShark effectively:

Basic Usage

Capture Traffic:

tshark -i <interface>

Read from a File:

tshark -r <filename>

Apply Display Filter (-Y; -f is the capture filter, see Advanced Filtering):

tshark -i <interface> -Y "expression"

Display Filter Expressions

IP Address Filter:

tshark -i <interface> -Y "ip.addr == <ip_address>"

Protocol Filter:

tshark -i <interface> -Y <protocol>

Port Filter:

tshark -i <interface> -Y "tcp.port == <port_number> || udp.port == <port_number>"

Display Specific Fields (-e requires -T fields; repeat -e for each field):

tshark -i <interface> -T fields -e <field>
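An added example, not part of this cheat sheet, that wires the -T fields / -e / -Y options above into a small shell pipeline: dns_fields() asks TShark for the source address and queried name of each DNS query, and queries_per_source() counts queries per host so an unusually chatty client stands out. The capture path <pcap> and the sample lines are assumptions; the constructed sample stands in for TShark's output so the script runs without a capture.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet): pull selected fields out of a
# capture with "-T fields -e ... -E ..." and summarise them with shell tools.
# dns_fields() is the only function that invokes tshark; the SAMPLE below
# stands in for its output so the rest runs without a capture file.

# One tab-separated line per DNS query: <ip.src>\t<dns.qry.name>.
# -E header=n drops the column header; -E occurrence=f keeps the first value
# when a field appears more than once in a packet.
dns_fields() {
  tshark -r "$1" -Y 'dns.flags.response == 0' -T fields \
    -e ip.src -e dns.qry.name -E header=n -E separator=/t -E occurrence=f
}

# Read fields output on stdin; print "<queries> <source ip>", busiest first.
queries_per_source() {
  awk -F'\t' 'NF >= 2 && $1 != "" { n[$1]++ }
              END { for (h in n) print n[h], h }' | sort -rn
}

# Constructed sample of dns_fields output (no real capture behind it).
SAMPLE=$(printf '10.0.0.5\texample.com\n10.0.0.5\twww.example.com\n10.0.0.7\tupdates.example.net\n10.0.0.5\tcdn.example.com\n')

# Busiest source in the sample, e.g. "3 10.0.0.5".
top_source() {
  printf '%s\n' "$SAMPLE" | queries_per_source | head -n 1
}

top_source
```

On a real capture, replace the sample with `dns_fields <pcap> | queries_per_source`.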

Output Options

Save to a File:

tshark -i <interface> -w <output_filename>

Export to JSON:

tshark -i <interface> -T json

Output as PDML:

tshark -i <interface> -T pdml

Advanced Filtering

BPF (Berkeley Packet Filter) Syntax:

tshark -i <interface> -f "expression"

Complex Filtering:

tshark -i <interface> -Y "filter_expression"

Statistics

Capture Statistics (protocol hierarchy; -z output is printed when the capture ends, and tshark -z help lists all available statistics):

tshark -i <interface> -q -z io,phs

Conversations:

tshark -i <interface> -z "conv,<type>"

Follow Streams

Follow TCP Stream:

tshark -i <interface> -z "follow,tcp,raw,<stream_number>"

SSL/TLS Decryption

Decrypt SSL/TLS Traffic (using a client-side key log file; TShark 3.0 and later use the tls prefix, older versions ssl.keylog_file):

tshark -i <interface> -o "tls.keylog_file:<file_path>"

Miscellaneous

Quiet Mode (suppress per-packet output and the running packet count; useful with -z or -w):

tshark -q

Display Interface List:

tshark -D

Read from Multiple Files (TShark accepts a single -r, so merge the captures first with mergecap from the Wireshark suite):

mergecap -w <merged_file> <file1> <file2> && tshark -r <merged_file>

Display Help:

tshark --help

Remember to replace <interface>, <ip_address>, <port_number>, <output_filename>, <file_path>, <type>, <stream_number>, <protocol>, and <field> with the relevant values for your use case. The examples provided cover common scenarios, but TShark has many more features and options. Check the TShark documentation for detailed information.