Commands used in the post below, as a quick reference if you do not want to read the whole walkthrough:

sudo tshark -f "tcp port 80" -F pcap -w /var/tmp/port_80_cap.pcap -c 10
sudo tshark -r /var/tmp/port_80_cap.pcap
sudo tshark -r /var/tmp/port_80_cap.pcap -Tfields -e ip.src -e tcp.port -e ip.ttl -e ip.dst
sudo tshark -f "tcp port 80" -F pcap -w /var/tmp/port_80_cap.pcap -c 10
sudo tshark -r /var/tmp/port_80_cap.pcap -Tfields -Y ip.dst==172.31.33.25 -e ip.dst -e tcp.dstport
sudo tshark -r capture_ospf.cap
sudo tshark -r capture_ospf.cap -Y "frame.number == 4"
sudo tshark -r capture_ospf.cap -Y "frame.number == 4" -V
Wireshark is well known for capturing packets and analysing packet-capture files. If you have never used it, Wireshark is a sophisticated and popular GUI tool for performing packet captures and dissecting the results.
Not every task needs a GUI, and more importantly you often do not have access to a GUI environment at all. For example, on an Ubuntu EC2 cloud instance you would typically not install a desktop environment, because the machine is meant to run server workloads.
This is where Tshark comes in very handy. Tshark offers the same capture and dissection capabilities as Wireshark from the command line, with no GUI application required. Let's look at a typical example where we capture traffic on port 80.
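The shell script below is an added example and is not part of the original post. It wraps the post's capture and read-back commands (same capture file path and field list) in functions, and adds two small awk helpers that work on the tab-separated output of tshark -Tfields: one counts packets per source/destination pair, the other keeps only rows for a chosen ip.dst, which is the same idea as the post's -Y ip.dst==172.31.33.25 display filter. The sample rows embedded in the script are constructed (the 203.0.113.10 address is a documentation address, 172.31.33.25 is the host from the post), so the summary part runs without tshark installed; only the "capture" mode needs tshark and capture privileges.

```shell
#!/bin/sh
# Added example, not part of the original post. It wraps the post's capture
# and read commands in functions and summarises tshark's tab-separated
# "-Tfields" output with awk, so the summary part can be exercised offline
# against constructed sample lines (no tshark needed for that part).

CAP=/var/tmp/port_80_cap.pcap   # same path the post uses

# Capture 10 packets matching the BPF filter "tcp port 80" into a pcap file.
# Needs capture privileges (run as root or with the appropriate capabilities).
capture_port_80() {
    tshark -f "tcp port 80" -F pcap -w "$CAP" -c 10
}

# Read the capture back and print the fields the post selects, one packet per
# line, tab-separated: ip.src, tcp.port, ip.ttl, ip.dst. Note that tcp.port
# occurs twice per packet (source and destination), so tshark emits it as "a,b".
fields_port_80() {
    tshark -r "$CAP" -Tfields -e ip.src -e tcp.port -e ip.ttl -e ip.dst
}

# Offline helper: count packets per (ip.src -> ip.dst) pair from -Tfields
# output on stdin, busiest pair first. Column layout assumed as above.
summarise_pairs() {
    awk 'BEGIN { FS = "\t" }
         $1 != "" && $4 != "" { n[$1 " -> " $4]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Offline helper: keep only rows whose ip.dst equals the given address, the
# same idea as the post's display filter -Y ip.dst==172.31.33.25.
filter_dst() {
    awk -v want="$1" 'BEGIN { FS = "\t" } $4 == want { print }'
}

# Constructed sample -Tfields output (three packets of one HTTP exchange).
# 203.0.113.10 is a documentation address; 172.31.33.25 is the host from the post.
SAMPLE_FIELDS="$(printf '172.31.33.25\t54321,80\t64\t203.0.113.10\n203.0.113.10\t80,54321\t54\t172.31.33.25\n172.31.33.25\t54321,80\t64\t203.0.113.10')"

# Stand-alone usage: "sh this.sh capture" runs the live capture and summarises
# it; plain "sh this.sh" only summarises the constructed sample rows.
if [ "${1:-}" = "capture" ]; then
    capture_port_80 && fields_port_80 | summarise_pairs
else
    printf '%s\n' "$SAMPLE_FIELDS" | summarise_pairs
fi
```

The helpers read whatever tshark -Tfields prints, so the same summarise_pairs function can be fed a live read-back (fields_port_80 | summarise_pairs) once a capture exists; keep the -e order in sync with the column numbers the awk programs assume.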