Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, I will provide practical examples to get you started using tshark and begin carving valuable information from the wire.
Use these as the basis for building your own extraction commands. As you can see, the syntax for capturing and reading a pcap is very similar to
Capture Packets with Tshark
tshark -i wlan0 -w capture-output.pcap
Read a Pcap with Tshark
tshark -r capture-output.pcap
HTTP Analysis with Tshark
In the following example we extract data from any HTTP requests that are seen. With -T fields we specify that we want to extract fields, and with the -e options we identify which fields we want to extract.
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
ads.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
The default separator for the fields in the output above is TAB. We could also use the parameter -E separator=, to change the delimiter to a comma.
Parse User Agents and Frequency with Standard Shell Commands
This uses the previous command to extract http.user_agent, this time reading from a pcap rather than from the live interface. Note that in this example, combining tshark with standard shell commands allows us to sort and count the occurrences of the
tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n
Using this we can quickly parse a pcap, even a very large one, and get a summary of all the user agents seen. This can be used to detect malware, old browsers on your network and scripts.
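As an added example (not code from the original post), the script below applies the same sort | uniq -c | sort -n idea to the TAB-separated output of the command above, but offline over a constructed sample so it runs without tshark or a pcap; the function names ua_frequency, ua_flag_rare and ua_frequency_pcap, the sample hosts and the python-requests / MSIE agents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: post-process the TAB-separated
# output of `tshark -T fields -e http.host -e http.user_agent` without needing
# tshark or a pcap.  It assumes the default TAB separator; switching to a comma
# (-E separator=,) would mis-split user agents that themselves contain commas.

# Constructed sample of what the tshark command prints: host<TAB>user_agent.
SAMPLE_FIELDS="$(printf '%s\t%s\n' \
  'searchdns.netcraft.com' 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' \
  'ads.netcraft.com'       'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' \
  'example.invalid'        'python-requests/2.7.0' \
  'scan.example.invalid'   'python-requests/2.7.0' \
  'update.example.invalid' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')"

# Count each user agent across the whole capture, ignoring the host column so
# one agent talking to many hosts is not split into many small counts.
# Reads host<TAB>user_agent on stdin, prints count<TAB>user_agent, rarest first
# (the post's `sort | uniq -c | sort -n` applied to the agent column only).
ua_frequency() {
    cut -f 2 | sort | uniq -c | sort -n |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Triage rule from the post's motivation (malware, old browsers, scripts):
# report agents seen only once, or not claiming a modern Mozilla/5.0 browser.
ua_flag_rare() {
    ua_frequency | awk -F '\t' '$1 == 1 || $2 !~ /^Mozilla\/5\.0/ { print $2 }'
}

# Real capture: feed the post's extraction command (tshark required) into the
# same functions, e.g.  ua_frequency_pcap example.pcap
ua_frequency_pcap() {
    tshark -r "$1" -Y http.request -T fields -e http.host -e http.user_agent | ua_frequency
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_FIELDS" | ua_frequency
echo '--- flagged ---'
printf '%s\n' "$SAMPLE_FIELDS" | ua_flag_rare
```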
Using additional HTTP filters in Analysis
We could perform a similar analysis with the request URL in place of the user agent by using -e http.request.full_uri. Other fields we could include in the output are -e ip.dst and -e http.request.method. As you can see, by combining different filters and output fields we can create very complex data extraction commands for tshark that can be used to find interesting things within a capture.
tshark -r example.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri
DNS Analysis with Tshark
Here is an example that extracts both the DNS query and the response address.
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
campus-map.stanford.edu	188.8.131.52
www.google.com
itunes.apple.com	184.108.40.206
itunes.apple.com
campus-map.stanford.edu
admission.stanford.edu	220.127.116.11
financialaid.stanford.edu	18.104.22.168
admission.stanford.edu
Add the time and the source / destination IP addresses to your output with -e frame.time -e ip.src -e ip.dst.
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
Apr 22, 2015 23:20:16.922103000	22.214.171.124	192.168.1.7	wprecon.com	126.96.36.199
Apr 22, 2015 23:20:17.314244000	188.8.131.52	192.168.1.7	wprecon.com
Apr 22, 2015 23:20:18.090110000	184.108.40.206	192.168.1.7	code.jquery.com