Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, I will focus on providing practical examples for how you can get started using tshark and begin carving valuable information from the wire.
Use these as the basis for starting to build your extraction commands. As you can see the syntax is very similar to
tshark -i wlan0 -w capture-output.pcap tshark -r capture-output.pcap
In the following example you can see that we extract data from any HTTP requests that are seen. Using the
-T we specify that we want to extract fields and with the
-e options we identify which fields we want to extract.
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 1 searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 ads.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
The default separator for the fields in the output above is TAB. We could also use the parameter
-E seperator=, to change the delimeter to a comma.
Here is an example that extracts both the DNS query and the response address.
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
68 campus-map.stanford.edu 22.214.171.124 www.google.com itunes.apple.com 126.96.36.199 71 itunes.apple.com campus-map.stanford.edu admission.stanford.edu 188.8.131.52 74 financialaid.stanford.edu 184.108.40.206 admission.stanford.edu
Add time and source / destination IP addresses
-e frame.time -e ip.src -e ip.dst to your output.
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
Apr 22, 2015 23:20:16.922103000 220.127.116.11 192.168.1.7 wprecon.com 18.104.22.168 1 Apr 22, 2015 23:20:17.314244000 22.214.171.124 192.168.1.7 wprecon.com 2 Apr 22, 2015 23:20:18.090110000 126.96.36.199 192.168.1.7 code.jquery.com
stdoutgiving you many options to manipulate and clean the output.
Lets get passwords.... in a HTTP post. By not specifying the fields option as above we will receive the full TCP stream of the HTTP Post. If we add the filter
tcp contains "password" and
grep for that password we will just get the actual POST data line.
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
Hopefully this tutorial has given you a quick taste of the useful features that are available to you when using
tshark for extracting data from the wire or from pcaps.