Wireshark and tshark notes: Difference between revisions
Latest revision as of 11:21, 25 June 2024
Wireshark captures network data and shows it visually.
- It's a great network debugging tool.
tshark is basically the command line variant of wireshark.
- This makes it like tcpdump, but a little more capable.
Wireshark and tshark have a slightly confusing difference between capture filters and display filters.
Capture filters
- are what can be passed into libpcap/winpcap,
- so use the same syntax that tcpdump, WinDump, and others use
- cannot be changed during a capture
- are intended mostly to limit the amount of data we pick up into RAM / onto disk (which is great on busy networks)
Display filters
- are much more capable
- only change what part of already-captured data is being shown right now (so can be changed live)
- where the program allows (e.g. interactive wireshark GUI), you can alter while capturing
In Wireshark you get asked for each at different times.
In tshark it's mostly:
- -f <capture filter>
- -Y <displaY filter>
...there are actually a few more filter related options, most of which are only relevant for more advanced use.
And yes, everything you can express in capture filters you can also do in display filters, but the syntax will be different. Consider:
- tcp port 80 (capture filter) versus
- tcp.port == 80 (display filter)
You'll probably frequently use capture filters to narrow down a firehose to what you're interested in, which at first may be as broad as things like:
- net 192.168.0.0/24
- src net 192.168.0.0/24
- dst net 192.168.0.0/24
- host 172.18.5.4
- ether broadcast or ether multicast
- multicast and not broadcast
- net 192.168.0.0/24 or net 0.0.0.0/8 or 224.0.0.0/4
- arp
- port 67 or port 68
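To make the "same thing, different syntax" point concrete, here is an added example (not part of the original notes, and not a Wireshark or tshark tool) that translates the capture-filter primitives listed above into the display-filter spelling tshark's -Y option expects. It deliberately supports only the keywords used on this page (host, net, port, src/dst, tcp/udp, arp, and/or/not) and raises on anything else, such as the ether/multicast forms, rather than guessing. The pcap-filter rule that a bare identifier reuses the most recent keyword is what makes "net A or B" mean "net A or net B"; the helper function names are hypothetical.

```python
"""Hypothetical helper, added for this page: translate the pcap-filter
(capture filter) primitives shown above into Wireshark display-filter syntax.

  tshark -f "tcp port 80"       # capture filter: applied by libpcap, fixed for the run
  tshark -Y "tcp.port == 80"    # display filter: applied by tshark to captured packets
"""
import ipaddress

# Protocol names that form a complete capture-filter primitive on their own.
PROTOCOLS = {"arp", "tcp", "udp", "icmp", "ip", "ip6"}
OPERATORS = {"and": "&&", "or": "||", "not": "!"}


def _addr_term(direction: str, value: str) -> str:
    """host/net primitives: 'src net 10.0.0.0/8' -> 'ip.src == 10.0.0.0/8'."""
    ipaddress.ip_network(value, strict=False)  # raises ValueError on a malformed address
    field = {"": "ip.addr", "src": "ip.src", "dst": "ip.dst"}[direction]
    return f"{field} == {value}"


def _port_term(direction: str, proto: str, value: str) -> str:
    """port primitives. A bare 'port 80' in a capture filter matches TCP or UDP,
    so the display filter has to spell out both protocols."""
    if not value.isdigit():
        raise ValueError(f"port must be numeric, got {value!r}")
    suffix = {"": "port", "src": "srcport", "dst": "dstport"}[direction]
    terms = [f"{p}.{suffix} == {value}" for p in ([proto] if proto else ["tcp", "udp"])]
    return terms[0] if len(terms) == 1 else "(" + " || ".join(terms) + ")"


def capture_to_display(capture_filter: str) -> str:
    """Translate a capture filter into an equivalent display filter string.

    'and' binds tighter than 'or' in both grammars and 'not' binds tightest,
    so the operators can be swapped token for token without re-bracketing.
    """
    tokens = capture_filter.split()
    out = []
    last = None  # (direction, proto, kind) of the previous primitive
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPERATORS:
            out.append(OPERATORS[tok])
            i += 1
            continue
        direction = proto = ""
        # 'tcp port 80' / 'udp dst port 53': protocol qualifier before the port keyword
        if tok in ("tcp", "udp") and i + 1 < len(tokens) and tokens[i + 1] in ("port", "src", "dst"):
            proto, i = tok, i + 1
            tok = tokens[i]
        if tok in ("src", "dst") and i + 1 < len(tokens):
            direction, i = tok, i + 1
            tok = tokens[i]
        if tok in ("host", "net", "port"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok!r} needs a value")
            kind, value = tok, tokens[i + 1]
            i += 2
        elif tok in PROTOCOLS and not direction and not proto:
            out.append(tok)  # 'arp' is the same word in both syntaxes
            last = None
            i += 1
            continue
        elif last is not None:
            # pcap-filter rule: an identifier without a keyword reuses the most
            # recent keyword, which is why 'net A or B' means 'net A or net B'
            kind = last[2]
            direction = direction or last[0]
            proto = proto or last[1]
            value = tok
            i += 1
        else:
            raise ValueError(f"unsupported capture-filter token: {tok!r}")
        last = (direction, proto, kind)
        out.append(_port_term(direction, proto, value) if kind == "port" else _addr_term(direction, value))
    return " ".join(out).replace("! ", "!")


def is_supported(capture_filter: str) -> bool:
    """True if every primitive in the filter is one this helper knows how to translate."""
    try:
        capture_to_display(capture_filter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cf in ["tcp port 80", "host 172.18.5.4", "src net 192.168.0.0/24",
               "net 192.168.0.0/24 or net 0.0.0.0/8 or 224.0.0.0/4", "arp", "port 67 or port 68"]:
        print(f"-f {cf!r:50}  ->  -Y {capture_to_display(cf)!r}")
```

Note that "port 67 or port 68" expands to four display-filter terms: a capture-filter port without a protocol qualifier matches both TCP and UDP, and display filters have no field that means "either transport's port", which is one of the places the two syntaxes differ beyond spelling.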
See also:
- https://wiki.wireshark.org/CaptureFilters
- pcap-filter man page
- tshark man page
Display filters
Display filters try to expose a lot of useful things as fields.
See also:
- https://wiki.wireshark.org/DisplayFilters
- https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf