Wireshark and tshark notes
Wireshark captures network data and shows it visually; among other things, it is a great network debugging tool.
tshark is basically the command-line variant of Wireshark.
That makes it similar to tcpdump, but a little more capable.
Wireshark and tshark have a slightly confusing distinction between capture filters and display filters.
Capture filters
- are what gets passed into libpcap/winpcap,
- so use the same syntax that tcpdump, WinDump, and others use
- cannot be changed during a capture
- are intended mostly to limit the amount of data we pick up into RAM / onto disk (which is great on busy networks)
Display filters
- are much more capable
- can be altered while capturing, if the program allows it (e.g. the Wireshark GUI)
- only change which part of the already-captured data is shown right now (which is why they can be changed live)
Yes, there is plenty of overlap - with different syntax, e.g.
- tcp port 80 (capture filter) versus
- tcp.port == 80 (display filter)
In Wireshark you get asked for them at different times.
In tshark it's mostly:
- -f <capture filter>
- -Y <displaY filter>
...there are actually a few more filter related options, most of which are only relevant for more advanced use.
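The following is an added example, not something from the original notes: a small POSIX shell script that uses the two filter kinds where each fits. Stage 1 captures with a capture filter (-f) so only traffic of interest is written to disk; stage 2 re-reads the saved file with display filters (-Y) that can be changed and re-run without recapturing. It reuses the note's own `tcp port 80` / `tcp.port == 80` pair; the interface name `eth0`, the file name `web.pcap` and the packet count are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: a two-stage tshark workflow.
# Stage 1 applies a capture filter (-f, libpcap/BPF syntax) so only traffic of
# interest reaches disk; stage 2 re-reads the saved file with a display filter
# (-Y, field syntax), which can be changed and re-run as often as needed.
# Interface name, file name and filter strings are constructed placeholders.

# Print the stage-1 command: capture on interface $1 with capture filter $2,
# write to file $3, and stop after $4 packets (omit or 0 = run until Ctrl-C).
capture_cmd() {
  printf "tshark -i %s -f '%s' -w %s" "$1" "$2" "$3"
  [ "${4:-0}" -gt 0 ] && printf ' -c %s' "$4"
  printf '\n'
}

# Print the stage-2 command: read file $1, keep packets matching display
# filter $2, and print the remaining arguments as comma-separated fields.
analyze_cmd() {
  file=$1; dfilter=$2; shift 2
  printf "tshark -r %s -Y '%s' -T fields -E separator=," "$file" "$dfilter"
  for field in "$@"; do printf ' -e %s' "$field"; done
  printf '\n'
}

# Compose both stages. Stage 1 keeps the capture small with the note's own
# 'tcp port 80' capture filter; stage 2 narrows it twice over the same file:
# first to the same port in field syntax, then to bare connection attempts
# (SYN without ACK), which a capture filter cannot express as directly.
# Commands are only executed when DRY_RUN=0 is set; by default they are printed.
two_stage() {
  iface=${1:-eth0}
  cap=$(capture_cmd "$iface" 'tcp port 80' web.pcap 200)
  all80=$(analyze_cmd web.pcap 'tcp.port == 80' ip.src ip.dst tcp.dstport)
  syns=$(analyze_cmd web.pcap 'tcp.port == 80 && tcp.flags.syn == 1 && tcp.flags.ack == 0' ip.src ip.dst)
  if [ "${DRY_RUN:-1}" = 0 ] && command -v tshark >/dev/null 2>&1; then
    sh -c "$cap" && sh -c "$all80" && sh -c "$syns"
  else
    printf 'Commands that would run:\n%s\n%s\n%s\n' "$cap" "$all80" "$syns"
  fi
}

# Default invocation prints the three commands; run with
#   DRY_RUN=0 sh two_stage.sh eth0
# (as root or with capture rights on the interface) to execute them.
two_stage "$@"
```

Note the division of labour: the capture filter only ever applies to a live capture, so when tshark reads a file with -r, only display filters (-Y) are available, which is why the second stage can be re-run with different field expressions without touching the interface again.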
You'll probably frequently use capture filters to narrow to what you're interested in, which at first may be as broad as things like:
- net 192.168.0.0/24
- src net 192.168.0.0/24
- dst net 192.168.0.0/24
- host 172.18.5.4
- ether broadcast or ether multicast
- multicast and not broadcast
- net 192.168.0.0/24 or net 0.0.0.0/8 or 224.0.0.0/4
- arp
- port 67 or port 68
See also:
- https://wiki.wireshark.org/CaptureFilters
- pcap-filter man page
- tshark man page
Display filters
Display filters try to expose a lot of useful things as fields.
See also:
- https://wiki.wireshark.org/DisplayFilters
- https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf