tshark usage example

Anil Kumar
1 min read, Feb 23, 2021

Wireshark is an excellent GUI tool for viewing and analysing network traces. Often we ssh to servers from a terminal/console and capture traces (pcap, pcapng, etc.) with the tcpdump command. To analyse these traces we then have to copy them to a system that has Wireshark installed, and if the files are large this takes a considerable amount of time and bandwidth. tshark makes life easier in this scenario: it is the text (command-line) version of Wireshark, with which you can capture and analyse trace files directly on the server. Here are sample usages of tshark for different scenarios.

tshark -r ldap.pcap -2 -Y 'ldap and ldap.protocolOp == 3' -T json -J ldap

tshark -r ldap.pcap -2 -Y 'ldap and ldap.protocolOp == 3' -O ldap

tshark -r ldap.pcap -2 -Y 'ldap and ldap.protocolOp == 3' -T fields -e tcp.payload

tshark -r sip.pcap -Y 'sip.Status-Code == 200 and (udp.port == 7722 or udp.port == 7711)' -T fields -e 'sdp.media_attribute.field'

tshark -r camel.pcap -Y camel -O m3ua,camel
(decode only the m3ua and camel layers in full)

tshark -r camel.pcap -Y camel -O m3ua,sccp,camel
(decode only the m3ua, sccp and camel layers in full)
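The -T fields output above is easiest to work with when it is made machine-readable. The following is an added example (not from the original post): it wraps the LDAP filter from the commands above with a header row and tab separator, parses the result and tallies it, so a large capture can be summarised on the server itself. The field list, the sample output and the helper names are my own assumptions; only the parsing and counting run offline, and run_tshark needs tshark on PATH.

```python
"""Summarise tshark '-T fields' output on a server without a GUI (added example)."""
import shutil
import subprocess
from collections import Counter

# Fields to extract; -E header=y and -E separator=/t make the output
# a tab-separated table with a header row (real tshark options).
FIELDS = ["frame.number", "ip.src", "ip.dst", "ldap.protocolOp"]
TSHARK_ARGS = ["-2", "-Y", "ldap", "-T", "fields",
               "-E", "header=y", "-E", "separator=/t"]
for f in FIELDS:
    TSHARK_ARGS += ["-e", f]

def parse_fields(text):
    """Parse tab-separated tshark output (header row first) into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]

def select(rows, key, value):
    """Keep only rows whose field equals value (e.g. ldap.protocolOp == 3)."""
    return [r for r in rows if r.get(key) == value]

def count_by(rows, key):
    """Count rows per distinct value of a field, e.g. search requests per client."""
    return Counter(r.get(key, "") for r in rows)

def run_tshark(pcap):
    """Run tshark on a capture file and parse its output (assumes tshark on PATH)."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(["tshark", "-r", pcap] + TSHARK_ARGS,
                          check=True, capture_output=True, text=True)
    return parse_fields(proc.stdout)

# Constructed sample of what the command above prints; not a real capture.
# protocolOp 0 = bindRequest, 1 = bindResponse, 3 = searchRequest.
SAMPLE_OUTPUT = ("frame.number\tip.src\tip.dst\tldap.protocolOp\n"
                 "1\t10.0.0.5\t10.0.0.10\t0\n"
                 "2\t10.0.0.10\t10.0.0.5\t1\n"
                 "3\t10.0.0.5\t10.0.0.10\t3\n"
                 "5\t10.0.0.7\t10.0.0.10\t3\n")

if __name__ == "__main__":
    rows = parse_fields(SAMPLE_OUTPUT)
    searches = select(rows, "ldap.protocolOp", "3")
    print("search requests per client:", count_by(searches, "ip.src"))
```

Replace SAMPLE_OUTPUT with run_tshark("ldap.pcap") to summarise a real capture; the same parse_fields works for any -e field list as long as header=y is kept.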
