Apply Capture Filters in Tshark

Introduction

In this lab, you will learn how to use Tshark's capture filters to selectively capture network packets. You'll explore Wireshark filter syntax and practice capturing TCP traffic on specific interfaces using commands like tshark -f "tcp".

Through hands-on exercises, you'll filter TCP packets on eth1, analyze packet details, and save results to tcp.pcap. This lab provides practical experience in applying capture filters to efficiently isolate and examine targeted network traffic.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/capture_filters("Capture Filters") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/packet_capture -.-> lab-548914{{"Apply Capture Filters in Tshark"}} wireshark/capture_filters -.-> lab-548914{{"Apply Capture Filters in Tshark"}} wireshark/packet_analysis -.-> lab-548914{{"Apply Capture Filters in Tshark"}} wireshark/commandline_usage -.-> lab-548914{{"Apply Capture Filters in Tshark"}} end

Learn Syntax with Manual Reference

In this step, you will learn the basic syntax of Wireshark capture filters by referencing the manual page. Understanding these fundamentals is crucial before performing actual packet captures, as filters allow you to selectively capture only the network traffic you're interested in.

First, open the terminal in your LabEx VM if not already open. The default working directory is ~/project. This is where we'll execute all our commands.
To access the comprehensive Wireshark filter documentation, run the following command in your terminal:

man wireshark-filter

This manual page contains all the official documentation about capture filter syntax and capabilities. Think of it as your cheat sheet for building effective filters.

As you scroll through the manual (press Enter to navigate), focus on these key sections that form the foundation of capture filters:
- Basic filter syntax structure: How to properly format your filter expressions
- Common protocol filters: Predefined filters for protocols like TCP, UDP, HTTP
- Comparison operators: How to compare values in your filters
- Logical operators: Combine conditions using and, or, not
Now let's apply what you've learned with a practical example. Execute this command to test a simple TCP filter:

tshark -f "tcp" -c 5

This command does three things:

-f "tcp" applies a filter to capture only TCP packets
-c 5 limits the capture to 5 packets
The results display directly in your terminal

If there's network traffic, you'll see output similar to this, showing details of each captured TCP packet:

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 443 → 49234 [SYN] Seq=0 Win=64240 Len=0

Each line represents one packet, showing its number, timestamp, source and destination IP addresses, ports, and TCP flags.

When you're done examining the output, press q to exit both the manual page (if still open) and any running tshark capture. This returns you to the command prompt, ready for the next step.

Filter TCP Traffic with -f "tcp"

In this step, you will practice capturing TCP (Transmission Control Protocol) network traffic using Wireshark's filter syntax. TCP is one of the core protocols of the Internet protocol suite, providing reliable, ordered, and error-checked delivery of data between applications. This exercise builds on the basic packet capture skills you learned previously.

First, ensure you're in the default working directory where we'll store our capture files:

cd ~/project

To capture live TCP traffic from your network interface, execute this command:

sudo tshark -i eth1 -f "tcp" -c 10

Let's break down what each part of this command does:

sudo gives you administrator privileges needed for packet capture
-i eth1 specifies we're capturing from the Ethernet interface (eth1)
-f "tcp" applies a capture filter to only collect TCP packets
-c 10 limits the capture to 10 packets for this demonstration

The output will display TCP packets with essential information in this format:

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 443 → 49234 [SYN] Seq=0 Win=64240 Len=0
2 0.000123 192.168.1.2 → 192.168.1.1 TCP 74 49234 → 443 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0

Each line represents a TCP packet showing:

Packet number and timestamp
Source and destination IP addresses
Source and destination ports
TCP flags (like SYN, ACK)
Sequence numbers and window sizes

To examine the complete TCP packet structure including all header fields, use the verbose mode:

sudo tshark -i eth1 -f "tcp" -c 5 -V

The -V flag provides detailed output showing the complete TCP header with all its fields like sequence numbers, acknowledgment numbers, flags, window size, checksum, and options.

If you need to interrupt a running capture at any point, simply press Ctrl+C to stop the process. This is useful when you want to terminate a long-running capture or if you've seen enough packets for your analysis.

Capture Filtered Traffic on eth1

In this step, you will learn to capture network traffic on the eth1 interface with specific filters, building on the TCP filtering from previous steps. The eth1 interface typically represents your primary wired network connection, and we'll use it to demonstrate practical packet capturing scenarios.

First, verify your network interfaces by running:

ip addr show eth1

This command displays detailed information about your eth1 interface. You should see output showing the eth1 interface is up (state UP) and has an assigned IP address. This verification is important because you can't capture traffic on an interface that doesn't exist or isn't active.

To capture HTTP traffic specifically on eth1, use:

sudo tshark -i eth1 -f "tcp port 80" -c 15

Let's break down what this command does:

-i eth1 specifies which network interface to listen on
-f "tcp port 80" creates a capture filter for HTTP traffic (port 80 is the standard HTTP port)
-c 15 limits the capture to 15 packets, which is enough for demonstration without overwhelming you with data

To capture traffic between specific IPs, try:

sudo tshark -i eth1 -f "host 8.8.8.8" -c 10

Here we're filtering traffic to/from Google's DNS server (8.8.8.8). The "host" filter matches both incoming and outgoing traffic to this specific IP address. This is useful when you want to monitor communication with a particular server.

For more complex filtering, combine conditions:

sudo tshark -i eth1 -f "tcp port 443 and host 8.8.8.8" -c 5

This command demonstrates how to combine filters. It captures HTTPS traffic (port 443) specifically to/from 8.8.8.8. The "and" operator allows you to create precise filters that match multiple conditions simultaneously.

Observe the output showing filtered packets with details like:

1 0.000000 192.168.1.100 → 8.8.8.8 TCP 74 49234 → 443 [SYN] Seq=0 Win=64240 Len=0

This sample output shows a TCP SYN packet (the first packet in a TCP connection) from your local machine (192.168.1.100) to Google's server. The numbers represent timing, ports, and TCP sequence information that helps analyze network behavior.

Save Results with -w tcp.pcap

In this step, you will learn how to save captured network traffic to a file for later analysis. This is particularly useful when you need to examine network packets at a different time or share them with colleagues. We'll use Wireshark's command-line tool Tshark with the -w option to save our capture.

First, let's make sure we're in the correct working directory. The ~/project directory is where we'll store our capture files to keep things organized:

cd ~/project

Now we'll capture actual TCP traffic. The following command does several important things at once. It's like setting up a network camera that only records TCP packets and saves them to a file:

sudo tshark -i eth1 -f "tcp" -w tcp.pcap -c 20

Let's break down what each part of this command means:

-i eth1 tells Tshark to listen on the eth1 network interface
-f "tcp" applies a capture filter to only record TCP packets
-w tcp.pcap saves the captured packets to a file named tcp.pcap
-c 20 limits the capture to 20 packets so we don't collect too much data

After running the capture, we should verify that our file was created properly. The ls command with -lh options shows the file size in a human-readable format:

ls -lh tcp.pcap

You should see output showing the file exists and its size (typically a few KB for 20 packets).

Now let's examine our captured packets. This command reads the first 5 packets from our saved file:

tshark -r tcp.pcap -c 5

The -r option tells Tshark to read from a file instead of capturing live traffic, while -c 5 limits the output to 5 packets.

For a more technical view of what we captured, we can use verbose mode. This shows all the protocol details and packet contents, but we'll limit it to the first 20 lines to keep the output manageable:

tshark -r tcp.pcap -V | head -20

The -V enables verbose output, and head -20 shows just the beginning of that output so we don't get overwhelmed with information.

Summary

In this lab, you have learned to apply capture filters in tshark through practical exercises. You explored filter syntax fundamentals including protocol filters and logical expressions, then practiced capturing TCP traffic with basic commands.

The lab further guided you through advanced techniques like live interface monitoring, output customization with verbose mode, and saving filtered captures to files. These skills enable efficient network traffic analysis by combining interface selection, filtering, and output management in streamlined workflows.