Capture Packets in Tshark

Introduction

In this lab, you will learn how to use Tshark, the command-line version of Wireshark, to capture and analyze network packets. You'll practice essential skills including interface selection, packet capture initiation, protocol filtering, and output saving techniques.

This practical exercise covers Tshark installation, permission configuration, and basic command operations for effective network monitoring. These fundamental packet analysis skills are valuable for network troubleshooting and security investigations.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/installation("Installation and Setup") wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") subgraph Lab Skills wireshark/installation -.-> lab-549928{{"Capture Packets in Tshark"}} wireshark/interface -.-> lab-549928{{"Capture Packets in Tshark"}} wireshark/packet_capture -.-> lab-549928{{"Capture Packets in Tshark"}} wireshark/display_filters -.-> lab-549928{{"Capture Packets in Tshark"}} wireshark/export_packets -.-> lab-549928{{"Capture Packets in Tshark"}} end

Install Tshark

In this step, you will install Tshark, a powerful command-line network protocol analyzer that comes with Wireshark. Tshark is the terminal version of Wireshark and allows you to capture and analyze network traffic directly from the command line without a graphical interface. This is particularly useful when working on remote servers or when you prefer keyboard-based workflows.

First, update the package list to ensure you get the latest version of Tshark. This is a good practice before installing any new software on Linux systems:
```
sudo apt update
```
Install Tshark using the following command. The -y flag automatically confirms any prompts during installation:
```
sudo apt install -y tshark
```
During installation, you may see a prompt about allowing non-superusers to capture packets. This is an important security consideration - selecting "Yes" will allow regular users to run packet capture, which is what we want for this lab.
After installation completes, verify Tshark is correctly installed by checking its version. This command also confirms the installation path is properly set in your system:
```
tshark --version
```
You should see output similar to:
```
TShark (Wireshark) 3.6.12 (Git v3.6.12 packaged as 3.6.12-1~ubuntu20.04.0)
```
To ensure Tshark can capture packets without requiring root privileges (which would be inconvenient and less secure), we need to add your user to the wireshark group. This group has the necessary permissions for packet capture:
```
sudo usermod -aG wireshark $USER
```
Note: Normally you would need to log out and log back in for this group change to take effect, but in this lab environment the change should be immediate. In a real system, you would need to restart your session.

Select an Interface

In this step, you will identify and select a network interface for packet capture using Tshark. Network interfaces are the points of connection between your computer and a network, and you need to choose the correct one to monitor network traffic. Think of them like doors to your computer - you need to pick the right door where the network traffic is coming through.

First, list all available network interfaces on your system:
```
tshark -D
```
This command will display all network interfaces your computer can use to capture packets. The output typically looks like:
```
1. eth0
2. any (Pseudo-device that captures on all interfaces)
3. lo (Loopback)
```
Each interface serves a different purpose. The eth0 is usually your wired Ethernet connection, while wlan0 would be your wireless connection if available.
Examine the output carefully to identify your active network interface. For most practical purposes, you'll want to use:
- eth0 for Ethernet connection (common in labs and virtual machines)
- wlan0 for wireless connection (if your computer has WiFi)
- any to capture on all interfaces simultaneously (useful but can be noisy)
For this lab, we'll use the eth0 interface as it's commonly available in virtual environments. Before proceeding, let's verify this interface exists and is active by running:
```
ip link show eth0
```
This command shows detailed information about the eth0 interface. You should see output indicating the interface exists and its current state (UP/DOWN). If the command returns an error, the interface may not be available on your system.
Now let's test our interface selection with a quick packet capture. Run this command to capture exactly 5 packets from the eth0 interface:
```
tshark -i eth0 -c 5
```
The -i flag specifies which interface to use, and -c 5 tells Tshark to stop after capturing 5 packets. This is a good way to verify your interface selection works before doing longer captures. The packets will appear in your terminal as they're captured.

Start Packet Capture

In this step, you will begin capturing live network traffic using Tshark on the interface you selected in the previous step. Packet capture is fundamental to network analysis as it allows you to monitor and examine all network communications passing through your selected interface. Think of it like setting up a microphone to record all conversations happening on a specific network channel.

First, ensure you're in the correct directory where we'll be working:
```
cd ~/project
```
This ensures all your captured packet files will be saved in the right location and keeps your workspace organized.
Start a basic packet capture on your selected interface (eth0) with the following command:
```
tshark -i eth0
```
The -i flag tells Tshark which interface to listen on (in this case, eth0). This command begins capturing all packets on the eth0 interface and displays them in real-time in your terminal. Each line represents a single network packet with details about its source, destination, protocol, and other characteristics.
Let the capture run for about 30 seconds to collect some traffic. You'll see output similar to:
```
1 0.000000000 192.168.1.2 → 192.168.1.1 TCP 74 55922 → 80 [SYN] Seq=0 Win=64240 Len=0
2 0.000123456 192.168.1.1 → 192.168.1.2 TCP 74 80 → 55922 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
```
This example shows a TCP handshake between two devices. The first line shows a SYN packet initiating a connection, while the second line shows the response (SYN-ACK).
To stop the capture, press Ctrl+C in your terminal. This keyboard shortcut sends an interrupt signal to Tshark. The tool will then display capture statistics like:
```
^C123 packets captured
```
This summary tells you how many packets were captured during your session.
For a more controlled capture, you can specify the exact number of packets to capture (e.g., 50 packets):
```
tshark -i eth0 -c 50
```
The -c flag stands for "count" and makes Tshark automatically stop after capturing the specified number of packets. This is useful when you only need a sample of network traffic rather than a continuous capture.

Filter by Protocol

In this step, you will learn to filter network traffic by specific protocols using Tshark. Protocol filtering is essential because networks carry many different types of traffic simultaneously. By filtering, you can focus on particular protocols that interest you while ignoring irrelevant packets, making your analysis more efficient.

First, ensure you're in the correct directory where we'll be working. This helps keep your project files organized:
```
cd ~/project
```
Let's start with TCP traffic, which is used by many common services like web browsing (HTTP/HTTPS) and secure shell (SSH). The following command captures 20 TCP packets:
```
tshark -i eth0 -f "tcp" -c 20
```
The -f flag specifies the capture filter, while -c limits the number of packets captured.
Now try capturing UDP traffic, which is used for lightweight communications like DNS lookups and VoIP services. This command captures 10 UDP packets:
```
tshark -i eth0 -f "udp" -c 10
```
For ICMP packets (used by network diagnostic tools like ping), use this command to capture 5 packets:
```
tshark -i eth0 -f "icmp" -c 5
```
You can combine filters to capture multiple protocols simultaneously. This example captures both DNS traffic (UDP port 53) and HTTP traffic (TCP port 80), totaling 15 packets:
```
tshark -i eth0 -f "port 53 or port 80" -c 15
```
For more precise filtering after capture, use display filters with the -Y option. This command captures 30 packets but only shows HTTP or DNS traffic in the output:
```
tshark -i eth0 -c 30 -Y "http or dns"
```
Display filters are processed after capture, allowing for more complex filtering without affecting what gets recorded.

Save Capture Output

In this step, you will learn to save your captured network traffic to files for later analysis. Saving packet captures is crucial because it allows you to review network activity at a later time, share findings with team members, or perform detailed analysis without needing to capture live traffic again. The PCAP (Packet CAPture) format is the standard file format used by most network analysis tools.

First, ensure you're in the correct directory where you want to save your capture files. The project directory is a good place to keep your work organized:
```
cd ~/project
```
The basic command to save captured packets uses the -w flag to specify the output file. This example captures 50 packets from interface eth0 and saves them in PCAP format:
```
tshark -i eth0 -c 50 -w capture.pcap
```
The .pcap extension is important as it indicates this is a standard packet capture file that can be opened by most network analysis tools.
For better organization, you can create a dedicated directory for your captures. This command first creates a 'captures' directory if it doesn't exist, then captures only HTTP traffic (port 80) and saves it with a descriptive filename:
```
mkdir -p captures && tshark -i eth0 -c 30 -w captures/http_traffic.pcap -f "port 80"
```
To review a saved capture file, use the -r (read) option. This displays the packets in the terminal just like a live capture:
```
tshark -r capture.pcap
```
For more advanced workflows, you can capture all traffic first, then extract specific protocols later. This example captures 100 packets, then filters out only DNS traffic to a new file:
```
tshark -i eth0 -c 100 -w full_capture.pcap \
  && tshark -r full_capture.pcap -Y "dns" -w dns_only.pcap
```
Finally, verify your saved captures by listing them with their sizes. This helps you confirm the files were created and gives you an idea of how much data was captured:
```
ls -lh *.pcap
```
The -lh options make the output more readable by showing file sizes in human-readable format (KB, MB) rather than bytes.

Summary

In this lab, you have learned how to install and configure Tshark for network packet analysis. The process included installing Tshark via apt, updating package lists, and verifying the installation with tshark --version.

You also practiced identifying network interfaces using tshark -D and selecting an appropriate interface for traffic capture. These foundational skills prepare you for more advanced network protocol analysis in future exercises.