Compress Capture Files in Tshark

Introduction

In this lab, you will learn to capture, compress, and analyze network traffic using Wireshark's command-line tool tshark. You'll practice essential commands for interface selection, compressed file saving, and packet reading while verifying data integrity.

The exercises cover listing interfaces, capturing live traffic, and inspecting compressed files. By completing this lab, you'll gain skills to efficiently manage packet captures in compressed formats, optimizing storage space without compromising data quality.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/protocol_dissection("Protocol Dissection") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/interface -.-> lab-548918{{"Compress Capture Files in Tshark"}} wireshark/packet_capture -.-> lab-548918{{"Compress Capture Files in Tshark"}} wireshark/display_filters -.-> lab-548918{{"Compress Capture Files in Tshark"}} wireshark/protocol_dissection -.-> lab-548918{{"Compress Capture Files in Tshark"}} wireshark/packet_analysis -.-> lab-548918{{"Compress Capture Files in Tshark"}} wireshark/commandline_usage -.-> lab-548918{{"Compress Capture Files in Tshark"}} end

Capture Traffic with -i eth1

In this step, you'll learn how to use tshark, Wireshark's command-line version, to capture live network traffic. The -i option lets you specify which network interface to monitor - crucial when your machine has multiple network connections.

First, let's prepare our workspace. Open the terminal in your LabEx VM and navigate to the project directory where we'll store our captures:
```
cd ~/project
```
Before capturing, we need to identify available network interfaces. Run this command to list them:
```
tshark -D
```
You'll see output listing your network interfaces, typically including:
```
1. eth1 (your primary Ethernet interface)
2. any (all interfaces)
3. lo (loopback for internal communication)
```
To start capturing packets on your main network interface (usually eth1), use:
```
tshark -i eth1
```
This shows real-time network traffic scrolling in your terminal - each line represents a packet with source/destination addresses and protocol information.
To stop the continuous capture (which would otherwise run indefinitely), press Ctrl+C. The terminal will then display capture statistics including total packets captured.
For practice, let's capture exactly 5 packets. The -c flag limits the capture count:
```
tshark -i eth1 -c 5
```
This command automatically stops after capturing 5 packets, giving you a manageable sample to examine.

Save with Gzip using -w capture.pcap.gz

In this step, we'll explore how to efficiently store network traffic captures by saving them directly in compressed format using Tshark. Compression helps reduce storage space while maintaining all the original packet data. The -w option in Tshark automatically handles compression when we use the .gz file extension.

First, let's navigate to our working directory where we'll store the capture files. This ensures all our files stay organized in one place:
```
cd ~/project
```
Now we'll capture live network traffic and save it compressed. The following command does three important things at once:
- Specifies which network interface to monitor (eth1)
- Automatically compresses the output file (notice the .gz extension)
- Limits the capture to 10 packets for demonstration purposes
```
tshark -i eth1 -w capture.pcap.gz -c 10
```
As the command runs, you'll see Tshark counting each captured packet until it reaches 10.
After the capture finishes, let's verify our compressed file was created properly. The -lh options show the file size in human-readable format:
```
ls -lh capture.pcap.gz
```
The output shows the compressed file's details, including its size (much smaller than an uncompressed capture would be):
```
-rw-r--r-- 1 labex labex 1.2K Mar 1 10:00 capture.pcap.gz
```
Finally, we can read directly from the compressed file without manually decompressing it. This command displays just the first 3 packets to confirm our capture worked:
```
tshark -r capture.pcap.gz -c 3
```
Tshark handles the decompression automatically, showing you the packet details exactly as if you'd used an uncompressed file.

Read Compressed File with -r capture.pcap.gz

In this step, you'll work with the compressed packet capture file (capture.pcap.gz) you created earlier. We'll use Wireshark's command-line tool tshark to read and analyze this file without needing to manually decompress it first. This is particularly useful when dealing with large capture files that would take up significant disk space if uncompressed.

First, let's verify we're in the right location and that our compressed capture file exists. The following commands will navigate to the project directory and list the file with details:
```
cd ~/project
ls -l capture.pcap.gz
```
You should see the compressed file listed with its size and permissions. This confirms we're ready to proceed.
The basic command to read the compressed capture file displays packet summaries. Each line represents one network packet with essential information like timestamp, source/destination addresses, and protocol:
```
tshark -r capture.pcap.gz
```
Notice that tshark automatically handles the gzip compression - we don't need separate decompression steps.
When working with large files, it's often helpful to limit output. This command shows just the first 5 packets, which is useful for quick verification:
```
tshark -r capture.pcap.gz -c 5
```
The -c flag stands for "count" and controls how many packets to display.
To dive deeper into packet contents, we use verbose mode with -V. This example shows full details for the first 3 packets, including all protocol headers and payload data:
```
tshark -r capture.pcap.gz -V -c 3
```
The verbose output is invaluable when you need to examine specific packet fields or troubleshoot network issues.
For targeted analysis, we can filter packets by protocol. This command displays the first 2 HTTP packets found in the capture:
```
tshark -r capture.pcap.gz -Y "http" -c 2
```
The -Y flag applies a display filter (similar to Wireshark's main filter syntax).
Finally, to get statistics about the entire capture file without displaying individual packets, we use this counting command:
```
tshark -r capture.pcap.gz -q -z io,stat,0
```
The -q makes the output quiet (suppressing packet display), while -z provides various statistics options. This gives a quick overview of the capture's size and content.

Verify with -V

In this step, you'll explore Wireshark's powerful verbose mode using the -V flag. This mode reveals the complete protocol dissection of packets, showing you exactly what's happening at each layer of network communication. It's particularly useful when you need to examine packet contents beyond just the basic headers.

First, let's navigate to our working directory and verify our compressed capture file exists. The cd command changes directory, while ls -l shows detailed file information:
```
cd ~/project
ls -l capture.pcap.gz
```
Now we'll use -V to see comprehensive protocol details. The -c 3 flag limits output to the first 3 packets, making it easier to analyze:
```
tshark -r capture.pcap.gz -V -c 3
```
Each packet's output will show layer-by-layer information including Ethernet, IP, and transport layer headers, followed by any application layer data.
When focusing on HTTP traffic, we combine -V with a display filter (-Y). This shows only HTTP packets with their full protocol details:
```
tshark -r capture.pcap.gz -Y "http" -V -c 2
```
For TCP analysis, this command displays one TCP packet with all its protocol fields. You'll see sequence numbers, flags, window size, and other TCP-specific information:
```
tshark -r capture.pcap.gz -V -Y "tcp" -c 1
```
DNS queries reveal interesting details in verbose mode. This shows a single DNS packet including query type, class, and the complete question section:
```
tshark -r capture.pcap.gz -V -Y "dns" -c 1
```
Finally, we can check for packets with bad checksums. This helps identify potential network corruption or capture issues:
```
tshark -r capture.pcap.gz -V -Y "tcp.checksum_bad==1" -c 1
```

Summary

In this lab, you have learned to efficiently capture, compress, and analyze network traffic using Wireshark's tshark command-line tool. You practiced capturing live traffic on the eth1 interface with -i eth1 and saving compressed files directly in gzip format using -w capture.pcap.gz.

The exercises demonstrated how to manage packet captures effectively by combining compression with analysis. You verified the ability to read compressed files without manual decompression using -r capture.pcap.gz, while mastering essential flags like -i, -w, -r, and -c.