Debug with Logs in Tshark

Introduction

In this lab, you will learn essential debugging techniques using Wireshark's command-line tool Tshark. You'll explore how to set debug levels with --log-level, capture live traffic on eth1 using -i, and save logs to files with --log-file for analysis.

Through hands-on exercises, you'll practice configuring debug modes, monitoring network traffic, and interpreting log outputs. This lab provides practical experience with Tshark's core debugging features in a controlled VM environment.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/interface -.-> lab-548920{{"Debug with Logs in Tshark"}} wireshark/packet_capture -.-> lab-548920{{"Debug with Logs in Tshark"}} wireshark/display_filters -.-> lab-548920{{"Debug with Logs in Tshark"}} wireshark/packet_analysis -.-> lab-548920{{"Debug with Logs in Tshark"}} wireshark/commandline_usage -.-> lab-548920{{"Debug with Logs in Tshark"}} end

Set Debug Level with --log-level debug

In this step, you'll learn how to adjust the detail level of log messages when using Wireshark's command-line tool tshark. The --log-level flag helps control how much information tshark displays, which is especially helpful when you need to understand what's happening behind the scenes or troubleshoot issues.

First, let's prepare our working environment. Open a terminal in your LabEx VM. We'll work in the default project directory to keep things organized:
```
cd ~/project
```
The basic command structure for setting log levels is straightforward. You simply specify the desired level after the flag:
```
tshark --log-level <level>
```
Here are the most commonly used log levels, ordered from least to most detailed:
- critical - Only displays severe errors that might prevent tshark from working
- warning - Shows potential issues that aren't critical but worth noting
- message - The default level that shows normal operational messages
- info - Provides additional informational messages about tshark's activities
- debug - Shows the most detailed technical information for deep troubleshooting
For this exercise, we'll use debug level to see the maximum amount of information. This will help us understand all the behind-the-scenes operations of tshark. Run this command:
```
tshark --log-level debug
```
After running the command, you'll notice much more output than usual. This debug output includes initialization details, internal processing messages, and technical information about how tshark is handling network traffic.
When you're ready to stop tshark, simply press Ctrl+C in the terminal. This keyboard shortcut sends an interrupt signal to stop the currently running command.

Capture Traffic with -i eth1

In this step, we'll explore how to capture live network traffic using Wireshark's powerful command-line tool tshark. Network interfaces are the physical or virtual points where your computer connects to a network, and eth1 is typically the first Ethernet interface in Linux systems.

First, let's identify which network interfaces are available on your LabEx VM. This helps ensure we're monitoring the correct one:
```
tshark -D
```
This command lists all network interfaces that tshark can access. Look for eth1 in the output - this is usually your primary Ethernet connection.
Now we'll start capturing actual network traffic. The -i flag tells tshark which interface to monitor:
```
tshark -i eth1
```
As packets flow through your network, you'll see them displayed in real-time. Each line represents one network packet and shows:
- The exact time it was captured (timestamp)
- Where it came from and where it's going (IP addresses)
- What kind of network communication it contains (protocol)
- How much data it carries (packet length)
Let the capture run for about 10 seconds to collect a representative sample of traffic. When ready, press Ctrl+C to stop the capture. This gives you hands-on experience with live packet capture.
Sometimes you might want to capture a specific number of packets. The -c flag lets you set this limit:
```
tshark -i eth1 -c 10
```
This command will automatically stop after capturing exactly 10 packets, which is useful for quick tests.
You can combine this with debugging to get more detailed information about the capture process:
```
tshark -i eth1 --log-level debug
```
This shows not just the packets, but also tshark's internal operations, helping you understand what's happening behind the scenes.

Log to File with --log-file tshark.log

In this step, you will learn how to save tshark capture logs to a file for later analysis using the --log-file option. This is particularly useful when you need to document network traffic patterns or troubleshoot connectivity issues, as it allows you to review the data at your convenience rather than watching real-time output.

First, ensure you're in the default working directory. This is important because the log file will be created in your current directory:
```
cd ~/project
```
To start capturing network traffic and simultaneously save all logs to a file named tshark.log, execute this command. The -i eth1 specifies we're capturing from the Ethernet interface:
```
tshark -i eth1 --log-file tshark.log
```
Let the capture run for about 10 seconds to gather sufficient data, then press Ctrl+C to gracefully stop the capture process. This keyboard interrupt ensures the log file is properly closed.
Verify the log file was successfully created by listing directory contents. The -l flag shows detailed file information including size and timestamp:
```
ls -l tshark.log
```
You should see the file listed with its size and creation time, confirming the capture worked as expected.
View the contents of the log file to examine the captured packets. The cat command displays the entire file contents in your terminal:
```
cat tshark.log
```
The output will show the captured packets in a readable format, including timestamps, source/destination addresses, and protocol information.
For a more complete example combining previous steps, try this enhanced command that includes multiple useful parameters:
```
tshark -i eth1 --log-level debug --log-file tshark.log -c 20
```
This comprehensive command will:
- Capture packets specifically from the eth1 network interface
- Set the logging level to debug for maximum detail
- Save all output to the tshark.log file
- Automatically stop after capturing exactly 20 packets

Review Logs for Errors

In this step, you will analyze the tshark log file created in the previous step to identify potential network issues and errors. This is a crucial skill for network troubleshooting as logs provide detailed records of network activity and potential problems.

First, navigate to your project directory if you're not already there. This ensures you're working with the correct log file:
```
cd ~/project
```
View the complete log file contents to get an overall picture of the captured network traffic. The cat command displays the entire file content in your terminal:
```
cat tshark.log
```
To search specifically for error messages in the log, use grep with case-insensitive matching (-i flag). This helps find all error entries regardless of capitalization:
```
grep -i "error" tshark.log
```
For more comprehensive analysis, search for multiple types of issues including warnings and failures. The -E flag enables extended regular expressions:
```
grep -E -i "error|warning|fail" tshark.log
```
To quantify the number of error occurrences, pipe the grep output to word count (wc) with line count (-l). This gives you a quick sense of how many errors were logged:
```
grep -i "error" tshark.log | wc -l
```
For a more structured view of packet-level errors, use tshark's display filter (-Y) to show only frames with error flags. This helps identify problematic packets in your capture:
```
tshark -r tshark.log -Y "frame.error_flag == 1"
```
To save just the error messages for further analysis or reporting, redirect the grep output to a new file. This creates a clean error-only log:
```
grep -i "error" tshark.log > errors.txt
```

Summary

In this lab, you have learned practical techniques for network traffic analysis using Wireshark's command-line tool tshark. You explored setting debug levels with --log-level debug to obtain detailed operational messages, which is crucial for troubleshooting complex network issues.

Additionally, you practiced capturing live traffic on the eth1 interface by identifying available interfaces and analyzing real-time packet data. These fundamental skills enable efficient network monitoring and problem diagnosis in command-line environments.