Introduction
In this lab, you will learn how to filter and export specific network packets using Wireshark's command-line tool tshark. You'll practice extracting UDP packets from a sample capture file (capture.pcap) and saving them to a new file (udp.pcap).
The exercise covers key tshark operations including opening capture files with -r, applying filters with -Y, and exporting results using -w. You'll also verify the exported packets using detailed analysis with the -V flag.
Open File with -r capture.pcap
In this step, you will learn how to open a packet capture file using Wireshark's command-line tool tshark. This is the first step in analyzing network traffic from a pre-recorded capture file. Tshark is the terminal version of Wireshark, allowing you to analyze network packets without the graphical interface.
The -r option in tshark allows you to read packets from a previously saved capture file. The file we'll use (capture.pcap) contains sample network traffic data for analysis. PCAP files store raw network packet data that can be examined later.
Follow these steps carefully:
- First, ensure you're in the correct directory where the capture file is located. This is important because tshark needs to find the file:
cd ~/project
- Verify that the capture file exists and check its size. This confirms you're working with the right file:
ls -l capture.pcap
You should see output similar to this, showing the file permissions, size and modification time:
-rw-r--r-- 1 labex labex 123456 Jul 1 10:00 capture.pcap
- Now open the capture file using tshark. This basic command reads the file and displays a summary of each packet:
tshark -r capture.pcap
This will display the packet summary in your terminal. Each line represents one network packet with key information:
1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 443 → 54321 [SYN] Seq=0 Win=64240 Len=0
2 0.000123 192.168.1.2 → 192.168.1.1 TCP 74 54321 → 443 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
- To see more detailed information about the packets, including all protocol layers (Ethernet, IP and TCP headers), add the -V flag for verbose output:
tshark -r capture.pcap -V
This will show the complete packet details, which is useful when you need to examine specific fields in the packet headers.
Filter UDP with -Y "udp"
In this step, you will learn how to filter UDP packets from a network capture using Wireshark's display filter syntax with the -Y option in tshark. UDP (User Datagram Protocol) is a core networking protocol that provides a simple way to send datagrams without establishing connections. This filtering is particularly useful when you need to focus only on UDP traffic from a larger capture file that may contain multiple protocols.
The -Y option in tshark works similarly to Wireshark's display filter field. It allows you to specify filtering criteria that will show only packets matching certain conditions. Here, we'll specifically filter for packets using the UDP protocol.
Follow these steps carefully:
- First, ensure you're still in the project directory where your capture file is located. This is important because tshark needs the correct path to access your capture file:
cd ~/project
- Now apply the UDP filter to analyze only UDP packets in the capture file. The basic command structure is tshark -r [file] -Y [filter]:
tshark -r capture.pcap -Y "udp"
This command will process the capture.pcap file and display only UDP packets. The output will show filtered packets in a format like this:
5 0.002345 192.168.1.1 → 192.168.1.2 UDP 82 5353 → 5353 Len=40
8 0.004567 192.168.1.2 → 192.168.1.1 UDP 82 5353 → 5353 Len=40
Each line represents a UDP packet, showing its number in the capture, timestamp, source and destination IP addresses, ports, and packet length.
- To get more detailed information about each UDP packet, add the -V (verbose) flag. This displays the complete protocol breakdown for each packet:
tshark -r capture.pcap -Y "udp" -V
This verbose output will show all layers of the packet, including Ethernet, IP, and UDP headers with their respective fields and values.
- If you just need to know how many UDP packets exist in your capture (without seeing their contents), pipe the summary output to wc -l, which counts one line per packet:
tshark -r capture.pcap -Y "udp" | wc -l
This will output a single number representing the total count of UDP packets found in your capture file.
Export Packets with -w udp.pcap
In this step, you will learn how to export filtered UDP packets to a new capture file using Wireshark's -w option. This is particularly useful when you want to isolate specific network traffic for focused analysis or to share with colleagues.
The -w option tells tshark to write the packets it reads to a new capture file instead of printing summaries. When combined with the -Y filter we used earlier, only the packets that pass the filter are written, so we can selectively save the UDP packets from our original capture file. One caveat: current tshark versions write the pcapng format by default regardless of the .pcap file name; add -F pcap if the file must be in classic pcap format for another tool.
Let's break down the process step by step:
- First, ensure you're in the project directory where your capture file is located:
cd ~/project
- Now, let's export all UDP packets to a new file called udp.pcap:
tshark -r capture.pcap -Y "udp" -w udp.pcap
This command does three important things:
- -r capture.pcap specifies the input file to read
- -Y "udp" applies our filter to select only UDP packets
- -w udp.pcap tells tshark where to save the filtered packets
- After running the command, let's verify that our new file was created:
ls -l udp.pcap
You should see output similar to this, showing the file exists and its size:
-rw-r--r-- 1 labex labex 12345 Jul 1 10:05 udp.pcap
- To check how many UDP packets were actually exported to our new file:
tshark -r udp.pcap | wc -l
This command counts the packets in the new file (one summary line per packet). The number should match the count you got from tshark -r capture.pcap -Y "udp" | wc -l on the original capture.
- Finally, let's confirm that only UDP packets were exported by checking for any non-UDP packets:
tshark -r udp.pcap -Y "not udp" | wc -l
This should return 0, which means our filter worked correctly and only UDP packets were saved to udp.pcap.
Verify with -r udp.pcap -V
In this final verification step, we'll examine the contents of the exported UDP packets file (udp.pcap) using Wireshark's detailed output mode. The -V flag stands for "verbose" and displays comprehensive protocol information for each packet, helping us confirm that our earlier filtering and export operations worked correctly.
When working with packet captures, verification is crucial because it ensures we've extracted exactly what we intended. Let's walk through several verification methods:
- First, navigate to the project directory where your packet capture file is stored:
cd ~/project
- View the first few UDP packets with detailed protocol information. The head -20 command limits the output to the first 20 lines for readability:
tshark -r udp.pcap -V | head -20
The output will show packet details like this example, where you can verify UDP protocol information:
Frame 1: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.2
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
- To confirm all packets in the file are UDP packets, we'll examine the protocol fields. This command extracts and counts unique protocol types:
tshark -r udp.pcap -T fields -e frame.protocols | sort | uniq -c
In a properly filtered capture, every protocol chain listed should contain udp; a chain that contains tcp or icmp instead would indicate that the filter did not work as intended.
- For thorough verification, let's check for any non-UDP packets that might have accidentally been included. This command filters for non-UDP traffic and should return empty results:
tshark -r udp.pcap -Y "not udp" -V
- Finally, count the total number of UDP packets in your exported file to verify the quantity matches your expectations:
tshark -r udp.pcap | wc -l
This gives you the total count of packets in the capture file, which should all be UDP packets after our filtering process.
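The filter-and-export step earlier in the lab and the verification steps in this section both come down to the same thing: read each record in a pcap file, keep those whose Ethernet/IPv4 headers mark them as UDP, write them back out with a fresh file header, and then re-read the result to check the counts. The following added example (not part of the original lab and not tshark's own code) does that in plain Python against a constructed three-packet capture, so you can see exactly what "udp" matches on and why tshark -r udp.pcap -Y "not udp" | wc -l should give 0. It assumes a little-endian classic pcap file with the Ethernet link type, the addresses and ports in the sample frames are hypothetical, and its IPv4-only UDP test is deliberately narrower than tshark's udp display filter, which also matches UDP over IPv6.

```python
import os
import struct
import tempfile

# Classic pcap layout: little-endian magic, Ethernet link type (what -F pcap writes).
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETHERTYPE_IPV4, IPPROTO_TCP, IPPROTO_UDP = 0x0800, 6, 17
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) for every record in a classic pcap file."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack(f.read(GLOBAL_HDR.size))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("only little-endian classic pcap with Ethernet frames is supported")
        while True:
            hdr = f.read(RECORD_HDR.size)
            if len(hdr) < RECORD_HDR.size:
                break  # clean end of file
            ts_sec, ts_usec, incl_len, _ = RECORD_HDR.unpack(hdr)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated record")  # refuse a damaged capture rather than miscount
            yield ts_sec, ts_usec, frame

def write_pcap(path, records):
    """Write records under a fresh global header, as tshark -w -F pcap does for the exported file."""
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
            f.write(frame)

def is_udp(frame):
    """IPv4-only stand-in for the display filter "udp": EtherType 0x0800 and IP protocol 17."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return False                       # malformed header: treat as not UDP
    return frame[14 + 9] == IPPROTO_UDP    # protocol field is byte 9 of the IP header

def export_udp(src, dst):
    """Equivalent of: tshark -r src -Y "udp" -w dst. Returns the number of packets written."""
    kept = [rec for rec in read_pcap(src) if is_udp(rec[2])]
    write_pcap(dst, kept)
    return len(kept)

def count_packets(path, predicate=lambda frame: True):
    """Equivalent of: tshark -r path [-Y filter] | wc -l."""
    return sum(1 for _, _, frame in read_pcap(path) if predicate(frame))

# --- constructed sample traffic (hypothetical addresses, not a real capture) ---
def _ipv4_checksum(header20):
    total = sum(struct.unpack("!10H", header20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame(proto, l4):
    """Ethernet II + IPv4 header (192.168.1.1 -> 192.168.1.2) around a transport segment."""
    eth = bytes.fromhex("66778899aabb001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4

def udp_segment(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 64240, 0, 0)

def build_sample_capture(path):
    """One TCP SYN plus two 82-byte UDP 5353 -> 5353 datagrams, like the lab's summary lines."""
    payload = b"\x00" * 40
    write_pcap(path, [
        (0, 0, ipv4_frame(IPPROTO_TCP, tcp_syn(54321, 443))),
        (0, 2345, ipv4_frame(IPPROTO_UDP, udp_segment(5353, 5353, payload))),
        (0, 4567, ipv4_frame(IPPROTO_UDP, udp_segment(5353, 5353, payload))),
    ])

def demo():
    """Run the lab's workflow end to end: returns (exported, total_in_udp_pcap, non_udp_in_udp_pcap)."""
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "capture.pcap"), os.path.join(workdir, "udp.pcap")
    build_sample_capture(src)
    exported = export_udp(src, dst)
    return exported, count_packets(dst), count_packets(dst, lambda frame: not is_udp(frame))

if __name__ == "__main__":
    print(demo())  # (2, 2, 0): two UDP packets exported, none of them non-UDP
```

The three numbers demo() returns correspond to the three checks in the lab: the count of filtered packets, the count from re-reading udp.pcap, and the "not udp" count that must be 0. Note that export_udp rewrites the file header rather than copying the original one, which is also why udp.pcap is a valid capture on its own and why a count mismatch between the original and exported file would point to a filter problem rather than a file-format one.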
Summary
In this lab, you have learned how to use Wireshark's command-line tool tshark to analyze, filter, and export network packets. The exercises covered opening capture files with -r, viewing detailed packet information using -V, and applying display filters with -Y to isolate specific traffic like UDP.
You practiced exporting filtered packets to a new file using -w and verified the results by re-reading the output. These techniques provide essential skills for efficient network traffic analysis and selective data extraction in command-line environments.