Introduction
In this lab, you will learn to analyze network traffic using Wireshark's command-line tool tshark by generating protocol statistics from a packet capture file. You'll explore key options like -r for reading files, -q for quiet mode, and -z io,phs for protocol hierarchy statistics.
The exercise will guide you through verifying capture files, viewing packet summaries, and interpreting protocol distributions. This practical experience will enhance your network analysis skills with tshark's statistical features.
Read File with -r capture.pcap
In this step, you will learn how to open and analyze a packet capture file using Wireshark's command-line tool tshark. The -r option is fundamental as it specifies which packet capture file to read. Think of it like opening a document with a text editor - you need to tell the program which file to work with.
First, ensure you're in the correct directory. Open the terminal and run:
cd ~/projectThis command navigates to the project directory where our sample capture file is stored. It's like opening the right folder before accessing a file.
The lab environment provides a sample capture file named
capture.pcap. Verify its existence:ls -l capture.pcapExpected output should show the file details like:
-rw-r--r-- 1 labex labex 12345 Jan 1 00:00 capture.pcapThe
ls -lcommand shows the file's permissions, size, and modification time. This confirms the file is present and accessible before we try to analyze it.To read the capture file with tshark, execute:
tshark -r capture.pcapThis command reads the
capture.pcapfile and displays each network packet's summary information. You'll see columns showing:- Packet number (sequence in the capture)
- Timestamp (when it was captured)
- Source and destination IP addresses
- Protocol used (TCP, UDP, etc.)
- Basic information about the packet
For a cleaner output with just packet numbers and protocols, add the
-q(quiet) option:tshark -r capture.pcap -qThe
-qflag simplifies the output by suppressing some details. This is useful when you just want to quickly scan the types of traffic in the capture without seeing all the packet details.To exit the packet listing, press
Ctrl+Cwhen you've seen enough output. This keyboard combination stops the command's execution and returns you to the terminal prompt.
Remember, these commands are just displaying the captured packets - we're not modifying the file in any way. The next steps will show you how to analyze this traffic in more detail.
Compute Hierarchy Stats with -z io,phs
In this step, we'll explore how to analyze network traffic by generating protocol hierarchy statistics using Wireshark's command-line tool tshark. The -z io,phs option creates a structured overview showing how different network protocols relate to each other in your captured traffic.
First, let's make sure we're in the right working directory where our capture file is stored:
cd ~/projectThis command navigates to the project directory where we'll be working with our packet capture file.
Now we'll analyze the
capture.pcapfile to see the protocol distribution. Run this command:tshark -r capture.pcap -z io,phsHere's what each part does:
-r capture.pcapreads our packet capture file-z io,phsgenerates the protocol hierarchy statistics
The command produces output showing how protocols are layered in your network traffic. Here's a sample structure:
====================================================== Protocol Hierarchy Statistics Filter: eth frames:100 bytes:10000 ip frames:90 bytes:9000 tcp frames:80 bytes:8000 http frames:70 bytes:7000 udp frames:10 bytes:1000 arp frames:10 bytes:1000 ======================================================This tree structure reveals:
- Ethernet (eth) as the base layer carrying all traffic
- IP packets making up 90% of Ethernet frames
- TCP being the dominant transport protocol within IP
- HTTP traffic accounting for most TCP packets
The statistics provide three key pieces of information for each protocol:
- Percentage of total traffic (implied by frame counts)
- Absolute numbers of frames and bytes transmitted
- The encapsulation relationship between protocols
For a cleaner view without additional capture information, add the
-q(quiet) option:tshark -r capture.pcap -z io,phs -qThe
-qflag suppresses extra details, giving you just the protocol hierarchy statistics. This is particularly useful when you only need the protocol breakdown.
Suppress Packet Details with -q
In this step, you'll learn about the -q option in tshark, which helps simplify your output when analyzing network traffic. This is especially useful when you only need statistical information rather than detailed packet contents.
First, let's navigate to our working directory where the packet capture file is stored:
cd ~/projectThis ensures we're in the right location to access our sample capture file.
Let's first examine what normal tshark output looks like without the
-qoption:tshark -r capture.pcapThis command displays complete packet information including protocol headers and payload data. For beginners, this output might appear overwhelming with too many details when you're only interested in overall statistics.
Now let's try the same command with the
-q(quiet) option:tshark -r capture.pcap -qNotice how this suppresses the detailed packet information, giving you a cleaner output. The
-qoption tells tshark to only show summary information, which is easier to read when you don't need packet-level details.Let's combine
-qwith the protocol hierarchy statistics we learned earlier:tshark -r capture.pcap -z io,phs -qThis powerful combination gives you just the protocol statistics without any distracting packet details. The
-z io,phsgenerates the statistics while-qensures we only see the statistical summary.Key differences to observe:
- Without
-q: Shows complete packet dissection including all protocol layers - With
-q: Provides a cleaner view showing only summary/statistical information - Particularly useful when combined with statistics options (
-z) for focused analysis
- Without
Remember, the -q option is your friend when you want to focus on the big picture rather than individual packet details. It helps reduce visual clutter while still providing the essential information you need for network analysis.
View Stats on Console
In this step, you'll learn how to use tshark's powerful statistical features to analyze network traffic patterns directly in your terminal. These commands help you understand traffic distribution, identify top communicators, and spot unusual patterns in captured network data.
First, ensure you're in the correct working directory where your capture file is stored. This is important because tshark needs to access the file:
cd ~/projectView basic capture file statistics with time intervals. The
-qflag suppresses packet details, while-z io,stat,60creates 60-second summary blocks:tshark -r capture.pcap -q -z io,stat,60This shows how traffic volume changes over time in one-minute segments.
To see which IP addresses are most active (endpoint statistics), this command counts traffic per address:
tshark -r capture.pcap -q -z endpoints,ipIt lists all communicating IPs with their sent/received packet and byte counts.
For conversation statistics showing which IP pairs communicate and how much:
tshark -r capture.pcap -q -z conv,ipThis reveals communication patterns between specific source-destination pairs.
Combine multiple statistics in one command for comprehensive analysis:
tshark -r capture.pcap -q -z io,stat,60 -z endpoints,ip -z conv,ipWhen reviewing statistics, focus on these key indicators:
- Total packets and bytes: Overall traffic volume
- Traffic distribution over time: Spot peaks or unusual patterns
- Top communicating endpoints: Identify heavy users
- Conversation pairs: Understand who talks to whom and how much
Summary
In this lab, you have learned to utilize Wireshark's command-line tool tshark for network traffic analysis. You practiced reading packet capture files using the -r option and simplified output with the -q flag for better readability.
Additionally, you explored generating protocol hierarchy statistics through the -z io,phs option, which provides valuable insights into protocol distribution within network traffic. This technique enables quick assessment of traffic composition without inspecting individual packets.


