Monitor Traffic in Real Time in Tshark

Introduction

In this lab, you will learn to monitor network traffic in real-time using Wireshark's command-line tool tshark. You'll practice capturing packets on the eth1 interface, configuring live statistics updates, and analyzing summarized output with key commands like -i and --update-interval.

Through hands-on exercises, you'll observe TCP handshakes, terminate sessions, and interpret real-time traffic details including IP addresses and protocols. This lab provides practical experience with essential network analysis techniques.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/interface -.-> lab-548934{{"Monitor Traffic in Real Time in Tshark"}} wireshark/packet_capture -.-> lab-548934{{"Monitor Traffic in Real Time in Tshark"}} wireshark/commandline_usage -.-> lab-548934{{"Monitor Traffic in Real Time in Tshark"}} end

Start Capture with -i eth1

In this step, you will learn how to start a network packet capture using Wireshark's command-line tool tshark on the eth1 interface. This is the fundamental operation for network traffic analysis.

Network interfaces are the physical or virtual points where your computer connects to a network. The -i flag in tshark specifies which network interface to capture packets from. In most Linux systems, eth1 represents the first Ethernet interface, which is typically your primary wired network connection. In our LabEx VM environment, eth1 is the default Ethernet interface connected to the network.

When you run tshark without any filters, it will capture all network traffic passing through the specified interface. This includes both incoming and outgoing packets. The command we're about to use provides a real-time view of this traffic.

Follow these steps to begin capturing:

Open the terminal in your LabEx VM (you should already be in the ~/project directory)
Run the following command to start capturing on eth1:

tshark -i eth1

This command tells tshark to listen on the eth1 interface and display each packet as it's captured. The output will show detailed information about each network packet in real-time.

You should see output similar to this as packets start being captured:

Capturing on 'eth1'
1 0.000000000 192.168.1.100 → 192.168.1.1    TCP 74 55942 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=123456789 TSecr=0 WS=128
2 0.000123456 192.168.1.1 → 192.168.1.100    TCP 74 80 → 55942 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=987654321 TSecr=123456789 WS=128

Each line represents a captured packet, showing its timestamp, source and destination IP addresses, protocol type (TCP in this case), and various protocol-specific details. The first packet shows a TCP connection initiation (SYN flag), while the second shows the response (SYN-ACK).

To stop the capture, press Ctrl+C in the terminal. This will display a summary of the captured packets before returning to the command prompt. The summary includes statistics about how many packets were captured and processed.

Set 1-Second Updates with --update-interval 1000

In this step, we'll configure tshark to show periodic updates of network traffic statistics. This approach is particularly helpful for beginners because it provides a clear, manageable view of network activity without overwhelming you with constant packet details.

The --update-interval parameter controls how frequently tshark refreshes its display. The value is specified in milliseconds (ms), where 1000 ms equals 1 second. This means we'll get a snapshot of our network traffic every second, making it easier to observe patterns and changes.

Before we begin, let's understand what we're doing:

We're monitoring the eth1 network interface (the default Ethernet port on most systems)
Instead of seeing every single packet, we'll see summarized counts
The display will automatically refresh every second

Here's how to set this up:

First, ensure you're in the correct working directory. Open your terminal and navigate to:

cd ~/project

Now run this command to start monitoring with 1-second updates:

tshark -i eth1 --update-interval 1000

After running this, you'll see output similar to:

Capturing on 'eth1'
Packets: 15
Packets: 32
Packets: 47

Important notes about the output:

The "Packets" count shows the total number captured since starting tshark
Each new line represents an update after the specified interval (1 second)
The numbers will vary depending on your actual network activity
Higher numbers indicate more network traffic during that period

This method gives you a clean, periodic overview of network activity, which is especially useful when you're first learning about network monitoring and want to observe traffic patterns without getting lost in details.

Show Live Summary with -P

In this step, we'll explore how to monitor network traffic at a high level using tshark's summary mode. This is particularly useful when you want to observe traffic patterns without getting overwhelmed by individual packet details. Think of it like watching a highway's traffic flow rather than examining each car.

The -P parameter tells tshark to display periodic statistics instead of showing every packet. When combined with --update-interval, it creates a dashboard-like view that refreshes at your specified timing. This approach is much more efficient than scrolling through raw packet data when you just need an overview.

Before we begin, ensure you're in the correct working directory where you have permission to capture network traffic. The command we'll use builds upon what you've learned in previous steps:

tshark -i eth1 --update-interval 1000 -P

Here's what each part does:

-i eth1 specifies the network interface to monitor
--update-interval 1000 sets the refresh rate to 1000 milliseconds (1 second)
-P enables the periodic statistics display mode

After running the command, you'll see output that updates every second, showing three key metrics:

Capturing on 'eth1'
Packets: 15    Avg. packet size: 342 bytes    Packets/s: 5
Packets: 32    Avg. packet size: 356 bytes    Packets/s: 8
Packets: 47    Avg. packet size: 378 bytes    Packets/s: 7

These metrics tell you:

The total number of packets captured since starting
The average size of these packets in bytes
The current rate of packets flowing through the interface

This view is especially helpful for spotting sudden traffic spikes or unusual patterns in your network activity. The numbers will change dynamically as network conditions change, giving you real-time insight into what's happening on your network.

Terminate with Ctrl+C

In this step, we'll learn how to safely stop an active tshark packet capture session. As a beginner, it's important to understand that simply closing the terminal or killing the process abruptly could result in lost data. The proper method uses the standard Linux interrupt mechanism.

When you run tshark, it continuously monitors network traffic and writes data to memory. Pressing Ctrl+C sends a SIGINT (signal interrupt) that tells tshark to:

Immediately stop capturing new packets
Finalize and display the collected statistics
Cleanly exit back to your command prompt

Here's exactly what to do:

First, make sure your tshark capture is running (using the same command from earlier: -i eth1 --update-interval 1000 -P)
On your keyboard, press and hold the Ctrl key
While holding Ctrl, press the C key once

You'll see output like this:

^C
47 packets captured

The ^C symbol confirms you pressed Ctrl+C. The number shows how many packets were successfully captured during your session. This count helps verify your capture worked as expected before you stopped it.

Remember that this method preserves all captured data and gives you a clean exit, unlike force-quitting which might lose packets being processed when stopped.

Summary

In this lab, you have learned to monitor network traffic in real time using Tshark, Wireshark's command-line interface. Key techniques included initiating packet capture on eth1 with -i, setting periodic updates via --update-interval, and displaying live packet summaries using -P.

The exercises provided hands-on experience with capturing raw packets, analyzing TCP handshakes, and tracking real-time traffic statistics. These fundamental skills enable efficient network monitoring and troubleshooting through terminal-based packet inspection.