Use Display Filters in Tshark


Introduction

In this lab, you will learn to utilize display filters in Wireshark's command-line tool tshark for efficient network traffic analysis. You will practice reading packet capture files (capture.pcap) and applying filters to isolate specific traffic patterns, such as packets from particular IP addresses or TCP ports.

Through hands-on exercises, you will master key tshark commands including -r for file reading and -Y for filter application. The lab emphasizes comparing filtered and unfiltered results to enhance your network troubleshooting skills.

Verify Tshark Installation and Sample File

In this initial step, you will confirm that the tshark command-line tool is installed and that the sample packet capture file is available in your working directory. This ensures your environment is ready for the subsequent network analysis tasks.

  1. First, verify the tshark installation by checking its version. Open a terminal and run:

    tshark -v

    You should see output similar to this, indicating tshark is installed:

    TShark (Wireshark) X.Y.Z (Git vX.Y.Z-gXXXXXXXXXXXX)
    ...

    The version numbers (X.Y.Z) may vary, but the presence of the output confirms tshark is ready.

  2. Next, navigate to the project directory where the sample packet capture file is located. This is the default working directory for this lab:

    cd ~/project

  3. Verify that the sample packet capture file, capture.pcap, exists in this directory. This file will be used for all subsequent analysis steps:

    ls -l capture.pcap

    You should see output similar to:

    -rw-r--r-- 1 labex labex 123456 Jan 1 00:00 capture.pcap

    This output confirms the file's permissions, owner, size, and modification date, indicating it is present and accessible.

Read Packet Capture File with -r

In this step, you will learn how to read and display the contents of a packet capture file using tshark. The -r option is fundamental for specifying an input file, allowing tshark to analyze pre-recorded network traffic instead of capturing live data.

  1. Ensure you are in the ~/project directory, as this is where our capture.pcap file is located:

    cd ~/project

  2. Now, use tshark to read and display all packets from the capture.pcap file:

    tshark -r capture.pcap

    The -r flag instructs tshark to read from the specified file. This command will output a summary of each packet directly to your terminal.

  3. The output will show basic information for each packet in columns. You will see details such as the packet number, timestamp, source and destination IP addresses, protocol, and a brief description. For example:

    1   0.000000 10.0.2.15 → 10.0.0.2 TCP 74 80 → 49234 [SYN] Seq=0 Win=64240 Len=0
    2   0.000123 10.0.0.2 → 10.0.2.15 TCP 74 49234 → 80 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0
    ...

    Each line represents one network packet, providing a quick overview of the traffic.

  4. Since capture.pcap contains many packets, the output will scroll continuously. To stop the display and return to your command prompt, press Ctrl+C. This keyboard shortcut safely terminates the tshark process.

Filter by Source IP with -Y "ip.src==10.0.2.15"

In this step, you will learn how to apply a display filter to show only packets originating from a specific source IP address. The -Y option in tshark allows you to use Wireshark's powerful display filter syntax to narrow down your analysis to relevant traffic.

  1. Ensure you are in the ~/project directory:

    cd ~/project

  2. Now, filter the capture.pcap file to display only packets where the source IP address is 10.0.2.15. The filter ip.src==10.0.2.15 specifies this condition:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15"

    The -Y flag applies the display filter provided in quotes.

  3. The command will output only the packets that match the filter criteria. You will notice that every displayed packet has 10.0.2.15 as its source IP address:

    1   0.000000 10.0.2.15 → 10.0.0.2 TCP 74 80 → 49234 [SYN] Seq=0 Win=64240 Len=0
    3   0.000456 10.0.2.15 → 10.0.0.2 TCP 66 80 → 49234 [ACK] Seq=1 Ack=1 Win=64240 Len=0
    ...

    Compare this output with the unfiltered results from the previous step. This demonstrates how display filters help you focus on specific traffic patterns within a large capture file.

  4. When you are finished examining the filtered output, press Ctrl+C to stop the display and return to your command prompt.

Combine Filters with -Y "ip.src==10.0.2.15 and tcp.port==80"

In this step, you will learn to combine multiple display filters using logical operators to refine your network traffic analysis. By using the and operator, you can specify that packets must meet all defined conditions to be displayed, allowing for highly targeted investigations.

  1. Ensure you are in the ~/project directory:

    cd ~/project

  2. Now, let's filter for packets that meet two conditions simultaneously: they must originate from IP address 10.0.2.15 AND use TCP port 80 (commonly used for HTTP traffic). The and operator ensures both conditions must be true for a packet to be included in the output:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15 and tcp.port==80"

    This command will display only the packets that match both the source IP and the TCP port criteria.

  3. The output will show only packets that satisfy both conditions. For example, you might see HTTP requests or responses from the specified IP address:

    1   0.000000 10.0.2.15 → 10.0.0.2 TCP 74 80 → 49234 [SYN] Seq=0 Win=64240 Len=0
    5   0.001234 10.0.2.15 → 10.0.0.2 HTTP 145 GET /index.html HTTP/1.1
    ...

    Observe how this combined filter provides more precise results compared to using single filters. This technique is crucial for isolating specific conversations or application traffic.

  4. When you are done examining the output, press Ctrl+C to return to the command prompt.
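As an added example (not part of this lab and not tshark's own code), the following Python script builds a small capture in memory as a constructed stand-in for capture.pcap, reads it the way -r does, and evaluates the filters ip.src==10.0.2.15, tcp.port==80 and their and combination so the three result sets can be compared side by side. It goes one step beyond the lab by also listing tcp.port==80 on its own, which makes visible that tcp.port matches either end of a connection (request to port 80 and reply from port 80 alike). The hosts, ports, packet order and function names are assumptions made for the example.

```python
"""Added example (not tshark's code): a tiny pcap reader that evaluates the
display filters used in this lab (ip.src==10.0.2.15, tcp.port==80 and their
'and' combination) over a capture constructed inline."""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    number: int                 # tshark's frame.number (1-based)
    ip_src: str
    ip_dst: str
    tcp_srcport: Optional[int]  # None when the packet is not TCP
    tcp_dstport: Optional[int]


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet II + IPv4 + TCP header with no payload. Checksums are left at
    zero; tshark would flag that, but the filter fields are unaffected."""
    eth = b"\x00" * 12 + b"\x08\x00"                              # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))              # proto 6 = TCP
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then per record a
    16-byte header (ts_sec, ts_usec, caplen, origlen) and the frame bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 0, i * 123, len(frame), len(frame)) + frame
    return out


def sample_capture() -> bytes:
    """Constructed stand-in for the lab's capture.pcap (assumed traffic)."""
    return build_pcap([
        build_tcp_frame("10.0.2.15", "10.0.0.2", 49234, 80),   # 1 client SYN to HTTP
        build_tcp_frame("10.0.0.2", "10.0.2.15", 80, 49234),   # 2 server reply
        build_tcp_frame("10.0.2.15", "10.0.0.2", 49234, 80),   # 3 client ACK
        build_tcp_frame("10.0.2.15", "10.0.0.2", 51000, 443),  # 4 same host, HTTPS
        build_tcp_frame("10.0.2.99", "10.0.0.2", 50000, 80),   # 5 other host, HTTP
    ])


def read_pcap(data: bytes) -> List[Packet]:
    """What 'tshark -r' does in miniature: walk the records and dissect only
    the fields the filters need. Non-IPv4 frames are skipped (they carry no
    ip.* field, so ip.src can never match them); non-TCP keeps None ports."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    offset, number, packets = 24, 0, []
    while offset < len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        number += 1
        if frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_hdr = frame[14:14 + ihl]
        src = ".".join(map(str, ip_hdr[12:16]))
        dst = ".".join(map(str, ip_hdr[16:20]))
        sport = dport = None
        if ip_hdr[9] == 6:                                        # TCP
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        packets.append(Packet(number, src, dst, sport, dport))
    return packets


Filter = Callable[[Packet], bool]


def ip_src(addr: str) -> Filter:
    return lambda p: p.ip_src == addr


def tcp_port(port: int) -> Filter:
    # Like tshark's tcp.port: true if EITHER end uses the port, so a request
    # to :80 and the reply from :80 both match. Use tcp.dstport / tcp.srcport
    # when only one direction is wanted. Non-TCP packets never match.
    return lambda p: p.tcp_srcport is not None and port in (p.tcp_srcport, p.tcp_dstport)


def both(*filters: Filter) -> Filter:
    """The display-filter 'and' operator: every condition must hold."""
    return lambda p: all(f(p) for f in filters)


def apply_filter(packets: List[Packet], pred: Filter) -> List[Packet]:
    return [p for p in packets if pred(p)]


def summary(p: Packet) -> str:
    """One tshark-style summary line per packet."""
    return f"{p.number:>3} {p.ip_src} → {p.ip_dst} TCP {p.tcp_srcport} → {p.tcp_dstport}"


def compare_filters(data: bytes) -> dict:
    """Frame numbers selected by each stage of the lab, for side-by-side comparison."""
    packets = read_pcap(data)
    combined = both(ip_src("10.0.2.15"), tcp_port(80))
    return {
        "unfiltered": [p.number for p in packets],
        "ip.src==10.0.2.15": [p.number for p in apply_filter(packets, ip_src("10.0.2.15"))],
        "tcp.port==80": [p.number for p in apply_filter(packets, tcp_port(80))],
        "ip.src==10.0.2.15 and tcp.port==80": [p.number for p in apply_filter(packets, combined)],
    }


if __name__ == "__main__":
    for name, numbers in compare_filters(sample_capture()).items():
        print(f"{name}: {numbers}")
    for p in apply_filter(read_pcap(sample_capture()), both(ip_src("10.0.2.15"), tcp_port(80))):
        print(summary(p))
```

Running the script lists five frames unfiltered, three for ip.src==10.0.2.15 (frames 1, 3 and 4), four for tcp.port==80 (the reply in frame 2 and the other host's request in frame 5 match too), and only frames 1 and 3 for the combined filter, which is the narrowing the lab asks you to observe. Swapping tcp_port(80) for a destination-port-only check is the way to keep only the client-to-server direction.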

Verify Output with -P (Detailed Packet View)

In this final step, you will learn how to keep printing a summary line for each filtered packet using tshark's -P option. The -P flag is particularly useful when you want to see packet summaries while also writing packets to a file with -w, or when used together with other options that would otherwise suppress packet output.

  1. Ensure you are in the ~/project directory:

    cd ~/project

  2. First, let's see the difference between using -P and not using it when writing to a file. Run this command without -P:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15 and tcp.port==80" -w filtered.pcap

    Notice that no packet information is displayed on the screen because the packets are being written to a file.

  3. Now run the same command with the -P option:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15 and tcp.port==80" -w filtered.pcap -P

    With the -P flag, you will see packet summaries displayed on the screen while the packets are simultaneously being written to the file:

    1   0.000000 10.0.2.15 → 10.0.0.2 TCP 74 80 → 49234 [SYN] Seq=0 Win=64240 Len=0
    2   0.000123 10.0.2.15 → 10.0.0.2 TCP 74 80 → 49234 [ACK] Seq=1 Ack=1 Win=64240 Len=0
    ...

  4. Another useful scenario is combining -P with -q (quiet mode). First, try with just -q:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15 and tcp.port==80" -q

    This suppresses all packet output and only shows a count at the end.

  5. Now combine -q with -P:

    tshark -r capture.pcap -Y "ip.src==10.0.2.15 and tcp.port==80" -q -P

    The -P option overrides the -q suppression and displays packet summaries again.

The -P option is most valuable when you need to monitor packet processing while simultaneously saving filtered results to a file, or when you want to override output suppression from other options like -q.

Summary

In this lab, you have learned to effectively apply display filters using Wireshark's tshark command-line tool for network traffic analysis. You practiced reading PCAP files with -r, filtering by IP addresses and ports using -Y, and combining conditions with logical operators like and.

The exercises demonstrated how to isolate specific traffic patterns and verify results with -P, equipping you with essential skills for targeted packet analysis. These techniques enable efficient troubleshooting by focusing on relevant network data.