Use Display Filters in Tshark


Introduction

In this lab, you will learn to utilize display filters in Wireshark's command-line tool tshark for efficient network traffic analysis. You'll practice reading packet capture files (tcp.pcap) and applying filters to isolate specific traffic patterns, such as packets from particular IP addresses or TCP ports.

Through hands-on exercises, you'll use the key tshark options -r (read a capture file) and -Y (apply a display filter). The lab emphasizes comparing filtered and unfiltered results so you can see exactly what each filter expression keeps and what it drops.



Read File with -r tcp.pcap

In this step, you will learn how to read a packet capture file using Wireshark's command-line tool tshark. The -r option is one of the most fundamental tshark options: it names a packet capture file (PCAP) to analyze instead of a live interface. This is similar to opening a file in the Wireshark GUI, but done through the command line.

  1. First, we need to navigate to the directory containing our packet capture file. Open a terminal and run:

    cd ~/project

    This command changes your working directory to the project folder where our sample capture file is stored.

  2. The lab environment provides a sample packet capture file named tcp.pcap. Let's verify it exists before we try to read it:

    ls -l tcp.pcap

    You should see output similar to:

    -rw-r--r-- 1 labex labex 12345 Jan 1 00:00 tcp.pcap

    This shows the file permissions, owner, size, and modification date - confirming the file is present.

  3. Now we'll use tshark to read and display the packet capture file:

    tshark -r tcp.pcap

    The -r flag tells tshark to read from the specified file rather than capturing live traffic. This command will display the packet contents directly in your terminal.

  4. The output will show each packet with basic information in columns:

    1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 49234 → 80 [SYN] Seq=0 Win=64240 Len=0
    2 0.000123 192.168.1.2 → 192.168.1.1 TCP 74 80 → 49234 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0

    Each line represents one network packet. The columns are the frame number, the time relative to the first packet, source and destination IP addresses, the protocol (TCP here), the frame length in bytes, and an info column with the source and destination ports, TCP flags, and sequence/acknowledgement numbers. In this sample 192.168.1.1 is the client (ephemeral port 49234) opening a connection to port 80 on 192.168.1.2.

  5. The output scrolls until tshark reaches the end of the file, at which point it exits on its own. Press Ctrl+C only if you want to stop early. For a large file it is more convenient to page through the output with tshark -r tcp.pcap | less, or to read only the first few packets with tshark -r tcp.pcap -c 10.

Filter by Source IP with -Y "ip.src==192.168.1.1"

In this step, you will learn how to filter network packets by source IP address using Wireshark's tshark command-line tool. The -Y option is specifically designed for display filters, which help you focus on particular network traffic patterns without modifying the original packet data.

  1. First, ensure you're in the correct directory where your packet capture file is stored. This is important because tshark needs to know where to find the file you want to analyze:

    cd ~/project
  2. Now let's filter packets that originate from the specific IP address 192.168.1.1. The -r flag specifies the input file, while -Y applies our display filter. The filter syntax ip.src==192.168.1.1 means "show only packets whose source IP equals 192.168.1.1". Note that ip.src matches one direction only; to see both sides of a conversation involving that host, use ip.addr==192.168.1.1 instead:

    tshark -r tcp.pcap -Y "ip.src==192.168.1.1"
  3. The command will output only the packets matching our filter criteria. Notice how each entry shows the source IP (192.168.1.1) and destination IP, along with other protocol details:

    1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 49234 → 80 [SYN] Seq=0 Win=64240 Len=0
    3 0.000456 192.168.1.1 → 192.168.1.2 TCP 66 49234 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
  4. To understand the filtering effect better, compare this output with the unfiltered results you saw earlier. This demonstrates how display filters help isolate specific traffic patterns from large capture files.

  5. As with the unfiltered read, tshark exits on its own once it reaches the end of the file; press Ctrl+C if you want to stop it early.

Combine Filters with -Y "ip.src==192.168.1.1 and tcp.port==80"

In this step, you'll learn how to combine multiple filters in Wireshark's command-line tool tshark to precisely analyze network traffic. The -Y option (display filter) lets you use logical operators like and to create complex filtering conditions. This is particularly useful when you need to examine traffic that matches multiple criteria simultaneously.

  1. First, navigate to the project directory where your packet capture file is stored. This ensures tshark can find the file you want to analyze:

    cd ~/project
  2. Now let's filter for packets that meet two conditions: they must come from IP address 192.168.1.1 AND involve TCP port 80 (typically HTTP traffic). tcp.port matches either the source or the destination port, so use tcp.dstport==80 or tcp.srcport==80 if you need one direction only. The and operator (tshark also accepts &&) requires both conditions to be true for a packet to be displayed:

    tshark -r tcp.pcap -Y "ip.src==192.168.1.1 and tcp.port==80"
  3. The output will show only packets that match both criteria. For example, you might see HTTP requests from the specified IP address:

    1 0.000000 192.168.1.1 → 192.168.1.2 TCP 74 49234 → 80 [SYN] Seq=0 Win=64240 Len=0
    5 0.001234 192.168.1.1 → 192.168.1.2 HTTP 145 GET /index.html HTTP/1.1
  4. Notice how this combined filter gives you more targeted results than using single filters alone. Compare this output with what you saw when filtering just by IP or just by port to understand how combining filters helps isolate specific traffic patterns.

  5. tshark exits when it reaches the end of the file; press Ctrl+C to stop it early if the output is still scrolling.
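The difference between ip.src, ip.addr and tcp.port is easy to get wrong, so here is an added example (not part of the original lab) that makes the matching rules explicit. It constructs six packets inline (a handshake and a GET from 192.168.1.1 to 192.168.1.2:80, plus two packets that should not match the lab's combined filter), writes them to a temporary tcp.pcap with a minimal pcap writer written for this example, and evaluates predicates with the same meaning as the -Y expressions. If tshark is installed, each result is cross-checked against tshark -T fields -e frame.number, a real tshark option that prints only the frame numbers matching a filter; without tshark the script still runs offline.

```python
"""Apply tshark-style display filters to a constructed capture.

Added example, not part of the original lab. The six packets below are
constructed inline so the script runs offline; the predicates mirror the
semantics of ip.src==, ip.addr== and tcp.port== as used with tshark -Y.
If tshark is installed, each result is cross-checked against it with
-T fields -e frame.number. The -Y expressions are real tshark syntax;
the packet builder and pcap writer are minimal helpers written for this
example (no TCP options, TCP checksum left at zero).
"""
import os
import shutil
import struct
import subprocess
import tempfile

CLIENT, SERVER, OTHER = "192.168.1.1", "192.168.1.2", "10.0.0.9"
SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed sample conversation: a three-way handshake and a GET from
# CLIENT to SERVER:80, plus two packets that should NOT match the lab filter.
PACKETS = [
    dict(src=CLIENT, dst=SERVER, sport=49234, dport=80, flags=SYN),
    dict(src=SERVER, dst=CLIENT, sport=80, dport=49234, flags=SYN | ACK),
    dict(src=CLIENT, dst=SERVER, sport=49234, dport=80, flags=ACK),
    dict(src=OTHER, dst=CLIENT, sport=51000, dport=22, flags=SYN),    # other host
    dict(src=CLIENT, dst=SERVER, sport=49234, dport=80, flags=PSH | ACK,
         payload=b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n"),
    dict(src=CLIENT, dst=OTHER, sport=40000, dport=443, flags=SYN),   # CLIENT, not port 80
]

# Predicates with the same meaning as the tshark expressions used as keys.
# tcp.port matches EITHER the source or the destination port; ip.src only the source.
FILTERS = {
    "ip.src==192.168.1.1": lambda p: p["src"] == CLIENT,
    "ip.src==192.168.1.1 and tcp.port==80":
        lambda p: p["src"] == CLIENT and 80 in (p["sport"], p["dport"]),
    "ip.addr==192.168.1.1 and tcp.port==80":
        lambda p: CLIENT in (p["src"], p["dst"]) and 80 in (p["sport"], p["dport"]),
    "tcp.srcport==80": lambda p: p["sport"] == 80,
}


def matching_frames(packets, predicate):
    """Return 1-based frame numbers (as tshark numbers them) of packets that match."""
    return [i + 1 for i, p in enumerate(packets) if predicate(p)]


def ip_checksum(header):
    """Standard ones-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame. MAC addresses and sequence numbers are arbitrary."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp


def write_pcap(path, frames):
    """Write a classic little-endian pcap file (link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 0, i * 1000, len(frame), len(frame)))
            f.write(frame)


def tshark_frames(pcap_path, display_filter):
    """Frame numbers tshark reports for the filter, or None if tshark is not installed."""
    if shutil.which("tshark") is None:
        return None
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields", "-e", "frame.number"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [int(n) for n in out.split()]


def main():
    path = os.path.join(tempfile.mkdtemp(), "tcp.pcap")
    write_pcap(path, [build_frame(**p) for p in PACKETS])
    for expr, pred in FILTERS.items():
        ours = matching_frames(PACKETS, pred)
        theirs = tshark_frames(path, expr)
        print(f"{expr:42} -> frames {ours}" + ("" if theirs is None else f"  tshark: {theirs}"))


if __name__ == "__main__":
    main()
```

Running it shows that ip.src==192.168.1.1 and tcp.port==80 keeps frames 1, 3 and 5 only: frame 2 is dropped because its source is the server, frame 6 because neither port is 80. Swapping ip.src for ip.addr brings frame 2 back, which is what you want when you need both halves of the conversation. The frames here are 54 bytes because the builder adds no TCP options; the lab's sample shows 74 and 66 bytes because real handshakes carry MSS, SACK and timestamp options.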

Verify Output with -P and -V

In this step, you will learn how to verify the filtered packets and print their details. Two tshark flags are involved. The -P (--print) flag makes tshark print the one-line summary of each packet even when it is writing raw packet data to a file with -w, so you can see what is being saved as it is saved; on its own, without -w, -P does not change the output. The -V flag prints the full protocol tree (the packet details) for each packet instead of the summary line, which is what you need when examining specific fields within network packets.

  1. First, ensure you're in the correct directory where your packet capture file is located. This is important because tshark needs to access the pcap file we'll be analyzing:

    cd ~/project
  2. First, filter for packets from 192.168.1.1 on TCP port 80 and save the matching packets to a new file. Without -P, -w writes the raw packets silently; with -P, tshark also prints the summary line of each packet it writes, so you can confirm on the spot what is going into the file. The command combines four flags:

    • -r to read from our capture file
    • -Y to apply our display filter
    • -w to write the matching packets to filtered.pcap
    • -P to print the summary line of each written packet
    tshark -r tcp.pcap -Y "ip.src==192.168.1.1 and tcp.port==80" -w filtered.pcap -P
  3. To examine individual fields, print the full protocol tree with -V. You can read the filtered file back, or use the original file together with the same -Y filter:

    tshark -r filtered.pcap -V

    The output is a hierarchical breakdown of each packet's contents, one protocol layer after another (abbreviated here):

    Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
    Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
    Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.2
    Transmission Control Protocol, Src Port: 49234, Dst Port: 80, Seq: 0, Ack: 0, Flags: SYN
  4. Notice how this output shows far more than the summary lines printed without -V. You can see:

    • The link layer (Ethernet) addresses
    • Network layer (IP) addresses
    • Transport layer (TCP) port numbers and flags
  5. The -V output runs to dozens of lines per packet, so pipe it into less (tshark -r filtered.pcap -V | less) to page through it. tshark exits when it reaches the end of the file; Ctrl+C stops it early, as in most Linux terminals.

Summary

In this lab, you have learned to apply display filters using Wireshark's tshark command-line tool for network traffic analysis. You practiced reading PCAP files with -r, filtering by IP addresses and ports using -Y, and combining conditions with logical operators like and.

The exercises demonstrated how to isolate specific traffic patterns, save the matching packets with -w while confirming them with -P, and examine their fields with -V. These techniques enable efficient troubleshooting and investigation by focusing on the relevant network data.