Essential Utilities

| Utility | Purpose |
|---|---|
| capinfos | Summarize capture file metadata before deep dives |
| grep | Search packet text dumps or CSV exports |
| awk | Field-based filtering, counting, and reporting |
| cut | Extract specific columns or fields from text output |
| uniq | Deduplicate sorted output; often paired with sort |
| nl | Number lines of output for easy reference |
| sed | Stream editor for in-line text transformations |
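A worked pipeline, added here and not part of the original cheat sheet, showing how the utilities above are chained onto tshark field output for quick triage. It assumes tshark was run with `-T fields -e ip.src -e ip.dst -e tcp.dstport` (tab-separated, one packet per line); the sample lines are constructed so the functions run without a capture file.

```shell
#!/bin/sh
# Constructed sample of what
#   tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e tcp.dstport
# prints: src, dst and destination port, tab-separated. Built with printf
# so the tabs survive copy/paste and nothing here needs tshark installed.
SAMPLE_FIELDS=$(printf '10.0.0.5\t192.168.1.10\t443\n10.0.0.5\t192.168.1.10\t443\n10.0.0.7\t192.168.1.10\t80\n10.0.0.5\t192.168.1.20\t22\n10.0.0.5\t192.168.1.10\t443\n10.0.0.9\t192.168.1.10\t3389')

# Packet count per (src, dst) pair, busiest first.
# Reads tshark field output on stdin; prints "<count> <src> <dst>".
pair_counts() {
    cut -f1,2 | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Distinct destination ports one source host touched, numerically sorted.
# $1 = source IP; reads field output on stdin. Useful for spotting a host
# that suddenly talks to ports it never used before.
ports_for_src() {
    awk -F'\t' -v src="$1" '$1 == src {print $3}' | sort -un
}

# Source hosts that sent more than $1 packets, numbered with nl so they
# can be referenced in notes or a ticket.
noisy_sources() {
    cut -f1 | sort | uniq -c | awk -v t="$1" '$1 > t {print $2}' | nl
}

# Run the three reports over the constructed sample.
printf '%s\n' "$SAMPLE_FIELDS" | pair_counts
printf '%s\n' "$SAMPLE_FIELDS" | ports_for_src 10.0.0.5
printf '%s\n' "$SAMPLE_FIELDS" | noisy_sources 1
```

Replace the `printf` feeding each function with the real `tshark -r ... -T fields ...` command to run the same reports against a capture.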

# Live capture on interface 2 (press Ctrl+C to stop)
tshark -i 2

# Read from a saved file and display packet summary
tshark -r capture.pcapng

# Save live capture to file
tshark -i eth0 -w output.pcap

Core Options

| Flag | Function | Example |
|---|---|---|
| -h | Help page (common flags) | `tshark -h` |
| -v | Version information | `tshark -v` |
| -D | List available capture interfaces | `tshark -D` |
| -i | Select interface (by number or name) | `tshark -i ens33` |
| -c | Stop after N packets | `tshark -c 100` |
| -w | Write packets to file | `tshark -w filtered.pcap` |
| -r | Read from file instead of live capture | `tshark -r demo.pcapng` |
| -V | Verbose: show full packet details | `tshark -V` |
| -q | Quiet mode: suppress packet summary output | `tshark -q` |
| --color | Colorize terminal output | `tshark --color` |
| -x | Hex+ASCII dump of packet payload | `tshark -x` |

Capture Autostop & Ring Buffers

One-shot stop conditions (-a)

# Stop after 30 s
tshark -i eth0 -w file.pcap -a duration:30
# Stop once the file reaches 10 MB (filesize is given in kB)
tshark -i eth0 -w file.pcap -a filesize:10240
# Rotate into a new file every 10 MB (-b) and stop after 3 files (-a);
# -a filesize alone would stop the whole capture at the first 10 MB
tshark -i eth0 -w file.pcap -b filesize:10240 -a files:3

Continuous ring buffer (-b)

# New file every 60 s, keep only the last 5 (older files are overwritten)
tshark -i eth0 -w rotating.pcap -b duration:60 -b files:5
# New file every 5 MB, keep only the last 4
tshark -i eth0 -w rotating.pcap -b filesize:5120 -b files:4

Capture vs. Display Filters

| Filter Type | Option | Syntax | Description |
|---|---|---|---|
| Capture (BPF) | -f | `"host 10.0.0.5"`, `"net 192.168.1.0/24"`, `"port 80"` | Filters at packet capture time |
| Display | -Y | `'ip.addr == 10.0.0.5'`, `'tcp.port == 443'`, `'http.request.method == "GET"'` | Filters after packets are captured/read |