Analyzing network traffic with Tshark

When the system logs fail to provide information on problems, or if you simply want to know what is happening on the network, it is worth taking a look at the data stream. Tools such as Tcpdump [1] or Wireshark [2] let you listen on the network to study and troubleshoot network problems. Tcpdump is the tool of choice for gurus and professionals, but Wireshark appeals to many users because of its powerful GUI. If you prefer to work at the command line, or if you don't have time to grapple with Wireshark's elaborate user interface, you can use Wireshark's little brother Tshark [3] to sniff packets in a terminal window.

Like other packet sniffers, Tshark switches the interface into promiscuous mode to listen for network packets. In promiscuous mode, the network adapter hands over all the packets to the operating system, instead of just the ones addressed directly to the local system with the MAC address. Tshark can therefore listen to all the traffic on the local network, and you can use filtering commands to narrow down the output to specific hosts or protocols that you want to study.

Many Packages, Many Privileges

You can install Tshark via the command line or using a graphical tool of your choice. I used the 64-bit version of Tshark 1.10.6 on Ubuntu 14.04 for this article. Tshark is included with most other major distributions and accepts the same parameters, so you can use a different flavor of Linux and complete the installation with the package manager of your choice. On Ubuntu, you first need to update your system (Listing 1, first two lines). Then, install the program using the package manager (last line).

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Capture File Filtering with Wireshark

    Wireshark doesn’t just work in real time. If you save a history of network activity in a pcap file using a tool such as tcpdump, you can filter the data with Wireshark to search for evidence.

    more »
  • Perl – Build a Sniffer

    If you need to browse through packets rushing by on the local network, Wireshark provides a useful service. But, if you prefer to build your own tools, why not use the command-line version, TShark, and a terminal-friendly Curses UI?

    more »
  • Network Analysis

    The nightmare of any admin is a user who can't resisting clicking on an unknown attachment labeled Application.exe. This article draws on a real-world example to show how you can use built-in Linux resources to detect unauthorized traffic that might have been invited in by a trigger-happy user.

    more »
  • Security Lessons

    Building a network flight recorder with Wireshark.

    more »
  • Wireshark

    If you know your way around network protocols, you can get to the source of a problem quickly with Wireshark.

    more »
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News

Tag Cloud

Administration Community Events Hardware Linux Linux Pro Magazine Mobile Programming Security Software Ubuntu Web Development Windows free software open source