tshark – Capturing Packets from the Windows Command Line

A quick aide-memoir about how to go about capturing traffic from the Windows command line.  You must be in the Wireshark directory (or have the location in your PATH environment settings):

1. Find interface Index:

C:\Program Files (x86)\Wireshark>tshark -D
1. \Device\NPF_{B3BA19B1-3083-4FF5-9CA5-09E33CABEC93} (Microsoft)
2. \Device\NPF_{E7CE2EDC-D965-44DF-A7F2-A14B4A762B40} (Sun)
3. \Device\NPF_{B88703B3-2E09-4FC7-A061-21A94A22BBBE} (Intel(R) 82579LM Gigabit
Network Connection)

2. Capture traffic:

C:\Program Files (x86)\Wireshark>tshark -i 3 -c 10 -w testing.pcap
Capturing on Intel(R) 82579LM Gigabit Network Connection
10

3. read in the file:

C:\Program Files (x86)\Wireshark>tshark -r testing.pcap
1   0.000000 fe80::89d1:db93:6fe0:93c4 -> ff02::c      SSDP  208 M-SEARCH * HTTP/1.1
2   0.007155 fe80::5177:2132:f23f:323d -> ff02::1:ff2d:47f8 ICMPv6  86 Neighbor Solicitation
3   0.009462 fe80::a57f:a2c0:4175:8a37 -> ff02::c      SSDP  208 M-SEARCH * HTTP/1.1
4   0.012513 192.168.200.173 -> 100.23.52.74  CFLOW  1458 total: 29 (v9) records
5   0.030965 fe80::8884:585c:94f1:a93 -> ff02::1:ffb2:2b1a ICMPv6  86 Neighbor Solicitation
6   0.054857 100.23.52.188 -> 100.23.255.255 NBNS  92 Name query NB NET-MASTER<1b>
7   0.082469 100.23.15.101 -> 224.0.0.2    HSRP  62 Hello (state Active)
8   0.095470  100.23.53.31 -> 100.23.255.255 NBNS  92 Name query NB FS03<20>
9   0.101973 172.23.16.252 -> 224.0.0.2    HSRP  62 Hello (state Standby)
10   0.117974 fe80::3c5b:61f0:4cac:4620 -> ff02::1:ff95:5811 ICMPv6  86 Neighbor Solicitation

3a. Read in the file with a Wireshark Display Filter:

C:\Program Files (x86)\Wireshark>tshark -r testing.pcap -R “ip.addr eq 224.0.0.2

7   0.082469 100.23.15.101 -> 224.0.0.2    HSRP  62 Hello (state Active)
9   0.101973 172.23.16.252 -> 224.0.0.2    HSRP  62 Hello (state Standby)

COMMAND LINE HELP:

TShark 1.6.8 (SVN Rev 42761 from /trunk-1.6)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: tshark [options] …

Capture interface:
-i <interface>           name or idx of interface (def: first non-loopback)
-f <capture filter>      packet filter in libpcap filter syntax
-s <snaplen>             packet snapshot length (def: 65535)
-p                       don’t capture in promiscuous mode
-B <buffer size>         size of kernel buffer (def: 1MB)
-y <link type>           link layer type (def: first appropriate)
-D                       print list of interfaces and exit
-L                       print list of link-layer types of iface and exit

Capture stop conditions:
-c <packet count>        stop after n packets (def: infinite)
-a <autostop cond.> …  duration:NUM – stop after NUM seconds
filesize:NUM – stop this file after NUM KB
files:NUM – stop after NUM files
Capture output:
-b <ringbuffer opt.> … duration:NUM – switch to next file after NUM secs
filesize:NUM – switch to next file after NUM KB
files:NUM – ringbuffer: replace after NUM files
Input file:
-r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
-R <read filter>         packet filter in Wireshark display filter syntax
-n                       disable all name resolutions (def: all enabled)
-N <name resolve flags>  enable specific name resolution(s): “mntC”
-d <layer_type>==<selector>,<decode_as_protocol> …
“Decode As”, see the man page for details
Example: tcp.port==8888,http
-H <hosts file>          read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
Output:
-w <outfile|->           write packets to a pcap-format file named “outfile”
(or to the standard output for “-“)
-C <config profile>      start with specified configuration profile
-F <output file type>    set the output file type, default is libpcap
an empty “-F” option will list the file types
-V                       add output of packet tree        (Packet Details)
-O <protocols>           Only show packet details of these protocols, comma
separated
-S                       display packets even when writing to a file
-x                       add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e <field>               field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n            switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a      print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n           select double, single, no quotes for values
-t ad|a|r|d|dd|e         output format of time stamps (def: r: rel. to first)
-u s|hms                 output format of seconds (def: s: seconds)
-l                       flush standard output after each packet
-q                       be more quiet on stdout (e.g. when using statistics)
-W n                     Save extra information in the file, if supported.
n = write network address resolution information
-X <key>:<value>         eXtension options, see the man page for details
-z <statistics>          various statistics, see the man page for details

Miscellaneous:
-h                       display this help and exit
-v                       display version info and exit
-o <name>:<value> …    override preference setting
-K <keytab>              keytab file to use for kerberos decryption
-G [report]              dump one of several available reports and exit
default report=”fields”
use “-G ?” for more help

Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.