tshark Cheat Sheet

CLI Wireshark for capture, display filters, and protocol field extraction on authorized traffic.

Network & Protocol · analysis, pcap, wireshark · Updated 2026-06-02

Overview

tshark analyzes live traffic or saved PCAPs with display filters and field extraction; it is the scriptable alternative to the Wireshark GUI for authorized packet review and reporting.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y tshark
sudo usermod -aG wireshark $USER

Essential commands

Capture like tcpdump

sudo tshark -i eth0 -w capture.pcap

Read pcap with summary

tshark -r capture.pcap -q -z io,stat,0

Common workflows

Live capture with filter —

sudo tshark -i eth0 -f "host 10.10.10.5" -w target.pcap
sudo tshark -i eth0 -Y "http.request" -T fields -e http.host -e http.request.uri

Extract HTTP objects and credentials (cleartext) —

tshark -r capture.pcap -Y "http.request.method==POST" -T fields \
  -e ip.src -e http.host -e http.request.uri -e urlencoded-form.key

Kerberos / SMB (AD pentest) —

tshark -r capture.pcap -Y "kerberos.msg_type==30" -T fields -e kerberos.CNameString
tshark -r capture.pcap -Y "smb2.cmd==5" -T fields -e ip.src -e ip.dst -e smb2.filename
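The Kerberos extraction above produces one line per KRB-ERROR; on its own that is a wall of usernames. The added script below (not part of the original cheat sheet) is a defender's follow-up: it reads the tab-separated output of tshark -T fields -e ip.src -e kerberos.CNameString -e kerberos.error_code and reports any source that collected authentication failures for many distinct account names, which is how a password-spray shows up in a capture. It assumes the client name is present in the error packets (as the cheat sheet's command does) and uses error codes 24 (KDC_ERR_PREAUTH_FAILED) and 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from RFC 4120; the sample input is constructed so the script runs without a pcap.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# Input: tab-separated lines "ip.src<TAB>kerberos.CNameString<TAB>kerberos.error_code",
# i.e. what this produces:
#   tshark -r capture.pcap -Y "kerberos.msg_type == 30" -T fields \
#     -e ip.src -e kerberos.CNameString -e kerberos.error_code
# Error codes per RFC 4120: 24 = KDC_ERR_PREAUTH_FAILED (wrong password),
# 6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account). 25 (pre-auth required)
# is part of normal logon and is deliberately ignored.

# krb_fail_fanout MIN_USERS: print sources whose failures span >= MIN_USERS accounts
krb_fail_fanout() {
  min_users="${1:-5}"
  LC_ALL=C awk -F'\t' -v min_users="$min_users" '
    $3 == 24 || $3 == 6 {
      key = $1 SUBSEP tolower($2)            # one entry per (source, account) pair
      if (!(key in seen)) { seen[key] = 1; users[$1]++ }
      fails[$1]++
    }
    END {
      for (ip in users)
        if (users[ip] >= min_users)
          printf "%s %d distinct accounts, %d failures\n", ip, users[ip], fails[ip]
    }' | sort
}

# Constructed sample: one host mistyping its own password, one host walking
# through account names, and one normal pre-auth-required exchange.
sample_krb() {
  printf '10.0.0.5\tjdoe\t24\n'
  printf '10.0.0.5\tjdoe\t24\n'
  i=1
  while [ "$i" -le 8 ]; do
    printf '10.0.0.77\tuser%02d\t6\n' "$i"
    i=$((i + 1))
  done
  printf '10.0.0.77\tadmin\t24\n'
  printf '10.0.0.9\tsvc-backup\t25\n'
}

# Usage with real data:
#   tshark -r capture.pcap -Y "kerberos.msg_type == 30" -T fields \
#     -e ip.src -e kerberos.CNameString -e kerberos.error_code | krb_fail_fanout 5
sample_krb | krb_fail_fanout 5
```

The threshold is the only tuning knob: a help desk jump host legitimately fails for several users a day, so set it from a baseline of your own environment rather than the default of 5.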

DNS exfil or lookups —

tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u
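sort -u shows which names were looked up, but DNS tunnelling hides in the shape of the names, not in any single one. The added script below (not from the original cheat sheet) takes the same dns.qry.name field output and summarizes it per registrable domain: how many unique subdomains were queried, the longest label seen, and the average query-name length. A zone with hundreds of unique, long, random-looking labels stands out immediately. It assumes the registrable domain is the last two labels (fine for .com/.net-style zones; co.uk-style suffixes would need a public-suffix list), and the sample input is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# Input: one query name per line, i.e. the output of
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
# Assumption: registrable domain = last two labels (no public-suffix handling).

# dns_exfil_report MIN_SUBS: per domain with >= MIN_SUBS unique subdomains, print
#   unique_subdomains max_label_len avg_qname_len domain
dns_exfil_report() {
  min_subs="${1:-20}"
  sort -u | LC_ALL=C awk -v min_subs="$min_subs" '
    {
      qname = tolower($0)
      n = split(qname, lab, ".")
      if (n < 3) next                          # bare domain: nothing to tunnel in
      dom = lab[n-1] "." lab[n]
      subs[dom]++
      total[dom] += length(qname)
      for (i = 1; i <= n - 2; i++)             # longest label left of the domain
        if (length(lab[i]) > maxlab[dom]) maxlab[dom] = length(lab[i])
    }
    END {
      for (d in subs)
        if (subs[d] >= min_subs)
          printf "%d %d %.1f %s\n", subs[d], maxlab[d], total[d] / subs[d], d
    }' | sort -rn
}

# Constructed sample: a few ordinary lookups plus a burst of 32-character
# hex labels under one zone, the pattern a tunnel leaves behind.
sample_qnames() {
  cat <<'EOF'
www.example.com
mail.example.com
www.example.com
cdn.example.net
EOF
  i=0
  while [ "$i" -lt 25 ]; do
    printf '%032x.t.exfil-example.test\n' "$i"
    i=$((i + 1))
  done
}

# Usage with real data:
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name \
#     | dns_exfil_report 20
sample_qnames | dns_exfil_report 20
```

Filtering on dns.flags.response == 0 instead of plain dns avoids counting each name twice (query and answer); the threshold and the label-length column together separate CDN-style hostnames, which are numerous but short, from encoded payloads, which are numerous and long.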

Follow TCP stream —

tshark -r capture.pcap -qz follow,tcp,ascii,0

Export JSON for tooling —

tshark -r capture.pcap -T json > packets.json

Flags reference

-i IF        Capture interface
-r FILE      Input PCAP
-w FILE      Output PCAP
-f FILTER    Capture (BPF) filter
-Y FILTER    Display filter
-T fields    Field output
-e FIELD     Field to print
-T json      JSON output
-q           Quiet (stats modes)
-z           Statistics
-c N         Packet count limit

Tips

  • Display filters (-Y) differ from capture filters (-f); use -f to reduce file size at capture time.
  • tshark -G fields | grep -i kerberos lists extractable field names.
  • For encrypted TLS, look for metadata (SNI, JA3) unless keys are available.
  • In CLI-only remote SSH sessions, pair tcpdump for live capture with tshark for analysis of the saved file.