Wireshark in the Terminal: Using tshark

Added: 2026-05-20

[00:00:00]Wireshark in the terminal, mastering Tshark.

[00:00:04]Welcome.

[00:00:05]In this tutorial, we're diving into the world of network analysis with Tshark, the terminal-based version of Wireshark.

[00:00:11]Remember, this is for educational purposes only.

[00:00:16]First, let's list all the available network interfaces on our machine using Tshark {dash} D.

[00:00:22]This command gives us a numbered list of interfaces we can monitor.

[00:00:27]Next, we're capturing packets on the WLAN0 interface.

[00:00:32]By using {dash} i 0, we specify the interface. And {dash} c 10 limits the capture to just 10 packets.

[00:00:40]This is a great way to quickly check the traffic on your network without getting overwhelmed by data.

[00:00:47]Now, let's focus on HTTP traffic by filtering packets on TCP port 80 with {dash} f TCP port 80.

[00:00:56]We're using {dash} a duration 30 to capture for 30 seconds. This way, we can see all the HTTP requests and responses flowing through our network interface.

[00:01:07]You can also analyze previously captured data.

[00:01:10]Let's read a file named capture.pcap with {dash} r and filter for HTTP requests using {dash} q.request.

[00:01:18]This allows us to focus on specific types of traffic even after the capture is complete.

[00:01:24]For more detailed analysis, Shark can extract specific fields from packets.

[00:01:30]Using {dash} T fields with {dash} E options, we extract the source IP, destination IP, and HTTP host header.

[00:01:38]This provides a concise view of who's communicating with whom and what domains are being accessed.

[00:01:44]Finally, let's look at some statistics using {dash} q for quiet mode and {dash} z for statistics.

[00:01:51]Here, we're generating 10-second interval statistics for TCP and UDP traffic, giving us insight into the network's bandwidth usage.