If tshark captures on the correct interface without `-i`, you can skip this section.
Multiple types of interfaces are available in Wireshark:

Command | Captures from |
---|---|
`tshark -i <n>` | nth interface |
`tshark -i <interface name>` | interface |
`tshark -i -` | stdin |
`tshark -i FIFO` | FIFO file |
`tshark -i <extcap interface>` | extcap |
`tshark -r <file>` | file |
If no `-i` argument is given, `tshark` behaves as `tshark -i 1`.
You may need to use sudo when capturing, depending on how you installed dumpcap on your system.

`tshark -D` and `dumpcap -D` each print the interfaces they are aware of. dumpcap knows of a subset of tshark's interfaces (dumpcap is not aware of extcap interfaces). Prefer `tshark -D` to `dumpcap -D` in scripts.
If we wanted to capture traffic on p2p0, we could do so with `tshark -i 2`.
Interface numbers can change if interfaces are added or removed. Interface names are less likely to change, so prefer them in scripts. tshark expects the exact name of the interface; if the name contains spaces or special characters, wrap it in 'single quotes'.
If you run `ping 8.8.8.8 & tshark`, you should start seeing numbered packets from tshark:

If you don't, find out what interfaces you have available, as the one you are currently using is not working. `tshark -D` will show you a list of interfaces tshark is aware of. If in doubt, `ifconfig` on *nix and `ipconfig /all` on Windows will print all interfaces.

If you still do not see any packets captured, try `tshark -i <interface>` with an interface from the `tshark -D` listing above.
These one-liners will print the exact interface name on each OS.

```
# Using PowerShell on Windows
Get-NetAdapter | where {$_.Status -eq "Up"} | Select -ExpandProperty Name
# BSD & macOS
route get default | awk '/interface:/{print $NF}'
# Linux
route | awk '/^default|^0.0.0.0/{print $NF}'
```
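Building on the advice above to prefer interface names over numbers and `tshark -D` in scripts, here is an added example (not from the original page or the Wireshark project) that resolves a name against a `tshark -D` listing and refuses to run when the name is absent, so a script never silently falls back to `-i 1`. The listing is constructed sample output in the format `tshark -D` prints, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: choose a capture interface by exact name rather than by
# position. SAMPLE_LISTING is constructed sample output in the "N. name
# (description)" format that tshark -D prints; it stands in for a live run.
SAMPLE_LISTING='1. eth0
2. p2p0
3. wlan0 (Wireless)
4. any (Pseudo-device that captures on all interfaces)
5. lo (Loopback)'

# Print the number tshark -D assigned to NAME, or nothing if NAME is not
# listed. Usage: iface_index NAME [LISTING]; LISTING defaults to a live
# `tshark -D` run. Matching is on the whole second field, so "eth" does
# not match "eth0" and a description in parentheses is ignored.
iface_index() {
    name=$1
    listing=${2:-$(tshark -D 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v want="$name" '
        # Field 1 is "N.", field 2 is the exact interface name.
        $2 == want { sub(/\.$/, "", $1); print $1; exit }'
}

# Return 0 when NAME is an interface tshark knows about, 1 otherwise.
iface_exists() {
    [ -n "$(iface_index "$1" "$2")" ]
}

# Print the tshark command line for NAME, or fail loudly when NAME is not
# in the listing instead of letting tshark default to interface 1.
capture_cmd() {
    name=$1
    listing=$2
    if iface_exists "$name" "$listing"; then
        printf 'tshark -i %s\n' "$name"
    else
        printf 'error: interface %s not in tshark -D output\n' "$name" >&2
        return 1
    fi
}
```

Pass only the name to `iface_index` to query the live `tshark -D` output; the second argument exists so the logic can be checked against a fixed listing.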
You shouldn't need to specify the link-layer type, as it is detected automatically. `tshark -i ${interface} -L` will show you the available DLTs for the interface. If you need to change the DLT, use `tshark -i ${interface} -y ${DLT}`. For wireless adapters, changing the DLT to PPI is the equivalent of `-I` (turning on monitor mode).
You can specify monitor mode and promiscuous mode with `-I` and `-p` respectively. Monitor mode applies to 802.11 interfaces only and allows sniffing traffic on all BSSIDs in range. This is important for 802.11 troubleshooting, where control frames direct and describe wireless conversations. Promiscuous mode is the default and allows snooping ALL traffic, not just the packets destined for your MAC address (normally the others are discarded). Turning it off gives you a view of what the CPU sees instead of what the network adapter sees.
More information can be found in the Wireshark Guide.