Start Here

What does this thing do?
2 min |  Ross Jacobs |  August 8, 2019


What is tshark.dev?

tshark.dev is your complete guide to working with packet captures on the command line. The focus here is on doing everything in the CLI because that is an interface your scripts and programs can use. Bash features prominently here, with some examples also in Python and Ruby. Programs such as Termshark and PyShark do novel things by leveraging tshark. You can too by using this guide!

For the uninitiated, tshark is the CLI component of Wireshark (see below), and both help you troubleshoot network problems. If you do not have Wireshark installed and configured, Start Here. Use the minimap or sidebar to find what you need.

This is a living, breathing guide. Contributions and suggestions are welcome!

What is Wireshark?

Wireshark is a tool used to visualize network issues (see below).

Part of the power of Wireshark is that it makes Network Analysis easy by making it visual. You can search for packets with display filters and then use the packet details pane to look at the relevant info. Wireshark is well documented with the Official Documentation and the Wireshark Forums, among others.

Parts of Wireshark

Here we see the details and bytes of the selected packet.

In addition to a GUI version, Wireshark comes with many command-line utilities like tshark.

What is Tshark?

tshark (Terminal wireSHARK) is the command-line (CLI) tool that has most, but not all, of the features of Wireshark. The features tshark lacks are often found in other CLI tools that are bundled with Wireshark. All are documented online with manpages.

Most existing documentation on Wireshark focuses on the GUI. Wireshark’s CLI is just as good for most tasks and far better for scripting. This guide’s focus is tshark for these reasons.

Tshark Example

How Is This Different from Wireshark Docs?

Most Wireshark documentation focuses on the GUI. In its many forms, it spans two Wireshark guides, multiple forums, a wiki, man pages, developer email chains, etc. That is not to say the existing documentation is not good. You will find what you are looking for eventually.

Being outside of the Wireshark project allows this website to cover topics that are external to it. Depending on the article, this can vary from scripting with bash to example usage of other programs. Tshark.dev and Wireshark docs are related but differ in their scopes.