We can use tcpdump to capture packets and tshark to analyse them.
$ tcpdump --help
tcpdump version 4.9.2
libpcap version 1.7.4
OpenSSL 1.0.2g 1 Mar 2016
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
Using the help above, let's capture packets and write them to a file named captured_packets.pcap:
$ sudo tcpdump -i wlan0 -w captured_packets.pcap
Do some network activity, such as browsing a website, to generate traffic for testing (packets may already be flowing on the network even if you did nothing on purpose).
Press Ctrl+C to stop the capture when you are done. The capture session looks like this:
$ sudo tcpdump -i wlan0 -w captured_packets.pcap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C371 packets captured
371 packets received by filter
0 packets dropped by kernel
So it shows that we captured 371 packets. Let's check the captured file:
$ ls -l captured_packets.pcap
-rw-r--r-- 1 root root 91365 May 1 00:06 captured_packets.pcap
Now let's decode / analyse those captured packets; for that we will use tshark, which is the command-line version of Wireshark.
$ sudo apt install tshark
$ tshark -r captured_packets.pcap -V
We can redirect the analysed output to a file:
$ tshark -r captured_packets.pcap -V > Analysed_text_file.txt
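To see what tshark is actually decoding from that file, here is an added example (not code from the post, and not tshark's or tcpdump's own code) that reads the classic pcap format written by `tcpdump -w` using only Python's standard library, decodes the Ethernet, IPv4 and TCP/UDP headers, and returns a one-line summary per packet, the same fields that make up tshark's summary lines. The two-packet capture it parses is constructed inline from addresses in the documentation ranges so that it runs offline; the function names (parse_pcap, decode_frame, summarize, build_sample_pcap) are my own.

```python
"""Reader for the classic pcap format that `tcpdump -w` writes (added example,
not code from the post or from tcpdump/tshark). It decodes the record framing
plus Ethernet/IPv4/TCP/UDP headers, which is the first part of what
`tshark -r file.pcap -V` shows. The sample capture is constructed inline."""
import socket
import struct

LINKTYPE_ETHERNET = 1  # tcpdump reports this as "link-type EN10MB (Ethernet)"

# magic number as read little-endian -> (byte order of the file, timestamp unit)
MAGICS = {
    0xA1B2C3D4: ("<", 1e-6),  # little-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1e-9),  # little-endian, nanosecond timestamps
    0xD4C3B2A1: (">", 1e-6),  # big-endian, microsecond timestamps
    0x4D3CB2A1: (">", 1e-9),  # big-endian, nanosecond timestamps
}


def parse_pcap(data: bytes):
    """Yield (timestamp, captured_len, original_len, frame_bytes) per record."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng, tshark's default, differs)")
    endian, tick = MAGICS[magic]
    # 24-byte global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link-type {linktype} is not handled by this reader")
    off = 24
    while off + 16 <= len(data):
        # 16-byte record header: ts seconds, ts fraction, captured length, wire length
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            # a capture killed mid-write leaves a short final record; do not guess at it
            raise ValueError(f"truncated record at offset {off - 16}")
        yield ts_sec + ts_frac * tick, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(pkt: bytes) -> dict:
    """Decode Ethernet II, IPv4 and the TCP/UDP port pair; stop at the first layer not parsed."""
    if len(pkt) < 14:
        return {"error": "truncated Ethernet header"}
    dst, src, ethertype = struct.unpack_from("!6s6sH", pkt, 0)
    info = {"eth_src": mac(src), "eth_dst": mac(dst), "ethertype": ethertype}
    if ethertype != 0x0800 or len(pkt) < 34:  # only IPv4 is decoded here
        return info
    vihl, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", pkt, 14)
    ihl = (vihl & 0x0F) * 4  # header length in bytes; options make it larger than 20
    info.update(ip_src=socket.inet_ntoa(sip), ip_dst=socket.inet_ntoa(dip), ip_proto=proto, ttl=ttl)
    if proto in (6, 17) and len(pkt) >= 14 + ihl + 4:  # TCP or UDP: ports are the first 4 bytes
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", pkt, 14 + ihl)
    return info


def summarize(data: bytes) -> list:
    """One dict per packet, roughly the fields of tshark's one-line summary."""
    return [{"ts": ts, "len": orig, **decode_frame(pkt)} for ts, _, orig, pkt in parse_pcap(data)]


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture (a DNS query and a TCP SYN), not a real trace."""
    def frame(src_ip, dst_ip, proto, payload):
        eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"  # dst, src, IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        return eth + ip + payload
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)                                 # UDP header only
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)  # TCP SYN
    frames = [frame("192.0.2.10", "198.51.100.53", 17, udp), frame("192.0.2.10", "203.0.113.80", 6, tcp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1556650000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for rec in summarize(build_sample_pcap()):
        print(rec)
```

To run it on the file from the post, pass `open("captured_packets.pcap", "rb").read()` to `summarize()`; tshark's `-Y` display filter does the same selection over its full dissection. Two caveats the reader is built around: tcpdump writes classic pcap, while tshark's `-w` defaults to pcapng (as its help says), which this reader rejects rather than misparsing; and a capture interrupted mid-write can leave a short final record, which raises instead of being silently decoded as garbage.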
Check the help:
$ tshark --help
TShark (Wireshark) 2.2.6 (Git Rev Unknown from unknown)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: tshark [options] ...
Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (- to read from stdin)
Processing:
  -2                       perform a two-pass analysis
  -R <read filter>         packet Read filter in Wireshark display filter syntax
  -Y <display filter>      packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mnNtCd"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --disable-protocol <proto_name>
                           disable dissection of proto_name
  --enable-heuristic <short_name>
                           enable dissection of heuristic protocol
  --disable-heuristic <short_name>
                           disable dissection of heuristic protocol
Output:
  -w <outfile|->           write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G ?" for more help
WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"