Packet Analysis

Wireshark is used for Passive Network Analysis to diagnose network issues. tshark provides a CLI for this tool. This guide provides examples and direction on how to use tshark and pitfalls to avoid. This is a living, breathing guide. If you’d like to contribute, fork me on GitHub!

How is this different from Wireshark docs?

Wireshark documentation is sufficient to document a feature’s existance, but not its usage. It’s a reference, not a guide.

If you have a Wireshark question, there are mayn good resources like the Official Documentation, the manpages, or you can ask a question on Wireshark Forums.

Philosophy

• Add examples so they exist
• Articles should help you find information as fast as possible. This means short articles.
• If X has already been written, link to it instead of writing the same article twice.

Table of Contents

• Setup
• Installation
• Configuration

• Capture Pcap
• Choosing an Interface
• Unusual Interfaces

• Search Online Pcaps
• Generate Pcap
• Randpkt
• Script Packets
• Use a Program

• Edit Pcap
• editcap
• reordercap
• mergecap
• text2pcap
• Editing Hex

• Export Files
• Analyze Pcap
• Tshark Decryption

• Communicate Results
• SharkFu
• Tshark, Colorized

• Next Steps
• Further Reading
• Contribute