If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file that is missing some of the packets of interest will waste your time. You aren’t seeing a true picture of the traffic, and, when you open the trace file in Wireshark after the capture, you will likely see the Expert Info complain about problems (retransmissions, lost segments, and the like) that never actually happened on the wire. There is a solution, and you may not even realize that you already have it: Tshark!
When you installed Wireshark, you likely also installed a set of command-line interface (CLI) tools into the Wireshark program directory. One of these CLI tools is Tshark. Tshark can be used to capture and analyze traffic. It offers more functionality than the standard tcpdump and may become your go-to tool for grabbing the right packets from the network.
Why use Tshark? When capturing on a busy network interface, you may find that Wireshark can’t keep up with the packet rate. Many factors affect Wireshark’s capture capabilities. If you are running lots of processes on your host, Wireshark may just not be able to keep up with the capture process. If this happens, Wireshark may display “Dropped: [number/percentage]” on the Status Bar, as shown below.
Interestingly, Tshark can’t capture traffic itself. It calls another Wireshark CLI tool, Dumpcap, to capture the traffic. You could use Dumpcap to capture the traffic, but Dumpcap doesn’t have all the features that Tshark offers. In this article, we’ll work with Tshark as our capture tool.
Tip 1: Add the Wireshark Program Directory to Your Path
First – you want to add the Wireshark program directory to your path, so you don’t have to type “[drive/directory]:tshark” each time you run (Read more...)
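An added example (not code from the original post) that puts the article's advice into a small POSIX shell helper: Tip 1's PATH change done so it can be repeated safely, a capture command that keeps Tshark's per-packet work to a minimum, and a check of Dumpcap's end-of-capture summary for dropped packets. The directory name and the sample summary lines are constructed; the summary line shape is Dumpcap's as printed on stderr by current releases.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the article's
# advice (put the Wireshark directory on PATH, capture with Tshark instead
# of the GUI, and confirm the capture did not drop packets).
# /opt/wireshark-placeholder and the sample summaries below are constructed.

# Tip 1: prepend the Wireshark program directory to PATH, only if it is
# not already there (calling this twice must not duplicate the entry).
add_wireshark_to_path() {
    case ":$PATH:" in
        *":$1:"*) ;;                                 # already on PATH
        *) PATH="$1:$PATH"; export PATH ;;
    esac
}

# Compose a capture command that does as little per-packet work as
# possible: -w writes raw packets, -q suppresses per-packet printing,
# -n disables name resolution, -s caps bytes per packet, -b rotates the
# output into a 10-file ring of 100 MB each, -a stops after N seconds.
# Usage: build_capture_cmd IFACE OUTFILE SECONDS [SNAPLEN]
build_capture_cmd() {
    printf 'tshark -i %s -n -q -s %s -b filesize:100000 -b files:10 -a duration:%s -w %s\n' \
        "$1" "${4:-262144}" "$3" "$2"
}

# Dumpcap (which Tshark calls to do the capture) prints a per-interface
# summary on stderr when the capture ends; extract the dropped count.
# Expected line shape:
#   Packets received/dropped on interface 'eth0': 1234/5 (pcap:5/dumpcap:0/flushed:0/ps_ifdrop:0) (99.6%)
dropped_from_summary() {
    sed -n "s|^Packets received/dropped on interface '[^']*': [0-9]*/\([0-9]*\) .*|\1|p"
}

# Succeeds only when the summary on stdin reports zero dropped packets.
summary_has_no_drops() {
    n=$(dropped_from_summary)
    [ -n "$n" ] && [ "$n" -eq 0 ]
}

# Constructed sample summaries for trying the helpers offline.
SAMPLE_SUMMARY="Packets received/dropped on interface 'eth0': 1234/5 (pcap:5/dumpcap:0/flushed:0/ps_ifdrop:0) (99.6%)"
CLEAN_SUMMARY="Packets received/dropped on interface 'eth0': 1234/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)"

# Example run (stderr saved to capture.log so the summary can be checked):
#   eval "$(build_capture_cmd eth0 /tmp/capture.pcapng 60)" 2>capture.log
#   summary_has_no_drops <capture.log || echo "capture dropped packets; lower the snaplen or reduce host load"
```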
*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by Laura Chappell. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/H8exW_DS7C0/