Tshark
While working with networked applications and distributed systems, it sometimes becomes to necessary to take a look at the network traffic for debugging. There are many tools that you can use to inspect network traffic but on this page we will discuss tshark.
tshark is a CLI included with the wireshark package that allows you to apply filters and view incoming and outgoing traffic on your machine. You can also install tshark as a standalone tool using your package manager on ubuntu.
Installing tshark
On a cloud9 environment you can simply use apt-get to install tshark:
sudo apt-get install tshark
Using Tshark
List interfaces
To list the interfaces available for monitoring on your server, you can use the -D flag.
sudo tshark -D
This produces the following output:
Running as user "root" and group "root". This could be dangerous.
1. eth0
2. any
3. lo (Loopback)
4. docker0
5. nflog
6. nfqueue
7. ciscodump (Cisco remote capture)
8. randpkt (Random packet generator)
9. sshdump (SSH remote capture)
10. udpdump (UDP Listener remote capture)
Capture traffic
To Capture on an interface, you can then specify an interface with the -i flag:
sudo tshark -i eth0
This produces a lot of output that is hard to follow and probably not useful for you. Instead, you can filter based on many filter flags such as protocol, port, ip address and many more. We’ll cover a few below.
Capture traffic based on port
You may find that you know the port of a service you want to inspect. The -Y flag allows you to specify a filter for packets. If you want to view only traffic going to a specific port then you can use tcp.dstport like so:
tshark -Y "tcp.dstport == 9800"
You can do the same for traffic originating from a certain port with tcp.srcport as well as for a udp port using: udp.port.
Capture traffic based on ip address
If you want to view only traffic going to a specific ip address then you can use ip.dst like so:
tshark -Y "ip.dst == 18.206.216.172"
Similar results can be achieved with ip.src.
Show the contents of packets
It can be helpful to see the contents of packets for diagnosing issues. To do so we can use the -x flag to show the hex contents. This can be done like so:
tshark -Y "tcp.dstport == 9800" -x
This will show you an output like so:
Capturing on 'Wi-Fi: en0'
0000 48 5d 36 18 68 61 e0 ac cb 5d ec cc 08 00 45 00 H]6.ha...]....E.
0010 00 40 00 00 40 00 40 06 8c fb c0 a8 01 9a 12 ce .@..@.@.........
0020 d8 ac f8 da 26 48 06 86 30 ac 00 00 00 00 b0 02 ....&H..0.......
0030 ff ff 50 f2 00 00 02 04 05 b4 01 03 03 06 01 01 ..P.............
0040 08 0a 1a db c7 1c 00 00 00 00 04 02 00 00 ..............
Show detailed packet information
Sometimes you need to take an even deeper dive into your packets. You can do this by using the -V command. It will show full protocol infortmation for ethernet, ipv4 and tcp as well as any additional details. It is used like so:
tshark -Y "tcp.dstport == 9800" -V
You can also use the -O options to show the same output for a specific protocol like so:
tshark -Y "tcp.dstport == 9800" -O tcp
Filter based on request method
When working with api’s and backend endpoints, you may want to filter packets based on http protocols. You can do so by using http.request.method. To find GET requests, you can do the following:
tshark -Y 'http.request.method == "GET"' -x
Using a trace file
Instead of observing live traffic, you can also use tshark to analyze packets stored in a trace. Packet traces are typically stored in pcap format. To analyze a trace file use:
tshark -Y 'http.request.method == "GET"' -x -r file.pcap