Wireshark

From wikinotes

Wireshark is a packet sniffer and protocol analyzer. It captures and decodes the traffic visible to the capture interface, which on a switched network is normally only your own host's traffic plus broadcast/multicast unless you capture from a mirror port or tap.

Documentation

man tshark https://www.wireshark.org/docs/man-pages/tshark.html
man wireshark-filter (display filter syntax) https://www.wireshark.org/docs/man-pages/wireshark-filter.html
man pcap-filter (capture filter syntax) https://www.tcpdump.org/manpages/pcap-filter.7.html

Install

sudo pacman -S wireshark-cli          # tshark, dumpcap, capinfos, editcap, ...
sudo usermod -a -G wireshark will     # "will" is your username; the package lets
                                      # members of the wireshark group capture via
                                      # dumpcap's capabilities, so tshark need not run as root

newgrp wireshark  # make the group change active without logging out
tshark            # run the CLI (tshark); the GUI is the separate wireshark package

Usage

# capture filters (-f) use pcap-filter (BPF) syntax and compose with and/or/not;
# en0 is a macOS interface name, on Linux use e.g. eth0/wlan0 (tshark -D lists them)
tshark -i any             # capture on all ifaces (Linux-only pseudo-interface)
tshark -i en0 -f "tcp"
tshark -i en0 -f "tcp port 80 or tcp port 443"

# write/read dump; without -i tshark picks the first non-loopback interface, and
# -w writes pcapng by default whatever the extension (add -F pcap for legacy pcap)
tshark -w out.pcap
tshark -r out.pcap

# extract HTTP GET/HEAD requests from a dump, fully decoded (-V);
# -2 -R filters in a second pass, after reassembly/conversation state is built
tshark -r out.pcap -V -2 -R 'http.request.method == "GET" || http.request.method == "HEAD"'

# exclude all traffic to or from an ip addr; write !(x == y) rather than x != y:
# before Wireshark 3.6, 'ip.addr != a' matched any packet whose src OR dst differed,
# i.e. almost everything
tshark -r out.pcap -Y '!(ip.addr == 192.168.1.100)'

# allowlist http requests/responses (-R needs -2; for a single pass use -Y)
tshark -r out.pcap -Y 'http.request || http.response'

Filters

  • capture filter -f {exp}: pcap-filter (BPF) syntax, applied by libpcap/the kernel while capturing; non-matching packets are never written, which keeps captures small but cannot be undone afterwards
  • display filter (single pass) -Y {exp}: wireshark-filter syntax over dissected fields; works on live captures and on files
  • display filter (double pass) -2 -R {exp}: for files read with -r; the first pass builds reassembly and conversation state, the second filters, so fields that depend on later packets (reassembled payloads, tcp.analysis flags) are correct. -R without -2 is rejected by current tshark
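As an added example (not part of the original notes), the Python script below hand-builds a small capture to try the filters above against known frames: an HTTP request/response between 192.168.1.50 and 198.51.100.10, and two empty ACKs to and from 192.168.1.100. All hosts, MACs, ports, timestamps and payloads are constructed (private and documentation address ranges). It writes the legacy pcap format that tshark -r reads, checks its own IP/TCP checksums, and, if tshark is on PATH, runs three of the display filters from the Usage section and prints the frame numbers each one matches (http.request should match frame 1, http.request || http.response frames 1 and 2, and !(ip.addr == 192.168.1.100) frames 1 and 2).

```python
#!/usr/bin/env python3
"""Write a small, hand-built pcap so the tshark display filters in these notes
can be tried against known frames. Every address and payload is constructed."""
import shutil
import struct
import subprocess
import sys

PCAP_MAGIC = 0xA1B2C3D4        # legacy pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_ACK, TCP_PSH = 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def mac_bytes(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", seq=1, ack=1):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums (constructed MACs)."""
    tcp_len = 20 + len(payload)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                                5 << 4, flags, 65535, 0, 0)) + payload
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, tcp_len)
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    iph = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                                0x4000, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip)))
    iph[10:12] = struct.pack("!H", checksum(bytes(iph)))
    eth = mac_bytes("02:00:00:00:00:02") + mac_bytes("02:00:00:00:00:01") + b"\x08\x00"
    return eth + bytes(iph) + bytes(tcp)


def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums; a well-formed frame sums to zero in each."""
    iph, tcp = frame[14:34], frame[34:]
    pseudo = struct.pack("!4s4sBBH", iph[12:16], iph[16:20], 0, 6, len(tcp))
    return checksum(iph) == 0 and checksum(pseudo + tcp) == 0


def sample_frames():
    """Four constructed frames: one HTTP exchange plus chatter from 192.168.1.100."""
    client, noisy, server = "192.168.1.50", "192.168.1.100", "198.51.100.10"
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return [
        tcp_frame(client, server, 40000, 80, TCP_PSH | TCP_ACK, req),
        tcp_frame(server, client, 80, 40000, TCP_PSH | TCP_ACK, resp, ack=1 + len(req)),
        tcp_frame(noisy, server, 40001, 443, TCP_ACK),
        tcp_frame(server, noisy, 443, 40001, TCP_ACK),
    ]


def build_pcap(frames, snaplen=65535) -> bytes:
    """Global header plus one record per frame; byte order fixed to little-endian."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Minimal reader for the format written above (little-endian only); yields frames."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian legacy pcap")
    pos = 24
    while pos < len(data):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "fixture.pcap"
    with open(path, "wb") as f:
        f.write(build_pcap(sample_frames()))
    print(f"wrote {path}")
    if shutil.which("tshark"):   # show which frames each display filter selects
        for flt in ("http.request", "http.request || http.response",
                    "!(ip.addr == 192.168.1.100)"):
            cmd = ["tshark", "-r", path, "-Y", flt, "-T", "fields", "-e", "frame.number"]
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            print(f"{flt!r:40} -> frames {out.split()}")
```

Run it as `python3 fixture.py out.pcap` and then try the other commands from the Usage section on the file; a capture filter (-f) cannot be applied to a file, which is a quick way to see the difference between the two filter kinds.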