Using tshark
Another useful tool for analysing pcap files is tshark, the console version of Wireshark. tshark has virtually the same functionality as tcpdump, but adds Wireshark's protocol dissectors and its display-filter syntax. To read a previously recorded pcap file, the -r option is used, as with tcpdump. The output format depends on the protocol, so tshark shows application-level information. To obtain more detail, use the -V option; to display packets in hex and ASCII, use the -x option.
tshark accepts capture filters, whose syntax is similar to tcpdump's BPF, and display filters, which rely on the built-in protocol dissectors. Capture filters are passed with the -f option and read (display) filters with the -R option (newer tshark releases expect -Y for a single-pass display filter). So, to read a pcap file of DNS traffic, you can use the following command:
tshark -r dump.pcap -R 'udp && udp.dstport == 53'
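As an added example that is not part of the original text, the script below turns the same idea into a small triage step: it reads a pcap with tshark, keeps only DNS queries (not responses), emits client and queried name as tab-separated fields, and ranks the names from rarest to most common so that one-off lookups stand out. The sample lines fed to rank_sample are constructed, and the script assumes tshark is on PATH only for the dns_queries step.

```shell
#!/bin/sh
# Display filter: UDP to port 53 that is a DNS query, not a response.
# (udp.dstport is the valid tshark field name for the destination port.)
dns_query_filter() {
    printf '%s' 'udp.dstport == 53 && dns.flags.response == 0'
}

# Run tshark over a pcap, emitting one "client<TAB>qname" line per query.
# -Y is the single-pass display filter in current tshark (older releases used -R).
dns_queries() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 127; }
    tshark -r "$1" -Y "$(dns_query_filter)" -T fields -E separator=/t \
        -e ip.src -e dns.qry.name
}

# Count queries per name (stdin, tab-separated) and list the rarest first:
# names looked up only once are the ones worth a second look in triage.
rank_rare_names() {
    awk -F '\t' '$2 != "" { n[$2]++ } END { for (q in n) printf "%d\t%s\n", n[q], q }' \
        | sort -k1,1n -k2,2
}

# Constructed sample of what dns_queries would emit, so the ranking step can be
# exercised without a capture file or tshark itself.
rank_sample() {
    printf '%s\t%s\n' \
        10.0.0.5 example.com \
        10.0.0.5 example.com \
        10.0.0.7 example.com \
        10.0.0.7 updates.example.org \
        10.0.0.9 xk3f9q.example.net | rank_rare_names
}

# Usage: sh dns_rank.sh dump.pcap
if [ -n "$1" ]; then
    dns_queries "$1" | rank_rare_names
fi
```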
Another useful feature is the ability to generate...