
Mastering tshark: Install, Capture, and Analyze Network Packets on CentOS 7

This guide introduces tshark, shows how to install it on CentOS 7, demonstrates common capture commands, explains key command‑line options, and provides troubleshooting tips for effective network packet analysis.

MaGe Linux Operations

1. Introduction to tshark

tshark is a network protocol analyzer that can capture live traffic, read from saved capture files, print decoded packets to standard output, or write them to a file. Its native capture format is pcapng, the same format used by Wireshark. Without options, tshark behaves like tcpdump, capturing from the first available interface and displaying a summary line for each packet.

Experimental environment: OS: CentOS 7.6; Wireshark version 1.10.14.

2. Installation Steps

1. Install the EPEL repository

# yum install -y epel-release

2. Install Wireshark (tshark is included in the package)

# yum install -y wireshark

3. Verify the installed version

# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)

3. Usage Examples

Show help information

# tshark --help

Show version information

# tshark -v

Capture on the eth0 interface

# tshark -i eth0

Capture the first 10 packets

# tshark -i eth0 -c 10

Capture HTTP packets (capture filter, libpcap syntax)

# tshark -i eth0 -f 'tcp dst port 80'

Capture only HTTP request packets

# tshark -i eth0 -f 'tcp dst port 80' -R "http.request"

Print specific fields (host and request URI) from HTTP packets

# tshark -i eth0 -n -f 'tcp dst port 80' -R 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l

Capture packets from a specific IP address

# tshark -i eth0 -R "ip.addr == 47.103.25.27"

The -R option accepts any Wireshark display filter; see the blog post “Common Wireshark filter expressions” for examples.
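As an added example that is not part of the original article, the POSIX shell script below wraps the -T fields command above (using -Y, which the option list notes can replace -R, and -E to fix the field separator) and counts requests per client IP and host so that one client hammering a host stands out. The interface name eth0 and the RUN_CAPTURE variable are assumptions, and the sample lines are constructed, not real capture data.

```shell
#!/bin/sh
# Added example, not part of the original article. It wraps the section 3
# "-T fields" command and summarises its output per client IP and host.

# Build the capture command: same capture filter and fields as the article,
# plus -E options so each request is one tab-separated line. The display
# filter is applied with -Y (the option list notes it can replace -R).
http_fields_cmd() {
    iface="${1:-eth0}"      # assumption: capture interface is eth0
    count="${2:-100}"       # stop after this many captured packets
    printf '%s' "tshark -i $iface -n -c $count -f 'tcp dst port 80'" \
        " -Y 'http.request' -T fields -e ip.src -e http.host" \
        " -e http.request.uri -E separator=/t -E occurrence=f -l"
}

# Count requests per (source IP, host) from tab-separated field lines and
# list the busiest pairs first; an unusually high count for one client
# is worth a closer look.
summarize_http() {
    awk -F '\t' 'NF >= 3 { n[$1 "\t" $2]++ }
        END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Constructed sample of the command's output (tab-separated: src, host, URI).
sample_http_fields() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5 www.example.com /index.html \
        10.0.0.5 www.example.com /login \
        10.0.0.9 www.example.com /index.html \
        10.0.0.5 www.example.com /admin
}

# Run the live capture only when tshark is installed and RUN_CAPTURE=1;
# otherwise demonstrate on the constructed sample.
if [ "${RUN_CAPTURE:-0}" = 1 ] && command -v tshark >/dev/null 2>&1; then
    eval "$(http_fields_cmd eth0 100)" | summarize_http
else
    sample_http_fields | summarize_http
fi
```

Run with RUN_CAPTURE=1 as root to summarise a real capture; without it the script only processes the constructed sample.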

4. Command‑Line Options Overview

Only a subset of frequently used parameters is listed here; the full reference is at https://www.wireshark.org/docs/man-pages/tshark.html .

Capture Interface Options

-i <interface>: interface name or index (default: first non‑loopback)

-f <capture filter>: libpcap filter expression

-s <snaplen>: snapshot length (default 262144)

-p: disable promiscuous mode (capture only traffic destined for the host)

-I: enable monitor mode if supported

-B <buffer size>: kernel buffer size (default 4 MB)

-y <link type>: link‑layer type (default first found)

-D: list all interfaces and exit

-L: list interface link‑layer types and exit

Capture Termination Options

-c <packet count>: stop after capturing n packets

-a <autostop condition> … duration:NUM: stop after NUM seconds

-a … filesize:NUM: stop when output file exceeds NUM KB

-a … files:NUM: stop after creating NUM files

Capture Output Options

-b <ringbuffer opt> … duration:NUM: switch to the next file after NUM seconds

-b … interval:NUM: create a new file every NUM seconds

-b … filesize:NUM: switch after the file exceeds NUM KB

-b … files:NUM: rotate after NUM files

File Reading Options

-r <infile>: read packets from the specified file

Analysis Options

-2: perform a two‑pass analysis

-R <read filter>: read filter using Wireshark syntax

-Y <display filter>: display filter (can replace -R)

-n: disable all name resolution

-N <name resolve flags>: enable specific name‑resolution layers (e.g., m for MAC, n for network, t for transport)

-d <layer_type>==,<decode_as_protocol> …: decode specific traffic, e.g.,

-d tcp.port==8888,http

Output Formatting Options

-w <outfile|->: write packets to a file in pcapng format (or ‘-’ for stdout)

-C <config profile>: use the specified configuration profile

-F <output file type>: set output file type (default pcapng)

-V: add a packet hierarchy tree to the output

-O <protocols>: display details only for listed protocols (comma‑separated)

-P: print a summary after each file

-S <separator>: line separator between packets

-x: include hex and ASCII dump of each packet

-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?: set output format (default text)

-j <protocolfilter>: protocol filter when using -T ek|pdml|json

-J <protocolfilter>: top‑level protocol filter for -T ek|pdml|json

-e <field>: print a field when using -T fields (multiple allowed)

-E <fieldsoption>=<value>: configure -T fields output (options such as header, separator, occurrence, quote)

Other Options

-h: display help

-v: display version

-o <name>:…: override configuration items

-K <keytab>: use a keytab file for Kerberos decryption

-G [report]: generate a report (default “fields”)

5. FAQ

Q: yum reports “No package tshark available”.

A: tshark is part of the Wireshark package; install Wireshark instead. You can confirm which package provides the binary with:

# yum provides tshark

Original article: https://blog.csdn.net/carefree2005/article/details/122131633
