[ Tshark CLI (MUSL) ] [ 3.4.6 ] a network protocol analyzer. It lets you capture packet data

This is the best place for community developers to publish their genius work. Your Apps enrich the QNAP Turbo NAS.
Post Reply
User avatar
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

[ Tshark CLI (MUSL) ] [ 3.4.6 ] a network protocol analyzer. It lets you capture packet data

Post by QNAP_Stephane »

Image
Source https://www.wireshark.org/docs/man-pages/tshark.html

Require : MUSL FRAMEWORK MUST BE INSTALLED ON NAS
https://www.qnapclub.eu/fr/qpkg/1098

Download :

https://www.qnapclub.eu/fr/qpkg/1156


Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on the standard output for each received packet.

When run with the -r option, specifying a capture file from which to read, TShark will again work much like tcpdump, reading packets from the file and displaying a summary line on the standard output for each packet read. TShark is able to detect, read and write the same capture files that are supported by Wireshark. The input file doesn't need a specific filename extension; the file format and an optional gzip compression will be automatically detected. Near the beginning of the DESCRIPTION section of wireshark(1) or https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed description of the way Wireshark handles this, which is the same way Tshark handles this.

Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present when compiling TShark, it will be possible to compile it, but the resulting program will be unable to read compressed files.

When displaying packets on the standard output, TShark writes, by default, a summary line containing the fields specified by the preferences file (which are also the fields displayed in the packet list pane in Wireshark), although if it's writing packets as it captures them, rather than writing packets from a saved capture file, it won't show the "frame number" field. If the -V option is specified, it instead writes a view of the details of the packet, showing all the fields of all protocols in the packet. If the -O option is specified, it will only show the full details for the protocols specified, and show only the top-level detail line for all other protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify. If the -P option is specified with either the -V or -O options, both the summary line for the entire packet and the details will be displayed.

Packet capturing is performed with the pcap library. That library supports specifying a filter expression; packets that don't match that filter are discarded. The -f option is used to specify a capture filter. The syntax of a capture filter is defined by the pcap library; this syntax is different from the read filter syntax described below, and the filtering mechanism is limited in its abilities.

Read filters in TShark, which allow you to select which packets are to be decoded or written to a file, are very powerful; more fields are filterable in TShark than in other protocol analyzers, and the syntax you can use to create your filters is richer. As TShark progresses, expect more and more protocol fields to be allowed in read filters. Read filters use the same syntax as display and color filters in Wireshark; a read filter is specified with the -R option.

Read filters can be specified when capturing or when reading from a capture file. Note that that capture filters are much more efficient than read filters, and it may be more difficult for TShark to keep up with a busy network if a read filter is specified for a live capture, so you might be more likely to lose packets if you're using a read filter.

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).

If the -w option is specified when capturing packets or reading from a capture file, TShark does not display packets on the standard output. Instead, it writes the packets to a capture file with the name specified by the -w option.

If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do not use the -w option).

If you want the packets to be displayed to the standard output and also saved to a file, specify the -P option in addition to the -w option to have the summary line displayed, specify the -V option in addition to the -w option to have the details of the packet displayed, and specify the -O option, with a list of protocols, to have the full details of the specified protocols and the top-level detail line for all other protocols to be displayed. If the -P option is used together with the -V or -O option, the summary line will be displayed along with the detail lines.

When writing packets to a file, TShark, by default, writes the file in pcapng format, and writes all of the packets it sees to the output file. The -F option can be used to specify the format in which to write the file. This list of available file formats is displayed by the -F option without a value. However, you can't specify a file format for a live capture.

When capturing packets, TShark writes to the standard error an initial line listing the interfaces from which packets are being captured and, if packet information isn't being displayed to the terminal, writes a continuous count of packets captured to the standard output. If the -q option is specified, neither the continuous count nor the packet information will be displayed; instead, at the end of the capture, a count of packets captured will be displayed. If the -Q option is specified, neither the initial line, nor the packet information, nor any packet counts will be displayed. If the -q or -Q option is used, the -P, -V, or -O option can be used to cause the corresponding output to be displayed even though other output is suppressed.

When reading packets, the -q and -Q option will suppress the display of the packet summary or details; this would be used if -z options are specified in order to display statistics, so that only the statistics, not the packet information, is displayed.

The -G option is a special mode that simply causes Tshark to dump one of several types of internal glossaries and then exit.
---------------------------------------------------------------------------------------------------------------------------

Find all QPKG in the MyQnap.org repository https://www.myqnap.org
join our discord server for any inquiry related to qpkg - https://discord.gg/4fPxHSWKQW

----------------------------------------------------------------------------------------------------------------------------
Post Reply

Return to “Community Apps”