How to Use Tshark (Terminal wireshark, lol)


Tshark, or as I'd call it, terminal Wireshark, because that's exactly what it is: a terminal version of Wireshark. I just fell in love with this tool recently and I'm going to spend today learning it. OK, let's skip what I learned and keep it simple for you. This tool is similar to tcpdump; if you know some tcpdump commands you can pick it up easily.
tshark -i wlan0 -w output.pcap
That command captures on wlan0 and writes the raw packets to output.pcap.

You can also add a filter when reading a capture file back, like:
 tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap
Note that in current tshark versions -R is the two-pass read filter and only works together with -2; for a normal single-pass filter use -Y (the display filter option used in the last example below) instead.
Or use any of these display filters (description first, then the filter). The entries that say "don't use != for this!" exist because ip.addr and udp.port each cover both the source and the destination side of a packet, so a != test is true whenever either side differs, which is nearly every packet; negate the == test instead.

"Ethernet address 00:08:15:00:08:15": eth.addr == 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)": eth.type == 0x0806
"Ethernet broadcast": eth.addr == ff:ff:ff:ff:ff:ff
"No ARP": not arp
"IP only": ip
"IP address 192.168.0.1": ip.addr == 192.168.0.1
"IP address isn't 192.168.0.1, don't use != for this!": !(ip.addr == 192.168.0.1)
"IPX only": ipx
"TCP only": tcp
"UDP only": udp
"UDP port isn't 53 (not DNS), don't use != for this!": !(udp.port == 53)
"TCP or UDP port is 80 (HTTP)": tcp.port == 80 || udp.port == 80
"HTTP": http
"No ARP and no DNS": not arp and not (udp.port == 53)
"Non-HTTP and non-SMTP to/from 192.168.0.1": not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1
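To make the filter semantics above concrete, here is an added example (my own toy code, not part of the original post and not Wireshark's real filter engine): a small parser and evaluator for the subset of the display-filter language used in the list, run over a handful of constructed packet records. Each multi-valued field (eth.addr, ip.addr, tcp.port, udp.port) is stored as a set because it covers both the source and the destination side, exactly as in Wireshark, which is what makes `ip.addr != x` match almost everything. The evaluator deliberately models the historical "any value differs" meaning of != that the warnings in the list refer to; Wireshark 3.6 changed != to mean the same as !(a == b), so on a current build both forms behave alike.

```python
"""Toy evaluator for the display-filter subset used in the list above (added example)."""
import re

# Tokens: parens, operators, quoted strings, and bare words (field names, values, keywords).
TOKEN = re.compile(r'\(|\)|==|!=|\|\||&&|!|"[^"]*"|[^\s()!=&|"]+')


def same(a, b):
    """Compare two field values: numerically when both parse as ints (80, 0x0806), else as text."""
    try:
        return int(a, 0) == int(b, 0)
    except ValueError:
        return a.lower() == b.lower()


class Filter:
    """Recursive-descent parser; grammar: or > and > not/! > ( expr ) | field [== | != | contains value]."""

    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise SyntaxError("trailing tokens: %r" % self.toks[self.pos:])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._peek() in ("and", "&&"):
            self._next()
            node = ("and", node, self._unary())
        return node

    def _unary(self):
        if self._peek() in ("not", "!"):
            self._next()
            return ("not", self._unary())
        return self._primary()

    def _primary(self):
        tok = self._next()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise SyntaxError("expected ')'")
            return node
        if self._peek() in ("==", "!=", "contains"):
            op = self._next()
            return (op, tok, self._next().strip('"'))
        return ("present", tok)          # bare protocol/field name, e.g. "arp" or "http"

    def matches(self, pkt):
        return self._eval(self.tree, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "present":
            return node[1] in pkt
        values = pkt.get(node[1], set())   # absent field -> no value can satisfy the test
        if kind == "==":
            return any(same(v, node[2]) for v in values)
        if kind == "!=":                   # legacy semantics: true if ANY value differs
            return any(not same(v, node[2]) for v in values)
        return any(node[2] in v for v in values)   # contains


# Constructed sample packets (not captured traffic); a field maps to the set of its values.
SAMPLE = [
    # 0: ARP request to the broadcast address
    {"eth.addr": {"00:08:15:00:08:15", "ff:ff:ff:ff:ff:ff"}, "eth.type": {"0x0806"}, "arp": set()},
    # 1: DNS query 192.168.0.1 -> 192.168.0.53
    {"eth.addr": {"00:08:15:00:08:15", "00:11:22:33:44:55"}, "eth.type": {"0x0800"}, "ip": set(),
     "ip.addr": {"192.168.0.1", "192.168.0.53"}, "udp": set(), "udp.port": {"40001", "53"}},
    # 2: HTTP POST 10.0.0.5 -> 192.168.0.1 carrying a form field named "password"
    {"eth.addr": {"aa:bb:cc:dd:ee:ff", "00:08:15:00:08:15"}, "eth.type": {"0x0800"}, "ip": set(),
     "ip.addr": {"10.0.0.5", "192.168.0.1"}, "tcp.port": {"51000", "80"}, "http": set(),
     "http.request.method": {"POST"}, "tcp": {"user=bob&password=REDACTED"}},
    # 3: TLS session between two other hosts
    {"eth.addr": {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}, "eth.type": {"0x0800"}, "ip": set(),
     "ip.addr": {"10.0.0.7", "192.168.0.53"}, "tcp.port": {"52000", "443"}, "tcp": {""}},
]


def select(filter_text, packets=SAMPLE):
    """Return the indices of the packets that match the filter."""
    flt = Filter(filter_text)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]


if __name__ == "__main__":
    for f in ("ip.addr == 192.168.0.1", "ip.addr != 192.168.0.1", "!(ip.addr == 192.168.0.1)",
              "not arp and not (udp.port == 53)", 'http.request.method == POST and tcp contains "password"'):
        print("%-60s -> packets %s" % (f, select(f)))
```

Running it shows the point of the warning: `ip.addr == 192.168.0.1` selects packets 1 and 2, `!(ip.addr == 192.168.0.1)` selects the complement (0 and 3), but `ip.addr != 192.168.0.1` under the old semantics selects 1, 2 and 3, i.e. every packet that has an IP header at all, because the other address in each of those packets is not 192.168.0.1.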

You can even search for passwords going over plaintext HTTP, lol, this tool is awesome ^_^

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
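The same capability is more useful turned around: instead of grepping for secrets, audit which of your own hosts and URIs still receive credentials over cleartext HTTP so they can be moved to HTTPS. Below is an added example (my own code, not from the original post or from the Wireshark project) that parses tshark field output. It assumes the lines came from a command like the one in the docstring, which uses real Wireshark field names (urlencoded-form.key is the name of each form field in a POST body), but the sample lines themselves are constructed. Only field names are inspected, never values.

```python
"""Find endpoints that accept credentials over cleartext HTTP from tshark field output (added example).

Assumed producer command (tab-separated columns, form keys comma-joined by tshark's default aggregator):

  tshark -r capture.pcap -Y 'http.request.method == POST' -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e http.host -e http.request.uri -e urlencoded-form.key
"""
import re
from collections import defaultdict

# Form field names that indicate a credential is being submitted (case-insensitive).
CREDENTIAL_KEY = re.compile(r"pass(word|wd|phrase)?$|^pwd$|secret|token|api[_-]?key", re.I)

# Constructed sample output, one POST request per line (not real traffic).
SAMPLE_OUTPUT = """\
1700000000.101\t10.0.0.5\t192.168.0.1\tintranet.example\t/login\tuser,password
1700000000.202\t10.0.0.5\t192.168.0.1\tintranet.example\t/search\tq,page
1700000000.303\t10.0.0.9\t192.168.0.1\tapi.example\t/v1/token\tusername,passwd,grant_type
1700000000.404\t10.0.0.9\t192.168.0.2\tfiles.example\t/upload\t
"""


def parse_line(line):
    """Split one tab-separated output line into a record, or return None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src, dst, host, uri, keys = parts
    return {"time": float(ts), "src": src, "dst": dst, "host": host, "uri": uri,
            "keys": [k for k in keys.split(",") if k]}   # empty last column -> no form keys


def audit(output):
    """Return the records whose POST body carried a credential-looking form field name."""
    findings = []
    for line in output.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [k for k in rec["keys"] if CREDENTIAL_KEY.search(k)]
        if hits:
            rec["credential_keys"] = hits
            findings.append(rec)
    return findings


def endpoints(findings):
    """Group findings by (host, uri) so each cleartext login endpoint is reported once."""
    by_endpoint = defaultdict(set)
    for f in findings:
        by_endpoint[(f["host"], f["uri"])].update(f["credential_keys"])
    return {ep: sorted(keys) for ep, keys in sorted(by_endpoint.items())}


if __name__ == "__main__":
    for (host, uri), keys in endpoints(audit(SAMPLE_OUTPUT)).items():
        print("cleartext credential submission: http://%s%s fields=%s" % (host, uri, ",".join(keys)))
```

On the sample data this reports intranet.example/login (field "password") and api.example/v1/token (field "passwd"); the search and upload requests are ignored. To run it on a real capture, pipe the tshark command from the docstring into a file and pass its contents to audit().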
That's it. I'd love to write another post about sniffing and MITM stuff, so stay tuned, guys.

sources:
https://www.wireshark.org/docs/man-pages/tshark.html
http://blog.x-if.com/2010/11/tshark-examples/
