Recently, we wanted to use wireshark
on an Ubuntu
through ssh
and no X-Server
forwarding enabled.
After a quick search we found tshark
.
TShark
is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.TShark
‘s native capture file format ispcap
format, which is also the format used bytcpdump
and various other tools.
Without any options set,TShark
will work much liketcpdump
. It will use thepcap
library to capture traffic from the first available network interface and displays a summary line onstdout
for each received packet.
TShark
is able to detect, read and write the same capture files that are supported byWireshark
.From: man tshark
Install tshark on Ubuntu
sudo apt-get install tshark -y;
Using tshark to capture all traffic on eth0 to a pcap file
sudo tshark -i eth0 -w something.pcap;
Note: If you just want to capture network traffic on a network interface and not use the additional features wireshark
has to offer, you can also use tcpdump
as follows
#The following command will create a files that has in its name the current date and time using the date function. sudo tcpdump -i eth0 -w "data.`date +%Y-%m-%d\ %H.%M`.pcap";