Exploring tshark

The Ethereal development process also produced a CLI counterpart, Terminal Ethereal (Tethereal). Tethereal was later renamed tshark, short for Terminal Wireshark.

tshark is a lightweight CLI tool. To capture using tshark on a Windows machine, open a command prompt. If you have multiple interfaces, find which interface is active using ipconfig, then build a command as the following example shows. Keep in mind that the commands on a Windows machine are not case-sensitive:

C:\Program Files\Wireshark>tshark -i "ethernet 2" -w Test-Tshark.pcap -a duration:10

To run the tshark example, follow these steps:

  1. Begin the command with tshark.
  2. Identify the interface by using -i, then the interface name.
  3. To write to a file, use -w, then the filename and path. Make sure you add the extension.
  4. To set the duration, use -a, which is capture auto stop, and set the duration in seconds.
  5. Press Enter to begin the capture.

When complete, locate and open the pcap file in Wireshark. If you don't send the output to a file, you will see a list of packets captured on the screen:

Output from running tshark

The Wireshark documentation lists a number of switches to use with tshark. The following table of command-line options is taken from the documentation, which can be found at https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html.

Many are the same options that you can use while using Wireshark's graphical user interface, such as adding filters and specific field values. The following table represents the options in tshark:

Output
  -w <outfile|->         Set the output filename (or - for stdout)
  -i <interface>         Name or idx of interface (def: first non-loopback)

Capture stop conditions
  -c <packet count>      Stop after n packets (def: infinite)
  -a <autostop cond.>    duration:NUM - stop after NUM seconds
                         filesize:NUM - stop this file after NUM KB
                         files:NUM    - stop after NUM files
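The capture steps above and the -w/-i/-a options in the table, as an added example that is not from the book: a small Python helper that validates the autostop conditions, builds the tshark argument list (passing it as a list rather than a shell string avoids quoting problems with interface names such as "ethernet 2"), and only runs it if tshark is on the PATH. The function and variable names are the author's own choices, not tshark's.

```python
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path

# Autostop conditions that tshark accepts after -a (from the options table).
AUTOSTOP_KEYS = {"duration", "filesize", "files"}


def parse_autostop(cond: str) -> tuple[str, int]:
    """Validate one '-a key:NUM' condition such as 'duration:10'."""
    key, sep, num = cond.partition(":")
    if not sep or key not in AUTOSTOP_KEYS or not num.isdigit() or int(num) <= 0:
        raise ValueError(f"bad autostop condition: {cond!r}")
    return key, int(num)


def build_tshark_cmd(interface: str, outfile: str, *autostop: str) -> list[str]:
    """Build argv for a tshark capture: -i interface, -w outfile, one -a per condition."""
    # The book reminds you to add the extension; enforce a capture-file suffix here.
    if Path(outfile).suffix.lower() not in {".pcap", ".pcapng"}:
        raise ValueError("output file needs a .pcap or .pcapng extension")
    cmd = ["tshark", "-i", interface, "-w", outfile]
    for cond in autostop:
        key, num = parse_autostop(cond)
        cmd += ["-a", f"{key}:{num}"]
    return cmd


def run_capture(cmd: list[str]) -> int | None:
    """Run the capture if tshark is installed; return its exit code, else None."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    cmd = build_tshark_cmd("ethernet 2", "Test-Tshark.pcap", "duration:10")
    # list2cmdline renders the argv with Windows-style quoting, matching the book's command line.
    print(subprocess.list2cmdline(cmd))
    print("exit code:", run_capture(cmd))
```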


When Gerald Combs and the original development team first released Ethereal, it had limited functionality and could decode fewer than six protocols. The Wireshark developers' goal today is to ensure functionality on Windows, macOS, and Linux. You can use Wireshark on as many computers as necessary. All the source code is available under the General Public License (GPL) and can be found in the current Wireshark source code repository. Here is a screenshot of the Protocols page in Wireshark's Preferences:

Wireshark Preferences—protocols

Wireshark NG is loaded with protocols to dissect, with new protocols added every year. To see whether a specific protocol is supported, go to Edit, then Preferences—as shown in the preceding screenshot—and then scroll to see the desired protocol.
