How to capture the traffic from the terminal via Tshark
Description
The following steps show how to capture traffic from the terminal using Tshark (the command-line counterpart of Wireshark).
Steps
- Update the package repositories and install tshark.
sudo apt update
sudo apt upgrade
sudo apt install tshark
- You can list the NICs (capture interfaces) on your machine with the following command.
sudo tshark -D
- To run tshark from the terminal, capturing from all NICs and saving the captured data to a PCAP file:
sudo tshark -w /tmp/tshark.pcap -i any
- You can capture the traffic for a specific host from a specific NIC by adding a capture filter.
sudo tshark -w /tmp/tshark.pcap -i INTERFACE host IPADDRESS
Where INTERFACE is the interface name found earlier with tshark -D and IPADDRESS is the IP address of interest.
- Keep it running for roughly 10 minutes, then press Ctrl-C to stop the capture.
- You can check the captured file's size and ownership with the following command.
sudo ls -lha /tmp/tshark.pcap
- You can inspect the packets inside your PCAP file from the terminal.
sudo tshark -r /tmp/tshark.pcap
- Download the file, and then you can open it on your own machine with Wireshark.
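The steps above can be wrapped in one script so the interface name and host address are checked before anything is passed to tshark. This is an added example and not part of the original page; it assumes tshark is installed and that the user can run it with sudo, uses `-a duration:N` (a real tshark stop condition) in place of the manual Ctrl-C, and the defaults (interface `any`, 600 seconds, `/tmp/tshark.pcap`) are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original page): wrap the page's tshark steps
# in a small script. Assumes tshark is installed and runnable via sudo.

CAPTURE_FILE="${CAPTURE_FILE:-/tmp/tshark.pcap}"

# Turn "tshark -D" style output ("1. eth0", "2. any (Pseudo-device ...)")
# into one bare interface name per line.
parse_iface_names() {
    awk '{ sub(/^[0-9]+\. /, ""); print $1 }'
}

# Accept only a dotted-quad IPv4 address, so that the value placed after
# "host" in the capture filter cannot carry anything else.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the capture command for an interface, an optional host filter and a
# run time in seconds. "-a duration:N" stops tshark on its own instead of
# waiting for Ctrl-C. Printed as a string so it can be inspected before use.
build_capture_cmd() {
    iface="$1"; host="$2"; secs="$3"
    cmd="tshark -i $iface -w $CAPTURE_FILE -a duration:$secs"
    if [ -n "$host" ]; then
        cmd="$cmd host $host"
    fi
    printf '%s' "$cmd"
}

# Validate inputs against the live interface list, run the capture, then show
# the file size and the first 20 packets, as the page does by hand.
run_capture() {
    iface="$1"; host="$2"; secs="$3"
    if ! tshark -D 2>/dev/null | parse_iface_names | grep -qx "$iface"; then
        echo "unknown interface: $iface (see: tshark -D)" >&2
        return 1
    fi
    if [ -n "$host" ] && ! valid_ipv4 "$host"; then
        echo "not an IPv4 address: $host" >&2
        return 1
    fi
    cmd=$(build_capture_cmd "$iface" "$host" "$secs")
    echo "running: sudo $cmd"
    # word splitting of $cmd is intended; every part was validated above
    sudo $cmd
    ls -lh "$CAPTURE_FILE"
    sudo tshark -r "$CAPTURE_FILE" -c 20
}

# Only start a capture when invoked as: ./capture.sh --run IFACE [HOST] [SECS]
if [ "${1:-}" = "--run" ]; then
    run_capture "${2:-any}" "${3:-}" "${4:-600}"
fi
```

The interface check uses the same `tshark -D` listing the page tells you to consult, and the address check keeps the capture filter to the `host IPADDRESS` form shown above; the resulting PCAP is owned by root, which is why the page reads it back with sudo.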