Home / ubuntu / Questions / 33398
Accepted
Thomas Ward
Asked: 2011-04-04 16:31:06 +0800 CST

Application with Output similar to the GUI output of "WireShark"

  • 772

I know that WireShark allows live packet capturing as well as details being displayable in the GUI. Is there any similar program that operates on a CLI, rather than a GUI? This is intended for use on a server install, in which only CLI is available (and also where disk space is limited, so much that the dependencies for the wireshark packages cannot be installed (i.e. the packages for the GUI).

10.10

2 Answers

  1. Best Answer

    Sure, tshark (text shark) is the same program, but with a noninteractive command line interface.

    You can also run tshark on the server and transfer the captures over ssh to a wireshark gui running somewhere else.

    For example:

      mbp@joy% sudo tshark -i wlan0 -p  -R 'http'
  Capturing on wlan0
  3.929359 192.168.178.22 -> 66.102.11.104 HTTP GET / HTTP/1.1 
  4.104763 66.102.11.104 -> 192.168.178.22 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
  4.118925 192.168.178.22 -> 66.102.11.104 HTTP GET / HTTP/1.1 
  4.295749 66.102.11.104 -> 192.168.178.22 HTTP HTTP/1.1 302 Found  (text/html)
  4.355713 192.168.178.22 -> 66.102.11.104 HTTP GET / HTTP/1.1 
  4.560568 66.102.11.104 -> 192.168.178.22 HTTP HTTP/1.1 200 OK  (text/html)
  4.588767 192.168.178.22 -> 66.102.11.104 HTTP GET /images/nav_logo40.png HTTP/1.1

    You can also do tshark ... |tee packetlog so it goes both to the screen and to the file.

    Or, alternatively, tshark -w stuff.pcap will write the raw packets into that file, which you can then copy to another machine and open within the wireshark gui, if you want to do more in-depth investigation.

    • 10

  2. tshark Install tshark is a good option.

    An alternative is tcpdump Install tcpdump, which is a well-known predecessor. It's widely available on other platforms, so you might run into it even if you don't use it on your server.

    • 1