Networking/Computing Tips/Tricks

Rate this content:
0 of 5 - 0 votes
Thank you for rating this article.

Check out these great references as well: 

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

As most folks who use Wireshark know, Wireshark comes with a collection of command line or terminal based utilities.  Here is a view of those utilities (I got to this by (in Windows) clicking Help> About Wireshark> Folders Tab> and then selecting the hyperlink for the Program Files).  My File Manager openned and I see the applications installed:

ws1216 1

You can see 'tshark' is one of those programs.

T-Shark is essentially the terminal or command line version of Wireshark.  T-Shark can do pretty much everything the Wireshark GUI can do, without the GUI of course.  For a separate article on some of the the things you can do with T-Shark, click here.

Running T-Shark to do some tasks can be less CPU intensive that running the GUI.  So if you wanted to perform a capture over an extended amount of time with the Ring Buffer feature, and maximize the chances of not nissing packets due to CPU utilization in the GUI, using T-Shark is an excellent option.

Here is an example of using T-Shark to capyure using a ring buffer:

tshark -i 5 -b files:20 -b filesize:60000 -w c:\mycaptures\tsharkring.pcap

Now let's break this command down so we understand it.

tshark = this is the program name

-i # = the dash or tack i means interface, and then the number after it is the interface you wish to capture on.

-b = Ring Buffer (note you have to put -b in front of each ring buffer setting)

files:#  = this is the number of files in your ring buffer.

filesize:# = the maximum size in bytes that you want each of these files to be (the example shown is 60 MBytes.

-w filename = means write the capture results to the file path and name provided.

So let's try one and see how this works.

I will start by opening a cammond line or terminal window: Start> Run> cmd, or Start> then just type cmd!

ws1216 2

Now change to the Wireshark programs directory with 'cd c:\Program Files\Wireshark':

ws1216 3

Perfect, now for most of you, you will probably want to know what interfaces exist on your system so you can determine the interface number.  Do this with the 'tshark -D' command (notice I also made my terminal window a little wider to avoid line wrap):

ws1216 4

You can see I have several interfaces (as will you also).  I am using my Ethernet, so that is interface number 5.

Now I can enter my tshark ring buffer command (notice I used less number of files and smaller sizes for my example):

ws1216 5 

If you typed the command correctly, you will see the 'Capturing on' and then on the next line you will see the packet counter incrementing.

Now, if you look in the directory path that you told T-Shark you wanted to write the files to, you will see something like this:

ws1216 6

Note that like Wireshark, T-Shark increments the file name seed you specified and plugs in a timestamp to each file name.  Since I asked for a new file every 1000 kilobytes, T-Shark started a new file around 978 bytes (as there was no more room for a full packet!).

In my example, I stopped the capture by typing CTRL-C in the terminal window:

ws1216 7

T-Shark stopped.  

Now let's see what is in the capture directory I specified:

ws1216 8


We see serveral things:

First, recall I wanted 10 files in the ring buffer.

Second, that there are a total of 10 files, which is what I wanted.  Note that file #11 has essentially overwritten file #1 which is no longer there.  This clearly illustrates the notion of the ring buffer.

I hope this helps you to understand how to use T-Shark and Ring Buffer functionality.

If I wanted to now analyze these packets I could merge them together into one bigger capture file and then dissect the merged results in the Wireshark GUI.  The simplest way to merge is to open the oldest file first, then drag and drop them in order onto the Wireshark GUI screen.

I am often asked, what are the right "settings" for this ring buffer capture.  My answer is always to experiment.  Depending on the speed on the interfaces you are running and how full those interfaces are, compared to a reasonable "time window" that you can react to the failure and know you have the problem captured will be the tradeoff that you are aiming for.  As a reference, the example above was me just web browsing to about four popular news site home pages.

Happy Packet Sniffing!

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!

Find by Tag

5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az ACL Addressing Analysis Ansible Architecture ARP Assessment AToM Backup Bandwidth BGP Biography Bloom's Taxonomy Briefings CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Clock Cloud Computer Consulting CPI Data Center Data Networking Decryption DHCPv4 DHCPv6 Display Filter DNS Documentation ECMP EIGRP Ethernet Ethics Flipping the Certification Model Follow Me Fragmentation Git GNS3 Google GQUIC Hands-On History Home Network HTTPS ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 In A Day Internet IOS Classic IoT IPv4 IPv6 IS-IS L2 Switch L2VPN L3VPN LDP Learning Services Linux LLN Logging LoL M-BGP MAC MAC OSx Macro Microsoft mininet Monitoring Monitor Mode MPLS Multicast Name Resolution Netflow NetMon netsh Networking Network Science nmap Npcap nslookup Online Learning Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX Parrot PIM Ping Policy POTS POTS to Pipes PPP Profile Profiles Programming Project Management PW3E Python QoS QUIC Requirements RIP Routing RPL RSVP Rural SAS SDN Security Self Certification Service Provider Services Sharepoint Small Business Smartport SONET Speed SSH SSL Subnetting T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Telnet Terminal TLS Tools Traceroute Traffic Analysis Traffic Engineering Training Travel Tunnel Utility Video Virtualbox Virtualization Voice VoIP VRF VXLAN Webex Wi-Fi Wi-Fi 6 Wi-Fi 6/6E Windows Wireless Wireless 5G Wireshark Wireshark Tip WLAN ZigBee Zoom

Twitter Feed