tshark 命令

常用示例

说明

tshark is the command-line version of Wireshark, providing network packet capture and analysis capabilities. It can capture live traffic from network interfaces, read packets from capture files, and decode protocol data. The tool supports both capture filters (BPF syntax, applied during capture) and display filters (Wireshark syntax, applied to output). It can output data in various formats including text, JSON, and PDML for further processing.

参数

-i _interface_

Capture on specified interface

-f _filter_

Capture filter (BPF syntax)

-Y _filter_

Display filter (Wireshark syntax)

-r _file_

Read packets from file

-w _file_

Write packets to file

-T _format_

Output format (text, json, pdml, ps, fields, etc.)

-e _field_

Field to print (with -T fields/json/pdml)

-d _spec_

Decode as protocol (e.g., tcp.port==8080,http)

-c _count_

Stop after capturing count packets

-a _condition_

Autostop condition (duration:sec, filesize:KB)

-V

Verbose output (packet tree)

-x

Print hex dump of packet data

-q

Quiet mode (less output)