Day 1 - tshark

Writer: Rauli Kaksonen

The command-line tool 'tshark' is part of the popular 'Wireshark' network monitoring and packet analysis software. The project was started by Gerald Combs in 1997 and has evolved since, with the help of a community of contributors, into a very versatile tool supporting hundreds of protocols and media formats. Wireshark is the capture and analysis tool used by network administrators, developers, security researchers, etc.

In the CinCan project, we have dockerized many handy analysis tools, including 'tshark'. We have also created the cincan tool wrapper, which makes using a dockerized tool almost as easy as using a natively installed one (without the need to install each tool, of course).

Below we assume that you have installed the cincan tool, but you can also use the dockerized tools directly with docker.

Let's assume you have a file 'traffic.pcap' containing data captured earlier, and you need to analyze the content of the capture. The following example lists the packets in the capture:

% cincan run cincan/tshark -r traffic.pcap

Tshark can also be used to capture traffic from the network. To do this with the tshark dockerized in the CinCan project, you need to provide the option --network host to allow access to the host network from the container, and give the tool the kernel capabilities NET_RAW and NET_ADMIN. For example, the following captures traffic into the file 'traffic.pcap': the option -w - makes tshark write the capture in pcap format to standard output (without it, only the text summary lines would end up in the file, and 'tshark -r' could not read them back). Please replace <INTERFACE> with the name of the network interface to capture from.

% cincan run --cap-add NET_RAW --cap-add NET_ADMIN --network host cincan/tshark -i <INTERFACE> -w - > traffic.pcap
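To make the difference between a pcap capture file and tshark's text output concrete, here is a small reader for the classic libpcap file format, added as an example for this post; it is not code from the CinCan project or from Wireshark. It checks the magic number of the global header, walks the packet records, decodes just enough of the Ethernet and IPv4 headers to print a summary line per packet in the spirit of 'tshark -r traffic.pcap', and rejects a file that is not a capture (such as redirected text output). The sample capture bytes, addresses and ports in build_sample_pcap() are constructed for the demo and do not come from any real traffic.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data):
    """Return (linktype, records). Each record is a dict with the timestamp,
    captured/original lengths and the raw frame. Raises ValueError when the
    bytes are not a pcap file, which is what you get if tshark's text output
    was redirected into the file instead of using '-w'."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"                  # written by a little-endian host
    elif magic == PCAP_MAGIC_SWAPPED:
        e = ">"                  # written by a big-endian host
    else:
        raise ValueError("bad magic 0x%08x: not a pcap file" % magic)
    _, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": incl_len,
                        "len": orig_len, "frame": data[off:off + incl_len]})
        off += incl_len
    return linktype, records


def describe_frame(frame):
    """Decode Ethernet and IPv4 headers just enough for a summary line."""
    if len(frame) < 14:
        return "Ethernet", "truncated frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "ARP", ""
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return "0x%04x" % ethertype, ""
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    name = IP_PROTO_NAMES.get(proto, "IP proto %d" % proto)
    ports = ""
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        ports = "%d -> %d" % (sport, dport)
    return name, " ".join(p for p in ("%s -> %s" % (src, dst), ports) if p)


def summarize(data):
    """One summary line per packet, relative timestamps like 'tshark -r'."""
    linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here (linktype %d)" % linktype)
    t0 = records[0]["ts"] if records else 0.0
    lines = []
    for i, rec in enumerate(records, 1):
        proto, detail = describe_frame(rec["frame"])
        parts = [str(i), "%.6f" % (rec["ts"] - t0), proto, detail, "%d bytes" % rec["len"]]
        lines.append(" ".join(p for p in parts if p))
    return lines


def build_sample_pcap():
    """Constructed sample capture: one UDP datagram to port 53, one ARP frame."""
    def ipv4_udp(src, dst, sport, dport, payload):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + udp
    frames = [
        (1700000000, 0, ipv4_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"constructed-dns-query")),
        (1700000000, 250000, b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for line in summarize(build_sample_pcap()):
        print(line)
```

Point parse_pcap() at the bytes of a real 'traffic.pcap' to list its records; feeding it the text summary that 'tshark -i <INTERFACE>' prints raises the "not a pcap file" error, which is exactly why the capture command above uses -w.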

That was only a very small sample of the features of the 'tshark' tool. There is also the Wireshark GUI, which provides a nice graphical environment for capturing and analysing traffic. Have fun!

Links:

  • https://www.wireshark.org/

  • https://en.wikipedia.org/wiki/Wireshark

  • https://www.geeksforgeeks.org/introduction-to-wireshark/