Intro

tshark is a terminal-based packet capture tool from the folks at Wireshark, and is similar to tcpdump. This page contains useful captures I have used for troubleshooting various issues and investigations.

SNI to IP Mapping

```cmd
tshark -i wlo1 -Y "tls.handshake.type == 1" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
```

DNS Query Filtering

```cmd
tshark -i wlo1 -f "port 53" -T fields -e dns.qry.name -e ip.src -Y "dns.qry.name contains yahoo"
```
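Both captures above print one tab-separated line per matching packet, which is handy for piping into a small post-processor. The following is an added example, not part of the original post, that turns that `-T fields` output into two summaries: which destination IPs each SNI was sent to (from the TLS Client Hello capture) and which source hosts queried names matching a substring (from the DNS capture). The sample lines are constructed to look like the output of the two commands; the field order assumed is exactly the `-e` order given above (`ip.src`, `ip.dst`, `tls.handshake.extensions_server_name` and `dns.qry.name`, `ip.src`). The `MANY_IPS` threshold is an arbitrary choice for illustration.

```python
"""Summarise tshark '-T fields' output (tab-separated) from the SNI and DNS captures.

Usage:  tshark ... -T fields ... | python3 tshark_fields.py sni
        tshark ... -T fields ... | python3 tshark_fields.py dns yahoo
"""
import sys
from collections import defaultdict

# Constructed sample of the SNI capture output: ip.src, ip.dst, server_name.
# The last line shows a Client Hello without an SNI extension (empty field).
SNI_SAMPLE = """\
192.0.2.10\t198.51.100.5\texample.com
192.0.2.10\t198.51.100.6\texample.com
192.0.2.11\t203.0.113.9\tupdates.example.net
192.0.2.10\t198.51.100.5\texample.com
192.0.2.12\t203.0.113.9\t
"""

# Constructed sample of the DNS capture output: dns.qry.name, ip.src.
DNS_SAMPLE = """\
mail.yahoo.com\t192.0.2.10
example.com\t192.0.2.11
yahoo.com\t192.0.2.10
login.yahoo.com\t192.0.2.12
"""

# Assumed threshold: an SNI seen at this many distinct IPs or more is worth a second look.
MANY_IPS = 2


def parse_fields(text, ncols):
    """Split tshark field output into rows of exactly ncols strings.

    tshark prints an empty string (but keeps the tab) when a field is absent,
    so rows are padded defensively rather than skipped.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (ncols - len(cols))
        rows.append(cols[:ncols])
    return rows


def sni_to_ips(text):
    """Map each SNI to the sorted list of destination IPs it was sent to."""
    mapping = defaultdict(set)
    for _src, dst, sni in parse_fields(text, 3):
        if sni:  # Client Hellos without SNI carry no name to map
            mapping[sni].add(dst)
    return {name: sorted(ips) for name, ips in mapping.items()}


def snis_with_many_ips(text, threshold=MANY_IPS):
    """Return SNIs that were contacted at `threshold` or more distinct IPs."""
    return sorted(name for name, ips in sni_to_ips(text).items() if len(ips) >= threshold)


def dns_queries_matching(text, needle):
    """Map each queried name containing `needle` to the sorted list of querying hosts.

    Mirrors the 'dns.qry.name contains <needle>' display filter as a substring match.
    """
    hits = defaultdict(set)
    for name, src in parse_fields(text, 2):
        if needle in name:
            hits[name].add(src)
    return {name: sorted(srcs) for name, srcs in hits.items()}


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "sni"
    data = sys.stdin.read() if not sys.stdin.isatty() else (SNI_SAMPLE if mode == "sni" else DNS_SAMPLE)
    if mode == "sni":
        for name, ips in sorted(sni_to_ips(data).items()):
            print(f"{name}\t{', '.join(ips)}")
        print("many-IP SNIs:", snis_with_many_ips(data))
    else:
        needle = sys.argv[2] if len(sys.argv) > 2 else "yahoo"
        for name, srcs in sorted(dns_queries_matching(data, needle).items()):
            print(f"{name}\t{', '.join(srcs)}")
```

Run with no stdin and it summarises the embedded samples; piped after either tshark command it summarises the live capture. Note that when a field occurs more than once in a packet, tshark joins the values with commas inside the one column, so a packet carrying several queries will show up as a comma-joined name here.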

Outro

Peace out nerds 🦈
