More about tshark
Command-line utilities are often the best way to get information about your Linux system, and tshark is no exception. The following tshark command lists the available network interfaces:
$ tshark -D
The -w parameter followed by a filename stores the captured data in a file with that name, whereas the -c parameter lets you specify the number of packets you want to capture. The -r parameter followed by an existing filename replays a previously captured data file on your screen.
You can also specify display filters with the -Y option followed by the filter you want to use in quotes, for example:
$ tshark -r dhcpProblem.pcap -Y 'bootp'
Should you wish to display the contents of a specific network packet in ASCII format, you can use the following command, which displays packet number 5:
$ tshark -V -r dhcpProblem.pcap -Y frame.number==5
If you want to display more than one packet, you can use tshark with the -c option, which allows you to specify the maximum number of packets to read:
$ tshark -r ~/nmap.pcap -x -c 5 -Y frame.number\>=1
The previous example reads five packets and displays them all because the filter starts with packet number 1. So if dhcpProblem.pcap contains only six packets, you need to execute the following command to display the last two network packets:
$ tshark -r dhcpProblem.pcap -x -c 6 -Y frame.number\>=5
See the screenshot, above, that shows the output from various executions of tshark based on the presented information.
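The -c and frame.number arithmetic used above for the last two packets, generalized to the last N packets, as an added example that is not from the original article. The function names are hypothetical, the sample capture is constructed, and the script assumes a classic pcap file (other formats, such as pcapng, are rejected).

```sh
# Added example: count the packets in a classic pcap file, then print the
# tshark command that displays only the last N of them.

# Print the unsigned 32-bit value at byte offset $2 of file $1 ($3: le or be).
u32_at() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1") "$3"
    [ $# -eq 5 ] || return 1                  # fewer than 4 bytes were left
    if [ "$5" = le ]; then
        echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    else
        echo $(( $4 + $3 * 256 + $2 * 65536 + $1 * 16777216 ))
    fi
}

# Walk the 16-byte record headers that follow the 24-byte file header.
pcap_count() {
    size=$(wc -c < "$1") || return 1
    case $(od -An -tx1 -N 4 "$1" | tr -d ' \n') in
        d4c3b2a1|4d3cb2a1) order=le ;;        # microsecond / nanosecond magic
        a1b2c3d4|a1b23c4d) order=be ;;
        *) echo "not a classic pcap file: $1" >&2; return 1 ;;
    esac
    off=24 count=0
    while [ $((off + 16)) -le "$size" ]; do
        len=$(u32_at "$1" $((off + 8)) "$order") || return 1   # incl_len field
        off=$((off + 16 + len))
        [ "$off" -le "$size" ] || break       # truncated last record: not counted
        count=$((count + 1))
    done
    echo "$count"
}

# Print the command that shows the last $2 packets of capture $1.
last_n_cmd() {
    total=$(pcap_count "$1") || return 1
    first=$((total - $2 + 1))
    [ "$first" -ge 1 ] || first=1             # asked for more than the file holds
    echo "tshark -r $1 -x -c $total -Y 'frame.number>=$first'"
}

# Constructed sample: pcap file header plus $2 records of 4 filler bytes each.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '\000\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$1"
        i=$((i + 1))
    done
}

sample=$(mktemp) && trap 'rm -f "$sample"' EXIT
make_sample_pcap "$sample" 6 && last_n_cmd "$sample" 2
```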