tshark Cheatsheet

- :material-content-copy: **[Copy to Clipboard](#copy-to-clipboard)** - :material-file-pdf-box: **[Download PDF](#download-pdf)**

Overview

tshark is the command-line version of Wireshark, a powerful network protocol analyzer. It allows you to capture and analyze network traffic from the command line, making it ideal for automated analysis, remote troubleshooting, and integration into scripts and monitoring systems.

Key Features

Command-Line Interface: Full Wireshark functionality without GUI
Live Capture: Real-time packet capture and analysis
File Analysis: Read and analyze existing capture files
Flexible Filtering: Powerful display and capture filters
Multiple Output Formats: Text, JSON, XML, CSV, and more
Protocol Dissection: Deep packet analysis for hundreds of protocols
Scripting Integration: Perfect for automation and monitoring

Installation

Package Manager Installation

# Ubuntu/Debian
sudo apt update
sudo apt install tshark

# RHEL/CentOS/Fedora
sudo yum install wireshark-cli
# or
sudo dnf install wireshark-cli

# Arch Linux
sudo pacman -S wireshark-cli

# macOS (Homebrew)
brew install wireshark

# Windows (Chocolatey)
choco install wireshark

Source Installation

# Download and compile from source
wget https://www.wireshark.org/download/src/wireshark-latest.tar.xz
tar -xf wireshark-latest.tar.xz
cd wireshark-*

# Install dependencies (Ubuntu/Debian)
sudo apt install cmake build-essential libglib2.0-dev libpcap-dev

# Configure and build
mkdir build && cd build
cmake ..
make -j$(nproc)
sudo make install

Permission Setup

# Add user to wireshark group (Linux)
sudo usermod -a -G wireshark $USER

# Set capabilities for non-root capture
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

# Verify permissions
getcap /usr/bin/dumpcap

Basic Usage

Interface Management

# List available interfaces
tshark -D

# Capture from specific interface
tshark -i eth0

# Capture from multiple interfaces
tshark -i eth0 -i wlan0

# Capture from any interface
tshark -i any

# Show interface details
tshark -i eth0 --list-interfaces

Basic Capture

# Capture packets (Ctrl+C to stop)
tshark -i eth0

# Capture specific number of packets
tshark -i eth0 -c 100

# Capture for specific duration
tshark -i eth0 -a duration:60

# Capture to file
tshark -i eth0 -w capture.pcap

# Capture with ring buffer
tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5

Reading Capture Files

# Read pcap file
tshark -r capture.pcap

# Read specific packets
tshark -r capture.pcap -c 10

# Read with packet range
tshark -r capture.pcap -Y "frame.number >= 100 and frame.number <= 200"

# Show file information
tshark -r capture.pcap -q -z io,stat,0

Display Filters

Basic Filtering

# Filter by protocol
tshark -i eth0 -Y "http"
tshark -i eth0 -Y "tcp"
tshark -i eth0 -Y "udp"
tshark -i eth0 -Y "dns"

# Filter by IP address
tshark -i eth0 -Y "ip.addr == 192.168.1.1"
tshark -i eth0 -Y "ip.src == 192.168.1.1"
tshark -i eth0 -Y "ip.dst == 192.168.1.1"

# Filter by port
tshark -i eth0 -Y "tcp.port == 80"
tshark -i eth0 -Y "udp.port == 53"
tshark -i eth0 -Y "tcp.srcport == 443"

Advanced Filtering

# Combine filters with logical operators
tshark -i eth0 -Y "tcp.port == 80 and ip.addr == 192.168.1.1"
tshark -i eth0 -Y "http or https"
tshark -i eth0 -Y "not arp"

# Filter by packet size
tshark -i eth0 -Y "frame.len > 1000"
tshark -i eth0 -Y "tcp.len > 0"

# Filter by time
tshark -i eth0 -Y "frame.time >= \"2024-01-01 00:00:00\""

# Filter by MAC address
tshark -i eth0 -Y "eth.addr == aa:bb:cc:dd:ee:ff"

# Filter by network range
tshark -i eth0 -Y "ip.addr == 192.168.1.0/24"

Protocol-Specific Filters

# HTTP filters
tshark -i eth0 -Y "http.request.method == GET"
tshark -i eth0 -Y "http.response.code == 200"
tshark -i eth0 -Y "http.host contains \"example.com\""

# DNS filters
tshark -i eth0 -Y "dns.qry.name contains \"google\""
tshark -i eth0 -Y "dns.flags.response == 1"

# TCP filters
tshark -i eth0 -Y "tcp.flags.syn == 1"
tshark -i eth0 -Y "tcp.flags.reset == 1"
tshark -i eth0 -Y "tcp.analysis.retransmission"

# SSL/TLS filters
tshark -i eth0 -Y "ssl.handshake.type == 1"
tshark -i eth0 -Y "tls.record.content_type == 22"

Capture Filters

Basic Capture Filters

# Capture specific host
tshark -i eth0 -f "host 192.168.1.1"

# Capture specific port
tshark -i eth0 -f "port 80"
tshark -i eth0 -f "tcp port 443"
tshark -i eth0 -f "udp port 53"

# Capture specific protocol
tshark -i eth0 -f "tcp"
tshark -i eth0 -f "udp"
tshark -i eth0 -f "icmp"

# Capture network range
tshark -i eth0 -f "net 192.168.1.0/24"

Advanced Capture Filters

# Combine filters
tshark -i eth0 -f "host 192.168.1.1 and port 80"
tshark -i eth0 -f "tcp and not port 22"

# Capture by direction
tshark -i eth0 -f "src host 192.168.1.1"
tshark -i eth0 -f "dst port 443"

# Capture by packet size
tshark -i eth0 -f "greater 1000"
tshark -i eth0 -f "less 64"

# Capture multicast/broadcast
tshark -i eth0 -f "multicast"
tshark -i eth0 -f "broadcast"

Output Formats and Fields

Output Formats

# Default output
tshark -i eth0

# Verbose output
tshark -i eth0 -V

# One-line summary
tshark -i eth0 -T fields -e frame.number -e ip.src -e ip.dst

# JSON output
tshark -i eth0 -T json

# XML output
tshark -i eth0 -T pdml

# CSV output
tshark -i eth0 -T fields -E separator=, -e ip.src -e ip.dst -e tcp.port

Custom Field Output

# Basic fields
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst

# HTTP fields
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri

# DNS fields
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name -e dns.resp.addr

# TCP fields
tshark -r capture.pcap -Y "tcp" -T fields -e tcp.srcport -e tcp.dstport -e tcp.len

# Custom separator
tshark -r capture.pcap -T fields -E separator="|" -e ip.src -e ip.dst

Field Extraction

# Extract unique values
tshark -r capture.pcap -T fields -e ip.src | sort | uniq

# Count occurrences
tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c

# Extract HTTP hosts
tshark -r capture.pcap -Y "http" -T fields -e http.host | sort | uniq

# Extract DNS queries
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq

Statistics and Analysis

Basic Statistics

# I/O statistics
tshark -r capture.pcap -q -z io,stat,1

# Protocol hierarchy
tshark -r capture.pcap -q -z phs

# Conversation statistics
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,udp
tshark -r capture.pcap -q -z conv,ip

# Endpoint statistics
tshark -r capture.pcap -q -z endpoints,tcp
tshark -r capture.pcap -q -z endpoints,ip

Advanced Statistics

# HTTP statistics
tshark -r capture.pcap -q -z http,stat
tshark -r capture.pcap -q -z http,tree

# DNS statistics
tshark -r capture.pcap -q -z dns,tree

# Response time statistics
tshark -r capture.pcap -q -z rpc,rtt,tcp

# Packet length statistics
tshark -r capture.pcap -q -z plen,tree

# Expert information
tshark -r capture.pcap -q -z expert

Custom Statistics

# Count packets by protocol
tshark -r capture.pcap -T fields -e _ws.col.Protocol | sort | uniq -c

# Bandwidth usage by IP
tshark -r capture.pcap -T fields -e ip.src -e frame.len | \
  awk '{bytes[$1]+=$2} END {for(ip in bytes) print ip, bytes[ip]}'

# Top talkers
tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c | sort -nr | head -10

# Port usage statistics
tshark -r capture.pcap -Y "tcp" -T fields -e tcp.dstport | sort | uniq -c | sort -nr

Advanced Features

Decryption

# SSL/TLS decryption with key file
tshark -r capture.pcap -o ssl.keylog_file:sslkeys.log -Y "http"

# WEP decryption
tshark -r capture.pcap -o wlan.wep_key1:"01:02:03:04:05"

# WPA decryption
tshark -r capture.pcap -o wlan.wpa-pwd:"password:SSID"

Protocol Dissection

# Disable protocol dissection
tshark -r capture.pcap -d tcp.port==8080,http

# Force protocol dissection
tshark -r capture.pcap -d udp.port==1234,dns

# Show available dissectors
tshark -G protocols

# Show protocol fields
tshark -G fields | grep http

Time and Timestamps

# Absolute timestamps
tshark -r capture.pcap -t a

# Relative timestamps
tshark -r capture.pcap -t r

# Delta timestamps
tshark -r capture.pcap -t d

# Epoch timestamps
tshark -r capture.pcap -t e

# Custom time format
tshark -r capture.pcap -t a -T fields -e frame.time_epoch

Automation Scripts

Network Monitoring Script

#!/bin/bash
# network-monitor.sh

set -e

# Configuration
INTERFACE="${INTERFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/network-captures}"
ALERT_THRESHOLD="${ALERT_THRESHOLD:-1000}"
MONITORING_DURATION="${MONITORING_DURATION:-300}"

# Create capture directory
mkdir -p "$CAPTURE_DIR"

# Function to capture and analyze traffic
monitor_network() {
    local timestamp=$(date +%Y%m%d_%H%M%S)
    local capture_file="$CAPTURE_DIR/capture_$timestamp.pcap"

    echo "Starting network monitoring on $INTERFACE..."
    echo "Capture file: $capture_file"

    # Start capture in background
    tshark -i "$INTERFACE" -w "$capture_file" -a duration:$MONITORING_DURATION &
    local tshark_pid=$!

    # Wait for capture to complete
    wait $tshark_pid

    echo "Capture completed. Analyzing..."

    # Analyze capture
    analyze_capture "$capture_file"
}

# Function to analyze capture file
analyze_capture() {
    local capture_file="$1"

    echo "=== Network Analysis Report ==="
    echo "File: $capture_file"
    echo "Timestamp: $(date)"
    echo

    # Basic statistics
    echo "--- Basic Statistics ---"
    tshark -r "$capture_file" -q -z io,stat,0
    echo

    # Protocol hierarchy
    echo "--- Protocol Hierarchy ---"
    tshark -r "$capture_file" -q -z phs
    echo

    # Top talkers
    echo "--- Top Source IPs ---"
    tshark -r "$capture_file" -T fields -e ip.src | sort | uniq -c | sort -nr | head -10
    echo

    # Top destinations
    echo "--- Top Destination IPs ---"
    tshark -r "$capture_file" -T fields -e ip.dst | sort | uniq -c | sort -nr | head -10
    echo

    # Top ports
    echo "--- Top TCP Ports ---"
    tshark -r "$capture_file" -Y "tcp" -T fields -e tcp.dstport | sort | uniq -c | sort -nr | head -10
    echo

    # Security analysis
    security_analysis "$capture_file"
}

# Function for security analysis
security_analysis() {
    local capture_file="$1"

    echo "--- Security Analysis ---"

    # Check for suspicious activity
    local syn_flood=$(tshark -r "$capture_file" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" | wc -l)
    local port_scans=$(tshark -r "$capture_file" -T fields -e ip.src -e tcp.dstport | \
                      awk '{ports[$1]++} END {for(ip in ports) if(ports[ip]>50) print ip, ports[ip]}')

    echo "SYN packets (potential SYN flood): $syn_flood"

    if [ "$syn_flood" -gt "$ALERT_THRESHOLD" ]; then
        echo "⚠️  WARNING: High number of SYN packets detected!"
        send_alert "SYN Flood Alert" "Detected $syn_flood SYN packets"
    fi

    if [ -n "$port_scans" ]; then
        echo "⚠️  WARNING: Potential port scans detected:"
        echo "$port_scans"
        send_alert "Port Scan Alert" "Potential port scanning activity detected"
    fi

    # Check for unusual protocols
    echo "--- Unusual Protocol Activity ---"
    tshark -r "$capture_file" -T fields -e _ws.col.Protocol | sort | uniq -c | sort -nr | head -20
}

# Function to send alerts
send_alert() {
    local subject="$1"
    local message="$2"

    echo "🚨 ALERT: $subject"
    echo "Details: $message"

    # Send email alert (if configured)
    if [ -n "$ALERT_EMAIL" ]; then
        echo "$message" | mail -s "$subject" "$ALERT_EMAIL"
    fi

    # Send to syslog
    logger -p local0.warning "Network Monitor Alert: $subject - $message"
}

# Main execution
main() {
    case "${1:-monitor}" in
        "monitor")
            monitor_network
            ;;
        "analyze")
            if [ -z "$2" ]; then
                echo "Usage: $0 analyze <capture_file>"
                exit 1
            fi
            analyze_capture "$2"
            ;;
        "continuous")
            while true; do
                monitor_network
                sleep 60
            done
            ;;
        *)
            echo "Usage: $0 {monitor|analyze|continuous}"
            exit 1
            ;;
    esac
}

main "$@"

HTTP Traffic Analyzer

#!/usr/bin/env python3
# http-analyzer.py

import subprocess
import json
import sys
import argparse
from collections import defaultdict, Counter
from urllib.parse import urlparse

class HTTPAnalyzer:
    def __init__(self, capture_file):
        self.capture_file = capture_file
        self.http_requests = []
        self.http_responses = []

    def extract_http_traffic(self):
        """Extract HTTP traffic from capture file"""
        print("Extracting HTTP traffic...")

        # Extract HTTP requests
        cmd_requests = [
            'tshark', '-r', self.capture_file,
            '-Y', 'http.request',
            '-T', 'json'
        ]

        try:
            result = subprocess.run(cmd_requests, capture_output=True, text=True, check=True)
            if result.stdout.strip():
                self.http_requests = json.loads(result.stdout)
        except subprocess.CalledProcessError as e:
            print(f"Error extracting HTTP requests: {e}")
            return False

        # Extract HTTP responses
        cmd_responses = [
            'tshark', '-r', self.capture_file,
            '-Y', 'http.response',
            '-T', 'json'
        ]

        try:
            result = subprocess.run(cmd_responses, capture_output=True, text=True, check=True)
            if result.stdout.strip():
                self.http_responses = json.loads(result.stdout)
        except subprocess.CalledProcessError as e:
            print(f"Error extracting HTTP responses: {e}")
            return False

        return True

    def analyze_requests(self):
        """Analyze HTTP requests"""
        print("\n=== HTTP Request Analysis ===")

        if not self.http_requests:
            print("No HTTP requests found")
            return

        methods = Counter()
        hosts = Counter()
        user_agents = Counter()
        urls = []

        for packet in self.http_requests:
            try:
                http_layer = packet['_source']['layers']['http']

                # Extract method
                if 'http.request.method' in http_layer:
                    methods[http_layer['http.request.method']] += 1

                # Extract host
                if 'http.host' in http_layer:
                    hosts[http_layer['http.host']] += 1

                # Extract User-Agent
                if 'http.user_agent' in http_layer:
                    user_agents[http_layer['http.user_agent']] += 1

                # Extract full URL
                if 'http.host' in http_layer and 'http.request.uri' in http_layer:
                    url = f"http://{http_layer['http.host']}{http_layer['http.request.uri']}"
                    urls.append(url)

            except KeyError:
                continue

        # Print analysis
        print(f"Total HTTP requests: {len(self.http_requests)}")

        print("\n--- Top HTTP Methods ---")
        for method, count in methods.most_common(10):
            print(f"{method}: {count}")

        print("\n--- Top Hosts ---")
        for host, count in hosts.most_common(10):
            print(f"{host}: {count}")

        print("\n--- Top User Agents ---")
        for ua, count in user_agents.most_common(5):
            print(f"{ua}: {count}")

        print("\n--- Sample URLs ---")
        for url in urls[:20]:
            print(url)

    def analyze_responses(self):
        """Analyze HTTP responses"""
        print("\n=== HTTP Response Analysis ===")

        if not self.http_responses:
            print("No HTTP responses found")
            return

        status_codes = Counter()
        content_types = Counter()
        servers = Counter()

        for packet in self.http_responses:
            try:
                http_layer = packet['_source']['layers']['http']

                # Extract status code
                if 'http.response.code' in http_layer:
                    status_codes[http_layer['http.response.code']] += 1

                # Extract content type
                if 'http.content_type' in http_layer:
                    content_types[http_layer['http.content_type']] += 1

                # Extract server
                if 'http.server' in http_layer:
                    servers[http_layer['http.server']] += 1

            except KeyError:
                continue

        # Print analysis
        print(f"Total HTTP responses: {len(self.http_responses)}")

        print("\n--- Status Codes ---")
        for code, count in status_codes.most_common(10):
            print(f"{code}: {count}")

        print("\n--- Content Types ---")
        for ct, count in content_types.most_common(10):
            print(f"{ct}: {count}")

        print("\n--- Servers ---")
        for server, count in servers.most_common(10):
            print(f"{server}: {count}")

    def security_analysis(self):
        """Perform security analysis"""
        print("\n=== Security Analysis ===")

        suspicious_patterns = [
            'admin', 'login', 'password', 'config', 'backup',
            'test', 'debug', 'dev', 'staging', 'api'
        ]

        suspicious_urls = []

        for packet in self.http_requests:
            try:
                http_layer = packet['_source']['layers']['http']

                if 'http.request.uri' in http_layer:
                    uri = http_layer['http.request.uri'].lower()

                    for pattern in suspicious_patterns:
                        if pattern in uri:
                            if 'http.host' in http_layer:
                                full_url = f"http://{http_layer['http.host']}{http_layer['http.request.uri']}"
                                suspicious_urls.append(full_url)
                            break

            except KeyError:
                continue

        if suspicious_urls:
            print("⚠️  Potentially suspicious URLs detected:")
            for url in set(suspicious_urls[:20]):
                print(f"  {url}")
        else:
            print("✅ No obviously suspicious URLs detected")

    def generate_report(self, output_file=None):
        """Generate comprehensive report"""
        if not self.extract_http_traffic():
            print("Failed to extract HTTP traffic")
            return

        # Redirect output to file if specified
        if output_file:
            sys.stdout = open(output_file, 'w')

        print(f"HTTP Traffic Analysis Report")
        print(f"Capture File: {self.capture_file}")
        print(f"Generated: {subprocess.run(['date'], capture_output=True, text=True).stdout.strip()}")
        print("=" * 50)

        self.analyze_requests()
        self.analyze_responses()
        self.security_analysis()

        if output_file:
            sys.stdout.close()
            sys.stdout = sys.__stdout__
            print(f"Report saved to: {output_file}")

def main():
    parser = argparse.ArgumentParser(description='HTTP Traffic Analyzer')
    parser.add_argument('capture_file', help='Path to capture file')
    parser.add_argument('-o', '--output', help='Output report file')

    args = parser.parse_args()

    analyzer = HTTPAnalyzer(args.capture_file)
    analyzer.generate_report(args.output)

if __name__ == "__main__":
    main()

DNS Analysis Script

#!/bin/bash
# dns-analyzer.sh

set -e

# Configuration
CAPTURE_FILE="$1"
OUTPUT_DIR="${OUTPUT_DIR:-./dns-analysis}"

if [ -z "$CAPTURE_FILE" ]; then
    echo "Usage: $0 <capture_file>"
    exit 1
fi

# Create output directory
mkdir -p "$OUTPUT_DIR"

echo "Analyzing DNS traffic in $CAPTURE_FILE..."

# Extract DNS queries
echo "Extracting DNS queries..."
tshark -r "$CAPTURE_FILE" -Y "dns.flags.response == 0" \
    -T fields -e frame.time -e ip.src -e dns.qry.name -e dns.qry.type \
    > "$OUTPUT_DIR/dns_queries.txt"

# Extract DNS responses
echo "Extracting DNS responses..."
tshark -r "$CAPTURE_FILE" -Y "dns.flags.response == 1" \
    -T fields -e frame.time -e ip.src -e dns.qry.name -e dns.resp.addr \
    > "$OUTPUT_DIR/dns_responses.txt"

# Analyze queries
echo "Analyzing DNS queries..."
cat > "$OUTPUT_DIR/dns_analysis.txt" << EOF
DNS Traffic Analysis Report
==========================
Capture File: $CAPTURE_FILE
Generated: $(date)

--- Query Statistics ---
Total DNS queries: $(wc -l < "$OUTPUT_DIR/dns_queries.txt")
Total DNS responses: $(wc -l < "$OUTPUT_DIR/dns_responses.txt")

--- Top Queried Domains ---
$(awk '{print $3}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr | head -20)

--- Top Query Types ---
$(awk '{print $4}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr)

--- Top DNS Clients ---
$(awk '{print $2}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr | head -10)

--- Suspicious Domains ---
$(awk '{print $3}' "$OUTPUT_DIR/dns_queries.txt" | grep -E "(\.tk$|\.ml$|\.ga$|\.cf$|dga-|random-)" | sort | uniq || echo "None detected")

EOF

echo "Analysis complete. Results saved to $OUTPUT_DIR/"
echo "Summary:"
cat "$OUTPUT_DIR/dns_analysis.txt"

CI/CD Integration

GitHub Actions

# .github/workflows/network-analysis.yml
name: Network Traffic Analysis

on:
  push:
    paths:
      - 'captures/*.pcap'
  workflow_dispatch:
    inputs:
      capture_file:
        description: 'Capture file to analyze'
        required: true

jobs:
  analyze-traffic:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v3

    - name: Install tshark
      run: |
        sudo apt update
        sudo apt install -y tshark

    - name: Analyze network traffic
      run: |
        # Create analysis directory
        mkdir -p analysis-results

        # Find capture files
        if [ "${{ github.event.inputs.capture_file }}" ]; then
          CAPTURE_FILE="${{ github.event.inputs.capture_file }}"
        else
          CAPTURE_FILE=$(find captures/ -name "*.pcap" -type f | head -1)
        fi

        if [ -z "$CAPTURE_FILE" ]; then
          echo "No capture file found"
          exit 1
        fi

        echo "Analyzing: $CAPTURE_FILE"

        # Basic statistics
        tshark -r "$CAPTURE_FILE" -q -z io,stat,0 > analysis-results/basic-stats.txt

        # Protocol hierarchy
        tshark -r "$CAPTURE_FILE" -q -z phs > analysis-results/protocols.txt

        # Top talkers
        tshark -r "$CAPTURE_FILE" -T fields -e ip.src | sort | uniq -c | sort -nr | head -20 > analysis-results/top-sources.txt

        # HTTP analysis
        tshark -r "$CAPTURE_FILE" -Y "http" -T fields -e http.host -e http.request.uri | head -100 > analysis-results/http-requests.txt

        # DNS analysis
        tshark -r "$CAPTURE_FILE" -Y "dns" -T fields -e dns.qry.name | sort | uniq -c | sort -nr | head -50 > analysis-results/dns-queries.txt

    - name: Generate report
      run: |
        cat > analysis-results/report.md << EOF
        # Network Traffic Analysis Report

        **File:** $CAPTURE_FILE
        **Date:** $(date)

        ## Basic Statistics
        \`\`\`
        $(cat analysis-results/basic-stats.txt)
        \`\`\`

        ## Protocol Hierarchy
        \`\`\`
        $(cat analysis-results/protocols.txt)
        \`\`\`

        ## Top Source IPs
        \`\`\`
        $(cat analysis-results/top-sources.txt)
        \`\`\`

        ## HTTP Requests (Sample)
        \`\`\`
        $(cat analysis-results/http-requests.txt)
        \`\`\`

        ## DNS Queries (Top 50)
        \`\`\`
        $(cat analysis-results/dns-queries.txt)
        \`\`\`
        EOF

    - name: Upload analysis results
      uses: actions/upload-artifact@v3
      with:
        name: network-analysis-results
        path: analysis-results/

    - name: Comment on PR
      if: github.event_name == 'pull_request'
      uses: actions/github-script@v6
      with:
        script: |
          const fs = require('fs');
          const report = fs.readFileSync('analysis-results/report.md', 'utf8');

          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: report
          });

Jenkins Pipeline

// Jenkinsfile
pipeline {
    agent any

    parameters {
        string(name: 'CAPTURE_FILE', defaultValue: '', description: 'Path to capture file')
        choice(name: 'ANALYSIS_TYPE', choices: ['basic', 'security', 'performance'], description: 'Type of analysis')
    }

    stages {
        stage('Setup') {
            steps {
                script {
                    // Install tshark if not available
                    sh '''
                        if ! command -v tshark &> /dev/null; then
                            sudo apt update
                            sudo apt install -y tshark
                        fi
                    '''
                }
            }
        }

        stage('Validate Input') {
            steps {
                script {
                    if (!params.CAPTURE_FILE) {
                        error("CAPTURE_FILE parameter is required")
                    }

                    if (!fileExists(params.CAPTURE_FILE)) {
                        error("Capture file does not exist: ${params.CAPTURE_FILE}")
                    }
                }
            }
        }

        stage('Basic Analysis') {
            steps {
                script {
                    sh """
                        mkdir -p analysis-results

                        # Basic statistics
                        tshark -r "${params.CAPTURE_FILE}" -q -z io,stat,0 > analysis-results/basic-stats.txt

                        # Protocol hierarchy
                        tshark -r "${params.CAPTURE_FILE}" -q -z phs > analysis-results/protocols.txt

                        # Conversation statistics
                        tshark -r "${params.CAPTURE_FILE}" -q -z conv,tcp > analysis-results/tcp-conversations.txt
                        tshark -r "${params.CAPTURE_FILE}" -q -z conv,udp > analysis-results/udp-conversations.txt
                    """
                }
            }
        }

        stage('Security Analysis') {
            when {
                expression { params.ANALYSIS_TYPE == 'security' }
            }
            steps {
                script {
                    sh """
                        # Check for suspicious activity
                        echo "=== Security Analysis ===" > analysis-results/security-analysis.txt

                        # SYN flood detection
                        SYN_COUNT=\$(tshark -r "${params.CAPTURE_FILE}" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" | wc -l)
                        echo "SYN packets: \$SYN_COUNT" >> analysis-results/security-analysis.txt

                        # Port scan detection
                        echo "Potential port scans:" >> analysis-results/security-analysis.txt
                        tshark -r "${params.CAPTURE_FILE}" -T fields -e ip.src -e tcp.dstport | \\
                            awk '{ports[\$1]++} END {for(ip in ports) if(ports[ip]>50) print ip, ports[ip]}' >> analysis-results/security-analysis.txt

                        # Suspicious DNS queries
                        echo "Suspicious DNS queries:" >> analysis-results/security-analysis.txt
                        tshark -r "${params.CAPTURE_FILE}" -Y "dns" -T fields -e dns.qry.name | \\
                            grep -E "(\.tk\$|\\.ml\$|\\.ga\$|\\.cf\$)" | sort | uniq >> analysis-results/security-analysis.txt || true
                    """
                }
            }
        }

        stage('Performance Analysis') {
            when {
                expression { params.ANALYSIS_TYPE == 'performance' }
            }
            steps {
                script {
                    sh """
                        # Performance metrics
                        echo "=== Performance Analysis ===" > analysis-results/performance-analysis.txt

                        # Bandwidth usage
                        tshark -r "${params.CAPTURE_FILE}" -T fields -e ip.src -e frame.len | \\
                            awk '{bytes[\$1]+=\$2} END {for(ip in bytes) print ip, bytes[ip]}' | \\
                            sort -k2 -nr | head -20 >> analysis-results/performance-analysis.txt

                        # Response time analysis
                        tshark -r "${params.CAPTURE_FILE}" -q -z rpc,rtt,tcp >> analysis-results/performance-analysis.txt || true

                        # Packet size distribution
                        tshark -r "${params.CAPTURE_FILE}" -q -z plen,tree >> analysis-results/performance-analysis.txt
                    """
                }
            }
        }

        stage('Generate Report') {
            steps {
                script {
                    sh '''
                        # Create comprehensive report
                        cat > analysis-results/report.html << EOF
<!DOCTYPE html>
<html>
<head>
    <title>Network Analysis Report</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        pre { background: #f5f5f5; padding: 10px; overflow-x: auto; }
        .section { margin: 20px 0; }
    </style>
</head>
<body>
    <h1>Network Analysis Report</h1>
    <p><strong>File:</strong> ${CAPTURE_FILE}</p>
    <p><strong>Analysis Type:</strong> ${ANALYSIS_TYPE}</p>
    <p><strong>Generated:</strong> $(date)</p>

    <div class="section">
        <h2>Basic Statistics</h2>
        <pre>$(cat analysis-results/basic-stats.txt)</pre>
    </div>

    <div class="section">
        <h2>Protocol Hierarchy</h2>
        <pre>$(cat analysis-results/protocols.txt)</pre>
    </div>
EOF

                        # Add security analysis if available
                        if [ -f analysis-results/security-analysis.txt ]; then
                            cat >> analysis-results/report.html << EOF
    <div class="section">
        <h2>Security Analysis</h2>
        <pre>$(cat analysis-results/security-analysis.txt)</pre>
    </div>
EOF
                        fi

                        # Add performance analysis if available
                        if [ -f analysis-results/performance-analysis.txt ]; then
                            cat >> analysis-results/report.html << EOF
    <div class="section">
        <h2>Performance Analysis</h2>
        <pre>$(cat analysis-results/performance-analysis.txt)</pre>
    </div>
EOF
                        fi

                        echo "</body></html>" >> analysis-results/report.html
                    '''
                }
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: 'analysis-results/**', fingerprint: true

            publishHTML([
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: 'analysis-results',
                reportFiles: 'report.html',
                reportName: 'Network Analysis Report'
            ])
        }

        failure {
            emailext (
                subject: "Network Analysis Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
                body: "The network analysis job failed. Please check the console output for details.",
                to: "${env.CHANGE_AUTHOR_EMAIL}"
            )
        }
    }
}

Troubleshooting

Common Issues

# Permission denied errors
sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

# Interface not found
tshark -D
ip link show

# Capture file corruption
tshark -r capture.pcap -q -z io,stat,0

# Memory issues with large files
tshark -r large_capture.pcap -c 1000

# Display filter syntax errors
tshark -Y "invalid filter" 2>&1 | grep -i error

Performance Optimization

# Use capture filters to reduce data
tshark -i eth0 -f "port 80 or port 443"

# Limit capture size
tshark -i eth0 -s 96

# Use ring buffer for continuous capture
tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:10

# Disable name resolution
tshark -i eth0 -n

# Use specific protocols only
tshark -i eth0 -Y "tcp or udp"

Debugging

# Verbose output for debugging
tshark -i eth0 -V

# Show field names
tshark -G fields | grep -i http

# Test display filters
tshark -Y "tcp.port == 80" -c 1

# Check tshark version and capabilities
tshark -v
tshark -G protocols | wc -l

Best Practices

Capture Guidelines

Use Capture Filters: Apply filters at capture time to reduce file size
Limit Packet Size: Use -s option for header-only captures when appropriate
Ring Buffers: Use ring buffers for continuous monitoring
Proper Permissions: Set up proper permissions for non-root capture
Storage Management: Implement log rotation for long-term captures

Analysis Best Practices

Start with Statistics: Use -q -z options for quick overviews
Progressive Filtering: Start broad, then narrow down with specific filters
Save Intermediate Results: Save filtered results for further analysis
Document Findings: Keep detailed notes of analysis steps
Automate Repetitive Tasks: Use scripts for common analysis patterns

Security Considerations

Sensitive Data: Be aware of sensitive data in captures
Access Control: Restrict access to capture files
Encryption: Consider encrypting stored capture files
Retention Policies: Implement appropriate data retention policies
Legal Compliance: Ensure compliance with local laws and regulations

This comprehensive tshark cheatsheet provides everything needed for professional network analysis, from basic packet capture to advanced automation and integration scenarios.