Tshark byte matching for selective packet capture

Tshark is part of the Wireshark distribution, previously known as Ethereal. Thanks to its support for a large number of protocols, it can be used to capture, dump and display virtually any kind of network traffic. This article gives an overview of tshark capture filters with byte matching, which are used to perform advanced filtering on packet headers and payloads. Byte matching is a very powerful feature and is very helpful for network protocol developers and for prototype testing, because it allows protocol analysis even when the packet format is unknown to tshark.

Byte matching in capture filters

As their name implies, capture filters specify which packets tshark should capture. Packets that do not satisfy the filter condition are not captured. Because only simple parsing is involved, tshark can decide rapidly whether or not to capture a packet. In comparison to read filters, which can serve the same purpose, capture filters ensure that tshark does not miss packets because of parsing delays. Tshark's capture filter uses the same syntax as tcpdump; see man tcpdump for details.

Capture filters based on byte matching are a very powerful feature of tshark. Byte matching is convenient because it allows testing any value of any field in the packet header and body, even when the packet format is unknown to tshark. The filter specifies values for specific byte offsets in the packet; tshark compares the bytes at the given offset with the given value. If they match, the packet is captured; otherwise it is discarded.

To specify a capture filter using the byte matching syntax, the field offset as well as the test value must be specified using the -f option.

The syntax is as follows:

tshark -i interface -f "filter expression" ...

Tshark Byte Matching Examples

To capture wireless authentication packets (EAPOL/802.1X), we need to test for Ethernet frames where the two-byte field that starts at offset 12 (the EtherType) has the hexadecimal value 0x888e. This is the corresponding filter and tshark command:

tshark -i ath0 -f "ether[12:2] = 0x888e"

In this second example, we capture packets that have the TCP SYN flag set.

tshark -i ath0 -f "tcp[13] = 0x02"

This tells tshark to check the value of the byte at offset 13 of the TCP header, which holds the TCP flags. If this byte contains 0x02, which is the case when only the SYN flag is set, then the packet is dumped.

To combine filters, the "and" and "or" logical operators can be used. The following example captures 802.1X packets of type "EAPOL-Key":

tshark -i ath0 -f "ether[12:2] = 0x888e and ether[15] = 0x03"

To capture TCP packets where the FIN or the SYN flag is set:

tshark -i ath0 -f "tcp[13] = 0x02 or tcp[13] = 0x01"
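As an added illustration (not from the original article), the following Python evaluator applies the same byte-offset rules to constructed frames: it resolves ether[], ip[] and tcp[] offsets the way tcpdump/BPF does (the "tcp" qualifier implies an IPv4 frame carrying protocol 6, and the TCP offset skips the IPv4 header using IHL), and it shows why "tcp[13] = 0x02" matches only bare SYN segments while a masked comparison also catches SYN-ACK. The frames and the EAPOL/TCP field values are constructed for this example.

```python
import re
import struct

def header_start(frame, proto):
    """Offset where the named header begins, or None if the frame has no such header.
    As in tcpdump, the 'ip' qualifier implies EtherType 0x0800 and 'tcp' implies IP protocol 6.
    Assumption for this example: Ethernet II framing with no VLAN tag."""
    if proto == "ether":
        return 0
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        if proto == "ip":
            return 14
        if proto == "tcp" and frame[23] == 6:
            return 14 + (frame[14] & 0x0F) * 4   # IHL is in 32-bit words
    return None

# One comparison: proto[offset] or proto[offset:len], optional '& mask', then = or != value.
TERM = re.compile(r"(\w+)\[(\d+)(?::(\d+))?\]\s*(?:&\s*(\w+)\s*)?(!?=)\s*(\w+)")

def eval_term(frame, term):
    proto, off, length, mask, op, value = TERM.fullmatch(term.strip()).groups()
    start = header_start(frame, proto)
    if start is None:
        return False
    start += int(off)
    v = int.from_bytes(frame[start:start + int(length or 1)], "big")  # big-endian like BPF
    if mask:
        v &= int(mask, 0)
    return (v == int(value, 0)) if op == "=" else (v != int(value, 0))

def matches(frame, expr):
    """Evaluate 'term [and term] [or ...]' with 'and' binding tighter than 'or' (no parentheses)."""
    return any(all(eval_term(frame, t) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr))
# Constructed sample frames (not real captures): an EAPOL-Key frame and a TCP segment builder.
EAPOL_KEY = bytes.fromhex("0180c2000003" "020000000001" "888e" "02" "03" "005f") + bytes(95)

def tcp_frame(flags):
    """Ethernet II + minimal IPv4 + 20-byte TCP header with the given flags byte (tcp[13])."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    print(matches(EAPOL_KEY, "ether[12:2] = 0x888e and ether[15] = 0x03"))  # True
    print(matches(tcp_frame(0x02), "tcp[13] = 0x02"))                        # True: SYN only
    print(matches(tcp_frame(0x12), "tcp[13] = 0x02"))                        # False: SYN-ACK is not matched by '='
    print(matches(tcp_frame(0x12), "tcp[13] & 0x02 != 0"))                   # True: the mask test sees the SYN bit
```

The same distinction applies to the real filter: "tcp[13] = 0x02 or tcp[13] = 0x01" captures segments with exactly SYN or exactly FIN set, while "tcp[13] & 0x03 != 0" captures any segment carrying either bit.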
