TABLE OF CONTENTS Most people familiar with Wireshark tend to use the Wireshark graphical user interface (GUI). However, when Wireshark is installed, it also comes with several other supporting programs: the command-line version of Wireshark, called TShark, and five other programs to assist you in manipulating, assessing, and creating capture files editcap, mergecap, text2pcap capinfos and dumpcap. These supporting programs can be used together to provide very powerful capture file manipulation. For example, files can be captured with TShark, edited with editcap, and merged into a single packet capture file with mergecap. They can then be viewed with TShark or Wireshark. As you read this chapter, you will see the vast capabilities and the granular control these supporting programs give you when manipulating capture files.
TShark is the command-line version of Wireshark. It can be used to capture, decode, and print to screen live packets from the wire or to read saved capture files. Some of the same features apply to both TShark and Wireshark, as they use the same capture library, libpcap, and most of the same code. TShark can read all the same packet capture formats as Wireshark, and will automatically determine the type. If TShark is compiled with the zlib library, it can automatically uncompress and read files that have been compressed with gzip. The advantage to using TShark is that it is highly scriptable.
The following information is the usage output for the TShark program. Notice the various types of...
