In past entries, I have talked about tcpdump. Now I will move on to Tshark, the command line version of Wireshark, which has been popular for several years. If you ever have the opportunity to meet the developer of Wireshark, Gerald Combs, take advantage of it. You will get a whole new appreciation of where Wireshark came from and where he sees it going. One of the main advantages of using Tshark is that you can use the same capture filters as the GUI version, Wireshark. In a later post I will also show how to use Tshark as a remote probe for Wireshark.
When installing Tshark, the first step is to make sure you are getting the latest versions of all the files that are required. Run sudo apt-get update to get that process started.
To install Tshark, use the command sudo apt-get install tshark. In the accompanying YouTube video, the entire process takes a little over a minute. Depending on the speed of your internet connection, it might take a little longer.
Once you are returned to the shell prompt, you can start the capture process with sudo tshark. You will see several examples of the errors you may get if you don't put sudo in front of tshark.
To capture only a certain number of packets, use sudo tshark -c 10. This will capture just 10 packets and exit to the shell prompt. If you want to send the packets to a capture file, use -w followed by / and the file name. If you use just -w capture.cap (or whatever file name you want to use), you will get a permissions error. I haven't found the cause of the problem yet; using a / in front of the file name will get around it. While I prefer to have a directory to save the captures in, in this case, going to the root of the SD card's file system isn't a problem that becomes a show stopper.
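The install-and-capture steps above, pulled together into one script. This is an added example, not code from the original post or from the Wireshark project. It assumes a Debian-based Raspberry Pi OS with apt-get, the tshark package name used in the post, and a capture directory (/captures by default) that is a placeholder you can change. Rather than writing to the root of the SD card, it always turns the file name into an absolute path so the capture lands in a known directory regardless of the current working directory, and it includes the Debian way of letting a non-root user capture so that tshark does not have to run under sudo at all.

```shell
#!/bin/sh
# Added example (not from the original post): install tshark and capture a
# fixed number of packets to a file at an absolute path.
# Assumptions: apt-get package manager, package name "tshark" (as in the post),
# and CAPTURE_DIR as a placeholder directory you may change.

CAPTURE_DIR="${CAPTURE_DIR:-/captures}"   # assumed location; the post writes to /

# Turn a file name into an absolute path under CAPTURE_DIR unless it is
# already absolute. This is the "put a / in front of the file name" trick
# from the post, applied consistently.
capture_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$CAPTURE_DIR" "$1" ;;
    esac
}

# Build the tshark command line for a bounded capture: -c stops after N
# packets, -w writes raw packets to a file instead of printing summaries.
tshark_cmd() {
    count="$1"
    file="$(capture_path "$2")"
    printf 'tshark -c %s -w %s\n' "$count" "$file"
}

# Install tshark if it is not already on the PATH (the post's apt-get steps).
install_tshark() {
    if command -v tshark >/dev/null 2>&1; then
        return 0
    fi
    sudo apt-get update && sudo apt-get install tshark
}

# Least-privilege alternative to running tshark under sudo: Debian's
# wireshark-common package can grant capture rights to members of the
# "wireshark" group. Re-run its configuration prompt, answer yes, and add
# the current user to that group (takes effect at next login).
allow_nonroot_capture() {
    sudo dpkg-reconfigure wireshark-common
    sudo usermod -aG wireshark "$(id -un)"
}

# Capture COUNT packets to FILE, creating its directory first. Capturing on
# a raw interface needs elevated rights, hence sudo; the file is then handed
# back to the invoking user so it can be read without root.
capture() {
    count="$1"
    file="$(capture_path "$2")"
    sudo mkdir -p "$(dirname "$file")"
    sudo tshark -c "$count" -w "$file" || return 1
    sudo chown "$(id -un)" "$file"
}

# Run the real capture only when called with arguments, e.g.:
#   sh capture.sh 10 first.pcapng
if [ "$#" -eq 2 ]; then
    install_tshark && capture "$1" "$2"
fi
```

Running the script with no arguments does nothing, so its functions can be sourced and reused; with a packet count and a file name it installs tshark if needed and performs the capture. The capture_path and tshark_cmd helpers are the parts worth checking before the first run: they show exactly which command and which output path will be used.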
To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/