Network Troubleshooting from the Command

choubertsprojects


Troubleshooting is a very important skill for any network engineer to have. When you are troubleshooting, the problem is not always equipment or lines that are down; the issue could also be on your end of things, and finding it doesn’t require much in the way of tools.


Using a command-line interface tool is one way to get the most out of packet capture, and TShark is one of the best options available. TShark is the command-line version of Wireshark, and it gives useful information about the network traffic it collects.

One of the things that makes TShark so useful is that instead of clicking several buttons and wading through different menus, you can access the information you need by typing just one command.

Continue reading and you’ll never spend another hour examining your packet captures!

Prerequisites

This tutorial is a hands-on demonstration. If you want to follow along, make sure you have the following items on hand.

  • A Linux system – Ubuntu 20.04 LTS is used in this tutorial, although any Linux distribution will work.


  • Wireshark is already installed on your computer.

How to Install TShark on Ubuntu

Because TShark isn’t installed by default on your Linux distribution, you’ll need to start this tutorial by installing TShark on your system before you can use it.

On most Linux distributions and BSD operating systems, you can install TShark using your package manager. However, for this demonstration, you’ll use the APT package manager to install TShark.


1. To make sure your package lists are up to date, use the apt update command. This command refreshes the list of packages on your system as well as their current versions.

Updating the system packages

2. After that, use the apt install command to install the TShark command-line program on your system.

sudo apt install tshark -y

The TShark command-line utility is installed.

3. Use the tshark --version command to verify that the utility is installed on your computer.

You’ll receive something like this as a result. The current version is 3.4.8 as of this writing, although yours may be different.

Checking the installed TShark version

4. Finally, use the tshark --help command to examine all of the tshark commands that are available.

To retrieve information on data recorded in your network, you may use a variety of tshark commands, as shown below. Only a tiny portion of the possible commands are shown in this output. In the next sections, you’ll learn how to use several of these commands at a basic level.

tshark commands list

Capturing All Packets from a Network Interface

You can capture packets and examine network data now that you have TShark installed. You may capture network data via a particular interface, but first you must start TShark and select the network interface where the data will be captured.

1. Use the tshark -D command to display a list of all accessible network interfaces that TShark can locate, even those that are old and inactive.

As seen below, you’ll see a list of the accessible interfaces on your system. Always use the tshark -D command before launching TShark and choosing an interface if your system has several network cards installed.

A list of your system’s available interfaces

2. Next, use the ip link command to identify all active network interfaces (on Linux and BSD systems). For TShark to operate, you must choose an active network interface.

TShark shows all network interfaces on your system, but not all of them are active at any one moment.

In most circumstances, a network interface, such as an Ethernet card, will be used. To capture packets in this example, note eth0 as seen below.

Active network interfaces available to TShark

3. Finally, run the tshark command with the -i option (tshark -i interface) to choose an interface and start capturing live packets. Replace interface with the interface you noted in step two.

You’ll see packets shown in real-time after you start recording data, as demonstrated below. You may also stop TShark from capturing packets at any time by pressing Ctrl+C.

TShark, like other popular network packet analyzers such as tcpdump and Wireshark, captures packets using the pcap library (libpcap). In this scenario, TShark captures packets from the eth0 interface using the pcap library.

As seen below, TShark writes the decoded form of recorded packets to standard output (stdout) on your terminal, each line in a human-readable format.

eth0 packet capture

Capturing a Specific Number of Packets

Let’s say you want to examine a specified number of packets. If this is the case, instead of collecting all packets, specify a number of packets to capture and examine directly.

The -c option (capture packet count) is added to the tshark command to capture a certain number of packets.

To confirm whether the packets are appropriately routed to tshark, use the following command (-c 10) to capture the first 10 packets. Replace 10 with the number of packets you want to collect.

sudo tshark -i eth0 -c 10

The first ten packets captured

Instead, use the -q option if you want to record packets without showing them. If you simply want to see the total number of recorded packets and don’t want to keep scrolling through output on your terminal, the -q option is useful.

To capture packets while suppressing output, add the -q option to the tshark command.

TShark prints the total number of captured packets in the terminal as soon as you press Ctrl+C. A total of 84 packets were recorded, as seen below.

TShark prints the total number of captured packets after the capture stops.

Capturing Specific Packets by Filter String

Perhaps the number of packets collected is excessive, making it hard to search for a certain string with your eyes alone. In this situation, you’ll need to apply a filter to collect packets based on a string.

To pick packets based on protocols, source/destination host/port pairings, and other criteria, you’ll utilize TShark’s capture filter expressions. For instance, suppose your SSH connection fails and you just want to collect packets relating to the SSH connection.

Use the following command to collect packets and filter them (-f) with the tcp port 22 string.

sudo tshark -i eth0 -f "tcp port 22" -c 10

Capturing the packets of your SSH connection

If the string filter isn’t adequate, after running a capture filter, you may use the display filter to narrow down your search and examine individual packets. To test texts, patterns, or byte sequences, the display filter uses comparison operators (!==, ===, ==, etc.).

To indicate more complicated expressions, you may use Boolean operators (and, or, not) and grouping with parentheses.

For instance, after you’ve discovered the IP addresses you use to login to SSH, you may want to probe further into the packets. You’ll use the == (Equal (any if more than one)) operator in this scenario, as seen below.

To capture and show the first 10 filtered packets (-Y) associated with the 69.28.83.134 IP address, use the tshark command below.

sudo tshark -i eth0 -Y 'ip.addr == 69.28.83.134' -c 10

As you can see, the output below only shows packets with the IP address 69.28.83.134.

Using the display filter to capture packets

Saving Captured Packets to a File

When you can see captured packets in real time, you can start troubleshooting right away. However, you may not have time to troubleshoot right now. So why not save the packets you’ve captured to a file? For example, suppose your SSH connection was operating great until it abruptly stopped working.

Scrolling through the packets in the terminal doesn’t always provide enough information to figure out what’s wrong. In this instance, you may use TShark to preserve the recorded packets and share them with friends or coworkers who may be able to assist you.

To save packets collected to a .pcap file, use the command below. The following is what the command does:

  • The capture ring buffer option (-b) is set, which activates the multiple files mode. TShark writes recorded packets to numbered files in this mode. TShark continues on to the next file when the current one is full, and so on.
  • Instructs TShark to generate 10 files (-a files:10), each of 1024 KB (1MB), containing the packets collected in the ring buffer mode of operation. If you omit the files option, the ring buffer mode of operation will run indefinitely until your disk space is depleted or a stop condition arises.

This option allows you to utilize an unlimited number of files. However, in the ring buffer mode of operation, the total size of all files cannot exceed 2GB. When this limit is reached, TShark stops and waits for you to delete certain files to free up disk space before proceeding.

  • Writes the packets captured on the specified interface (eth0) to a file (-w), in this example, ata.pcap.

sudo tshark -i eth0 -f "tcp port 22" -b filesize:1024 -a files:10 -w ata.pcap

When writing to a file, TShark does not show you the writing progress or the packets as they are collected. Only the number of packets collected will be shown, as seen below.

Captured packets are saved to the ata.pcap file.

To halt the writing process at any moment, hit CTRL+C. You’ll have a new file with packets recorded throughout the session, as seen below.

You may now share this file with your buddy and work together to solve the problem!

Taking a look at the ata.pcap files
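The capture above is bounded only because both filesize and files are given. As an added example (not part of the original article), the shell functions below build the same command while refusing a plan that omits the file limit or exceeds the 2GB total mentioned above. The function names, the validation rules and the private umask are this example's own assumptions.

```shell
#!/bin/sh
# Added example: bounded TShark capture using the options from the tutorial.
# Function names and checks are illustrative, not part of TShark itself.

MAX_TOTAL_KB=$((2 * 1024 * 1024))   # 2GB ceiling, the figure the article states

# is_uint VALUE -> success only for a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# max_disk_kb FILESIZE_KB FILES -> worst-case disk usage in KB
max_disk_kb() {
    echo $(( $1 * $2 ))
}

# capture_cmd IFACE FILTER FILESIZE_KB FILES OUTFILE
# Prints the tshark command line, or fails if the plan is unsafe.
capture_cmd() {
    iface=$1 filter=$2 size_kb=$3 files=$4 out=$5
    # Accept only plain interface names (letters, digits, _ . : -).
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    is_uint "$size_kb" && [ "$size_kb" -gt 0 ] ||
        { echo "filesize must be a positive number of KB" >&2; return 2; }
    # Without a file limit the capture runs until the disk is full.
    is_uint "$files" && [ "$files" -gt 0 ] ||
        { echo "files limit is required" >&2; return 2; }
    total=$(max_disk_kb "$size_kb" "$files")
    [ "$total" -le "$MAX_TOTAL_KB" ] ||
        { echo "plan needs ${total} KB, over the ceiling" >&2; return 3; }
    printf 'tshark -i %s -f "%s" -b filesize:%s -a files:%s -w %s\n' \
        "$iface" "$filter" "$size_kb" "$files" "$out"
}

# run_capture: same arguments; validates first, then captures with umask 077
# so the saved packets are readable only by the capturing user.
run_capture() {
    capture_cmd "$@" >/dev/null || return
    ( umask 077 && exec tshark -i "$1" -f "$2" -b "filesize:$3" \
        -a "files:$4" -w "$5" )
}
```

Calling capture_cmd eth0 "tcp port 22" 1024 10 ata.pcap prints the command used in this section; run_capture with the same arguments executes it and needs the same privileges as the tutorial's command.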

Conclusion

You learnt how to install TShark on an Ubuntu system in this article. You also learnt how to use filters to find certain recorded packets and save them to a file.

You’ve now learned how to use TShark and its basic command-line parameters to capture packets. You may now begin debugging network difficulties on your own or use it as an opportunity to socialize with your friends!

Why not use your newfound knowledge to install Tshark and Wireshark on AWS EC2 to monitor packets? Or how about determining the bitrate of a video stream?


Frequently Asked Questions

How do I troubleshoot a network using command prompt?

A: One of the simplest ways to troubleshoot a network is by using command prompt. There are many options you can use in order to get more information about your connection and diagnose any issues that may be occurring within it.

How do you troubleshoot a network connection?

A: There are many different ways to troubleshoot a network connection, but the most common way is to use TCP/IP utilities. These can be found on virtually every computer and smartphone in existence as well as through various websites like www.speedof Light Image

What are the network commands?

A: The initial network commands are lobby, start, stop and exit. For example, to join a game or leave the lobby you can use these commands respectively:
