
TShark

Official · Wireshark

Command-line packet analyzer for capturing, filtering, decoding, and exporting live or saved network traffic.

$ brew install wireshark

Language: C
Stars: 9,048
Category: Networking
Agent: Ready
Agent Compatibility: JSON Output, Agent Skill, MCP Support, AI Analysis

TShark is Wireshark's command-line packet analyzer for live captures and saved trace files. It exposes Wireshark's dissectors and filtering engine through flags, stdout, and capture files that fit shell-driven network debugging.

What It Enables
  • Capture traffic on chosen interfaces, apply capture or display filters, and write rolling pcap or pcapng files for incident evidence and later analysis.
  • Read saved or compressed traces, print packet summaries or full protocol trees, and extract selected fields or statistics from network traffic.
  • Export decoded packets as JSON, raw-packet JSON, EK NDJSON, CSV-like field output, or XML for downstream parsing, Elasticsearch ingest, or follow-up tooling.
Agent Fit
  • Machine-readable output is available through -T json, jsonraw, ek, and fields; -j or -J protocol filters and --no-duplicate-keys narrow or normalize that output.
  • Non-interactive flags, -l line buffering, interface and link-type discovery, and documented exit codes make it workable in inspect, capture, and verify loops.
  • Live capture still needs permissions and network-specific judgment, and decoded output can be large enough that agents usually need tight filters or a capture-first workflow.
Caveats
  • Live capture depends on dumpcap privileges or access to capture devices; the README explicitly discourages running tshark itself as root.
  • Verbose decode and JSON modes can explode in size on busy traces, so automation is usually safer when it saves captures first and re-reads them with narrower filters.