How to analyze packets from tshark in realtime via bash?

I need to analyze the IPSec packets from this command in real time:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP>)'

I need to check whether an ISAKMP packet is sent, to set a variable to true. I can't wait until the whole sniffing process is finished to be able to read it from a pcap file!


After some workarounds, we have a solution:

# -l makes tshark flush stdout after every packet, so lines arrive as they are captured instead of in buffered chunks
while IFS= read -r line; do if [[ $line =~ 'ISAKMP' ]]; then echo "$line"; fi; done < <(sudo tshark -l -i <My_Interface>)

Instead of the simple string 'ISAKMP' we can check for anything else. The echo command may be any other command (setting an environment variable, etc.).
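The same loop, written out as an added example that is not part of the answer above. It reads a line stream, sets a flag in the calling shell the moment an ISAKMP line appears, and counts the matches. The sample lines are constructed to look like tshark's one-line summary output so the script runs without tshark; the function names, the live_capture wrapper and the interface/IP placeholders are this example's assumptions. The point of `< <(...)` rather than `cmd | while ...` is that the loop body runs in the current shell, so the variable it sets survives after the loop.

```shell
#!/usr/bin/env bash
# Added example: watch a tshark line stream for ISAKMP (IKE) traffic and set a
# flag in the *current* shell as soon as it appears. The assumed live command is
#   sudo tshark -l -i <My_Interface> -Y 'ip.addr == <My_IP>'
# (-l flushes after every packet so lines arrive in real time). Because tshark is
# not available offline, the watcher takes the line source as a command name.

# Constructed sample of tshark one-line summary output (not a real capture).
sample_capture() {
  cat <<'EOF'
    1 0.000000000 192.0.2.10 -> 192.0.2.20 TCP 74 51234 -> 443 [SYN] Seq=0 Win=64240 Len=0
    2 0.001200000 192.0.2.20 -> 192.0.2.10 TCP 74 443 -> 51234 [SYN, ACK] Seq=0 Ack=1
    3 0.250000000 192.0.2.10 -> 198.51.100.5 ISAKMP 354 Identity Protection (Main Mode)
    4 0.260000000 198.51.100.5 -> 192.0.2.10 ISAKMP 342 Identity Protection (Main Mode)
    5 0.300000000 192.0.2.10 -> 198.51.100.5 ESP 150 ESP (SPI=0x0000c0de)
EOF
}

# Globals set by the watcher; they are visible after the call because the loop
# is fed by process substitution, not by a pipe (a pipe would run the loop in a
# subshell and discard the assignments).
ISAKMP_SEEN=false
ISAKMP_FIRST_LINE=""
ISAKMP_COUNT=0

# watch_for_isakmp SOURCE_CMD [PATTERN]
#   SOURCE_CMD: command/function that prints tshark-style lines
#   PATTERN:    substring to look for (default ISAKMP)
watch_for_isakmp() {
  local source_cmd=$1
  local pattern=${2:-ISAKMP}
  local line
  ISAKMP_SEEN=false; ISAKMP_FIRST_LINE=""; ISAKMP_COUNT=0
  while IFS= read -r line; do
    if [[ $line == *"$pattern"* ]]; then
      ISAKMP_COUNT=$((ISAKMP_COUNT + 1))
      if [[ $ISAKMP_SEEN == false ]]; then
        ISAKMP_SEEN=true
        ISAKMP_FIRST_LINE=$line
        printf 'IKE negotiation observed: %s\n' "$line" >&2
        # To stop capturing at the first hit, `break` here: tshark then gets
        # SIGPIPE on its next write and exits.
      fi
    fi
  done < <("$source_cmd")
}

# Extract the destination address (the field after "->") from a summary line.
isakmp_peer() {
  awk '{print $5}' <<<"$1"
}

# Demonstration with the constructed sample. Against a live interface, define
#   live_capture() { sudo tshark -l -i "<My_Interface>" -Y 'ip.addr == <My_IP>'; }
# and call:  watch_for_isakmp live_capture
watch_for_isakmp sample_capture
echo "seen=$ISAKMP_SEEN count=$ISAKMP_COUNT peer=$(isakmp_peer "$ISAKMP_FIRST_LINE")"
```

Matching with `[[ $line == *"$pattern"* ]]` keeps the pattern literal; switch to `=~` only when a real regular expression is needed, and then leave the right-hand side unquoted.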


You might also want to look into the netsniff-ng package in apt. It is a packet sniffing toolkit specifically built for Linux networks.

It works great for things like analyzing signals of PCI/USB devices that do not follow their respective data protocols, in order to write custom drivers.

The following is a list of included tools, including descriptions, obtained from the output of apt info netsniff-ng:

  • netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
  • trafgen: a multithreaded low-level zero-copy network packet generator
  • mausezahn: high-level packet generator for appliances with Cisco-CLI
  • ifpps: a top-like kernel networking and system statistics tool
  • curvetun: a lightweight curve25519-based multiuser IP tunnel
  • astraceroute: an autonomous system trace route and DPI testing utility
  • flowtop: a top-like netfilter connection tracking tool
  • bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

To find out more, you can visit the netsniff-ng website:

http://netsniff-ng.org/