Never Ending Security

It starts all here

How To use Tshark

HOW TO: TSHARK


How to: Tshark

TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn’t necessary or available. It supports the same options as. For more information on, see the manual pages (man tshark).

Auto-save Captures to Multiple Files

Capture the network traffic to 20 files, each sized 100 KB, and then the capture will stop automatically.

# tshark -b filesize:100 -a files:20 -w temp.pcap

Options:

  • -b is the ring buffer option
  • filesize:100 indicates that the maximum size of the output capture file is 100 KB
  • files:20 indicates that the total number of output files that should be created is 20
  • -a indicates auto-stop

Auto-save Captures Based on Time Limit

Capture traffic to multiple files. This command will switch to new file when the file size reaches 10240 KB or when 1 second is elapsed.

# tshark -b filesize:10240 -b duration:1 -w temp.pcap

Specify Capture Buffer Size

Used by the the capture driver to buffer packet data until that data can be written to disk. If you encounter packet drops while capturing, try to increase this size.

# tshark -B 2

Capture Using “decode as” option

This is helpful when you need to specify how a layer type should be dissected. This is same as wireshark “decode as” option, but sometimes specified selector value is different from the value present in packet.

# tshark -r capture.pcap -d sctp.port==3869,diameter   
82 212.059173 192.168.1.2 -> 192.168.1.3 DIAMETER 262 cmd=Capabilities-ExchangeRequest(257) flags=R--- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000 
 83 212.059330 192.168.1.3 -> 192.168.1.2 SCTP 62 SACK 
 84 212.078804 192.168.105.30 -> 192.168.105.20 DIAMETER 294 cmd=Capabilities-ExchangeAnswer(257) flags=---- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000 
 85 212.080569 192.168.1.3 -> 192.168.1.2 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002 
 86 212.084960 192.168.1.2 -> 192.168.1.3 SCTP 62 SACK 
 87 212.084998 192.168.1.2 -> 192.168.1.3 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002 
 88 212.100324 192.168.1.3 -> 192.168.1.2 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003 
 89 212.101629 192.168.1.2 -> 192.168.1.3 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003 
 90 212.110997 192.168.1.3 -> 192.168.1.2 SCTP 62 SACK 
 91 212.119855 192.168.1.3 -> 192.168.1.2 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2b e2e=63d00004

Extract Specific Fields

This is very helpful when you like to extracting specific fields from diameter protocol packets. Currently tshark supports only few set of protocols. You can also do the same thing using -V option, and combining with a script or grep command. The method shown below is faster for very large files.

# tshark  -q -r capture.pcap -R diameter -z diameter,avp,257,Origin-Host 
Running as user "root" and group "root". This could be dangerous. 
frame='82' time='212.059176' src='192.168.1.2' srcport='35132' dst='192.168.1.3' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='82' ans_frame='0' resp_time='0.000000' Origin-Host='backend.eap.testbed.aaa' 
frame='84' time='212.078807' src='192.168.1.3' srcport='3868' dst='192.168.1.2' dstport='35132' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='82' ans_frame='84' resp_time='0.019631' Origin-Host='gw.eap.testbed.aaa' 
frame='126' time='225.283773' src='192.168.1.4' srcport='2844' dst='192.168.1.3' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='126' ans_frame='0' resp_time='0.000000' Origin-Host='opendiam.eap.testbed.aaa' 
frame='130' time='225.295815' src='192.168.1.3' srcport='3868' dst='192.168.1.4' dstport='2844' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='126' ans_frame='130' resp_time='0.012042' Origin-Host='gw.eap.testbed.aaa' 
=== Diameter Summary === 
requset count:  2 
answer count:   2 
req/ans pairs:  2

Display Statistics for Specific Protocol

You can also display statistics from a cpatured file for a specific protocol.

# tshark  -q -r a.pcap -R http -z http,tree 
Running as user "root" and group "root". This could be dangerous. 

=================================================================== 
 HTTP/Packet Counter           value            rate         percent 
------------------------------------------------------------------- 
 Total HTTP Packets               7       0.000375                
  HTTP Request Packets            4       0.000214          57.14% 
   GET                            4       0.000214         100.00% 
  HTTP Response Packets           3       0.000161          42.86% 
   2xx: Success                   2       0.000107          66.67% 
    200 OK                        2       0.000107         100.00% 
   3xx: Redirection               1       0.000054          33.33% 
    302 Found                     1       0.000054         100.00% 
   5xx: Server Error              0       0.000000           0.00% 
  Other HTTP Packets              0       0.000000           0.00%
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s