how to merge fragmented packets coming from same source? - wireshark

I have fragmented packets coming from multiple sources stored in a *.pcap file. I need to merge all these payloads coming from the same source and extract the payloads in a file.
I need to do the above task using tcpdump or tshark commands.
Please let me know if I have missed something or if you need more clarification.

With pdml2flow (pypi) you can merge/aggregate frames based on any fields extracted by tshark / wireshark and print them as JSON, XML or any other format. You can also easily create a new plugin which extracts, rearranges and saves the payload for your use-case.
For example if you'd like to aggregate all frames with the same source and destination mac and print them as JSON you could do:
tshark -i interface -Tpdml | pdml2flow -f eth.src -f eth.dst +json
This might help if you can find a set of fields based on which you would like to merge/aggregate.
Disclosure: I am the author of pdml2flow.
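For anyone who wants to do the merging without an extra tool, here is an added example (not from the question or the pdml2flow project) in stdlib-only Python: it walks a classic pcap file, reassembles IPv4 fragments by (source, destination, identification, protocol) even when they arrive out of order, and groups the finished payloads per source address. It assumes Ethernet II framing and a little-endian classic pcap (not pcapng), skips IP checksum verification, and runs on a small capture constructed inline.

```python
import struct
from collections import defaultdict
def iter_pcap_frames(data):
    """Yield the captured bytes of every record in a little-endian classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:  # magic of a microsecond pcap
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    off = 24  # skip the global header; each record is a 16-byte header plus incl_len bytes
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def payloads_by_source(pcap_bytes):
    """Return {src_ip: [payload, ...]} with IPv4 fragments reassembled (Ethernet II only)."""
    frags = defaultdict(dict)  # (src, dst, id, proto) -> {fragment offset: bytes}
    ends = {}                  # same key -> total length, known once the MF=0 fragment is seen
    done = {}
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet II
        ip = frame[14:]
        total_len, ident, flags_off = struct.unpack_from("!HHH", ip, 2)
        src = ".".join(map(str, ip[12:16]))
        key = (src, ip[16:20], ident, ip[9])
        offset = (flags_off & 0x1FFF) * 8
        frags[key][offset] = ip[(ip[0] & 0x0F) * 4:total_len]
        if not flags_off & 0x2000:  # MF clear: this is the last fragment
            ends[key] = offset + len(frags[key][offset])
        offsets = sorted(frags[key])  # complete when the pieces tile [0, end): no gap, no overlap
        bounds = [0] + [o + len(frags[key][o]) for o in offsets]
        if key in ends and bounds[:-1] == offsets and bounds[-1] == ends[key]:
            done.setdefault(src, []).append(b"".join(frags[key][o] for o in offsets))
            del frags[key], ends[key]
    return done  # fragment sets that never completed stay in frags and are not returned

def ipv4_frame(src, dst, ident, offset8, more, payload):
    """Constructed Ethernet II + IPv4 (proto 17) fragment; header checksum left as zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                     (0x2000 if more else 0) | offset8, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

# Constructed capture: two out-of-order fragments from 10.0.0.1, one whole datagram from 10.0.0.2.
SAMPLE_FRAMES = [
    ipv4_frame("10.0.0.1", "10.0.0.9", 7, 1, False, b"rld"),      # last fragment, offset 8
    ipv4_frame("10.0.0.2", "10.0.0.9", 3, 0, False, b"single"),
    ipv4_frame("10.0.0.1", "10.0.0.9", 7, 0, True, b"hello wo"),  # first fragment, MF set
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE_FRAMES)
```

To get one file per source as the question asks, join each list in the returned dict and write it out under the source address; on a real capture, check the leftover entries in frags as well, since a sender whose last fragment was never seen produces no output at all.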

Related

What is the best way to access data from a particular field in wireshark decoded packets

I am using wireshark to decode gsm packets. Wireshark picks up all communication at that frequency and decodes it.
Overview of the packets obtained.
Now in the system information 5 packet, we have the required parameter.
Details of system information 5 packet
I wish to write a code such that if there is only a single value in the last entry of the packet, i.e. the neighbour list, an alert in the form of a pop-up message or something is generated.
These packets have to be captured and processed in real time.
I have installed pyshark but can't figure out how to move forward.
Please help.
I can only give a partial answer, which is how to detect if there's only a single value or not. My suggestion is to use tshark and then post-process the data using another tool, such as wc. For example:
tshark -i lo -Y "gsm_a.rr.arfcn_list" -T fields -e gsm_a.rr.arfcn_list | wc -w
If the result is 1, then there's only 1 entry in the list.
How you generate an alert from this, I'm not sure.

Is it possible to apply a read filter on a .pcap file using tshark based on the interface?

Can I do something like:
tshark -r filename.pcap -R -i wan0 ?
Where filename.pcap is the packet capture file being analysed and wan0 is the interface for which I need to apply the filter?
The normal pcap format as used by tcpdump does not contain information about the interface name where a packet was captured. The pcapng format as used by tshark or wireshark by default does have this information. With pcapng one could apply a display filter like this:
tshark -r file.pcapng -Y 'frame.interface_name == "wan0"'
Of course, this only makes sense if the pcapng file contains packets captured on multiple interfaces. Otherwise this filter would just result in no packets or all packets. Specifically, it will not help to capture on the any pseudo-interface, since the pcapng will not contain the names of the various interfaces on the system but will just show all packets as captured on the single any pseudo-interface.

How to preserve timestamps in tshark output file?

I'm using tshark to extract specific TCP streams and write that to an output pcap file using the -w option.
But, the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
Is there any way to ensure that the original timestamps (from the original pcap file) are preserved in the output pcap?
I'm using TShark 1.10.5 (SVN Rev 54262 from /trunk-1.10) on MacOS.
Thanks!
the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
That is what is technically known as a "bug". Please file it as a bug on the Wireshark Bugzilla; if you can attach your original pcap file for testing purposes, that would be good. (If not, please run the file command on it and show the results, just so we know what file type the input file is - it might, for example, be a pcap-ng file rather than a pcap file).

NS-3 trace file packet ID

I have a simple point to point UDP WiFi simulation in NS-3 that outputs data to a trace file. It provides lots of useful data but there is no information that gives a unique ID for each packet. I can't find anything in wireshark either when I open the pcap files.
I have output the results of my simulation to an ascii trace file and pcap files for both nodes but I can't find any packet identifier. I can see the sequence numbers of the packets but that's it.
I am new to NS-3 so I am not sure how to produce this information.
Here is some of the output from the trace file.
t 2.00082 /NodeList/0/DeviceList/0/$ns3::WifiNetDevice/Phy/State/Tx ns3::WifiMacHeader (DATA ToDS=0, FromDS=0, MoreFrag=0, Retry=0, MoreData=0 Duration/ID=0usDA=ff:ff:ff:ff:ff:ff, SA=00:00:00:00:00:01, BSSID=00:00:00:00:00:01, FragNumber=0, SeqNumber=0) ns3::LlcSnapHeader (type 0x806) ns3::ArpHeader (request source mac: 00-06-00:00:00:00:00:01 source ipv4: 10.1.1.1 dest ipv4: 10.1.1.2) ns3::WifiMacTrailer ()
Any suggestions are appreciated.
Thanks.
In case you might not be aware of this already, let me first point out what might seem to be the obvious but: "there is no such thing as unique packet id in real networks" and since pcap traces are designed to contain dumps of real packets in real networks, there is zero chance you will be able to find a unique packet id in a pcap trace generated by ns-3.
Now, ns-3 does contain a per-packet unique id that is available with the Packet::GetId method and you can trivially change the source code of the function that generates your ascii dump to add this in src/wifi/helper/yans-wifi-helper.cc. Grep for "Ascii".
Now, if you want to know why it does not do this by default, given that it is so useful, I honestly can't remember, but:
there is probably something related to the ns2 trace format that inspired this ascii format. Compatibility with existing tools might have been an issue
adding a packet id goes against the ns-3 philosophy of matching what real networks do

wireshark: Capture Data Layer Only

Is there a way to capture only the data layer and disregard the upper layers in wireshark? If not, is there a different packet dump utility that can do this? PREFERABLY 1 file per packet!
What I am looking for: A utility that dumps only the data (the payload) layer to a file.
This is programming related...! What I really want to do is to compare all of the datagrams in order to start to understand a third party encoding/protocol. Ideally, and what would be great, would be a hex compare utility that compares multiple files!
You should try right-clicking on a packet and selecting "Follow TCP Stream". Then you can save the TCP communication into a raw file for further processing. This way you won't get all the TCP/IP protocol junk.
There is a function to limit capture size in Wireshark, but it seems that 68 bytes is the smallest value. There are options for starting new files after a certain number of kilo-, mega- or gigabytes, but again the smallest is 1 kilobyte, so probably not useful.
I would suggest looking at the pcap library and rolling your own. I've done this in the past using the Perl Net::Pcap library, but it could easily be done in other languages too.
If you have Unix/Linux available you might also look into tcpdump. You can limit the amount of data captured with -s. For example "-s 14" would typically get you the Ethernet header, which I assume is what you mean by the datalink layer. There are also options for controlling how often files are created by specifying file size with -C. So theoretically, if you set the file size to the capture size, you'll get one file per packet.
Using tshark I was able to print data only, by decoding as telnet and printing field telnet.data
tshark -r file.pcap -d tcp.port==80,telnet -T fields -e telnet.data
GET /test.js HTTP/1.1\x0d\x0a,User-Agent: curl/7.35.0\x0d\x0a,Host: 127.0.0.1\x0d\x0a,Accept: */*\x0d\x0a,\x0d\x0a
HTTP/1.1 404 Not Found\x0d\x0a,Server: nginx/1.4.6 (Ubuntu)\x0d\x0a,Date: Fri, 15 Jan 2016 11:32:58 GMT\x0d\x0a,Content-Type: text/html\x0d\x0a,Content-Length: 177\x0d\x0a,Connection: keep-alive\x0d\x0a,\x0d\x0a,<html>\x0d\x0a,<head><title>404 Not Found</title></head>\x0d\x0a,<body bgcolor=\"white\">\x0d\x0a,<center><h1>404 Not Found</h1></center>\x0d\x0a,<hr><center>nginx/1.4.6 (Ubuntu)</center>\x0d\x0a,</body>\x0d\x0a,</html>\x0d\x0a
Not perfect, but it was good enough for what I needed; I hope it helps someone.