Counting packets in Wireshark - wireshark

Is it possible to re-do numbering in Wireshark. For example i have filtered packets to one side:
So the numbers are (they are not in order because of filtering):
416,419,420,423,424,426,427.
But i would like to number them like this, line by line:
1,2,3,4,5,6,7
The reason is that it would be easier to count all the packets. I know tshark has statistical operation COUNT, but for quick counting this would be a lot better.

You can export the displayed packets into a new file via File -> Export Specified Packets... -> All packets: Displayed. The new capture file will contain sequentially numbered packets starting from 1.
But if you just want to know how many displayed packets there are, you could just look at the Wireshark status line where it will indicate the number of displayed packets.
Statistics -> Capture File Properties will also tell you the number of displayed packets.

Related

Wireshark display filter for Protocol != 802.11

I've set Wireshark's capture filter set to capture only packets from the MAC address of interest, but the result is dominated by zillions of packets whose Protocol is "802.11". I want to view all of the packets that are NOT 802.11, e.g. ARP, DCHP, DNS, TCP, etc.
For example, in the following, I'd like to hide all of the 802.11 packets and show the DHCP packets (and any others that are NOT 802.11):
I tried "wlan.fc.type != 0", but clearly that's not correct. What's the magic keyword for such a filter?
update
#ChristopherMaynard's comment is close, and I now understand that a simple filter of:
ip
is almost what I want, but it fails to display packets of type ARP, EAPOL, LLC, MDP and perhaps others.
[Converted comment to answer and added an alternate solution while I'm at it.]
If you just want data frames but those without un-dissected data (which would still show 802.11 in the Protocol column), then you could try wlan.fc.type == 2 and !data. Or you could try !(frame.protocols == "radiotap:wlan_radio:wlan:data" or frame.protocols == "radiotap:wlan_radio:wlan").
Another alternative is to download the filtcols.lua script written by Chuck Craft, save it to your plugins directory (Wireshark: Help -> About Wireshark -> Folders -> Personal Lua Plugins), the [re]start Wireshark. Now you can apply a display filter such as wlan and !(filtcols.protocol == "802.11").

What is the best way to access data from a particular field in wireshark decoded packets

I am using wireshark to decode gsm packets. Wireshark picks up all communication at that frequency and decodes it.
Overview of the packets obtained.
Now in the system information 5 packet, we have the required parameter.Details of system information 5 packet
I wish to write a code such that if there is only a single value in the last entry of the packet i.e. the neighbour list, an alert inform of a pop up message or something is generated.
These packets have to captured and processed in real time.
I have installed pyshark but cant figure out how to move forward.
Please help
I can only give a partial answer, which is how to detect if there's only a single value or not. My suggestion is to use tshark and then post-process the data using another tool, such as wc. For example:
tshark -i lo -Y "gsm_a.rr.arfcn_list" -T fields -e gsm_a.rr.arfcn_list | wc -w
If the result is 1, then there's only 1 entry in the list.
How you generate an alert from this, I'm not sure.

Reading TCP Stream from TShark without Bytes in Packet

I'm using TShark to read in existing *.pcap and *.pcapng files. When I output the TCPStream as an ASCII string using -z follow,tcp,ascii,33 (for stream number 33), I see all the ASCII data, but I also see that between packets, the ASCII stream is split by the the size of that packet in Bytes.
So, an example of the TCP Stream is below. The first half before the number is in one packet, followed by the remaining data found in a different template.
"website.templ
842
tes.output/name"
Assuming that I'm trying to regex on "templates" in this TCPStream, this split causes the regex to miss this occurrence of "templates" because it's split between two different packets.
Is there anyway to export the TCPStream as ASCII without the bytes field?
I attempted to use the -o flag to change the default setting of tcp.track_bytes_in_flight, but this only applies to live captures vs what I'm doing, analyzing static files.

Writing a Wireshark dissector to count number of TCP flows

I have a very large tcpdump file that I split into 1 minute intervals. I am able to use tshark to extract TCP statistics for each of the 1 minute files using a loop code and save the results as a CSV file so I can perform further analysis in Excel. Now I want to be able to count the number of TCP flows in each 1 minute file for all the 1 minute files and save the data in a CSV file. A TCP flow here represents group of packets going from a specific source to a specific destination. Each flow has statistics such as source IP, dest IP, #pcakets from A->B, #bytes from A->B, #packets from B->A, #bytes from B->A, total packets, total bytes, etc. And I just want to count the number of TCP flows in each of the 1 minute files. From what I’ve read so far, it seems I need to create a dissector to do that. Can anyone give me pointers or code on how to get started? Thanks.
Tshark has a command to dump all of the necessary information: tshark -qz conv,tcp -r FILE. This writes one line per flow (plus a header and footer) so to count the flows just count the lines and subtract the header/footer.
Not a dissector, but a tap. See the Wireshark README.tapping document, and see the TShark iousers tap for a, sadly, not at all simple example in C.
It's also possible to write taps in Lua; see, for example, the Lua/Taps page in the Wireshark Wiki and the Lua Support in Wireshark section of the Wireshark User's Manual.
The C structure passed to TCP taps for each packet is:
/* the tcp header structure, passed to tap listeners */
typedef struct tcpheader {
guint32 th_seq;
guint32 th_ack;
gboolean th_have_seglen; /* TRUE if th_seglen is valid */
guint32 th_seglen;
guint32 th_win; /* make it 32 bits so we can handle some scaling */
guint16 th_sport;
guint16 th_dport;
guint8 th_hlen;
guint16 th_flags;
guint32 th_stream; /* this stream index field is included to help differentiate when address/port pairs are reused */
address ip_src;
address ip_dst;
/* This is the absolute maximum we could find in TCP options (RFC2018, section 3) */
#define MAX_TCP_SACK_RANGES 4
guint8 num_sack_ranges;
guint32 sack_left_edge[MAX_TCP_SACK_RANGES];
guint32 sack_right_edge[MAX_TCP_SACK_RANGES];
} tcp_info_t;
So, for C-language taps, the "data" argument to the tap listener's "packet" routine points to a structure of that sort.
For Lua taps, the "tapinfo" table passed as the third argument to the tap listener's "packet" routine is described as "a table of info based on the Listener's type, or nil.". For a TCP tap, the entries in the table include all the fields in that structure except for sack_left_edge and sack_right_edge; the keys in the table are the structure member names.
The th_stream field identifies the connection; each time the TCP dissector finds a new connection, it assigns a new value. As the comment indicates, "this stream index field is included to help differentiate when address/port pairs are reused", so that if a given connection is closed, and a later connection uses the same endpoints, the two connections have different th_stream values even though they have the same endpoints.
So you'd have a table using the th_stream value as a key. The table would store the endpoints (addresses and ports) and counts of packets and bytes in each direction. For each packet passed to the listener's "packet" routine, you'd look up the th_stream value in the table and, if you don't find it, you'd create a new entry, starting the counts off at zero, and use that new entry; otherwise, you'd use the entry you found. You'd then figure out whether the packet was going from A to B or B to A, and increase the appropriate packet count and byte count.
You'd also keep track of the time stamp. For the first packet, you'd store the time stamp for that packet. For each packet, you'd look at the time stamp and, if it's one minute or more later than the stored time stamp, you'd:
dump out the statistics from the table of connections;
empty out the table of connections;
store the new packet's time stamp, replacing the previous stored time stamp.

Wireshark dissect function

When writing a dissector in Wireshark, is the dissect function in the dissector's source called on each packet in order, only once?
What could be possible reasons for tree values changing as I click on packets multiple times?
It is called once when the packet is first to display the high level information.
if (check_col(pinfo->cinfo, COL_PROTOCOL))
or
if (check_col(pinfo->cinfo,COL_INFO))
And called again when showing the body, ie when you click on that one packet.
if (tree)
I'd assume that the second call results are discarded, as if you have a large number of packets to decode keeping the details for each would be too large an overhead.
But as always some quick testing would be able to show if this is the case. (via a static counter)

Resources