How to preserve timestamps in tshark output file? - wireshark

I'm using tshark to extract specific TCP streams and write that to an output pcap file using the -w option.
But, the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
Is there any way to ensure that the original timestamps (from the original pcap file) are preserved in the output pcap?
I'm using TShark 1.10.5 (SVN Rev 54262 from /trunk-1.10) on MacOS.
Thanks!

the frames in the output pcap do not have any timestamps or delta times (they're all zero while in the original pcap there are timestamps and delta times for the frames).
That is what is technically known as a "bug". Please file it as a bug on the Wireshark Bugzilla; if you can attach your original pcap file for testing purposes, that would be good. (If not, please run the file command on it and show the results, just so we know what file type the input file is - it might, for example, be a pcap-ng file rather than a pcap file).

Related

how to merge fragmented packets comming from same source?

I have fragmented packets coming from multiple sources stored in a *.pcap file. I need to merge all these payloads coming from the same source and extract the payloads in a file.
I need to do the above task using tcpdump or tshark commands.
Please let me know if I have missed something or if you need more clarification.
With pdml2flow (pypi) you can merge/aggregate frames based on any fields extracted by tshark / wireshark and print them as JSON, XML or any other format. You can also easily create a new plugin which extracts, rearranges and saves the payload for your use-case.
For example if you'd like to aggregate all frames with the same source and destination mac and print them as JSON you could do:
tshark -i interface -Tpdml | pdml2flow -f eth.src -f eth.dst +json
This might help if you can find a set of fields based on which you would like to merge/aggregate.
Disclosure: I am the author of pdml2flow.

Advanced filtering in wireshark

I have a pcap file where I have a proprietary header from 13th byte to 110th byte. Is there a way I can strip of this portion from every packet in pcap file and then use wireshark to display the remaining packet ?
If you know for certain that every packet has the same proprietary header in the same location and is the same size, then you can use editcap to remove the unwanted bytes. For example:
editcap -C 12:98 file_with_prop_hdr.pcap file_without_prop_hdr.pcap

How can I convert the RTP payload containing SILK-encoded audio into a file?

I have the pcap of a VoIP call involving SILK.
I'm able to see in Wireshark the RTP payload.
From the RTP headers I can understand the sample rate (e.g. 24 KHz) and the frame size (e.g. 20 ms).
What I'd like to do is extract the RTP payload and generate a file containing the SILK-encoded audio.
From the RTP payload format description I can see that in the case of storage in a file, each block of audio needs a block header, to specify the sample rate and block size (because the block size is variable and can be different on each frame).
How can I generate a file with the correct file header ("magic number") and add a block header for each block of audio?
I can use a few different programming languages so I'm mainly interested in the required algorithm, but would appreciate references to code implementations (or perhaps some existing tool?).
Use pcaputil of pjproject: Converts captured RTP packets in PCAP file to WAV file or play it to audio device. Can filter the PCAP file on source or destination IP or port, is able to deal with SRTP and supports all codecs in PJMEDIA, including SILK (have not tried this myself).
Examples:
pcaputil file.pcap output.wav
pcaputil -c AES_CM_128_HMAC_SHA1_80 -k VLDONbsbGl2Puqy+0PV7w/uGfpSPKFevDpxGsxN3 file.pcap output.wav

Is there a way to pad files with a few extra bytes to get a different md5 checksum?

I have video files, that I want to pad with a random number of extra bytes, in order to create a different md5 checksum. Is there a way to do that, and keep them playable?
It depends on the video file format, but you should be able to just add the extra bytes to the end, and most video players should ignore them. Most video formats contain a lot of metadata about the video data (such as "the total video size is X bytes"), so they're robust against this sort of change.
One simple way to do this is to use the >> shell redirection operator to append data, e.g.:
# Add 32 random bytes to the end of the movie.avi
head -c 32 /dev/urandom >> movie.avi
Metadata would be a good thing to change. If the file has metadata about the time the film was made or the software used for encoding, changes to those values should not have any effect on the final result. You'd need to specify the format.
Yegor,
It depends entirely on the video format. Look it up on wikipedia, some have a end of file flag byte sequence, simply adding bytes after it will achieve your effect, others will not work out so simply.

wireshark: Capture Data Layer Only

Is there a way to capture only the data layer and disregard the upper layers in wireshark? If not, is there a different packet dump utility that can do this? PREFERABLY 1 file per packet!
What I am looking for: A utility that dumps only the data (the payload) layer to a file.
This is programming related...! What I really want to do is to compare all of the datagrams in order to start to understand a third party encoding/protocol. Ideally, and what would be great, would be a hex compare utility that compares multiple files!
You should try right-clicking on a packet and select "Follow TCP Stream". Then you can save the TCP communication into a raw file for further processing. This way you won't get all the TCP/IP protocoll junk.
There is a function to limit capture size in Wireshark, but it seems that 68bytes is the smallest value. There are options to starting new files after a certain number of kilo, mega, gigabytes, but again the smallest is 1-kilobyte, so probably not useful.
I would suggest looking at the pcap library and rolling your own. I've done this in the past using the PERL Net::Pcap library, but it could easily be done it other languages too.
If you have Unix/Linux available you might also look into tcpdump. You can limit amount of data captured with -s. For example "-s 14" would typically get you the Ethernet header, which I assume is what you mean by the datalink layer. There are also options for controlling how often files are created by specifying file size with -C. So theoretically if you set the file size to the capture size, you'll get one file per packet.
Using tshark I was able to print data only, by decoding as telnet and printing field telnet.data
tshark -r file.pcap -d tcp.port==80,telnet -T fields -e telnet.data
GET /test.js HTTP/1.1\x0d\x0a,User-Agent: curl/7.35.0\x0d\x0a,Host: 127.0.0.1\x0d\x0a,Accept: */*\x0d\x0a,\x0d\x0a
HTTP/1.1 404 Not Found\x0d\x0a,Server: nginx/1.4.6 (Ubuntu)\x0d\x0a,Date: Fri, 15 Jan 2016 11:32:58 GMT\x0d\x0a,Content-Type: text/html\x0d\x0a,Content-Length: 177\x0d\x0a,Connection: keep-alive\x0d\x0a,\x0d\x0a,<html>\x0d\x0a,<head><title>404 Not Found</title></head>\x0d\x0a,<body bgcolor=\"white\">\x0d\x0a,<center><h1>404 Not Found</h1></center>\x0d\x0a,<hr><center>nginx/1.4.6 (Ubuntu)</center>\x0d\x0a,</body>\x0d\x0a,</html>\x0d\x0a
Not perfect but it was good enough for what I needed, I hope it helps some one.

Resources