I want to parse the standard header outputs of tshark. Since the default doesn't work, I am using a custom field parser that does almost the same thing. What I am missing is the resolution of the name of the protocol. My command is:
sudo tshark -b 256 -P -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e ip.len -e col.Info -E separator=';' -b filesize:65535 -b files:10 -w tshark_tmp
This almost works, what I get is (this example is capturing two pings):
1378869929.862628000;192.168.78.252;192.168.78.53;1;84;Echo (ping) request id=0x0abe, seq=65/16640, ttl=64
1378869929.863188000;192.168.78.53;192.168.78.252;1;84;Echo (ping) reply id=0x0abe, seq=65/16640, ttl=64 (request in 1)
The same two pings look like this in the normal, no custom field tshark:
0.000000 192.168.78.252 -> 192.168.78.53 ICMP 98 Echo (ping) request id=0x0abe, seq=13/3328, ttl=64
0.000707 192.168.78.53 -> 192.168.78.252 ICMP 98 Echo (ping) reply id=0x0abe, seq=13/3328, ttl=64 (request in 1)
The main difference that I need to solve is in mine I get 84 for the protocol, whereas tshark prints ICMP 98. I could implement my own lookup table, but there is a large number of protocols and tshark already knows how to decode them, I just need to figure out how to get that in my parsing.
As of the 1.11.x and 1.12 versions of tshark, the field names are _ws.col.Protocol and _ws.col.Info, instead of col.Protocol and col.Info.
Example:
tshark -T fields -e _ws.col.Protocol -e _ws.col.Info
Source: col.Protocol missing from tshark 1.11.3 and 1.12.0-rc2
Found the answer
-e col.Protocol
Like always happens, you work on a problem for days, post the question then find the answer.
Related
I have a fwcapture.cap file, which is used by Wireshark.
in it, there have many IP addresses source IPs and destination IPs.
How can I extract the unique IP addresses(no mater source or destination) as a list?
You can use tshark, which already in Wireshark installation.
tshark -T json -e 'ip.src' -e 'ip.dst' -r filename.pcap | grep '\.[0-9]' | sort -u
After googling for hours and trying not to get lost in the different tshark versions I still can't figure out what command line options to tshark I should use to get the full (reassembled) JSON requests and responses (the JSON data structrues).
tshark 2.2.2 used on a live eth0 interface, not to parse pcap.files.
The requests and responses are gziped and need to be decoded.
All the related wireshark issues that seemed related are marked as "fixed" so I think in the 2.2.2 it should be possible.
I found a working solution. It doesn't work on a live interface and requires to first save a pcap file but it is the best I managed to do with tshark.
Step1 (capture network trafic):
tshark -i eth0 -f "port 9088" -w capture.pcap
Step2 (list captured tcp streams):
tshark -r capture.pcap -T fields -e tcp.stream | sort -u
Step3 (dump the content of one particular tcp stream):
tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number
Noice the "-d tcp.port==9088,http" option to force http decoding on this port as in my case it is a socks5 proxy running on that port.
Most importantly "-z follow,http,ascii,_your_stream_number" where the "follow,http" feature decodes gziped http body content and is undocumented and only available from version 2.2.0 of wireshark/tshark.
Using tshark, how would I get it to just decode and display the application layer?
For example, I can capture and decode snmp traffic using:
sudo tshark -V -i lo -d udp.port==161,snmp
This will decode all layers, from the physical layer up to the application layer (output snipped):
Frame 120: 134 bytes on wire (1072 bits), ...
Interface id: 0
....
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00...
Destination: 00:00:00_00:00:00 ...
....
Internet Protocol Version 4, Src: 127.0.0.1...
Version: 4
....
User Datagram Protocol, Src Port: snmp (161), ....
Source port: snmp (161)
....
Simple Network Management Protocol
version: v2c (1)
community: public
....
(I just want the decode from "Simple Network Management Protocol" onwards).
Other things I've considered
I'm aware of using fields output (eg -e snmp.community). Specifying all the fields for snmp would take forever...
I could use pdml output, and transform the results using XSLT. But pdml output is slow and using XSLT seems like overkill:
sudo tshark -V -T pdml -i lo -d udp.port==161,snmp
<proto name="udp" showname="User Datagram Protocol...
<field name="udp.srcport"...
<proto name="snmp" showname="Simple...
<field name="snmp.version" showname="version: v2c...
You can use the -O option, as indicated by the help output:
-O <protocols> Only show packet details of these protocols, comma separated
$ tshark -i 4 -O snmp -q -V > snmp.txt
See also the TShark man-page:
-O Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
2.6.18-164.el5
I am trying to use the watch command combined with the netstat to see the 2 programs using certain ports.
However, with the command I using below doesn't work for both words:
watch -n1 "netstat -upnlt | grep gateway\|MultiMedia"
Is this the correct way to grep for both program names.
If I use one its ok, but both together doesn't work.
For the grep you need:
"grep gateway\|MultiMedia"
So perhaps try:
watch -n1 'netstat -upnlt | grep "gateway\|MultiMedia"'
There's also the new way of doing things... grep -E is nice and portable (Or egrep, which is simply quick for grep -E on linux&bsd) so you don't have to escape the quote. From the man pages:
-E Interpret pattern as an extended regular expression (i.e. force
grep to behave as egrep).
So...
watch "netstat -upnlt | grep -E 'gateway|multimedia'"
or
watch "netstat -upnlt | egrep 'gateway|multimedia'"
I had a similar problem monitoring an ssh connection.
> netstat -tulpan|grep ssh
tcp 0 0 192.168.2.52:58072 192.168.2.1:22 ESTABLISHED 31447/ssh
However watch -n 1 'netstat -tulpan|grep ssh' shows no output (apart from message from watch).
If I change it to watch -n 1 'netstat -tulpan|grep ":22"' I get the required output line. It seems as if the -p option is ignored when netstat is run through watch. Strange.
When capturing H460 data on wireshark (on multiplexed mode), wireshark does not parse RTP data correctly. it should discard first 4 bytes on any RTP packet. looking for hints how to do that
Thanks
Amit
shark (packaged with wireshark) has this functionality built in.
Make sure that wireshark/tshark is in your PATH variable, and open a new command line window if you've just set it. Let me know if you want me to be more clear there.
If you want to discard the first 4 packets of rtp data on the fly :
tcpdump -i eth0 port ! 5060 and dst 192.168.1.101 -T rtp -n -s0 -w- | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
For already captured file (capture.pcap):
tcpdump -r capture.pcap | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
or
editcap capture.pcap output.pcap -C 4
I didn't test these exact examples myself, but I think tshark's "chop" (-C) option might be what you're looking for.