6
PACKET ANALYSIS ON THE COMMAND LINE
While many scenarios can be addressed using a GUI, in some cases, using command line tools—such as TShark or tcpdump—is necessary or preferable. Here are some situations in which a command line tool might be used instead of Wireshark:
• Wireshark provides a lot of information at once. By using a command line tool, you can limit displayed information to only pertinent data, such as a single line showing IP addresses.
• Command line tools are best suited for filtering a packet capture file and providing the results directly to another tool using Unix pipes.
• Dealing with a very large capture file can often overwhelm Wireshark because the entire file must be loaded into RAM. Stream processing of large capture files with command line tools can allow you to quickly filter the file down to the relevant packets.
• If you are dealing with a server and don’t have access to a graphical tool, you may be forced to rely on command line tools.
In this chapter, I’ll demonstrate the features of two common command line packet analysis tools, TShark and tcpdump. I think it’s helpful to be familiar with both, but I generally find myself using TShark on Windows systems and tcpdump on Unix systems. If you exclusively use Windows, you may want to skip the parts on tcpdump.
Installing TShark
Terminal-based Wireshark, or TShark, is a packet analysis application that provides a lot of the same functionality as Wireshark but exclusively from a command line interface with no GUI. If you’ve installed Wireshark, then you likely have TShark as well unless you explicitly chose not to install it during Wireshark installation. You can verify that TShark is installed by following these steps:
Open a command prompt. Click the Start Menu, enter cmd, and click Command Prompt.
Browse to the directory where Wireshark is installed. If you installed it to the default location, you can go there by entering cd C:Program Files Wireshark in the command prompt.
Run TShark and print its version information by entering tshark –v. If TShark isn’t installed, you’ll get an error saying the command is not recognized. If TShark is installed on your system, you’ll get an output with the TShark version information:
C:Program FilesWireshark>tshark –v
TShark (Wireshark) 2.0.0 (v2.0.0-0-g9a73b82 from master-2.0
--snip--
If you didn’t install TShark and would like to use it now, you can simply rerun the Wireshark installation and make sure TShark is selected. (It is by default.)
If you’d like to immediately start learning more about TShark’s capabilities, you can print the available commands with the –h argument. We’ll cover some of these commands in this chapter.
C:Program FilesWireshark>tshark -h
Like Wireshark, TShark can run on multiple operating systems, but since it’s not dependent on OS-specific graphics libraries, the user experience is more consistent across different OS platforms. Because of this, TShark operates very similarly on Windows, Linux, and OS X. However, there are still some differences in how TShark runs on each platform. In this book, we’ll focus on running TShark on Windows because that is the primary operating system it was designed to work with.
Installing tcpdump
While Wireshark is the most popular graphical packet analysis application in the world, tcpdump is by far the most popular command line packet analysis application. Designed to work on Unix-based operating systems, tcpdump is very easy to install via popular package management applications and even comes preinstalled on many flavors of Linux.
Even though the majority of this book is Windows focused, sections on tcpdump are included for Unix users. Specifically, we’ll be using Ubuntu 14.04 LTS. If you would like to use tcpdump on a Windows device, then you can download and install its Windows counterpart, WinDump, from http://www.winpcap.org/windump/. While the experience of tcpdump and that of WinDump aren’t entirely the same, these packet analyzers function similarly. Note, however, that WinDump isn’t nearly as actively maintained as tcpdump. As a result, a few newer features might be missing, and security vulnerabilities may exist. (We won’t be covering WinDump in this book.)
Ubuntu doesn’t come with tcpdump preinstalled, but installing it is very easy thanks to the APT package management system. To install tcpdump, follow these steps:
Open a terminal window and run the command sudo apt-get update to ensure that your package repositories are up-to-date with the latest package versions.
Run the command sudo apt-get install tcpdump.
You’ll be asked to install a number of prerequisites that are needed to run tcpdump. Allow these installations by typing Y and pressing ENTER when prompted.
Once the installation has completed, run the command tcpdump –h to execute tcpdump and print its version information. You’re ready to start using tcpdump if the command is successful and you see text like this in the terminal window:
sanders@ppa:~$ tcpdump -h
tcpdump version 4.5.1
libpcap version 1.5.3
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ]
[ -Q metadata-filter-expression ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]
You can print all of tcpdump’s available commands by invoking the man tcpdump command, like this:
sanders@ppa:~$ man tcpdump
We’ll talk about how to use several of these commands.
Capturing and Saving Packets
The first order of business is to capture packets from the wire and display them on the screen. To start a capture in TShark, simply execute the command tshark. This command will start the process of capturing packets from a network interface and dumping them on screen in your terminal window, which will look something like this:
C:Program FilesWireshark>tshark
1 0.000000 172.16.16.128 -> 74.125.95.104 TCP 66 1606 80 [SYN]
Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
2 0.030107 74.125.95.104 -> 172.16.16.128 TCP 66 80 1606 [SYN, ACK]
Seq=0 Ack=1 Win=5720 Len=0 MSS=1406 SACK_PERM=1 WS=64
3 0.030182 172.16.16.128 -> 74.125.95.104 TCP 54 1606 80 [ACK]
Seq=1 Ack=1 Win=16872 Len=0
4 0.030248 172.16.16.128 -> 74.125.95.104 HTTP 681 GET / HTTP/1.1
5 0.079026 74.125.95.104 -> 172.16.16.128 TCP 60 80 1606 [ACK]
Seq=1 Ack=628 Win=6976 Len=0
To start a capture in tcpdump, execute the command tcpdump. After you run this command, your terminal window should look something like this:
sanders@ppa:~$ tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:18:39.618072 IP 172.16.16.128.slm-api > 74.125.95.104.http: Flags [S],
seq 2082691767, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK],
length 0
21:18:39.648179 IP 74.125.95.104.http > 172.16.16.128.slm-api:
Flags [S.], seq 2775577373, ack 2082691768, win 5720, options [mss
1406,nop,nop,sackOK,nop,wscale 6], length 0
21:18:39.648254 IP 172.16.16.128.slm-api > 74.125.95.104.http: Flags [.],
ack 1, win 4218, length 0
21:18:39.648320 IP 172.16.16.128.slm-api > 74.125.95.104.http: Flags [P.],
seq 1:628, ack 1, win 4218, length 627: HTTP: GET / HTTP/1.1
21:18:39.697098 IP 74.125.95.104.http > 172.16.16.128.slm-api: Flags [.],
ack 628, win 109, length 0
NOTE
Since administrative privileges are required to capture packets on Unix systems, you’ll likely either have to execute tcpdump as the root user or use the sudo command in front of the commands listed in this book. In many cases, you’ll probably be accessing your Unix-based system as a user with limited privileges. If you encounter a permissions error while following along, this is probably the reason why.
Depending on how your system is configured, TShark or tcpdump may not default to the network interface you want to capture traffic from. If that happens, you will need to specify it. You can list the interfaces available to TShark by using the –D argument, which outputs the interfaces as a numbered list, as shown here:
C:Program FilesWireshark>tshark -D
1. DeviceNPF_{1DE095C2-346D-47E6-B855-11917B74603A} (Local Area Connection*
2)
2. DeviceNPF_{1A494418-97D3-42E8-8C0B-78D79A1F7545} (Ethernet 2)
To use a specific interface, use the –i argument with the interface’s assigned number from the interface list, like this:
C:Program FilesWireshark>tshark –i 1
This command will capture packets exclusively from the interface named Local Area Connection 2, which is assigned the number 1 in the interface list. I recommend always specifying which interface you are capturing from. It’s common for virtual machine tools or VPNs to add interfaces, and you want to be certain that the packets you are capturing are coming from the correct source.
On a Linux or OS X system running tcpdump, use the ifconfig command to list the available interfaces:
sanders@ppa:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:1f:a7:55
inet addr:172.16.16.139 Bcast:172.16.16.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe1f:a755/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5119 errors:0 dropped:0 overruns:0 frame:0
TX packets:3088 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:876746 (876.7 KB) TX bytes:538083 (538.0 KB)
Specifying the interface is also done by using the –i argument:
sanders@ppa:~$ tcpdump –i eth0
This command will capture packets exclusively from the eth0 interface.
Once you have everything properly configured, you can start capturing packets. If the device you’re capturing traffic from is even remotely busy on the network, then you’ll probably notice that lines representing individual packets are flying by rather quickly—potentially too quickly for you to read. We can remedy this by saving the packets to a file and then reading only a few of them from that file.
To save collected packets to a file in both tools, use the –w argument along with the name of the file. The capture will continue running until you stop it by pressing CTRL-C. The file will be saved to whatever directory the program was executed from, unless otherwise specified.
Here’s an example of this command in TShark:
C:Program FilesWireshark>tshark –i 1 –w packets.pcap
This command will write all of the packets captured from the first interface in the interface list to packets.pcap.
In tcpdump, the same command would look like this:
sanders@ppa:~$ tcpdump –i eth0 –w packets.pcap
To read packets back from a saved file, use the –r argument along with the name of the file:
C:Program FilesWireshark>tshark –r packets.pcap
This command will read all the packets from packets.pcap onto the screen.
The tcpdump command is nearly identical:
sanders@ppa:~$ tcpdump –r packets.pcap
You may notice that if the file you are attempting to read from contains a lot of packets, you’ll encounter a situation similar to the one just described, with the packets scrolling across your screen too fast for you to read. You can limit the number of packets displayed when reading from a file by using the –c argument.
For example, the following command will show only the first 10 packets of the capture file in TShark:
C:Program FilesWireshark>tshark –r packets.pcap –c10
In tcpdump, the same argument can be used:
sanders@ppa:~$ tcpdump –r packets.pcap –c10
The –c argument can also be used at capture time. Executing this command will capture only the first 10 packets that are observed. They can also be saved when –c is combined with the –w argument.
Here’s what this command looks like in TShark:
C:Program FilesWireshark>tshark –i 1 –w packets.pcap –c10
And in tcpdump:
sanders@ppa:~$ tcpdump –i eth0 –w packets.pcap –c10
Manipulating Output
A benefit of using command line tools is that the output is usually considered more carefully. A GUI typically shows you everything and it’s up to you to find what you want. Command line tools typically only show the bare minimum and force you to use additional commands to dig deeper. TShark and tcpdump are no different. They both show a single line of output for each packet, requiring you to use additional commands to view information such as protocol details or individual bytes.
In the TShark output, each line represents a single packet, and the format of the line depends on the protocols used in that packet. TShark uses the same dissectors as Wireshark and analyzes packet data in the same way, so TShark output will mirror Wireshark’s Packet List pane when the two are run side by side. Because TShark has dissectors for layer 7 protocols, it can provide a lot more information about packets containing headers than can tcpdump.
In tcpdump, each line also represents one packet, which is formatted differently based on the protocol being used. Since tcpdump doesn’t use Wireshark’s protocol dissectors, layer 7 protocol information isn’t interpreted by the tool. This is one of tcpdump’s biggest limitations. Instead, single-line packets are formatted based on their transport layer protocol, which is either TCP or UDP (we’ll learn more about these in Chapter 8).
TCP packets use this format:
[Timestamp] [Layer 3 Protocol] [Source IP].[Source Port] > [Destination IP].
[Destination Port]: [TCP Flags], [TCP Sequence Number], [TCP Acknowledgement
Number], [TCP Windows Size], [Data Length]
While UDP packets use this format:
[Timestamp] [Layer 3 Protocol] [Source IP].[Source Port] > [Destination IP].
[Destination Port]: [Layer 4 Protocol], [Data Length]
These basic one-line summaries are great for quick analysis, but you’ll eventually need to perform a deep dive into a packet. In Wireshark, you would do this by clicking a packet in the Packet List pane, which would display information in the Packet Details and Packet Bytes panes. You can access the same information on the command line using a few options.
The simplest way to gain more information about each packet is to increase the verbosity of the output.
In TShark, a capital V is used to increase verbosity:
C:Program FilesWireshark>tshark –r packets.pcap –V
This will provide an output similar to Wireshark’s Packet Details pane for packets read from the packets.pcap capture file. Examples of a packet with normal verbosity (a basic summary) and expanded verbosity (more detailed summaries obtained through the –V argument) are shown here.
First the standard output:
C:Program FilesWireshark>tshark -r packets.pcap -c1
1 0.000000 172.16.16.172 -> 4.2.2.1 ICMP Echo (ping) request
id=0x0001, seq=17/4352, ttl=128
And now a portion of the more in-depth information produced with expanded verbosity:
C:Program FilesWireshark>tshark -r packets.pcap -V -c1
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on
interface 0
Interface id: 0 (DeviceNPF_{C30671C1-579D-4F33-9CC0-73EFFFE85A54})
Encapsulation type: Ethernet (1)
Arrival Time: Dec 21, 2015 12:52:43.116551000 Eastern Standard Time
[Time shift for this packet: 0.000000000 seconds]
--snip--
In tcpdump, the lowercase v is used to increase verbosity. Unlike TShark, tcpdump allows multiple levels of verbosity to be displayed for each packet. You can add up to three levels of verbosity by appending additional vs, as seen here:
sanders@ppa:~$ tcpdump –r packets.pcap –vvv
An example of the same packet displayed with normal verbosity and one level of expanded verbosity is shown below. Even with full verbosity, this output isn’t nearly as verbose as what TShark produces.
sanders@ppa:~$ tcpdump -r packets.pcap -c1
reading from file packets.pcap, link-type EN10MB (Ethernet)
13:26:25.265937 IP 172.16.16.139 > a.resolvers.level3.net: ICMP echo request,
id 1759, seq 150, length 64
sanders@ppa:~$ tcpdump -r packets.pcap -c1 -v
reading from file packets.pcap, link-type EN10MB (Ethernet)
13:26:25.265937 IP (tos 0x0, ttl 64, id 37322, offset 0, flags [DF], proto
ICMP (1), length 84)
172.16.16.139 > a.resolvers.level3.net: ICMP echo request, id 1759, seq
150, length 64
The levels of verbosity available will depend on the protocol of the packet you’re examining. While expanded verbosity is useful, it still doesn’t show us everything there is to see. TShark and tcpdump store the entire contents of each packet, which can also be viewed in hexadecimal or ASCII form.
In TShark, you can view the hex and ASCII representation of packets by using the –x argument, which can be combined with the r argument to read and display a packet from file:
C:Program FilesWireshark>tshark –xr packets.pcap
This view, which is similar to Wireshark’s Packet Bytes pane, is shown in Figure 6-1.
Figure 6-1: Viewing raw packets in hex and ASCII in TShark
In tcpdump, you can view the hex and ASCII representation by using the –X switch. You can also combine –X with the r argument to read from a packet file, like this:
sanders@ppa:~$ tcpdump –Xr packets.pcap
The output from this command is shown in Figure 6-2.
Figure 6-2: Viewing raw packets in hex and ASCII in tcpdump
tcpdump also lets you get a bit more granular if you need to. You can view only the hexadecimal output using the –x (lowercase) argument or only the ASCII output using the –A argument.
It’s easy to become overwhelmed with data when you start experimenting with these data output options. I find it most efficient to use the least amount of information needed when doing analysis from the command line. Start by viewing packets in their default list view and use more verbose output when you narrow your analysis down to a few interesting packets. This approach will keep you from being overwhelmed with data.
Name Resolution
Like Wireshark, TShark and tcpdump will attempt to perform name resolution to convert addresses and port numbers to names. If you followed along with any of the earlier examples, you may have noticed that this occurs by default. As mentioned previously, I typically prefer to disable this functionality to prevent the possibility of my analysis generating more packets on the wire.
You can disable name resolution in TShark by using the –n argument. This argument, like many others, can be combined with other commands to enhance readability:
C:Program FilesWireshark>tshark –ni 1
You can enable or disable certain aspects of name resolution with the –N argument. If you use the –N argument, all name resolution will be disabled except for any you explicitly enable using the appropriate values. For instance, the following command will enable only transport layer (port name) resolution:
C:Program FilesWireshark>tshark –i 1 –Nt
You can combine multiple values. This command will enable transport layer and MAC resolution:
C:Program FilesWireshark>tshark –i 1 -Ntm
The following values are available when using this option:
m MAC address resolution
n Network address resolution
t Transport layer (port name) resolution
N Use external resolvers
C Concurrent DNS lookups
In tcpdump, using –n will disable IP name resolution, and using –nn will disable port name resolution as well.
This argument can also be combined with other commands, like this:
sanders@ppa:~$ tcpdump –nni eth1
The following examples show a packet capture first with port resolution enabled and then with it disabled (-n).
sanders@ppa:~$ tcpdump -r tcp_ports.pcap -c1
reading from file tcp_ports.pcap, link-type EN10MB (Ethernet)
14:38:34.341715 IP 172.16.16.128.2826 > 212.58.226.142. ➊http: Flags [S], seq
3691127924, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
sanders@ppa:~$ tcpdump -nr tcp_ports.pcap -c1
reading from file tcp_ports.pcap, link-type EN10MB (Ethernet)
14:38:34.341715 IP 172.16.16.128.2826 > 212.58.226.142. ➋80: Flags [S], seq
3691127924, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
Both of these commands read just the first packet from the capture file tcp_ports.pcap. With the first command, port name resolution is on and resolves port 80 to http ➊, but with the second command, the port is just displayed by number ➋.
Applying Filters
Filtering in TShark and tcpdump is very flexible because both allow the use of BPF capture filters. TShark can also use Wireshark display filters. Just as with Wireshark, capture filters in TShark can be used only at capture time, and display filters can be used at capture time or while displaying already captured packets. We’ll start by looking at TShark filters.
Capture filters can be applied using the –f argument, followed by the BPF syntax you wish to use in quotation marks. This command will only capture and save packets with a destination of port 80 and using the TCP protocol:
C:Program FilesWireshark>tshark –ni 1 –w packets.pcap –f "tcp port 80"
Display filters can be applied using the –Y argument, followed by the Wireshark filter syntax you wish to use in quotation marks. This can be applied at capture time like this:
C:Program FilesWireshark>tshark –ni 1 –w packets.pcap –Y "tcp.dstport == 80"
Display filters can be applied on already captured packets using the same argument. This command will display only packets from packets.pcap that match the filter:
C:Program FilesWireshark>tshark –r packets.pcap –Y "tcp.dstport == 80"
With tcpdump, you specify filters inline at the end of a command within single quotes. This command will also capture and save only packets destined to TCP port 80:
sanders@ppa:~$ tcpdump –nni eth0 –w packets.pcap "tcp dst port 80"
You can specify a filter when reading packets as well. This command will display only packets from packets.pcap that match the filter:
sanders@ppa:~$ tcpdump –r packets.pcap 'tcp dst port 80'
It’s important to keep in mind that if the original capture file was created without a filter, then it still contains other packets; you are just limiting what is shown on the screen when reading from an existing file.
What if you have a capture file that contains a large variety of packets, but you want to filter out a subset of them and save that subset to a separate file? You can do this by combining the –w and –r arguments:
sanders@ppa:~$ tcpdump –r packets.pcap 'tcp dst port 80' –w http_packets.pcap
This command will read the file packets.pcap, filter out only the traffic destined for TCP port 80 (which is used for http), and write those packets to a new file called http_packets.pcap. This is a very common technique to use when you want to maintain a larger source .pcap file but only analyze a small portion of it at a time. I frequently use this technique to whittle down very large capture files with tcpdump so that I can analyze a subset of the packets in Wireshark. Smaller capture files are much easier to wrangle.
In addition to specifying a filter inline, tcpdump allows you to reference a BPF file containing a series of filters. This is handy when you’d like to apply an extremely large or complex filter that might otherwise be unwieldy to edit and maintain inline with the tcpdump command. You can specify a filter file using the –F argument, like this:
sanders@ppa:~$ tcpdump –nni eth0 –F dns_servers.bpf
If your file gets too large, you might be tempted to add notes or comments to it to keep track of what each part of the filter does. Keep in mind that a BPF filter file does not allow for comments and will generate an error if anything other than a filtering statement is encountered. Since comments are very helpful for deciphering large filter files, I usually maintain two copies of every file: one for use with tcpdump that doesn’t contain comments and one that contains comments for reference.
Time Display Formats in TShark
One thing that often confuses new analysts is the default timestamp used by TShark. It shows packet timestamps in relation to the start of the packet capture. There are times when such timestamping is preferable, but in many cases you may want to see the time the packet was captured, as is the default for tcpdump timestamps. You can get this same output from TShark by using the –t argument with the value ad for absolute date:
C:Program FilesWireshark>tshark –r packets.pcap –t ad
Here’s a comparison of the same packets as before with the default relative timestamps ➊ and absolute timestamps ➋:
➊ C:Program FilesWireshark>tshark -r packets.pcap -c2
1 0.000000 172.16.16.172 -> 4.2.2.1 ICMP Echo (ping)
request id=0x0001, seq=17/4352, ttl=128
2 0.024500 4.2.2.1 -> 172.16.16.172 ICMP Echo (ping)
reply id=0x0001, seq=17/4352, ttl=54 (request in 1)
➋ C:Program FilesWireshark>tshark -r packets.pcap -t ad -c2
1 2015-12-21 12:52:43.116551 172.16.16.172 -> 4.2.2.1 ICMP Echo (ping)
request id=0x0001, seq=17/4352, ttl=128
2 2015-12-21 12:52:43.141051 4.2.2.1 -> 172.16.16.172 ICMP Echo (ping)
reply id=0x0001, seq=17/4352, ttl=54 (request in 1)
By using the –t argument, you can specify any time display format you would find in Wireshark. These formats are shown in Table 6-1.
Table 6-1: Time Display Formats Available in TShark
Value |
Timestamp |
Example |
a |
Absolute time the packet was captured (in your time zone) |
15:47:58.004669 |
ad |
Absolute time the packet was captured with date (in your time zone) |
2015-10-09 15:47:58.004669 |
d |
Delta (time difference) since previous captured packet |
0.000140 |
dd |
Delta since previous displayed packet |
0.000140 |
e |
Epoch time (seconds since January 1, 1970, UTC) |
1444420078.004669 |
r |
Elapsed time between the first packet and the current packet |
0.000140 |
u |
Absolute time the packet was captured (UTC) |
19:47:58.004669 |
ud |
Absolute time the packet was captured with date (UTC) |
2015-10-09 19:47:58.004669 |
Unfortunately, tcpdump doesn’t provide this level of control for manipulating how timestamps are shown.
Summary Statistics in TShark
Another useful TShark feature (and one that sets it apart from tcpdump) is its ability to generate a subset of statistics from a capture file. These statistics mirror many of the capabilities found in Wireshark but provide easy command line access. Statistics are generated by using the –z argument and specifying the name of the output you would like to generate. You can view a full listing of available statistics by using this command:
C:Program FilesWireshark>tshark –z help
Many of the features we’ve already covered are available using the –z argument. They include the ability to output endpoint and conversation statistics using this command:
C:Program FilesWireshark>tshark -r packets.pcap –z conv,ip
This command prints a table of statistics with information about the IP conversations in the file packets.pcap, as shown in Figure 6-3.
You can also use this argument to view protocol-specific information. As shown in Figure 6-4, you can use the http,tree option to see a breakdown of HTTP requests and responses in table form.
C:Program FilesWireshark>tshark -r packets.pcap –z http,tree
Figure 6-3: Using TShark to view conversation statistics
Figure 6-4: Using TShark to view HTTP request and response statistics
Another useful feature is the ability to view reassembled stream output, similar to what we did earlier by right-clicking packets in Wireshark and choosing the Follow TCP Stream option. To get this output, we have to use the follow option and specify the type of stream, the output mode, and which stream we want to display. You can identify a stream with the number assigned to it in the leftmost column when outputting conversation statistics (as seen in Figure 6-3). A command might look like this:
C:Program FilesWireshark>tshark -r http_google.pcap -z follow,tcp,ascii,0
This command will print TCP stream 0 to the screen in ASCII format from the file http_google.pcap. The output for this command looks like this:
C:Program FilesWireshark>tshark -r http_google.pcap -z
--snip--
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 172.16.16.128:1606
Node 1: 74.125.95.104:80
627
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7)
Gecko/20091221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PREF=ID=257913a938e6c248:U=267c896b5f39fb0b:FF=4:LD=e
n:NR=10:TM=1260730654:LM=1265479336:GM=1:S=h1UBGonTuWU3D23L;
NID=31=Z-nhwMjUP63e0tYMTp-3T1igMSPnNS1eM1kN1_DUrnO2zW1cPM4JE3AJec9b_
vG-YFibFXszOApfbhBA1BOX4dKx4L8ZDdeiKwqekgP5_kzELtC2mUHx7RHx3PIttcuZ
1406
HTTP/1.1 200 OK
Date: Tue, 09 Feb 2010 01:18:37 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: gws
Content-Length: 4633
X-XSS-Protection: 0
You can also specify which stream you’d like to view by providing the address details. For example, the following command will retrieve a UDP stream for the specified endpoints and ports:
C:Program FilesWireshark>tshark –r packets.pcap –z follow,udp,ascii,192.168.
1.5:23429➊,4.2.2.1:53➋
This command will print the UDP stream for the endpoints 192.168.1.5 on port 23429 ➊ and 4.2.2.1 on port 53 ➋ from packets.pcap.
Here are some of my favorite statistical options:
ip_hosts,tree Displays every IP address in a capture, along with the rate and percentage of traffic each address is responsible for
io,phs Displays a protocol hierarchy showing all protocols found within the capture file
http,tree Displays statistics related to HTTP requests and responses
http_req,tree Displays statistics for every HTTP request
smb,srt Displays statistics related to SMB commands for analyzing Windows communication
endpoints,wlan Displays wireless endpoints
expert Displays expert information (chats, errors, and so on) from the capture
There are a lot of useful options available using the –z argument. It would take far too many pages to cover them all here, but if you plan to use TShark frequently, you should invest time in reviewing the official documentation to learn more about everything that is available. You can find that documentation here: https://www.wireshark.org/docs/man-pages/tshark.html.
Comparing TShark and tcpdump
Both command line packet analysis applications we’ve examined in this chapter are well suited to their respective tasks, and either of them will allow you to accomplish whatever task is at hand with varying degrees of effort. There are a few differences worth highlighting so you can choose the best tool for the job:
Operating system tcpdump is only available for Unix-based operating systems, while TShark can function on Windows and Unix-based systems.
Protocol support Both tools support common layer 3 and 4 protocols, but tcpdump has limited layer 7 protocol support. TShark provides a rich level of layer 7 protocol support because it has access to Wireshark’s protocol dissectors.
Analysis features Both tools rely heavily on human analysis to produce meaningful results, but TShark also provides a robust set of analytical and statistical features, similar to those in Wireshark, that can aid analysis when a GUI isn’t available.
Tool availability and personal preference are usually the ultimate deciders of which application to use. Fortunately, the tools are similar enough that learning one will inherently teach you something about the other, making you more versatile and increasing the size of your tool kit.