Markus Amend | 2 Feb 08:39

tshark -z conv, type no sorting according to the total number of bytes

Hello,

In the manual, the description of the tshark "-z conv,type" function says:

"The table is presented with one line for each conversation and displays 
the number of packets/bytes in each direction as well as the total 
number of packets/bytes. The table is sorted according to the total 
number of bytes."

Tested with "tshark -r pcap_file -z conv,ip", "tshark -r pcap_file -z 
conv,udp" and "tshark -r pcap_file -z conv,tcp": there is no sorting according 
to the total number of bytes, but according to the total number of frames.

Look at:

                                           |       <-      | |       ->      | |     Total     |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
xxx:nfs <-> ggg:933                   1343   1176990    1666   1157928    3009   2334918
yyy:51290 <-> ccc:http-alt            1104   1004903    1104     72864    2208   1077767
hhh:nfs <-> mmm:919                    687     49210    1334   1997824    2021   2047034

This is verified with tshark v1.0.5 and v1.6.5.

Greetings
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@...>
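Since the conversation table of these tshark versions comes out ordered by frames, a practitioner who wants the ordering the manual promised has to re-sort the text output. The following script is an added example, not code from the thread or from the Wireshark project: it parses the rows of a "-z conv,<type>" table and sorts them by total bytes, and it checks that each Total column really is the sum of the two directions. SAMPLE is a constructed copy of the anonymised rows quoted above; the table header lines are assumed to look like tshark 1.x output.

```python
"""Re-sort a tshark "-z conv,<type>" table by total bytes.

Added example, not part of the mailing-list thread.  tshark 1.0/1.6 print
the conversation table ordered by total frames although the man page said
bytes, so the table is parsed from tshark's text output and re-sorted here.
SAMPLE is a constructed copy of the anonymised rows quoted in the thread.
"""
import re

# Constructed sample of tshark's conversation table (addresses anonymised).
SAMPLE = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
xxx:nfs <-> ggg:933                   1343   1176990    1666   1157928    3009   2334918
yyy:51290 <-> ccc:http-alt            1104   1004903    1104     72864    2208   1077767
hhh:nfs <-> mmm:919                    687     49210    1334   1997824    2021   2047034
================================================================================
"""

# One data row: two endpoints, then six integer columns (<-, ->, Total).
ROW_RE = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)\s+"
    r"(?P<in_frames>\d+)\s+(?P<in_bytes>\d+)\s+"
    r"(?P<out_frames>\d+)\s+(?P<out_bytes>\d+)\s+"
    r"(?P<tot_frames>\d+)\s+(?P<tot_bytes>\d+)\s*$"
)

INT_FIELDS = ("in_frames", "in_bytes", "out_frames", "out_bytes",
              "tot_frames", "tot_bytes")


def parse_conv_table(text):
    """Return the data rows of a conv table as dicts, in printed order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or filter line
        row = m.groupdict()
        for k in INT_FIELDS:
            row[k] = int(row[k])
        rows.append(row)
    return rows


def check_totals(rows):
    """True if every Total column equals the sum of the two directions."""
    return all(r["in_frames"] + r["out_frames"] == r["tot_frames"]
               and r["in_bytes"] + r["out_bytes"] == r["tot_bytes"]
               for r in rows)


def sort_rows(rows, key="tot_bytes"):
    """Rows ordered descending by one of the integer columns."""
    return sorted(rows, key=lambda r: r[key], reverse=True)


def printed_order_is(rows, key):
    """True if the rows, as tshark printed them, are already sorted by key."""
    return [r[key] for r in rows] == [r[key] for r in sort_rows(rows, key)]


def format_rows(rows):
    """Render rows in the same column layout tshark uses."""
    out = []
    for r in rows:
        out.append("%-40s %6d %9d %6d %9d %6d %9d" % (
            "%s <-> %s" % (r["a"], r["b"]),
            r["in_frames"], r["in_bytes"], r["out_frames"], r["out_bytes"],
            r["tot_frames"], r["tot_bytes"]))
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Pipe real output in: tshark -r file.pcap -q -z conv,tcp | python3 conv_sort.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(format_rows(sort_rows(parse_conv_table(text), "tot_bytes")))
```

On the quoted rows the printed order (3009, 2208, 2021 frames) is by frames, while by bytes the third conversation (2047034 bytes) belongs in second place.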

julius | 7 Feb 12:48

capture filter

Hi,

I found this FTP filter on the Wireshark mailing list:

tshark -r ftp.pcap -R '(ftp.response.code == 230 || ftp.request.command == "PASS") || (ftp.request.command == "USER")'

in combination with this:
tshark -w ftp.capture -f "host SOMEIP"

It works, but how do you combine these two to only capture the FTP login 
attempts?
And why is it that capture filters differ from display filters?

greets

Sake Blok | 7 Feb 13:19

Re: capture filter

On 7 feb 2012, at 12:48, julius wrote:

To answer your second question first:

> and why is it that capture filters do differ from display filters?

Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks
without having to discard packets. That's why they use the BPF engine which runs in the kernel. The BPF
engine is limited in its possibilities in favor of being very fast.

Display filters are very powerful as they take advantage of the full dissection of packets. Including
re-assembly and decompression for instance.

> i found this ftp filter on the wireshark mailing list:
> 
> tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
> == "PASS") || (ftp.request.command == "USER")"
> 
> in combination with this:
> tshark -w ftp.capture -f "host SOMEIP"
> 
> it works, but how do you combine these two to only capture the ftp login attempts?

Assuming the FTP requests and responses are always at the beginning of the TCP payload, you can create a
capture filter to check for the strings "230", "PASS" and "USER" at the beginning of the TCP payload.

Since the TCP header can be of variable length, we first need to find the offset at which the TCP payload
begins. This can be done with the following:

(tcp[12:1] & 0xf0) >> 2
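The offset trick above can be checked without a capture interface. The following is an added example, not code from the thread or from Wireshark: it builds the libpcap filter string that follows from Sake Blok's approach (locate the payload via the data-offset nibble in tcp[12], then compare the first four payload bytes with "USER", "PASS" and "230 "), and it applies the same arithmetic in Python to constructed Ethernet/IPv4/TCP frames, including one carrying TCP options, so you can see why the header length must be computed rather than assumed. Port 21 and the frame contents are assumptions.

```python
"""FTP-login capture filter: the BPF idiom from the thread, checked in Python.

Added example, not from the thread.  capture_filter() emits the libpcap
filter for "tshark -f"; matches_ftp_login() applies the same offset
arithmetic to raw frames so the logic can be exercised offline.  Frames
are constructed by make_frame(); port 21 is an assumption.
"""
import struct

FTP_PORT = 21  # assumption: FTP control channel on the standard port

# Four-byte payload prefixes that identify a login exchange.  BPF compares
# 1, 2 or 4 bytes only, so "230" is matched as "230 " (single-line reply).
LOGIN_PREFIXES = (b"USER", b"PASS", b"230 ")


def capture_filter(port=FTP_PORT):
    """libpcap filter equivalent to matches_ftp_login(), for tshark -f."""
    # tcp[12] high nibble = header length in 32-bit words; & 0xf0 then >> 2
    # turns it into bytes, i.e. the offset of the payload within the segment.
    offset = "((tcp[12:1] & 0xf0) >> 2)"
    tests = " or ".join("tcp[%s:4] = 0x%s" % (offset, p.hex())
                        for p in LOGIN_PREFIXES)
    return "tcp port %d and (%s)" % (port, tests)


def tcp_payload(frame):
    """(src_port, dst_port, payload) of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None                      # not IPv4/TCP
    ihl = (ip[0] & 0x0f) * 4             # IP options shift the TCP header
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None                      # truncated segment
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] & 0xf0) >> 2         # same arithmetic as the BPF expression
    return sport, dport, tcp[doff:]


def matches_ftp_login(frame, port=FTP_PORT):
    """True for segments whose payload starts with a login command/reply."""
    info = tcp_payload(frame)
    if info is None:
        return False
    sport, dport, payload = info
    return port in (sport, dport) and payload[:4] in LOGIN_PREFIXES


def make_frame(sport, dport, payload, tcp_options=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test input)."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    doff_words = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      doff_words << 4, 0x18, 8192, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


if __name__ == "__main__":
    # e.g. tshark -i eth0 -f "$(python3 ftp_login_filter.py)" -w ftp-logins.pcap
    print(capture_filter())
```

Two caveats carry over from the "assuming the requests and responses are at the beginning of the TCP payload" remark: a command that does not start a segment (a coalesced or retransmitted segment, or a client that sends the command in pieces) is missed, and multi-line replies begin with "230-" rather than "230 ", so only single-line login replies match. The filter and the helper are IPv4 only, which is also the scope of libpcap's tcp[...] indexing.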

rouli | 7 Feb 16:47

How to decrypt SSL in TShark 1.6.5 (giving the key file in the parameters)?

I'm using tshark to decrypt ssl traffic in pcaps, using the -o "ssl.keys_list:..." option to specify the keyfile. 
It worked well for tshark 1.6.2 and lower.

Here's an example:
"c:\Program Files\Wireshark\tshark.exe" -r "C:\temp\input.pcap" -o "http.tcp.port:80,80,8080,8888" -o "ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key""  -R "http" -T pdml


However, I can't find the right command line to make it work with 1.6.5. Trying the one above, tshark crashes - apparently it's missing the extra password parameter. Trying to add a blank password (ssl.keys_list:172.30.2.31,443,http,"C:/temp/private.key","") doesn't work either - tshark doesn't crash, but doesn't decrypt the traffic either. In the ssl debug log it says 

ssl_parse: Can't load UAT string "172.30.2.31","443","http","C:/temp/private.key,"","": ssl_keys:1: unexpected char '"'

while looking for field keyfile


I've tried several other options, with similar errors in the log file, or an error that it can't find my key file. One important thing to mention: my key file is not encrypted, and setting these params using the UI (which I don't want to do, I need automation capabilities) works fine.

Any ideas?

Thanks,
-rouli

sean bzd | 7 Feb 18:45

Strip off protocol layers

Hi,

I'm using tshark to convert .pcap to .txt format using the -r option and redirecting the output to a file, e.g. tshark -r file.pcap -V > file.txt
The problem is that the size of the txt file is about 30x larger than the pcap since I'm using the -V(erbose) option. I'm wondering if there is a way to strip off some of the protocol headers that I'm not interested in. E.g. I want to strip off the 'Frame', 'Ethernet' and 'IP' protocol layers before redirecting the output to a txt. Is that possible? Another idea is to selectively expand (Verbose) only the protocols I'm interested in. Is any of this possible? If yes, I'd appreciate some advice. Thanks a lot.
Sean.
j.snelders | 7 Feb 19:30

Re: Strip off protocol layers

Hi Sean,

You can use the option -O

$ tshark -h
-O protocols: Only show packet details of these protocols, comma separated

$ tshark -r Clmt_04.pcap -O http -V > clmt_04a.txt
$ tshark -r Clmt_04.pcap -O tcp,http -V > clmt_04b.txt

BTW
I'm running TShark 1.6.5

Best regards
Joke

On Tue, 7 Feb 2012 12:45:49 -0500 sean wrote:
>Hi,
>I'm using tshark to convert .pcap to .txt format using the -r option and
>redirecting the output to a file. eg. tshark -r file.pcap -V>file.txt
>The problem is that the size of the txt file is about 30x larger than the
>pcap since I'm using the -V(erbose) option. I'm wondering if there is a way
>to strip off some of the protocol headers that I'm not interested in. e.g.
>I want to strip off the 'Frame', 'Ethernet' and 'IP' protocol layers before
>redirecting the output to a txt. Is that possible? Another idea is to
>selectively expand (Verbose) only the protocols i'm interested in. Is any
>of this possible. If yes, i'd appreciate some advice. Thanks a lot.
>Sean.


Re: tshark -z conv, type no sorting according to the total number of bytes

Markus Amend <markusa@...> writes:

> in manual to tshark "-z conv,type" function stands:
> 
> "The table is presented with one line for each conversation and displays 
> the number of packets/bytes in each direction as well as the total 
> number of packets/bytes. The table is sorted according to the total 
> number of bytes."

The documentation has been updated in r40911 and the change has been scheduled
for 1.6.6 and 1.4.12.
- Chris


Guy Harris | 7 Feb 20:13

Re: capture filter


On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:

> Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks
> without having to discard packets. That's why they use the BPF engine which runs in the kernel. The BPF
> engine is limited in its possibilities in favor of being very fast.

*And* in favor of not being capable of doing anything that involves loops, as that could allow an infinite
loop to be stuffed into a kernel code path (without a lot of extra checking in the kernel that would, I think,
require dataflow analysis and detection of run-time checks in the BPF code in cases where that's the
*only* way to avoid an infinite loop).

Guy Harris | 7 Feb 20:21

Re: capture filter


On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:

> Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks
> without having to discard packets. That's why they use the BPF engine which runs in the kernel.

...so that as little work can be done on the packet in the capture path if it doesn't pass the packet filter -
for example, so that it won't be copied up to userland or into a buffer shared between the kernel and
userland if the capturing program would just discard it afterwards.

sean bzd | 7 Feb 20:32

Re: Strip off protocol layers

Thank you so much. That's exactly what I needed. I went through the documentation for tshark earlier but missed that option.

On Tue, Feb 7, 2012 at 1:30 PM, j.snelders <j.snelders-gV1cAGbgYeXz+pZb47iToQ@public.gmane.org> wrote:
Hi Sean,

You can use the option -O

$ tshark -h
-O protocols: Only show packet details of these protocols, comma separated

$ tshark -r Clmt_04.pcap -O http -V > clmt_04a.txt
$ tshark -r Clmt_04.pcap -O tcp,http -V > clmt_04b.txt

BTW
I'm running TShark 1.6.5

Best regards
Joke


On Tue, 7 Feb 2012 12:45:49 -0500 sean wrote:
>Hi,
>I'm using tshark to convert .pcap to .txt format using the -r option and
>redirecting the output to a file. eg. tshark -r file.pcap -V>file.txt
>The problem is that the size of the txt file is about 30x larger than the
>pcap since I'm using the -V(erbose) option. I'm wondering if there is a way
>to strip off some of the protocol headers that I'm not interested in. e.g.
>I want to strip off the 'Frame', 'Ethernet' and 'IP' protocol layers before
>redirecting the output to a txt. Is that possible? Another idea is to
>selectively expand (Verbose) only the protocols i'm interested in. Is any
>of this possible. If yes, i'd appreciate some advice. Thanks a lot.
>Sean.


