
I have been working with some fun forensic command line tools. I have realized that while Wireshark is fabulously powerful, it is not the easiest to get a "baseline" network reading or easily analyze network traffic for forensic evidence. I have used TCPdSTAT for a while, but it seems to be under developed for PCAP-NG file formats (at least as far as I can tell). I have since been working on one of my own Lua scripts as a TCPdSTAT-esque port. It is called TCPdShark. It needs some more development, but I have focused it on IRC, FTP, SSH, Telnet, ARP, and a few others. I created a simple dissector that looks for protocol names in the packet. I have been wanting to parse text captured from IRC packets much like how Follow TCP Stream does. However, it appears that dissectors only go partway into the packet details, and in order to get to the irc.request.trailer section of the packet, Wireshark only dissects the packet when it's been clicked on.

I am trying to write my script to be more for offline analysis, and very automated. Is there a way to get Wireshark to rip every packet down to its basic elements automatically, without requiring the user to click on each one, or to use Follow TCP Stream?

I was also wondering if there is a way to make packet counts more accurate. I have a packet counting method to perform statistical analysis on the pcap file. However, sometimes TCP and UDP packet counts add up to over 100% of the total packets captured. Does anyone know how to explain this discrepancy?

I would also like to donate this script to the Wireshark community for further use and development. Is there a forum for that kind of stuff?

Thanks again!

asked 10 Mar '13, 14:10


T3CHKOMMIE

> I have used TCPdSTAT for a while, but it seems to be under developed for PCAP-NG file formats

The two versions of tcpdstat I've seen both use libpcap to read the capture file, so they should be able to read single-link-layer-header-type pcap-ng files on systems with libpcap 1.1.0 or later, such as OS X Snow Leopard or later, Solaris 11, sufficiently recent *BSDs and Linux distributions, and systems that don't come with libpcap on which you've installed libpcap 1.1.0 or later.

(10 Mar '13, 15:30) Guy Harris ♦♦

> I created a simple dissector that looks for protocol names in the packet.

If you want to look at what protocols appear in the packet, create a tap that looks at the "frame.protocols" field, which is a string containing a colon-separated list of protocol names ("filter names", so TCP shows up as "tcp", for example).

(10 Mar '13, 15:32) Guy Harris ♦♦
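As an added example along the lines of the comment above (not the poster's TCPdShark script and not Wireshark project code): a Lua tap that counts frames per protocol from the colon-separated `frame.protocols` string and, for the offline use case in the question, pulls the fully dissected `irc.request.trailer` text without anyone clicking on packets. The script and capture file names are placeholders.

```lua
-- Run offline with: tshark -q -r capture.pcapng -X lua_script:proto_stats.lua
-- Fields must be declared at load time, before dissection starts.
local f_protocols   = Field.new("frame.protocols")
local f_irc_trailer = Field.new("irc.request.trailer")

local frames       = 0
local proto_frames = {}   -- filter name (e.g. "tcp") -> frames containing it
local irc_lines    = {}   -- IRC request trailer text, in capture order

local tap = Listener.new("frame")   -- no filter: every frame is tapped

function tap.packet(pinfo, tvb)
    frames = frames + 1
    local fp = f_protocols()
    if fp then
        -- Count each protocol at most once per frame, so nested headers
        -- (e.g. an ICMP error quoting an inner IP/TCP header, which lists
        -- "ip" twice) cannot push a protocol's count above the frame total.
        local seen = {}
        for name in string.gmatch(tostring(fp), "[^:]+") do
            if not seen[name] then
                seen[name] = true
                proto_frames[name] = (proto_frames[name] or 0) + 1
            end
        end
    end
    -- Field.new(...)() returns every occurrence of the field in this frame;
    -- the tap sees the full dissection tree, not just the summary columns.
    for _, fi in ipairs({ f_irc_trailer() }) do
        irc_lines[#irc_lines + 1] =
            string.format("%d %s", pinfo.number, tostring(fi.value))
    end
end

function tap.draw()
    -- Called once at end of file under tshark: protocols by share of frames.
    if frames == 0 then print("no frames") return end
    local names = {}
    for name in pairs(proto_frames) do names[#names + 1] = name end
    table.sort(names, function(a, b) return proto_frames[a] > proto_frames[b] end)
    print(string.format("%d frames", frames))
    for _, name in ipairs(names) do
        local n = proto_frames[name]
        print(string.format("%-12s %8d  %6.2f%%", name, n, 100 * n / frames))
    end
    print(string.format("%d IRC request trailers", #irc_lines))
    for _, line in ipairs(irc_lines) do print(line) end
end
```

Because a frame carrying both an outer and an inner transport header is counted once per protocol, per-protocol shares stay at or below 100% of frames; protocols still overlap (every TCP frame is also an IP frame), so the column does not sum to 100%.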

Note that there's a bug in the IRC dissector in which it loses track of where it's dissecting, causing a malformed exception. A bug report has yet to be filed.

(11 Mar '13, 05:50) Jaap ♦

Good to know, guys. Thank you for the heads up. Anyone know where I can put my script to allow people to collaborate? Is there a Wireshark repo, or should I just host it and post a link?

Thanks again for the IRC bug. I have noticed those errors; I thought it was just the way I was taking in the dissected chunks!

(11 Mar '13, 12:25) T3CHKOMMIE

question was seen: 2,580 times

last updated: 11 Mar '13, 12:25
