I have been working with some fun forensic command line tools. I have realized that while Wireshark is fabulously powerful, it is not the easiest to get a "baseline" network reading or easily analyze network traffic for forensic evidence. I have used TCPdSTAT for a while, but it seems to be under-developed for PCAP-NG file formats (at least as far as I can tell). I have since been working on one of my own Lua scripts as a TCPdSTAT-esque port. It is called TCPdShark. It needs some more development, but I have focused it on IRC, FTP, SSH, Telnet, ARP, and a few others. I created a simple dissector that looks for protocol names in the packet.

I have been wanting to parse text captured from IRC packets much like how "Follow TCP Stream" does. However, it appears that dissectors only go partway into the packet details, and in order to get to the irc.request.trailer section of the packet, Wireshark only dissects the packet when it's been clicked on. I am trying to write my script so that it is more for offline analysis, and very automated. Is there a way to get Wireshark to rip every packet down to its basic elements automatically, without requiring the user to click on each one, or use "Follow TCP Stream"?

I was also wondering if there is a way to make packet counts more accurate. I have a packet counting method to perform statistical analysis on the pcap file. However, sometimes TCP and UDP packet counts add up to over 100% of the total packets captured. Does anyone know how to explain this discrepancy?

I would also like to donate this script to the Wireshark community for further use and development. Is there a forum for that kind of stuff? Thanks again!

asked 10 Mar '13, 14:10 T3CHKOMMIE
The two versions of tcpdstat I've seen both use libpcap to read the capture file, so they should be able to read single-link-layer-header-type pcap-ng files on systems with libpcap 1.1.0 or later, such as OS X Snow Leopard or later, Solaris 11, sufficiently recent *BSDs and Linux distributions, and systems that don't come with libpcap on which you've installed libpcap 1.1.0 or later.
If you want to look at what protocols appear in the packet, create a tap that looks at the "frame.protocols" field, which is a string containing a colon-separated list of protocol names ("filter names", so TCP shows up as "tcp", for example).
Note that there's a bug in the IRC dissector in which it loses track of where it's dissecting, causing a malformed exception. A bug report has yet to be filed.
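As an added illustration of the tap approach described in the answer above (example code written for this page, not part of the original thread or of TCPdShark): a Lua listener for tshark that reads the frame.protocols field of every packet, counts each protocol layer once per packet, and also collects irc.request.trailer values. Running under tshark dissects every packet fully with no GUI clicking, and passing true as the third argument to Listener.new asks Wireshark to generate all fields so that deeper values like irc.request.trailer are available to the tap. Because frame.protocols lists nested layers (every packet counted under tcp is also counted under ip), the tap reports each layer as a percentage of total packets rather than summing layers, which is one reason summed per-protocol percentages can exceed 100%. The field names are real Wireshark fields; the script and capture file names in the comment are placeholders.

```lua
-- Added example: tshark Lua listener for per-protocol packet counts and IRC text.
-- Assumed invocation (file names are placeholders):
--   tshark -q -r capture.pcapng -X lua_script:protostat.lua

-- Field extractors must be created before dissection starts (script load time).
local frame_protocols = Field.new("frame.protocols")
local irc_trailer     = Field.new("irc.request.trailer")

local total     = 0   -- packets seen
local per_proto = {}  -- protocol filter name -> number of packets carrying it
local irc_lines = {}  -- collected IRC message text, in capture order

-- nil tap name = "frame" (every packet); nil filter; true = generate all fields
-- so values below the top level of the tree (like irc.request.trailer) are populated.
local tap = Listener.new(nil, nil, true)

function tap.reset()
    total, per_proto, irc_lines = 0, {}, {}
end

function tap.packet(pinfo, tvb)
    total = total + 1

    -- frame.protocols is a string such as "eth:ethertype:ip:tcp:irc".
    -- Count each layer name at most once per packet, so no layer can ever
    -- exceed 100% of packets on its own.
    local fi = frame_protocols()
    if fi then
        local seen = {}
        for name in tostring(fi):gmatch("[^:]+") do
            if not seen[name] then
                seen[name] = true
                per_proto[name] = (per_proto[name] or 0) + 1
            end
        end
    end

    -- A field extractor returns every matching value; a single packet may
    -- carry several IRC lines, so gather all of them.
    for _, t in ipairs({ irc_trailer() }) do
        irc_lines[#irc_lines + 1] = string.format("%s -> %s: %s",
            tostring(pinfo.src), tostring(pinfo.dst), tostring(t))
    end
end

function tap.draw()
    print(string.format("total packets: %d", total))
    if total == 0 then return end

    -- Sort layers by count, descending, and report each against the total.
    local names = {}
    for n in pairs(per_proto) do names[#names + 1] = n end
    table.sort(names, function(a, b) return per_proto[a] > per_proto[b] end)
    for _, n in ipairs(names) do
        print(string.format("%-12s %8d %6.1f%%",
            n, per_proto[n], 100 * per_proto[n] / total))
    end

    print(string.format("IRC messages: %d", #irc_lines))
    for _, l in ipairs(irc_lines) do print(l) end
end
```

With -q tshark suppresses per-packet output and only the draw() summary is printed once the whole file has been read, which suits an unattended, offline run. Because the IRC dissector bug mentioned above can raise a malformed exception on some packets, any packet it trips on will simply have no irc.request.trailer values in the tap; the protocol counts for that packet are still taken from frame.protocols.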
Good to know, guys. Thank you for the heads up. Anyone know where I can put my script to allow people to collaborate? Is there a Wireshark repo, or should I just host it and post a link?
Thanks again for the IRC bug. I have noticed those errors; I thought it was just the way I was taking in the dissected chunks!