I have been working with some fun forensic command line tools. I have realized that while Wireshark is fabulously powerful, it is not the easiest to get a "baseline" network reading or easily analyze network traffic for forensic evidence. I have used TCPdSTAT for a while, but it seems to be under-developed for PCAP-NG file formats (at least as far as I can tell). I have since been working on one of my own Lua scripts as a TCPdSTAT-esque port. It is called TCPdShark. It needs some more development, but I have focused it on IRC, FTP, SSH, Telnet, ARP, and a few others. I created a simple dissector that looks for protocol names in the packet. I have been wanting to parse text captured from IRC packets much like how Follow TCP Stream does. However, it appears that dissectors only go partway into the packet details, and in order to get to the irc.request.trailer section of the packet, Wireshark only dissects the packet when it's been clicked on.
I am trying to write my script to be more for offline analysis, and very automated. Is there a way to get Wireshark to rip every packet down to its basic elements automatically, without requiring the user to click on each one, or use Follow TCP Stream?
I was also wondering if there is a way to make packet counts more accurate. I have a packet counting method to perform statistical analysis on the pcap file. However, sometimes the TCP and UDP packet counts add up to over 100% of the total packets captured. Does anyone know how to explain this discrepancy?
I would also like to donate this script to the Wireshark community for further use and development. Is there a forum for that kind of stuff?
asked 10 Mar '13, 14:10
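One way to extract irc.request.trailer from every packet non-interactively and to count TCP/UDP frames once each, as an added example that is not part of the original post or of the TCPdShark script: a tshark/Wireshark Lua tap listener. Field names are Wireshark's own; the capture file name and the script file name are assumptions.

```lua
-- Added example: tap listener that pulls the IRC trailer out of every packet
-- without any GUI clicks, and counts transport protocols per frame.
-- Run with: tshark -r capture.pcapng -q -X lua_script:irc_tap.lua
-- (capture.pcapng and irc_tap.lua are assumed names.)

-- Field.new() must be called at script load time, before any packet is
-- dissected. Declaring the field tells the engine to fully dissect the
-- protocol so the value exists in the tree for every packet, not only the
-- one currently selected in the GUI.
local f_irc_req  = Field.new("irc.request.trailer")
local f_irc_resp = Field.new("irc.response.trailer")
local f_tcp      = Field.new("tcp")
local f_udp      = Field.new("udp")

local stats = { frames = 0, tcp = 0, udp = 0, irc_lines = 0 }

-- Tap on "frame" so the callback runs exactly once per captured packet.
local tap = Listener.new("frame")

function tap.packet(pinfo, tvb)
    stats.frames = stats.frames + 1
    -- Each frame is counted at most once per transport layer. A frame that
    -- carries both (for example a tunnelled packet) is counted in both.
    if f_tcp() then stats.tcp = stats.tcp + 1 end
    if f_udp() then stats.udp = stats.udp + 1 end

    -- Calling a Field returns every matching FieldInfo in the packet; one
    -- TCP segment may carry several IRC lines, so iterate over all of them.
    for _, fi in ipairs({ f_irc_req() }) do
        stats.irc_lines = stats.irc_lines + 1
        print(string.format("%d %s -> %s  REQ  %s", pinfo.number,
            tostring(pinfo.src), tostring(pinfo.dst), tostring(fi)))
    end
    for _, fi in ipairs({ f_irc_resp() }) do
        stats.irc_lines = stats.irc_lines + 1
        print(string.format("%d %s -> %s  RESP %s", pinfo.number,
            tostring(pinfo.src), tostring(pinfo.dst), tostring(fi)))
    end
end

-- Called once at end of file under tshark (or on redraw in Wireshark).
function tap.draw()
    local n = math.max(stats.frames, 1)
    print(string.format("frames=%d tcp=%d (%.1f%%) udp=%d (%.1f%%) irc_lines=%d",
        stats.frames, stats.tcp, 100 * stats.tcp / n,
        stats.udp, 100 * stats.udp / n, stats.irc_lines))
end
```

Because the per-frame counters come from the same tap call, the percentages in `draw()` are relative to the number of frames actually tapped, which makes it easy to spot whether a "tcp + udp > 100%" figure comes from counting some frames under more than one protocol.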