This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark http dissection of captured dump

0

Hi,

please I have the following challenges using Tshark, though I have achieved it in wireshark, but it cost me too many time. So want to autorun tshark to do same. But I have been having difficulty achieving any.

  1. merge and filter series of dumped traffic for sequence of IP addressed (example 10.1.1.2, 10.2.4.12, 10.5.3.6 and so on), combined with same argument (as in "http.request.method==GET or ((tcp.flag.syn==1 && tcp.flag.ack==0 && tcp.port==443) or (tcp.flag.syn==1 && tcp.flag.ack==0 && tcp.port==22) ).
  2. export this filtered output as a .csv file.

Please how can I do it... in tshark?

asked 22 Aug '13, 21:22

Hunted's gravatar image

Hunted
11334
accept rate: 0%

edited 24 Aug '13, 01:13

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245

One Answer:

1

The display filter part would be the same for Wireshark and Tshark. You can set the display filter for tshark with the option "-Y" (or "-R" in versions up to 1.8):

tshark -r <file> -Y "(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and ("http.request.method==GET or (tcp.flag.syn==1 && tcp.flag.ack==0 && tcp.port==443) or (tcp.flag.syn==1 && tcp.flag.ack==0 && tcp.port==22) )"

As for the CSV output, have a look at the -T field options of tshark:

  -T pdml|ps|psml|text|fields
                           format of text output (def: text)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port, col.Info);
                           this option can be repeated to print multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values

(from "tshark -h")

answered 24 Aug '13, 01:18

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

thanks, its now working...

tshark -r <file> -Y "(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and ("http.request.method==GET" or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==443) or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==22) )"

However, I have another challenge. when i attempt to autorun this code using batch file process (using windows), I discovered that it does not accept it, rather it attempts to capture the traffic on my network. I want it to dissect the specified file. Is there a way to instruct it (tshark) to dissect the given file, and not to capture another traffic..?

Thanks in anticipation of your response.

(25 Aug '13, 09:38) Hunted

Your other challenge has been converted into a separate question; that's how a Q&A site such as this should work (Q&A sites aren't forums).

(25 Aug '13, 10:10) Guy Harris ♦♦