Help with a tshark cmd

Question

Hey guys, Im not new to tshark but I'm trying to make my life quite a bit easier with command lines and Im having quite a bit of difficulty.

I can convert .pcap's to .txt's just fine, but the summary information isn't enough. What I was hoping to get is [SEQ/ACK Analysis] that are located in the TCP files and the [Domain Name System Query] information in the DNS files.

Is it possible to convert a pcap to a txt file and retain this information?

Thanks Guys, Z

Accepted Answer

The more I dig into tshark, the more I realize how little I know. I am providing the following examples to help people that come across this that are at the same skill level that I was when I first asked this. The man page is great for when you have a handle on things, but impossible to read until then.

Basics:

tshark -r C:\this.pcap > C:\that.txt  //writes the pcap to txt single line

tshark -r C:\this.pcap -V > C:\that.txt //writes all the lines of pcap to text

tshark -r C:\this.pcap -VV > C:\that.txt //single line but more information

tshark -r C:\this.pcap -VVV > C:\that.txt //single line and even more information

tshark -r C:\this.pcap -t a > C:\that.txt //single line but uses the Real Time instead of log time

tshark -r C:\this.pcap -t ad > C:\that.txt //single line but uses the Real Time with date

tshark -r C:\this.pcap -t d > C:\that.txt //single line with delta between frames

More Complicated:

tshark -r C:\this.pcap -T Fields -e frame.number -e frame.time > C:\that.txt 
//converts the file but only display the frame number and the frame time

tshark -r C:\this.pcap -T Fields -e frame.number -e frame.time -e ip.src -e ip.dst > C:\that.txt //Same as above but adds the ip source and destination fields

tshark -r C:\this.pcap -T Fields -e frame.number -e frame.time -E separator=\ > C:\that.txt 
//Same as the first one but seperates the column with a "\" (any single character can be used)

tshark -r C:\this.pcap -T Fields -e frame.number -e frame.time -E separator=\ -Y DNS > C:\that.txt //Same as the last one but filters out all DNS packets

tshark -r C:\this.pcap -T Fields -e frame.number -e frame.time -E separator=\ -2 -Y "tcp.flags.syn && tcp.flags.fin" 
//Same as the last one but this time filters for .syn and .fin requests (notice the -2)

For reference on syntax, please refer to the "Man Page": http://www.wireshark.org/docs/man-pages/tshark.html

For reference on all possible field options "-e": http://www.wireshark.org/docs/dfref/

For reference on possible filters -Y or -R: The easiest of I have found is too just go into wireshark and create the filter string as needed.

I hope this is as useful as it was too me once I finally figured it out. Enjoy : )

Answer 2

0

Does tshark -O tcp,dns give you what you're looking for?

If not, feel free to experiment with the various tshark options, such as -T fields -e field1 -e field2, etc., as maybe that would be more useful to you?

permanent link

answered 24 Oct '13, 14:56

cmaynard ♦♦
9.3k●10●38●142
accept rate: 20%

Can you give me a couple commands of each one? Im still trying to get a hang of the snytax. Say my pcap file is C:\this.pcap, what would a few commands be to start playing with the fields? This website http://www.wireshark.org/docs/man-pages/tshark.html seems only useful to someone that has the basics of the cmd line down already.

(24 Oct '13, 15:16) Nefarii

The man page provides an example:

tshark -T fields -e frame.number -e ip.addr -e udp -e col.info

Here's another one for some TCP-related stuff you might be interested in:

tshark -r file -Y tcp.analysis.flags -T fields -e frame.number -e tcp.analysis.duplicate_ack -e tcp.analysis.lost_segment -e tcp.analysis.bytes_in_flight

(24 Oct '13, 15:37) cmaynard ♦♦

How do you use the -V option?

(25 Oct '13, 09:18) Nefarii

How do you use the -V option?

tshark -V

It's that simple. But I doubt it's what you're after.

(25 Oct '13, 09:27) cmaynard ♦♦

lol sorry I should of been more specific, how do you use the -v option while outputting a file? right now the best I can gather is tshark -i - < C:\this.pcap > -V C:\this.txt or tshark -r C:\this.pcap -V -w C:\this.txt neither of which seems to work

(25 Oct '13, 09:59) Nefarii

tshark -r C:\this.pcap -V -w C:\thiscopy.pcap

The file specified with the -w option is a pcap file, not a text file. If you want a text file as output, but you also want to see the packets on the screen at the same time, then you should look into using something like tee, as in:

tshark -r C:\this.pcap -V | tee C:\this.txt

If you're on Windows, then tee is available with cygwin.

(25 Oct '13, 10:15) cmaynard ♦♦

showing 5 of 6 show 1 more comments

Help with a tshark cmd

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions