This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Wireshark to determine port usage

0

Hi all,

We are interested in developing a baseline for our network traffic between sites. This will be used to create port-based ACLs on the routers.

In order to reduce the size of our captures, we are planning to use a capture filter to look for SYN packets. However, ideally the end-game is to have a list of ports for each site and therefore we only need ONE SYN packet for each IP address/port pair. I can massage the data after the capture, but I'm wondering if anyone has any advice of clever and easy ways to do this in Wireshark.

Thanks, - Steve

asked 30 Sep '10, 12:12

RSteveKadish's gravatar image

RSteveKadish
6113
accept rate: 0%


One Answer:

2

This is something that Wireshark can't do, but fortunately, tshark can. Tshark is part of the CLI tools that are installed too when you install Wireshark.

You can use the following:

tshark -nlr <capture-file> -R "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.dst -e tcp.dstport | sort | uniq

If you also would like to know from which IP's the traffic is coming from, you can use:

tshark -nlr <capture-file> -R "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq

And if you are interested in how often sessions are set up, just add "-c" at the end. If you would like to have a top 10 of destination host/ports, you can use:

tshark -nlr <capture-file> -R "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn | head

(if you use windows, these commands can be used within a cygwin shell, have a look at http://www.cygwin.com)

answered 30 Sep '10, 12:54

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hi Sake,

Thanks very much! This is great info.

I already have a capture running with the tcp[0xd]&18=2 filter (because there simply isn't going to be enough disk space for a full capture.) So I assume that I should use the tshark syntaxes you provided and just leave out the -R option?

Thanks, - Steve

(30 Sep '10, 13:00) RSteveKadish

Sure thing, if the tracefile only contains the SYN-packets, it's not needed to filter for SYN-packets again :-)

(30 Sep '10, 13:03) SYN-bit ♦♦

Hi Sake,

I wanted to let you know that I played around with these commands (after a week of capturing) and they are extremely helpful. They will save me a lot of work by not having to massage the data manually.

Best, - Steve

(08 Oct '10, 07:32) RSteveKadish

Glad this worked for you! And thanks for the feedback :-)

(08 Oct '10, 10:50) SYN-bit ♦♦