This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering Captures via Scripts

0

I'd like to write a script (I'm on Windows) to open a WS capture, apply filters to it and write the output to a file.

I can get the correct information out of Wireshark by applying the filters there. How/what should I write a script in to run the file through WS, apply the filters, and then dump the output to a file?

Thanks!

asked 01 Dec '11, 14:16

sideslope
accept rate: 0%


2 Answers:

1

You just call up tshark.exe, which is the command line version of Wireshark, tell it to read the file, filter for whatever display filter you like, and write the file back out again. Here's an example, reading the file "sample.pcap", filtering it for ARP packets and writing it to "result.pcap":

tshark -r "sample.pcap" -R "arp" -w "result.pcap"

tshark.exe can be found in the Wireshark installation directory.

answered 01 Dec '11, 14:33

Jasper ♦♦
accept rate: 18%

Thanks Jasper! This does what I need. Is there a filter list of parameters somewhere? I need to filter on TCP conversation + Get requests. I see how to do the gets, but I don't see how to filter on conversations too.

Thanks again!

(05 Dec '11, 13:43) sideslope

If I need to filter a conversation I usually use the popup menu of the packet list and select "Conversation Filter" -> "TCP", which will apply a display filter on the sockets of sender and receiver. It can be a bit annoying to filter on conversations by hand, so maybe you can take a look at the tcp stream index and filter on that without having to look for packets of each conversation.

(06 Dec '11, 01:51) Jasper ♦♦

0

Use TShark to get an overview of the TCP Conversations:

$ tshark -r Clmt_04.pcap -q -z conv,tcp
===============================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:1386     <-> 93.184.220.20:80           111    142403      57      3618     168    146021
192.168.1.2:1367     <-> 93.184.220.20:80            54     73813      30      2061      84     75874
192.168.1.2:1344     <-> 204.9.178.11:80             43     57501      29      3622      72     61123
===============================================================================

Some examples:

tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1386 && ip.addr==93.184.220.20 && tcp.port==80) || http.request"
tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1386 && ip.addr==93.184.220.20 && tcp.port==80) && http.request"  -w output1.pcap
tshark -r Clmt_04.pcap -R "(ip.addr==192.168.1.2 && tcp.port==1367 && ip.addr==93.184.220.20 && tcp.port==80) || (ip.addr==192.168.1.2 && tcp.port==1344 && ip.addr==204.9.178.11 && tcp.port==80)"
tshark -r Clmt_04.pcap -R "((ip.addr==192.168.1.2 && tcp.port==1367 && ip.addr==93.184.220.20 && tcp.port==80) || (ip.addr==192.168.1.2 && tcp.port==1344 && ip.addr==204.9.178.11 && tcp.port==80)) && http.request" -w output4.pcap

You can find more information in the TShark man-page.

answered 05 Dec '11, 21:34

joke
accept rate: 9%

edited 06 Dec '11, 01:07

Guy Harris ♦♦
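The step joke's answer does by hand (read the `-z conv,tcp` table, turn each socket pair into a display filter, feed it back to tshark) can be scripted. This is an added example, not code from the thread; it assumes tshark is on PATH (on Windows, substitute the full path into the installation directory) and uses `-Y`, the display-filter flag on current TShark (the 2011 answers used `-R`, which now means a two-pass read filter). The conversation table below is constructed from the figures in the answer.

```python
import re

# Constructed sample in the layout `tshark -q -z conv,tcp` prints (the three
# conversations from the answer above); newer TShark appends more columns.
SAMPLE_CONV = """\
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:1386  <-> 93.184.220.20:80       111   142403      57     3618     168   146021
192.168.1.2:1367  <-> 93.184.220.20:80        54    73813      30     2061      84    75874
192.168.1.2:1344  <-> 204.9.178.11:80         43    57501      29     3622      72    61123
"""

# host:port <-> host:port, then <- frames/bytes, -> frames/bytes, Total frames/bytes
CONV_RE = re.compile(
    r"^(?P<a_ip>[\d.]+):(?P<a_port>\d+)\s+<->\s+(?P<b_ip>[\d.]+):(?P<b_port>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<frames>\d+)\s+(?P<bytes>\d+)")

def parse_conversations(text):
    """Return one dict per conversation row; header and separator lines are skipped."""
    convs = []
    for line in text.splitlines():
        m = CONV_RE.match(line)
        if m:
            convs.append({k: (v if k in ("a_ip", "b_ip") else int(v))
                          for k, v in m.groupdict().items()})
    return convs

def conversation_filter(c):
    """Display filter for one socket pair, in the same form Wireshark's
    'Conversation Filter -> TCP' produces (ip.addr/tcp.port match either direction)."""
    return (f"(ip.addr=={c['a_ip']} && tcp.port=={c['a_port']}"
            f" && ip.addr=={c['b_ip']} && tcp.port=={c['b_port']})")

def combine_filters(filters, extra=None):
    """OR several conversation filters; `extra` (e.g. http.request) is ANDed
    onto the whole group, so it is bracketed when there is more than one."""
    expr = " || ".join(filters)
    if extra and len(filters) > 1:
        expr = f"({expr})"
    return f"{expr} && {extra}" if extra else expr

def tshark_args(infile, display_filter, outfile=None):
    """argv for `tshark -r in -Y filter [-w out]`, ready for subprocess.run."""
    args = ["tshark", "-r", infile, "-Y", display_filter]
    return args + ["-w", outfile] if outfile else args

if __name__ == "__main__":
    convs = parse_conversations(SAMPLE_CONV)          # in practice: output of -z conv,tcp
    biggest = max(convs, key=lambda c: c["bytes"])    # e.g. keep only the largest transfer
    print(tshark_args("Clmt_04.pcap", combine_filters([conversation_filter(biggest)], "http.request"), "output1.pcap"))
```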