OSTU - Sake Blok on Controlling tshark Display Format

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

Presentation Transcript

  • Controlling tshark's display behavior, October 2008
  • Welcome Back!
    • Fifth episode of a monthly series about using the Wireshark CLI tools
    • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
  • This month's topic
    • In this fifth episode, I will show you how you can change the way tshark displays packets
    • You will learn how to:
      • Select the columns to display
      • Control name resolution
      • Use a time format of your choice
      • Use "decode as…" functionality
  • Select the columns to display
    • Change the column.format preference value with '-o column.format:<str>'
    • The string is a list of quoted pairs: a column title followed by its format code (%m = packet number, %t = time, %s/%d = source/destination address, %hs/%hd = hardware addresses, %S/%D = source/destination port, %L = length, %p = protocol, %i = info)
    • Format definitions can be found at: http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?revision=24964&view=markup
    • Example:
    $ tshark -r client.cap -R http -o column.format:'"No.", "%m", "Time", "%t", "src", "%hs", "dst", "%hd", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "len", "%L", "Protocol", "%p", "Info", "%i"'
    4 0.002689 IntelCor_61:3a:ad -> JuniperN_bb:d1:3b 192.168.1.46 -> 192.168.1.20 43426 http 160 HTTP GET / HTTP/1.0
    6 0.024024 JuniperN_bb:d1:3b -> IntelCor_61:3a:ad 192.168.1.20 -> 192.168.1.46 http 43426 429 HTTP HTTP/1.1 200 OK
    $
  • Control name resolution (1)
    • Use the -n option to disable all name resolution
    • By default only MAC-address and transport-layer (port) resolution is enabled, which is why the previous example shows vendor names and "http" instead of raw addresses and port 80
    $ tshark -n -r client.cap -R http -o column.format:'"No.", "%m", "Time", "%t", "src", "%hs", "dst", "%hd", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "len", "%L", "Protocol", "%p", "Info", "%i"'
    4 0.002689 00:1c:bf:61:3a:ad -> 00:12:1e:bb:d1:3b 192.168.1.46 -> 192.168.1.20 43426 80 160 HTTP GET / HTTP/1.0
    6 0.024024 00:12:1e:bb:d1:3b -> 00:1c:bf:61:3a:ad 192.168.1.20 -> 192.168.1.46 80 43426 429 HTTP HTTP/1.1 200 OK
    $
  • Control name resolution (2)
    • Use the '-N <arg>' option to enable name resolution for certain layers only. The argument is a string that may contain the letters:
      • m to enable MAC address resolution
      • n to enable network address resolution
      • t to enable transport-layer port number resolution
      • C to enable concurrent (asynchronous) DNS lookups
    • Example: '-Nnt' to resolve hostnames and port numbers
  • Use a time format of your choice (1)
    • Use the -t option to select a time format:
      • '-t ad' for absolute date and time
      • '-t a' for absolute time
      • '-t r' for relative to start of capture
      • '-t d' for delta to previous captured packet
      • '-t dd' for delta to previous displayed packet
  • Use a time format of your choice (2)
    $ tshark -r client.cap -R http -tad
    4 2008-09-23 22:31:59.249141 192.168.1.46 -> 192.168.1.20 HTTP G
    6 2008-09-23 22:31:59.270476 192.168.1.20 -> 192.168.1.46 HTTP H
    $
    $ tshark -r client.cap -R http -ta
    4 22:31:59.249141 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1
    6 22:31:59.270476 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200
    $
    $ tshark -r client.cap -R http -tr
    4 0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
    6 0.024024 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
    $
    $ tshark -r client.cap -R http -td
    4 0.000589 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
    6 0.019966 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
    $
    $ tshark -r client.cap -R http -tdd
    4 0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
    6 0.021335 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
    $
  • Use "decode as…" functionality
    • Use the -d option to dissect data on non-standard ports or protocols: "-d <layer_type>==<selector>,<decode_as_protocol> ..."
    • Example: bittwiste first rewrites TCP port 80 to 8000 in both directions, so tshark no longer recognizes the traffic as HTTP until it is told to with -d
    $ bittwiste -I client.cap -O port8000.cap -T tcp -s 80,8000 -d 80,8000
    $
    $ tshark -n -r port8000.cap -R 'tcp.len>0' -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "Protocol", "%p", "Info", "%i"'
    4 0.002689 192.168.1.46 -> 192.168.1.20 43426 8000 TCP 43426 > 8000 [PSH, ACK] Seq=1 Ack=1 Win=128000 Len=106
    6 0.024024 192.168.1.20 -> 192.168.1.46 8000 43426 TCP 8000 > 43426 [PSH, ACK] Seq=1 Ack=107 Win=5888 Len=375
    $
    $ tshark -n -r port8000.cap -R 'tcp.len>0' -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "Protocol", "%p", "Info", "%i"' -d 'tcp.port==8000,http'
    4 0.002689 192.168.1.46 -> 192.168.1.20 43426 8000 HTTP GET / HTTP/1.0
    6 0.024024 192.168.1.20 -> 192.168.1.46 8000 43426 HTTP HTTP/1.1 200 OK (text/html)
    $
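As an added example (not from the slides), the script below ties the four topics together: it builds the column.format string from title/format pairs so the quoting is done once, and assembles a tshark command with -n and -t ad for output that is reproducible and causes no DNS lookups from the analysis host, plus an optional -d for traffic on a non-standard port. It assumes the capture names from the slides (client.cap, port8000.cap), the function names are mine, and it uses -Y, the display-filter option on tshark 1.10 and later, where the 2008 slides use -R.

```shell
# Added example, not from Sake Blok's slides. Function names are assumed;
# capture names come from the slides. -Y replaces the slides' -R on
# tshark >= 1.10 (where -R became the two-pass read filter).

# column_format NAME FMT [NAME FMT ...]  ->  "NAME", "FMT", ...
# Each title/format pair becomes a quoted pair, joined by ", ".
column_format() {
    _out=""
    while [ "$#" -ge 2 ]; do
        _pair="\"$1\", \"$2\""
        if [ -n "$_out" ]; then
            _out="$_out, $_pair"
        else
            _out="$_pair"
        fi
        shift 2
    done
    printf '%s' "$_out"
}

# forensic_tshark_cmd CAPTURE FILTER [PORT]  ->  prints the command line
#   -n     no name resolution: no DNS queries leave the analysis host and
#          the output is identical on every machine that re-runs it
#   -t ad  absolute date and time, so lines correlate with other log sources
#   -d     when PORT is given, dissect TCP traffic on that port as HTTP
forensic_tshark_cmd() {
    _fmt=$(column_format "No." %m "Time" %t "Source" %s "srcport" %S \
                         "Destination" %d "dstport" %D "Protocol" %p "Info" %i)
    _cmd="tshark -n -t ad -r '$1' -Y '$2' -o column.format:'$_fmt'"
    if [ -n "${3:-}" ]; then
        _cmd="$_cmd -d 'tcp.port==$3,http'"
    fi
    printf '%s\n' "$_cmd"
}

# Command for the rewritten capture; run it with: sh -c "$(forensic_tshark_cmd ...)"
forensic_tshark_cmd port8000.cap 'tcp.len>0' 8000
```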
  • That's all folks!
    • More info:
      • see the manpages at: http://www.wireshark.org/docs/man-pages/
    • Next month's episode: "Using tshark's output formats"
    • e-mail: [email_address]
    • LoveMyTool.com Community for Network Monitoring & Management Tools
    • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html