OSTU - Sake Blok on Scripting with TShark
Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

Published in: Technology
Transcript

  • 1. Scripting with Tshark (1) May 2009
  • 2. This month's topic
    • Use tshark output as input for other commands
    • You will learn:
      • make a top-X list of field values (in our example a top-3 of http response content-types)
  • 3. "Prerequisites"
    • Use "linux", "*nix" or "windows with Cygwin"
    • Understand the "|" directive (see "pipelines" in the bash manpage)
    • Have a look at the manpage of:
      • sort
      • uniq
      • head
  • 4. Steps to take
    • Select only the packets that contain a http response
    • Print only the content type
    • sort and count the different content-type values
    • sort by number of occurrences and show only the top-3
  • 5. 1: printing only http 200 responses
    $ tshark -r sharkfest-1.cap -R http.response.code==200
    83 352.917830 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
    93 352.970553 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
    107 353.025471 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
    125 353.080799 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    128 353.087864 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    144 353.155244 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    154 353.183083 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
    167 353.214642 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    172 353.225952 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    193 353.537070 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    197 353.541326 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
    211 353.576094 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    217 353.589100 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    231 353.640987 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    237 353.659747 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    252 353.705038 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
    257 353.712542 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    272 353.756810 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    278 353.766229 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    292 353.803751 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    298 353.819321 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    308 353.851438 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
    344 356.368190 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
    362 356.421249 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
    411 368.893444 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/html)
    484 390.172144 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
    509 390.270855 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
    [...]
    $
  • 6. 2: print only content type
    $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type
    text/css
    text/css
    application/x-javascript
    image/gif
    image/gif
    image/gif
    image/jpeg
    image/gif
    image/gif
    image/gif
    image/jpeg
    image/gif
    image/gif
    image/gif
    image/gif
    application/x-javascript
    [...]
    $
  • 7. 3: sort & count
    $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c
      6 application/x-javascript
     58 image/gif
     12 image/jpeg
      5 text/css
     22 text/html
    $
  • 8. 4: sort again and show top-3
    $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c | sort -rn
     58 image/gif
     22 text/html
     12 image/jpeg
      6 application/x-javascript
      5 text/css
    $
    $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c | sort -rn | head -3
     58 image/gif
     22 text/html
     12 image/jpeg
    $
  • 9. Use also for other fields
    • top 10 requested hosts
    • top 10 requested URIs
    • top 10 http response codes
    • top 10 IP TTLs
    • top 10 src-mac addresses
    • top 10 etc…
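The four steps above generalize to any field, so here is the pipeline wrapped as a reusable shell helper. This is an added example, not code from the slides; it assumes tshark is on PATH and that the caller supplies the capture file and field name (the `top_n` half runs on any one-value-per-line input, which is what the constructed sample exercises).

```shell
#!/bin/sh
# Added example (not from the slides): rank the most common values of a tshark field.

# top_n N: read one value per line on stdin, print the N most common as "count value".
# Blank lines are dropped first: a packet that matches the filter but lacks the
# field prints an empty line with -T fields and would otherwise be counted as a value.
top_n() {
    n="${1:-3}"
    grep -v '^$' | sort | uniq -c | sort -rn | head -n "$n" | sed 's/^ *//'
}

# tshark_top FILE FIELD [N] [FILTER]: extract FIELD from FILE and rank its values.
# The filter defaults to the field itself, so only packets carrying it are read.
tshark_top() {
    file="$1"; field="$2"; n="${3:-10}"; filter="${4:-$2}"
    # -E occurrence=f keeps only the first value when one packet carries the field
    # several times (e.g. a reassembled response), so each packet counts once.
    # -R is the read filter used on the 2009 slides; newer tshark releases take
    # display filters with -Y, so swap the option if yours rejects -R.
    tshark -r "$file" -R "$filter" -T fields -E occurrence=f -e "$field" | top_n "$n"
}

# Constructed sample: content types as "tshark -T fields -e http.content_type"
# prints them, including one blank line for a response without a Content-Type.
SAMPLE='text/css
text/css
application/x-javascript
image/gif
image/gif

image/gif
text/css
image/jpeg
image/gif
application/x-javascript
image/gif'

# Top-3 of the constructed sample (what step 4 on the slides produces).
sample_top3() {
    printf '%s\n' "$SAMPLE" | top_n 3
}

# Number of distinct non-blank values in the sample.
sample_distinct_count() {
    printf '%s\n' "$SAMPLE" | top_n 100 | wc -l | tr -d ' '
}

# Example use on a real capture (names are placeholders):
#   tshark_top capture.pcap http.host 10
#   tshark_top capture.pcap ip.ttl 10 'ip.src == 192.0.2.1'
```

Because `top_n` reads stdin, the same helper also ranks values extracted by other tools, not only tshark.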
  • 10. That's all folks!
    • More info:
      • see the manpages at: http://www.wireshark.org/docs/man-pages/
    • Next month's episode: "Scripting with Tshark (2)"
    • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
    • e-mail: [email_address]
  • 11.
    • LoveMyTool.com Community for Network Monitoring & Management Tools
    • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html