OSTU - Sake Blok on Scripting with TShark

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.


  1. Scripting with Tshark (1), May 2009

  2. This month's topic
     - Use tshark output as input for other commands
     - You will learn:
       - how to make a top-X list of field values (in our example a top-3 of HTTP response content-types)

  3. "Prerequisites"
     - Use "linux", "*nix" or "windows with Cygwin"
     - Understand the "|" directive (see "pipelines" in the bash manpage)
     - Have a look at the manpage of:
       - sort
       - uniq
       - head

  4. Steps to take
     - Select only the packets that contain an HTTP response
     - Print only the content type
     - Sort and count the different content-type values
     - Sort by number of occurrences and show only the top-3
  5. 1: printing only http 200 responses

     $ tshark -r sharkfest-1.cap -R http.response.code==200
      83 352.917830 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
      93 352.970553 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
     107 353.025471 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
     125 353.080799 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     128 353.087864 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     144 353.155244 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     154 353.183083 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
     167 353.214642 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     172 353.225952 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     193 353.537070 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     197 353.541326 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
     211 353.576094 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     217 353.589100 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     231 353.640987 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     237 353.659747 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     252 353.705038 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
     257 353.712542 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     272 353.756810 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     278 353.766229 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     292 353.803751 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     298 353.819321 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     308 353.851438 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
     344 356.368190 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
     362 356.421249 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (GIF89a)
     411 368.893444 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/html)
     484 390.172144 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (text/css)
     509 390.270855 194.134.109.48 -> 192.168.1.30 HTTP HTTP/1.1 200 OK (application/x-javascript)
     [...]
     $

  6. 2: print only content type

     $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type
     text/css
     text/css
     application/x-javascript
     image/gif
     image/gif
     image/gif
     image/jpeg
     image/gif
     image/gif
     image/gif
     image/jpeg
     image/gif
     image/gif
     image/gif
     image/gif
     application/x-javascript
     [...]
     $

  7. 3: sort & count

     $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c
           6 application/x-javascript
          58 image/gif
          12 image/jpeg
           5 text/css
          22 text/html
     $

  8. 4: sort again and show top-3

     $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c | sort -rn
          58 image/gif
          22 text/html
          12 image/jpeg
           6 application/x-javascript
           5 text/css
     $
     $ tshark -r sharkfest-1.cap -R http.response.code==200 -T fields -e http.content_type | sort | uniq -c | sort -rn | head -3
          58 image/gif
          22 text/html
          12 image/jpeg
     $
  9. Use also for other fields
     - top 10 requested hosts
     - top 10 requested URIs
     - top 10 http response codes
     - top 10 IP TTLs
     - top 10 src-mac addresses
     - top 10 etc…
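The four steps (filter, print one field, sort and count, rank and cut) and the reuse of that same pipeline for any other field, as one added shell script. This is not code from Sake's slides; it is an added example. It assumes a current tshark, where the display filter is passed with -Y (the -R used on the 2009 slides selected the filter in tshark 1.x; in current versions -R is a read filter that needs two-pass mode, -2). The `topn` helper takes field values on stdin, so the demo at the bottom runs on a constructed sample without a capture file. Two details the slides skip are handled: `-T fields` prints an empty line for every matched packet that has no value for the field, and those lines are dropped before counting; and equal counts are ordered by value so the ranking is deterministic. During triage, the same one-liner over http.host, http.response.code or ip.ttl gives a quick view of what a capture is dominated by before looking at individual packets.

```shell
#!/bin/sh
# Added example: a reusable "top-N field values" helper built from the
# slides' sort | uniq -c | sort -rn | head pipeline. Not part of the slides.

# topn N  - read one field value per line on stdin, print the N most frequent
#           values as "<count> <value>", most frequent first.
# grep -v '^$'  drops the empty lines that `tshark -T fields` prints for matched
#               packets that carry no value for the requested field.
# sort -k1,1rn  ranks by count descending; -k2,2 breaks ties by value ascending,
#               so the output does not depend on the sort implementation.
# sed           trims the padding that `uniq -c` puts in front of the count.
topn() {
    n="${1:-3}"
    grep -v '^$' | sort | uniq -c | sort -k1,1rn -k2,2 | head -n "$n" \
        | sed 's/^[[:space:]]*//'
}

# tshark_topn PCAP FILTER FIELD [N] - the whole pipeline from the slides,
# generalized to any field (slide 9): e.g. tshark_topn trace.pcap http.request http.host 10
# Assumes a tshark that accepts -Y for the display filter.
tshark_topn() {
    tshark -r "$1" -Y "$2" -T fields -e "$3" | topn "${4:-3}"
}

# Constructed sample (not from the slides' sharkfest-1.cap): what
#   tshark -r x.pcap -Y http.response.code==200 -T fields -e http.content_type
# could print for a small capture. The blank line stands for a 200 response
# that had no Content-Type header.
SAMPLE='text/css
text/css
application/x-javascript
image/gif

image/gif
image/jpeg
text/html
image/gif
text/html
'

# demo - run the top-3 over the constructed sample; returns the ranked lines.
demo() {
    printf '%s' "$SAMPLE" | topn 3
}

demo
```

Source the script and call `tshark_topn capture.pcap 'http.response.code==200' http.content_type 3` to reproduce slide 8 on a real capture, or swap in any field name from the slide-9 list. The tie-break matters in practice: with the plain `sort -rn` of the slides, two values that occur equally often can come out in either order on different systems, which makes diffs of two runs noisy.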
  10. That's all folks!
     - More info:
       - see the manpages at: http://www.wireshark.org/docs/man-pages/
     - Next month's episode: "Scripting with Tshark (2)"
     - Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
     - e-mail: [email_address]

  11. LoveMyTool.com
     - Community for Network Monitoring & Management Tools
     - For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
