OSTU - Sake Blok on TShark Output Formats
Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

Presentation Transcript

  • TShark's output formats, December 2008
  • Welcome Back!
    • Sixth episode of a monthly series about using the Wireshark CLI tools
    • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
  • This month's topic
    • In this sixth episode, I will show you how you can use tshark's different output formats
    • You will learn how to:
      • Add output of protocol tree
      • Add output of hex and ASCII dump
      • Use machine parseable output with the fields of your choice
      • Use XML output formats
  • Add output of protocol tree
    • Use -V to see the whole protocol tree
    • Same format as in Wireshark
    • All sub trees expanded, no way to control this
    • Very verbose output:
    $ tshark -r client.cap -R http.request | wc
          1       9      66
    $ tshark -r client.cap -R http.request -V | wc
         78     399    3331
  • Example of output with -V
    $ tshark -r client.cap -R http.request -V
    Frame 4 (160 bytes on wire, 160 bytes captured)
        Arrival Time: Sep 23, 2008 22:31:59.249141000
        [Time delta from previous captured frame: 0.000589000 seconds]
        [Time delta from previous displayed frame: 0.002689000 seconds]
        [Time since reference or first frame: 0.002689000 seconds]
        Frame Number: 4
        Frame Length: 160 bytes
        Capture Length: 160 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:tcp:http]
    Ethernet II, Src: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad), Dst: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
        Destination: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
            Address: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad)
            Address: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 192.168.1.46 (192.168.1.46), Dst: 192.168.1.20 (192.168.1.20)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 146
        Identification: 0x588c (22668)
        Flags: 0x04 (Don't Fragment)
    [ rest of output omitted ]
  • Add output of hex and ASCII dump
    • Use -x to add the packet bytes to the output (remember to use -s)
    • Can be used with summary as well as protocol tree output
    $ tshark -r client.cap -R http.request
      4   0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
    $ tshark -r client.cap -R http.request -x
      4   0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0

    0000  00 12 1e bb d1 3b 00 1c bf 61 3a ad 08 00 45 00   .....;...a:...E.
    0010  00 92 58 8c 40 00 80 06 1e 47 c0 a8 01 2e c0 a8   [email_address]
    0020  01 14 a9 a2 00 50 9f e7 2d 1b ec 3b 0e 47 50 18   .....P..-..;.GP.
    0030  fa 00 7d 5b 00 00 47 45 54 20 2f 20 48 54 54 50   ..}[..GET / HTTP
    0040  2f 31 2e 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74   /1.0..User-Agent
    0050  3a 20 57 67 65 74 2f 31 2e 31 31 2e 33 0d 0a 41   : Wget/1.11.3..A
    0060  63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 74   ccept: */*..Host
    0070  3a 20 62 72 75 74 75 73 2e 6e 65 74 63 63 2e 6c   : brutus.netcc.l
    0080  6f 63 61 6c 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e   ocal..Connection
    0090  3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a   : Keep-Alive....
    $
  • Use fields of your choice as output
    • Use -T fields with multiple -e <field> options
    • Add header with -E header=y
    • Choose a different separator with -E separator=<char>
    • Use quoting with -E quote=d (or s)
  • Example of output with -T fields
    $ tshark -r client.cap -R "tcp.len>0" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.len
    0.002689000    192.168.1.46    192.168.1.20    106
    0.024024000    192.168.1.20    192.168.1.46    375
    $
    $ tshark -r client.cap -R http.response -T fields -E header=y -e frame.time -e http.response.code -e http.content_length
    frame.time    http.response.code    http.content_length
    Sep 23, 2008 22:31:59.270476000    200    45
    $
    $ tshark -r client.cap -R http.response -T fields -E header=y -E separator=',' -E quote=d -e frame.time_relative -e http.response.code -e http.content_length
    frame.time_relative,http.response.code,http.content_length
    "0.024024000","200","45"
    $
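As an added example (not from the slides), a small Python parser for the -T fields output shown above: it handles the default tab-separated layout, where the -e order supplies the column names, as well as the -E header=y / -E separator=',' / -E quote=d form, and then aggregates tcp.len per direction. The sample strings are constructed from the output on this slide.

```python
import csv
import io

# Constructed sample: default -T fields output (tab-separated, no header) from
#   tshark -r client.cap -R "tcp.len>0" -T fields -e frame.time_relative \
#          -e ip.src -e ip.dst -e tcp.len
TAB_SAMPLE = ("0.002689000\t192.168.1.46\t192.168.1.20\t106\n"
              "0.024024000\t192.168.1.20\t192.168.1.46\t375\n")
TAB_FIELDS = ["frame.time_relative", "ip.src", "ip.dst", "tcp.len"]

# Constructed sample: the -E header=y -E separator=',' -E quote=d form.
CSV_SAMPLE = ("frame.time_relative,http.response.code,http.content_length\n"
              '"0.024024000","200","45"\n')


def parse_fields_output(text, fields=None, separator="\t", quote=None):
    """Parse tshark -T fields output into a list of dicts.

    fields: the -e names in order; required when no -E header=y row exists.
    quote:  'd' or 's', mirroring -E quote=d / -E quote=s; None if unquoted.
    """
    quotechar = {"d": '"', "s": "'"}.get(quote)
    reader = csv.reader(
        io.StringIO(text),
        delimiter=separator,
        quotechar=quotechar or '"',
        quoting=csv.QUOTE_NONE if quotechar is None else csv.QUOTE_MINIMAL,
    )
    rows = [row for row in reader if row]      # drop blank lines
    if fields is None:                          # first row is the header line
        fields, rows = rows[0], rows[1:]
    return [dict(zip(fields, row)) for row in rows]


def bytes_per_direction(records):
    """Sum tcp.len per (ip.src, ip.dst) pair, e.g. to spot the chatty side."""
    totals = {}
    for rec in records:
        key = (rec["ip.src"], rec["ip.dst"])
        totals[key] = totals.get(key, 0) + int(rec["tcp.len"])
    return totals
```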
  • Use XML output format
    • Use -T pdml to see the whole protocol tree in XML
    • Same tree as in Wireshark
    • All sub trees expanded, no way to control this
    • Extremely verbose output:
    $ tshark -r client.cap -R http.request | wc
          1       9      66
    $ tshark -r client.cap -R http.request -V | wc
         78     399    3331
    $ tshark -r client.cap -R http.request -T pdml | wc
        116    1042   12074
    $
  • Example of output with -T pdml
    $ tshark -r client.cap -R http.request -T pdml
    <?xml version="1.0"?>
    <pdml version="0" creator="wireshark/1.1.2-SVN-26732">
    <packet>
      <proto name="geninfo" pos="0" showname="General information" size="160">
        <field name="num" pos="0" show="4" showname="Number" value="4" size="160"/>
        <field name="len" pos="0" show="160" showname="Packet Length" value="a0" size="160"/>
        <field name="caplen" pos="0" show="160" showname="Captured Length" value="a0" size="160"/>
        <field name="timestamp" pos="0" show="Sep 23, 2008 22:31:59.249141000" showname="Captured Time" value="1222201919.249141000" size="160"/>
      </proto>
      <proto name="frame" showname="Frame 4 (160 bytes on wire, 160 bytes captured)" size="160" pos="0">
        <field name="frame.time" showname="Arrival Time: Sep 23, 2008 22:31:59.249141000" size="0" pos="0" show="Sep 23, 2008 22:31:59.249141000"/>
        <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000589000 seconds" size="0" pos="0" show="0.000589000"/>
        <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.002689000 seconds" size="0" pos="0" show="0.002689000"/>
        <field name="frame.time_relative" showname="Time since reference or first frame: 0.002689000 seconds" size="0" pos="0" show="0.002689000"/>
        <field name="frame.number" showname="Frame Number: 4" size="0" pos="0" show="4"/>
        <field name="frame.pkt_len" showname="Packet Length: 160 bytes" hide="yes" size="0" pos="0" show="160"/>
        <field name="frame.len" showname="Frame Length: 160 bytes" size="0" pos="0" show="160"/>
        <field name="frame.cap_len" showname="Capture Length: 160 bytes" size="0" pos="0" show="160"/>
        <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
        <field name="frame.protocols" showname="Protocols in frame: eth:ip:tcp:http" size="0" pos="0" show="eth:ip:tcp:http"/>
      </proto>
      <proto name="eth" showname="Ethernet II, Src: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad), Dst: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)" size="14" pos="0">
    [ rest of output omitted ]
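An added example, not part of the original presentation: parsing -T pdml output in Python with only the standard library, walking nested <field> elements and honouring the hide="yes" attribute seen on frame.pkt_len above. The PDML sample is constructed from the output on this slide, trimmed to a single packet; the eth.ig field nested under eth.dst is an assumed shape, not copied from the slide.

```python
import xml.etree.ElementTree as ET

# Constructed PDML sample (assumption: shaped like the tshark -T pdml output
# above, trimmed to one packet; the eth.ig field nested under eth.dst is assumed).
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.1.2-SVN-26732">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="160">
<field name="num" pos="0" show="4" showname="Number" value="4" size="160"/>
</proto>
<proto name="frame" showname="Frame 4 (160 bytes on wire, 160 bytes captured)" size="160" pos="0">
<field name="frame.pkt_len" showname="Packet Length: 160 bytes" hide="yes" size="0" pos="0" show="160"/>
<field name="frame.len" showname="Frame Length: 160 bytes" size="0" pos="0" show="160"/>
<field name="frame.protocols" showname="Protocols in frame: eth:ip:tcp:http" size="0" pos="0" show="eth:ip:tcp:http"/>
</proto>
<proto name="eth" showname="Ethernet II" size="14" pos="0">
<field name="eth.dst" showname="Destination: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)" size="6" pos="0" show="00:12:1e:bb:d1:3b" value="00121ebbd13b">
<field name="eth.ig" showname="IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0"/>
</field>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
</packet>
</pdml>
"""


def _collect_fields(elem, out, include_hidden):
    """Recursively record name -> [show values] for every <field> below elem."""
    for field in elem.findall("field"):
        if field.get("hide") == "yes" and not include_hidden:
            continue                 # hidden fields are not shown in the -V tree
        name = field.get("name")
        if name:
            out.setdefault(name, []).append(field.get("show", ""))
        _collect_fields(field, out, include_hidden)   # <field> elements nest


def parse_pdml(text, include_hidden=False):
    """Return one dict per <packet>: field name -> list of 'show' values."""
    packets = []
    for pkt in ET.fromstring(text).findall("packet"):
        fields = {}
        for proto in pkt.findall("proto"):
            _collect_fields(proto, fields, include_hidden)
        packets.append(fields)
    return packets


def protocol_stack(packet):
    """Split frame.protocols ('eth:ip:tcp:http') into a list of layer names."""
    return packet.get("frame.protocols", [""])[0].split(":")
```

Fields that occur more than once in a packet keep every occurrence in list order, which is why each value is stored as a list rather than a single string.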
  • That's all folks!
    • More info:
      • see the manpages at: http://www.wireshark.org/docs/man-pages/
    • Next month's episode: "using tshark's -z options (1)"
    • e-mail: [email_address]
    • LoveMyTool.com Community for Network Monitoring & Management Tools
    • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html