OSTU - Sake Blok on Wireshark Capture File Manipulation (Part I)

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in the test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.


  1. Capture file manipulation Part I: packet selection (August 2008)

  2. Welcome Back!
     - Third episode of a monthly series about using the Wireshark CLI tools
     - Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html

  3. This month's topic
     - In this third episode, I will show you how to manipulate capture files so that they contain only the packets that you want
     - You will learn to use:
       - capinfos to show a capture file summary
       - tshark to extract packets
       - mergecap to merge capture files
       - editcap to split capture files

  4. Use capinfos to get quick info (1)

        $ capinfos test01.cap
        File name:           test01.cap
        File type:           Wireshark/tcpdump/... - libpcap
        File encapsulation:  Ethernet
        Number of packets:   7387
        File size:           4194809 bytes
        Data size:           4076593 bytes
        Capture duration:    113.756167 seconds
        Start time:          Wed Aug 13 19:47:53 2008
        End time:            Wed Aug 13 19:49:47 2008
        Data rate:           35836.24 bytes/s
        Data rate:           286689.90 bits/s
        Average packet size: 551.86 bytes
        Average packet rate: 64.94 packets/s
        $

  5. Use capinfos to get quick info (2)

        $ capinfos -ae test*cap
        File name:           test01.cap
        Start time:          Wed Aug 13 19:47:53 2008
        End time:            Wed Aug 13 19:49:47 2008
        File name:           test02.cap
        Start time:          Wed Aug 13 19:49:47 2008
        End time:            Wed Aug 13 19:50:30 2008
        File name:           test03.cap
        Start time:          Wed Aug 13 19:50:30 2008
        End time:            Wed Aug 13 19:51:27 2008
        File name:           test04.cap
        Start time:          Wed Aug 13 19:51:27 2008
        End time:            Wed Aug 13 19:51:42 2008
        $

  6. Use tshark to extract packets

        $ tshark -r test03.cap -R "tcp.port==34421" -w port-34421.cap
        $
        $ capinfos -aec test03.cap port-34421.cap
        File name:           test03.cap
        Number of packets:   5900
        Start time:          Wed Aug 13 19:50:30 2008
        End time:            Wed Aug 13 19:51:27 2008
        File name:           port-34421.cap
        Number of packets:   110
        Start time:          Wed Aug 13 19:51:11 2008
        End time:            Wed Aug 13 19:51:19 2008
        $
        $ tshark -C clean -c 10 -r port-34421.cap
          1 0.000000 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
          2 0.333175 195.12.3.3 -> 192.168.1.46 TCP http > 34421 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0
          3 0.333227 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=1 Ack=1 Win=128000 Len=0
          4 0.334018 192.168.1.46 -> 195.12.3.3 HTTP GET /images/menubar/menu_on_5.gif HTTP/1.1
          5 0.615100 195.12.3.3 -> 192.168.1.46 TCP [TCP segment of a reassembled PDU]
          6 0.615203 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a)
          7 0.615241 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=700 Ack=1473 Win=128000 Len=0
          8 0.615849 192.168.1.46 -> 195.12.3.3 HTTP GET /images/buttonBG.gif HTTP/1.1
          9 0.966606 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a)
         10 0.967238 192.168.1.46 -> 195.12.3.3 HTTP GET /images/nav_02_dn.gif HTTP/1.1
        $

  7. Use mergecap to merge capture files

        $ tshark -r test03.cap -R "tcp.port==34421" -w tmp03.cap
        $ tshark -r test04.cap -R "tcp.port==34421" -w tmp04.cap
        $ mergecap -w port-34421.cap tmp03.cap tmp04.cap
        $
        $ capinfos -aec tmp03.cap tmp04.cap port-34421.cap
        File name:           tmp03.cap
        Number of packets:   110
        Start time:          Wed Aug 13 19:51:11 2008
        End time:            Wed Aug 13 19:51:19 2008
        File name:           tmp04.cap
        Number of packets:   64
        Start time:          Wed Aug 13 19:51:32 2008
        End time:            Wed Aug 13 19:51:36 2008
        File name:           port-34421.cap
        Number of packets:   174
        Start time:          Wed Aug 13 19:51:11 2008
        End time:            Wed Aug 13 19:51:36 2008
        $

  8. Use editcap to split capture files (1): <x> packets per file

        $ editcap -c 2500 test01.cap tmp01.cap
        $
        $ capinfos -aec tmp01.cap*
        File name:           tmp01.cap-00000
        Number of packets:   2500
        Start time:          Wed Aug 13 19:47:53 2008
        End time:            Wed Aug 13 19:49:09 2008
        File name:           tmp01.cap-00001
        Number of packets:   2500
        Start time:          Wed Aug 13 19:49:09 2008
        End time:            Wed Aug 13 19:49:27 2008
        File name:           tmp01.cap-00002
        Number of packets:   2387
        Start time:          Wed Aug 13 19:49:27 2008
        End time:            Wed Aug 13 19:49:47 2008
        $

  9. Use editcap to split capture files (2): <x> seconds per file

        $ editcap -i 30 test01.cap tmp01.cap
        $
        $ capinfos -ae tmp01.cap*
        File name:           tmp01.cap-00000
        Start time:          Wed Aug 13 19:47:53 2008
        End time:            Wed Aug 13 19:48:17 2008
        File name:           tmp01.cap-00001
        Start time:          Wed Aug 13 19:48:30 2008
        End time:            Wed Aug 13 19:48:48 2008
        File name:           tmp01.cap-00002
        Start time:          Wed Aug 13 19:48:57 2008
        End time:            Wed Aug 13 19:49:23 2008
        File name:           tmp01.cap-00003
        Start time:          Wed Aug 13 19:49:23 2008
        End time:            Wed Aug 13 19:49:47 2008
        $

  10. Use editcap to select packets (1): by packet numbers

        $ editcap -r test01.cap tmp01.cap 1-10 21-30
        Add_Selected: 1-10
        Inclusive ... 1, 10
        Add_Selected: 21-30
        Inclusive ... 21, 30
        $
        $ capinfos -aec tmp01.cap
        File name:           tmp01.cap
        Number of packets:   20
        Start time:          Wed Aug 13 19:47:53 2008
        End time:            Wed Aug 13 19:47:54 2008
        $

  11. Use editcap to select packets (2): by time

        $ editcap -A "2008-08-13 19:48:00" -B "2008-08-13 19:48:59" test01.cap tmp01.cap
        $
        $ capinfos -aec tmp01.cap
        File name:           tmp01.cap
        Number of packets:   844
        Start time:          Wed Aug 13 19:48:00 2008
        End time:            Wed Aug 13 19:48:59 2008
        $

  12. All together now :-)

        $ mergecap -w total.cap test*cap
        $ editcap -A "2008-08-13 19:48:00" -B "2008-08-13 19:50:59" total.cap clean.cap
        $ editcap -i 60 clean.cap by-minute.cap
        $
        $ capinfos -ae by-minute.cap*
        File name:           by-minute.cap-00000
        Start time:          Wed Aug 13 19:48:00 2008
        End time:            Wed Aug 13 19:48:59 2008
        File name:           by-minute.cap-00001
        Start time:          Wed Aug 13 19:49:01 2008
        End time:            Wed Aug 13 19:49:59 2008
        File name:           by-minute.cap-00002
        Start time:          Wed Aug 13 19:50:00 2008
        End time:            Wed Aug 13 19:50:59 2008
        $
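The two editcap operations that slides 9, 11 and 12 combine (time-range selection with -A/-B and splitting into fixed intervals with -i) are reimplemented below on the raw libpcap record format, as an added example that is not code from the presentation or from the Wireshark project. The sample capture and its base timestamp are constructed; the assumption that interval boundaries are anchored at the first packet's timestamp is inferred from the file start and end times shown on slide 9.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond-resolution libpcap magic
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Parse a libpcap file into (header tuple, [(ts_sec, ts_usec, payload)]), refusing bad lengths."""
    hdr = GLOBAL_HDR.unpack_from(data, 0)
    if hdr[0] != PCAP_MAGIC:
        raise ValueError("unsupported magic 0x%08x" % hdr[0])
    records, off = [], GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > hdr[5] or off + incl_len > len(data):   # longer than snaplen or than the file
            raise ValueError("record at offset %d exceeds snaplen or file size" % off)
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return hdr, records

def write_pcap(hdr, records):
    """Serialize records back into a libpcap file, the format editcap and mergecap -w write here."""
    chunks = [GLOBAL_HDR.pack(*hdr)]
    for ts_sec, ts_usec, payload in records:
        chunks.append(RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload)
    return b"".join(chunks)

def select_by_time(records, start_sec, stop_sec):
    """editcap -A/-B: keep packets with start <= timestamp <= stop (both bounds inclusive)."""
    return [r for r in records if start_sec <= r[0] <= stop_sec]

def split_by_interval(records, secs_per_file):
    """editcap -i: one list per interval, boundaries anchored at the first packet's timestamp."""
    if not records:
        return []
    files, current = [], []
    block_end = records[0][0] + records[0][1] / 1e6 + secs_per_file
    for ts_sec, ts_usec, payload in records:
        while ts_sec + ts_usec / 1e6 >= block_end:  # past this interval; an empty one yields an empty list
            files.append(current)
            current, block_end = [], block_end + secs_per_file
        current.append((ts_sec, ts_usec, payload))
    files.append(current)
    return files

# Constructed sample capture: six 60-byte frames at the given second offsets from a constructed base time.
T0 = 1218656873
SAMPLE_HDR = (PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet, as in capinfos' output above
SAMPLE_RECORDS = [(T0 + off, 500_000, bytes(60)) for off in (0, 10, 25, 40, 70, 95)]
```

Splitting the sample at 15-second intervals leaves two intervals with no packets, which is the case to watch when naming output files by interval number.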
  13. That's all folks!
     - More info: see the manpages at: http://www.wireshark.org/docs/man-pages/
     - Next month's episode: "Capture file manipulation Part II: changing packets"
     - e-mail: [email_address]

  14. LoveMyTool.com
     - Community for Network Monitoring & Management Tools
     - For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
