OSTU - Sake Blok on Controlling tshark Display Format

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

  1. Controlling tshark's displaying behavior (October 2008)

  2. Welcome Back!
     • Fifth episode of a monthly series about using the Wireshark CLI tools
     • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html

  3. This month's topic
     • In this fifth episode, I will show you how you can change the way tshark displays packets
     • You will learn how to:
       - Select the columns to display
       - Control name resolution
       - Use a time format of your choice
       - Use "decode as…" functionality

  4. Select the columns to display
     • Change the column.format preference value with '-o column.format:<str>'
     • Format definitions can be found at: http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?revision=24964&view=markup
     • Example:

       $ tshark -r client.cap -R http -o column.format:'"No.", "%m", "Time", "%t", "src", "%hs", "dst", "%hd", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "len", "%L", "Protocol", "%p", "Info", "%i"'
         4 0.002689 IntelCor_61:3a:ad -> JuniperN_bb:d1:3b 192.168.1.46 -> 192.168.1.20 43426 http 160 HTTP GET / HTTP/1.0
         6 0.024024 JuniperN_bb:d1:3b -> IntelCor_61:3a:ad 192.168.1.20 -> 192.168.1.46 http 43426 429 HTTP HTTP/1.1 200 OK
       $

  5. Control name resolution (1)
     • Use the -n option to disable all name resolution
     • By default only MAC-address and transport-layer (port) resolution is enabled

       $ tshark -n -r client.cap -R http -o column.format:'"No.", "%m", "Time", "%t", "src", "%hs", "dst", "%hd", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "len", "%L", "Protocol", "%p", "Info", "%i"'
         4 0.002689 00:1c:bf:61:3a:ad -> 00:12:1e:bb:d1:3b 192.168.1.46 -> 192.168.1.20 43426 80 160 HTTP GET / HTTP/1.0
         6 0.024024 00:12:1e:bb:d1:3b -> 00:1c:bf:61:3a:ad 192.168.1.20 -> 192.168.1.46 80 43426 429 HTTP HTTP/1.1 200 OK
       $

  6. Control name resolution (2)
     • Use the '-N <arg>' option to enable name resolution for certain layers only. The argument is a string that may contain the letters:
       - m to enable MAC address resolution
       - n to enable network address resolution
       - t to enable transport-layer port number resolution
       - C to enable concurrent (asynchronous) DNS lookups
     • Example: '-Nnt' to resolve hostnames and port numbers

  7. Use a time format of your choice (1)
     • Use the -t option to select a time format:
       - '-t ad' for absolute date and time
       - '-t a' for absolute time
       - '-t r' for time relative to the start of the capture
       - '-t d' for the delta to the previous captured packet
       - '-t dd' for the delta to the previous displayed packet

  8. Use a time format of your choice (2)

       $ tshark -r client.cap -R http -tad
         4 2008-09-23 22:31:59.249141 192.168.1.46 -> 192.168.1.20 HTTP G
         6 2008-09-23 22:31:59.270476 192.168.1.20 -> 192.168.1.46 HTTP H
       $
       $ tshark -r client.cap -R http -ta
         4 22:31:59.249141 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1
         6 22:31:59.270476 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200
       $
       $ tshark -r client.cap -R http -tr
         4 0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
         6 0.024024 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
       $
       $ tshark -r client.cap -R http -td
         4 0.000589 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
         6 0.019966 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
       $
       $ tshark -r client.cap -R http -tdd
         4 0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
         6 0.021335 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
       $

  9. Use "decode as…" functionality
     • Use the -d option to dissect data on non-standard ports or protocols: "-d <layer_type>==<selector>,<decode_as_protocol> ..."
     • Example (the capture is first rewritten with bittwiste so the HTTP traffic runs on port 8000 instead of 80):

       $ bittwiste -I client.cap -O port8000.cap -T tcp -s 80,8000 -d 80,8000
       $
       $ tshark -n -r port8000.cap -R 'tcp.len>0' -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "Protocol", "%p", "Info", "%i"'
         4 0.002689 192.168.1.46 -> 192.168.1.20 43426 8000 TCP 43426 > 8000 [PSH, ACK] Seq=1 Ack=1 Win=128000 Len=106
         6 0.024024 192.168.1.20 -> 192.168.1.46 8000 43426 TCP 8000 > 43426 [PSH, ACK] Seq=1 Ack=107 Win=5888 Len=375
       $
       $ tshark -n -r port8000.cap -R 'tcp.len>0' -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%S", "dstport", "%D", "Protocol", "%p", "Info", "%i"' -d 'tcp.port==8000,http'
         4 0.002689 192.168.1.46 -> 192.168.1.20 43426 8000 HTTP GET / HTTP/1.0
         6 0.024024 192.168.1.20 -> 192.168.1.46 8000 43426 HTTP HTTP/1.1 200 OK (text/html)
       $

  10. That's all folks!
     • More info: see the manpages at http://www.wireshark.org/docs/man-pages/
     • Next month's episode: "Using tshark's output formats"
     • e-mail: [email_address]

  11. LoveMyTool.com
     • Community for Network Monitoring & Management Tools
     • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
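The five -t formats on slides 7 and 8 are all derived from the same absolute frame timestamps; what differs is the reference point (capture start, previous captured frame, previous displayed frame). The script below is an added example, not part of the original slides, that reproduces the slide-8 columns from a constructed six-frame capture: frames 4 and 6 carry the absolute timestamps shown on the slide, frames 1, 3 and 5 are chosen so the relative and delta columns come out as on the slide (the capture-start time and the timestamps of the undisplayed frames are assumptions), and frame 2 is filler. It also reproduces the slide's behaviour of measuring the first displayed frame's "dd" value from the first captured frame.

```python
from datetime import datetime, timedelta

# Constructed sample capture: (frame number, absolute timestamp).
# Frames 4 and 6 use the timestamps printed by '-tad' on slide 8; the others
# are assumed values that make the relative/delta columns match the slide.
FRAMES = [
    (1, datetime(2008, 9, 23, 22, 31, 59, 246452)),  # capture start (assumed)
    (2, datetime(2008, 9, 23, 22, 31, 59, 247800)),  # filler
    (3, datetime(2008, 9, 23, 22, 31, 59, 248552)),  # previous captured before frame 4
    (4, datetime(2008, 9, 23, 22, 31, 59, 249141)),  # HTTP GET (displayed)
    (5, datetime(2008, 9, 23, 22, 31, 59, 250510)),  # previous captured before frame 6
    (6, datetime(2008, 9, 23, 22, 31, 59, 270476)),  # HTTP 200 OK (displayed)
]
# Frames that pass the display filter ('-R http' on the slide).
DISPLAYED = {4, 6}


def _secs(td: timedelta) -> str:
    """Format a time difference the way tshark prints it: seconds, 6 decimals."""
    return f"{td.total_seconds():.6f}"


def time_columns(frames, displayed):
    """Compute the value of every -t format for each displayed frame.

    Returns {frame_no: {"ad": ..., "a": ..., "r": ..., "d": ..., "dd": ...}}.
    'r' is relative to the first captured frame, 'd' to the previous captured
    frame (displayed or not) and 'dd' to the previous displayed frame.
    """
    start = frames[0][1]
    prev_captured = start
    # As on slide 8, the first displayed frame's 'dd' is measured from the
    # first captured frame, so its value equals the relative time.
    prev_displayed = start
    result = {}
    for no, ts in frames:
        if no in displayed:
            result[no] = {
                "ad": ts.strftime("%Y-%m-%d %H:%M:%S.%f"),
                "a": ts.strftime("%H:%M:%S.%f"),
                "r": _secs(ts - start),
                "d": _secs(ts - prev_captured),
                "dd": _secs(ts - prev_displayed),
            }
            prev_displayed = ts
        prev_captured = ts
    return result


def render(frames, displayed, fmt):
    """Render the displayed frames as 'No. Time' lines for one -t format."""
    cols = time_columns(frames, displayed)
    return [f"{no:>3} {cols[no][fmt]}" for no in sorted(cols)]


if __name__ == "__main__":
    for fmt in ("ad", "a", "r", "d", "dd"):
        print(f"$ tshark -r client.cap -R http -t{fmt}")
        print("\n".join(render(FRAMES, DISPLAYED, fmt)))
```

The point to take from this when reading timing columns in an investigation: '-td' values depend on frames the filter hid, so two runs with different filters give the same '-td' column but different '-tdd' columns.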
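The column.format string on slide 4, the -n/-N switches on slides 5 and 6, the -t formats on slide 7 and the -d "decode as" syntax on slide 9 are all easy to get wrong when assembled by hand inside shell quotes. The helper below is an added example, not code from the slides or from the Wireshark project: it builds a tshark argv list from those options so it can be handed to subprocess.run without any shell quoting, or printed with shlex.join as a paste-able command. The column labels are the ones the slide pairs with each %-code; the function and parameter names are this example's own. It uses the -R option exactly as the slides do; on current tshark releases -R is a two-pass read filter and the single-pass display-filter option is -Y.

```python
import shlex

# %-codes and the labels slide 4 pairs them with (full list of codes: epan/column.c).
COLUMN_LABELS = {
    "%m": "No.", "%t": "Time", "%hs": "src", "%hd": "dst",
    "%s": "Source", "%d": "Destination", "%S": "srcport", "%D": "dstport",
    "%L": "len", "%p": "Protocol", "%i": "Info",
}


def column_format(codes):
    """Build the value for '-o column.format:' from a list of %-codes.

    Each column is a quoted title followed by its quoted format code, e.g.
    '"No.", "%m", "Time", "%t"'. Unknown codes are rejected rather than
    silently passed on, since tshark would otherwise fall back to its defaults.
    """
    parts = []
    for code in codes:
        if code not in COLUMN_LABELS:
            raise ValueError(f"unknown column code {code!r}")
        parts.append(f'"{COLUMN_LABELS[code]}", "{code}"')
    return ", ".join(parts)


def tshark_argv(pcap, display_filter=None, columns=None, resolve=None,
                time_format=None, decode_as=()):
    """Return the tshark argv for the options covered on the slides.

    resolve:     None  -> tshark default (MAC and port resolution)
                 ""    -> '-n', disable all name resolution (slide 5)
                 "nt"  -> '-Nnt', resolve only the given layers (slide 6)
    time_format: one of "ad", "a", "r", "d", "dd" (slide 7)
    decode_as:   iterable of (layer_type, selector, protocol) tuples, emitted
                 as '-d layer_type==selector,protocol' (slide 9)
    """
    argv = ["tshark", "-r", pcap]
    if resolve == "":
        argv.append("-n")
    elif resolve:
        argv.append(f"-N{resolve}")
    if time_format:
        argv += ["-t", time_format]
    if display_filter:
        # '-R' as on the slides; current releases use '-Y' for display filters.
        argv += ["-R", display_filter]
    if columns:
        argv += ["-o", "column.format:" + column_format(columns)]
    for layer_type, selector, protocol in decode_as:
        argv += ["-d", f"{layer_type}=={selector},{protocol}"]
    return argv


if __name__ == "__main__":
    # Reproduce the second command on slide 9: HTTP on port 8000, no name resolution.
    argv = tshark_argv("port8000.cap", "tcp.len>0",
                       ["%m", "%t", "%s", "%d", "%S", "%D", "%p", "%i"],
                       resolve="", decode_as=[("tcp.port", 8000, "http")])
    print(shlex.join(argv))
    # To run it instead of printing it: subprocess.run(argv, check=True)
```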