OSTU - Sake Blok on Wireshark Capture File Manipulation (Part I)

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

1. Capture file manipulation Part I: packet selection (August 2008)

2. Welcome Back!
   - Third episode of a monthly series about using the Wireshark CLI tools
   - Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html

3. This month's topic
   - In this third episode, I will show you how to manipulate capture files so that they contain only the packets that you want
   - You will learn to use:
     - capinfos to show a capture file summary
     - tshark to extract packets
     - mergecap to merge capture files
     - editcap to split capture files and to select packets by number or by time
4. Use capinfos to get quick info (1)

   Without options, capinfos prints the full summary of a capture file:

    $ capinfos test01.cap
    File name: test01.cap
    File type: Wireshark/tcpdump/... - libpcap
    File encapsulation: Ethernet
    Number of packets: 7387
    File size: 4194809 bytes
    Data size: 4076593 bytes
    Capture duration: 113.756167 seconds
    Start time: Wed Aug 13 19:47:53 2008
    End time: Wed Aug 13 19:49:47 2008
    Data rate: 35836.24 bytes/s
    Data rate: 286689.90 bits/s
    Average packet size: 551.86 bytes
    Average packet rate: 64.94 packets/s
    $

5. Use capinfos to get quick info (2)

   With -a (start time) and -e (end time) capinfos prints only those fields, which is handy for checking a whole set of files at once (the examples below also use -c for the packet count):

    $ capinfos -ae test*cap
    File name: test01.cap
    Start time: Wed Aug 13 19:47:53 2008
    End time: Wed Aug 13 19:49:47 2008
    File name: test02.cap
    Start time: Wed Aug 13 19:49:47 2008
    End time: Wed Aug 13 19:50:30 2008
    File name: test03.cap
    Start time: Wed Aug 13 19:50:30 2008
    End time: Wed Aug 13 19:51:27 2008
    File name: test04.cap
    Start time: Wed Aug 13 19:51:27 2008
    End time: Wed Aug 13 19:51:42 2008
    $
6. Use tshark to extract packets

   A display filter selects the packets and -w writes only the matching packets to a new capture file; capinfos then confirms that 110 of the 5900 packets survived:

    $ tshark -r test03.cap -R "tcp.port==34421" -w port-34421.cap
    $
    $ capinfos -aec test03.cap port-34421.cap
    File name: test03.cap
    Number of packets: 5900
    Start time: Wed Aug 13 19:50:30 2008
    End time: Wed Aug 13 19:51:27 2008
    File name: port-34421.cap
    Number of packets: 110
    Start time: Wed Aug 13 19:51:11 2008
    End time: Wed Aug 13 19:51:19 2008
    $
    $ tshark -C clean -c 10 -r port-34421.cap
      1 0.000000 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
      2 0.333175 195.12.3.3 -> 192.168.1.46 TCP http > 34421 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0
      3 0.333227 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=1 Ack=1 Win=128000 Len=0
      4 0.334018 192.168.1.46 -> 195.12.3.3 HTTP GET /images/menubar/menu_on_5.gif HTTP/1.1
      5 0.615100 195.12.3.3 -> 192.168.1.46 TCP [TCP segment of a reassembled PDU]
      6 0.615203 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a)
      7 0.615241 192.168.1.46 -> 195.12.3.3 TCP 34421 > http [ACK] Seq=700 Ack=1473 Win=128000 Len=0
      8 0.615849 192.168.1.46 -> 195.12.3.3 HTTP GET /images/buttonBG.gif HTTP/1.1
      9 0.966606 195.12.3.3 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (GIF89a)
     10 0.967238 192.168.1.46 -> 195.12.3.3 HTTP GET /images/nav_02_dn.gif HTTP/1.1
    $

   Here -C clean selects a configuration profile named "clean" and -c 10 stops after ten packets. In current tshark releases -R is a first-pass read filter that is only meaningful together with -2; the single-pass equivalent of the extraction above is: tshark -r test03.cap -Y "tcp.port==34421" -w port-34421.cap
7. Use mergecap to merge capture files

   Extract the interesting packets from each file first, then merge the results. By default mergecap interleaves its input files by packet timestamp (with -a it concatenates them in the order given instead):

    $ tshark -r test03.cap -R "tcp.port==34421" -w tmp03.cap
    $ tshark -r test04.cap -R "tcp.port==34421" -w tmp04.cap
    $ mergecap -w port-34421.cap tmp03.cap tmp04.cap
    $
    $ capinfos -aec tmp03.cap tmp04.cap port-34421.cap
    File name: tmp03.cap
    Number of packets: 110
    Start time: Wed Aug 13 19:51:11 2008
    End time: Wed Aug 13 19:51:19 2008
    File name: tmp04.cap
    Number of packets: 64
    Start time: Wed Aug 13 19:51:32 2008
    End time: Wed Aug 13 19:51:36 2008
    File name: port-34421.cap
    Number of packets: 174
    Start time: Wed Aug 13 19:51:11 2008
    End time: Wed Aug 13 19:51:36 2008
    $

   Check: 110 + 64 = 174 packets, and the merged file runs from the first packet of tmp03.cap to the last packet of tmp04.cap.
8. Use editcap to split capture files (1): <x> packets per file

    $ editcap -c 2500 test01.cap tmp01.cap
    $
    $ capinfos -aec tmp01.cap*
    File name: tmp01.cap-00000
    Number of packets: 2500
    Start time: Wed Aug 13 19:47:53 2008
    End time: Wed Aug 13 19:49:09 2008
    File name: tmp01.cap-00001
    Number of packets: 2500
    Start time: Wed Aug 13 19:49:09 2008
    End time: Wed Aug 13 19:49:27 2008
    File name: tmp01.cap-00002
    Number of packets: 2387
    Start time: Wed Aug 13 19:49:27 2008
    End time: Wed Aug 13 19:49:47 2008
    $

   editcap appends a five-digit sequence number to the output file name; the 7387 packets of test01.cap become two full files of 2500 packets and a last file holding the remaining 2387.

9. Use editcap to split capture files (2): <x> seconds per file

    $ editcap -i 30 test01.cap tmp01.cap
    $
    $ capinfos -ae tmp01.cap*
    File name: tmp01.cap-00000
    Start time: Wed Aug 13 19:47:53 2008
    End time: Wed Aug 13 19:48:17 2008
    File name: tmp01.cap-00001
    Start time: Wed Aug 13 19:48:30 2008
    End time: Wed Aug 13 19:48:48 2008
    File name: tmp01.cap-00002
    Start time: Wed Aug 13 19:48:57 2008
    End time: Wed Aug 13 19:49:23 2008
    File name: tmp01.cap-00003
    Start time: Wed Aug 13 19:49:23 2008
    End time: Wed Aug 13 19:49:47 2008
    $

   The 30-second blocks are counted from the first packet (19:47:53), so the boundaries fall at 19:48:23, 19:48:53 and 19:49:23. Each output file starts with the first packet captured at or after a boundary, which is why tmp01.cap-00001 starts at 19:48:30 rather than exactly on the boundary: nothing was captured between 19:48:17 and 19:48:30.
10. Use editcap to select packets (1): by packet numbers

   Without -r, the packet numbers given on the command line are the packets to delete; -r reverses the selection, so only the listed packets are kept:

    $ editcap -r test01.cap tmp01.cap 1-10 21-30
    Add_Selected: 1-10
    Inclusive ... 1, 10
    Add_Selected: 21-30
    Inclusive ... 21, 30
    $
    $ capinfos -aec tmp01.cap
    File name: tmp01.cap
    Number of packets: 20
    Start time: Wed Aug 13 19:47:53 2008
    End time: Wed Aug 13 19:47:54 2008
    $

11. Use editcap to select packets (2): by time

   -A keeps packets from the given start time onwards and -B keeps packets up to the given stop time:

    $ editcap -A "2008-08-13 19:48:00" -B "2008-08-13 19:48:59" test01.cap tmp01.cap
    $
    $ capinfos -aec tmp01.cap
    File name: tmp01.cap
    Number of packets: 844
    Start time: Wed Aug 13 19:48:00 2008
    End time: Wed Aug 13 19:48:59 2008
    $
12. All together now :-)

   Merge all captures, cut the merged file down to the time window of interest, then split the result into one file per minute:

    $ mergecap -w total.cap test*cap
    $ editcap -A "2008-08-13 19:48:00" -B "2008-08-13 19:50:59" total.cap clean.cap
    $ editcap -i 60 clean.cap by-minute.cap
    $
    $ capinfos -ae by-minute.cap*
    File name: by-minute.cap-00000
    Start time: Wed Aug 13 19:48:00 2008
    End time: Wed Aug 13 19:48:59 2008
    File name: by-minute.cap-00001
    Start time: Wed Aug 13 19:49:01 2008
    End time: Wed Aug 13 19:49:59 2008
    File name: by-minute.cap-00002
    Start time: Wed Aug 13 19:50:00 2008
    End time: Wed Aug 13 19:50:59 2008
    $
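The operations on slides 6 through 12 (extracting one TCP port, merging in timestamp order, splitting by packet count or by time interval, selecting by packet number or time window) all work on the packet records of a capture file. The following is an added example, not part of the original presentation and not Wireshark code: a small Python implementation of those operations over the classic libpcap file format, written so the behaviour the slides show can be reproduced without the tools. Everything in it is this example's own: the parser and writer, the function names, the constructed frame builder tcp_frame, the arbitrary epoch time BASE and the constructed eight-packet SAMPLE capture (the port 34421 and the addresses are borrowed from the slides only for familiarity). Unlike the real tools it reads libpcap only (pcapng and truncated files raise ValueError), understands Ethernet/IPv4/TCP only, and treats the -A/-B window as inclusive.

```python
"""Added example: a minimal libpcap toolkit mirroring the capinfos/tshark/mergecap/editcap
operations on these slides.  Not Wireshark code; classic libpcap format only (no pcapng)."""
import heapq
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # magic of a microsecond-resolution libpcap file

def write_pcap(packets, linktype=1):
    """Serialise [(timestamp_seconds, frame_bytes)] as little-endian libpcap (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def read_pcap(blob):
    """Parse libpcap bytes of either byte order into (linktype, [(ts, frame)])."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # the same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a microsecond libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", blob[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + caplen]
        if len(frame) != caplen:          # file cut short in the middle of a record
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((sec + usec / 1e6, frame))
        off += 16 + caplen
    return linktype, packets

def capinfos(packets):
    """capinfos -c -a -e: packet count, first and last timestamp."""
    start, end = (packets[0][0], packets[-1][0]) if packets else (None, None)
    return {"packets": len(packets), "start": start, "end": end}

def tcp_ports(frame):
    """(sport, dport) of an Ethernet/IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:      # IP protocol 6 = TCP
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def filter_tcp_port(packets, port):
    """tshark -r in -Y "tcp.port==PORT" -w out: keep packets using PORT in either direction."""
    return [(ts, f) for ts, f in packets if port in (tcp_ports(f) or ())]

def merge(*captures):
    """mergecap -w out a b ...: interleave by timestamp (mergecap -a would concatenate)."""
    return list(heapq.merge(*captures, key=lambda p: p[0]))

def select_numbers(packets, ranges):
    """editcap -r in out 1-10 21-30: keep only the listed 1-based, inclusive ranges."""
    keep = set()
    for r in ranges:
        lo, _, hi = r.partition("-")
        keep.update(range(int(lo), int(hi or lo) + 1))
    return [p for i, p in enumerate(packets, 1) if i in keep]

def select_time(packets, start, end):
    """editcap -A start -B end, treated here as an inclusive window."""
    return [p for p in packets if start <= p[0] <= end]

def split_by_count(packets, n):
    """editcap -c N: consecutive files of at most N packets."""
    return [packets[i:i + n] for i in range(0, len(packets), n)]

def split_by_interval(packets, secs):
    """editcap -i SECS: blocks counted from the first packet; a block with no packets yields no file."""
    chunks, block_start = [], None
    for ts, frame in packets:
        if block_start is None or ts >= block_start + secs:
            # jump straight to the block containing ts, skipping any empty blocks in between
            block_start = ts if block_start is None else block_start + secs * int((ts - block_start) // secs)
            chunks.append([])
        chunks[-1].append((ts, frame))
    return chunks

def tcp_frame(sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) for the sample capture."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 46]), bytes([195, 12, 3, 3]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip + tcp + payload

# Constructed sample capture: eight packets over 95 seconds on two client ports (not slide data).
BASE = 1_218_656_873.0
SAMPLE = [(BASE + off, tcp_frame(sp, dp)) for off, sp, dp in (
    (0, 34421, 80), (1, 80, 34421), (5, 34422, 80), (31, 34421, 80),
    (33, 80, 34422), (62, 34422, 80), (70, 34421, 80), (95, 80, 34421))]
```

Running read_pcap(write_pcap(SAMPLE)) round-trips the sample; filter_tcp_port(SAMPLE, 34421) keeps the five packets on that port, merging the port-34421 and port-34422 extracts gives the original capture back (the check on slide 7), and split_by_interval(SAMPLE, 30) yields files of 3, 2, 2 and 1 packets whose first packets sit at 0, 31, 62 and 95 seconds, the same "first packet at or after the block boundary" behaviour visible on slide 9. The byte-order check and the truncated-record check are the two things worth keeping when adapting this to real files: a capture that was cut short (a crashed capture process, an incomplete transfer) will otherwise be silently read as complete.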
13. That's all folks!
   - More info: see the manpages at: http://www.wireshark.org/docs/man-pages/
   - Next month's episode: "Capture file manipulation Part II: changing packets"
   - e-mail: [email_address]

14. LoveMyTool.com Community for Network Monitoring & Management Tools
   - For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html
