Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

tshark outputting all fields?

Is it possible to get tshark output every field (within the packet) using the -T fields option, or similar?

e.g. For every field in the packet/reconstruction, I would like something like this:

eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html

(The comma could be replaced with a \xff to make parsing better when values contain commas.)

I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.

I currently plan to use the tshark -V option and parse that, but ideally I would like more machine style terms such as http.request.uri instead of "human readable" e.g.:

Hypertext Transfer Protocol
    GET /main.php HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
            [Message: GET /main.php HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /main.php
like image 795
gak Avatar asked Mar 06 '13 06:03

gak


People also ask

What is the difference between Tshark and tcpdump?

TShark is the command line version of Wireshark. It works similarly to tcpdump but is capable of parsing hundreds of protocols directly. It is therefore very useful for in-depth protocol analysis.

Which command will give you a full listing of available statistics in Tshark?

Type tshark -D and tshark will list all the available interfaces. Note that not all the listed interfaces will be working. Type ifconfig to find working interfaces on your system. In my case, it's enp0s3.

How do you capture Tshark packets?

Once you start capturing data, you'll see packets displayed in real-time, as shown below. And at any point, you can press Ctrl+C to stop from capturing packets. Like other popular data-network packet analyzer tools, such as tcpdump and Wireshark, Tshark uses the pcap library (libpcap) to capture packets.

What is the difference between Wireshark and Tshark?

Wireshark is a graphical application. tshark is that application without the GUI. (i.e. command line.) dumpcap , per Wireshark's documentation, is "a small program whose only purpose is to capture network traffic, while retaining advanced features like capturing to multiple files (since version 0.99.


1 Answers

Just stumbled across:

tshark -T pdml

which is exactly what I need:

<packet>
  <proto name="geninfo" pos="0" showname="General information" size="173">
    <field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
    <field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
    <field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
    <field name="timestamp" pos="0" show="Aug  7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
  </proto>
  <proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
    <field name="frame.time" showname="Arrival Time: Aug  7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug  7, 2011 16:16:13.579504000"/>
    ... etc.

It includes the Wireshark filter name, as well as all the fields that are included in the packet.

Update: This is quite slow, and hacking up tshark.c so -V prints out the abbrev instead of the name in the header_field_info *hfinfo; does the trick too. I should probably contribute this an a option when I get the chance.

like image 184
gak Avatar answered Oct 18 '22 23:10

gak