This tutorial explains a few practical and useful scenarios for using the tshark command.
You'll learn how to auto-save captures to multiple files, auto-save captures based on time limits, specify your own buffer size for a capture, extract specific fields from a capture, and display statistics for a specific protocol from a capture.
1. Auto-save Captures to Multiple Files
For example, on your production server you want to capture traffic data for an extended period of time, and you would like to use these captures later to analyze the data.
In that situation, instead of storing all the output in a single file, you may want to automatically split the capture into multiple files based on a size that you specify.
The following example captures the network traffic into 20 files of 100 KB each, after which the capture stops automatically.
# tshark -b filesize:100 -a files:20 -w temp.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
28
# ls -lrt
total 12
-rw------- 1 root root 1088 Apr 10 16:02 capture_00001_20140410160213.pcap
-rw------- 1 root root 1088 Apr 10 16:02 capture_00002_20140410160215.pcap
In the above:
- -b is the ring buffer option
- filesize:100 indicates that the maximum size of each output capture file is 100 KB
- files:20 indicates that the total number of output files to create is 20
- -a indicates an auto-stop condition
2. Auto-save Captures Based on Time Limit
The following example will capture the network traffic to multiple files, switching to a new file whenever the file size reaches 10240 KB or 1 second has elapsed. You can combine auto-stop conditions with this as needed.
# tshark -b filesize:10240 -b duration:1 -w temp.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
34
# ls -lrt
-rw------- 1 root root 1863 Apr 10 16:13 temp_00001_20140410161312.pcap
-rw------- 1 root root 1357 Apr 10 16:13 temp_00002_20140410161313.pcap
-rw------- 1 root root 1476 Apr 10 16:13 temp_00003_20140410161314.pcap
-rw------- 1 root root 1216 Apr 10 16:13 temp_00004_20140410161315.pcap
3. Specify Capture Buffer Size
This scenario is helpful when you are seeing packet drops during a capture.
In those situations, you can specify the capture buffer size in MB using the -B option. The default capture buffer size is 1 MB.
This buffer is used by the capture driver to hold packet data until it can be written to disk. If you encounter packet drops while capturing, try increasing this size.
# tshark -B 2
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.59.101?  Tell 10.30.32.1
  0.064507 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.70.11.143?  Tell 10.70.0.1
  0.067515 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.70.11.143?  Tell 10.70.0.1
  0.089554 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.50.212?  Tell 10.30.32.1
  0.183726 LannerEl_24:eb:40 -> Broadcast    ARP 60 Who has 10.30.36.86?   Tell 10.30.32.1
4. Capture Using the "Decode As" Option
This scenario is helpful when you need to specify how a layer type should be dissected.
This is the same as the Wireshark "Decode As" option, but sometimes the selector value you specify differs from the value present in the packet. For example, if a Diameter packet uses source and destination port numbers other than 3868 (the default port), you need to tell tshark that value so it can dissect the packet properly.
# tshark -r capture.pcap -d sctp.port==3869,diameter
 82 212.059173 192.168.105.20 -> 192.168.105.30 DIAMETER 262 cmd=Capabilities-ExchangeRequest(257) flags=R--- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000
 83 212.059330 192.168.105.30 -> 192.168.105.20 SCTP 62 SACK
 84 212.078804 192.168.105.30 -> 192.168.105.20 DIAMETER 294 cmd=Capabilities-ExchangeAnswer(257) flags=---- appl=Diameter Common Messages(0) h2h=204a16 e2e=67700000
 85 212.080569 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002
 86 212.084960 192.168.105.20 -> 192.168.105.30 SCTP 62 SACK
 87 212.084998 192.168.105.20 -> 192.168.105.30 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a29 e2e=63d00002
 88 212.100324 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003
 89 212.101629 192.168.105.20 -> 192.168.105.30 DIAMETER 178 SACK cmd=Device-WatchdogAnswer(280) flags=---- appl=Diameter Common Messages(0) h2h=5542a2a e2e=63d00003
 90 212.110997 192.168.105.30 -> 192.168.105.20 SCTP 62 SACK
 91 212.119855 192.168.105.30 -> 192.168.105.20 DIAMETER 146 cmd=Device-WatchdogRequest(280) flags=R--- appl=Diameter Common Messages(0) h2h=5542a2b e2e=63d00004
5. Extract Specific Fields
For example, this scenario is helpful when you want to extract specific fields from Diameter protocol packets.
You already know how to capture data for services that run on non-standard ports using the tshark command.
Currently tshark supports this option only for a small set of protocols.
You can achieve the same thing with the -V option combined with some quick scripting or a grep command, but the method shown below is faster for very large files.
# tshark -q -r capture.pcap -R diameter -z diameter,avp,257,Origin-Host
Running as user "root" and group "root". This could be dangerous.
frame='82' time='212.059176' src='192.168.105.20' srcport='35132' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='82' ans_frame='0' resp_time='0.000000' Origin-Host='backend.eap.testbed.aaa'
frame='84' time='212.078807' src='192.168.105.30' srcport='3868' dst='192.168.105.20' dstport='35132' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='82' ans_frame='84' resp_time='0.019631' Origin-Host='gw.eap.testbed.aaa'
frame='126' time='225.283773' src='192.168.105.40' srcport='2844' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='126' ans_frame='0' resp_time='0.000000' Origin-Host='opendiam.eap.testbed.aaa'
frame='130' time='225.295815' src='192.168.105.30' srcport='3868' dst='192.168.105.40' dstport='2844' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='126' ans_frame='130' resp_time='0.012042' Origin-Host='gw.eap.testbed.aaa'
=== Diameter Summary ===
requset count: 2
answer count: 2
req/ans pairs: 2
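The one-record-per-line key='value' output above is easy to post-process, which is the "quick scripting" route mentioned earlier. The following is an added example, not part of the tutorial: it parses that output (the sample records are copied from the output above), pairs answers with their requests via req_frame, reproduces the summary counts, and lists which Origin-Host identities each source address claimed, a useful sanity check when reviewing peers on a Diameter link.

```python
"""Post-process `tshark -z diameter,avp,...` records (added example)."""
import re

# Constructed sample: the four record lines and summary from the tutorial's output.
SAMPLE = """\
frame='82' time='212.059176' src='192.168.105.20' srcport='35132' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='82' ans_frame='0' resp_time='0.000000' Origin-Host='backend.eap.testbed.aaa'
frame='84' time='212.078807' src='192.168.105.30' srcport='3868' dst='192.168.105.20' dstport='35132' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='82' ans_frame='84' resp_time='0.019631' Origin-Host='gw.eap.testbed.aaa'
frame='126' time='225.283773' src='192.168.105.40' srcport='2844' dst='192.168.105.30' dstport='3868' proto='diameter' msgnr='0' is_request='1' cmd='257' req_frame='126' ans_frame='0' resp_time='0.000000' Origin-Host='opendiam.eap.testbed.aaa'
frame='130' time='225.295815' src='192.168.105.30' srcport='3868' dst='192.168.105.40' dstport='2844' proto='diameter' msgnr='0' is_request='0' cmd='257' req_frame='126' ans_frame='130' resp_time='0.012042' Origin-Host='gw.eap.testbed.aaa'
=== Diameter Summary ===
requset count: 2
answer count: 2
req/ans pairs: 2
"""

# Each field is key='value'; AVP names such as Origin-Host contain a hyphen.
FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")


def parse_records(text):
    """Turn every record line into a dict; the summary block is skipped."""
    return [dict(FIELD_RE.findall(line))
            for line in text.splitlines() if line.startswith("frame=")]


def pair_requests(records):
    """Match each answer to its request using req_frame; returns (req, ans) tuples."""
    by_frame = {r["frame"]: r for r in records}
    return [(by_frame[r["req_frame"]], r) for r in records
            if r["is_request"] == "0" and r["req_frame"] in by_frame]


def summarize(records):
    """Reproduce tshark's summary counts and add per-source Origin-Host detail."""
    pairs = pair_requests(records)
    sources = sorted({r["src"] for r in records})
    return {
        "request_count": sum(r["is_request"] == "1" for r in records),
        "answer_count": sum(r["is_request"] == "0" for r in records),
        "req_ans_pairs": len(pairs),
        "slowest_resp_time": max((float(a["resp_time"]) for _, a in pairs), default=0.0),
        # Which Origin-Host values each IP claimed; more than one per IP is worth a look.
        "hosts_by_src": {s: sorted({r["Origin-Host"] for r in records if r["src"] == s})
                         for s in sources},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {value}")
```

To use it on a real capture, redirect the tshark output to a file and pass its contents to parse_records instead of SAMPLE.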
6. Display Statistics for Specific Protocol
You can also display statistics from a captured file for a specific protocol.
For example, the following prints the statistics from a captured file for the HTTP protocol.
# tshark -q -r a.pcap -R http -z http,tree
Running as user "root" and group "root". This could be dangerous.
===================================================================
HTTP/Packet Counter        value     rate      percent
-------------------------------------------------------------------
Total HTTP Packets           7       0.000375
 HTTP Request Packets        4       0.000214   57.14%
  GET                        4       0.000214  100.00%
 HTTP Response Packets       3       0.000161   42.86%
  2xx: Success               2       0.000107   66.67%
   200 OK                    2       0.000107  100.00%
  3xx: Redirection           1       0.000054   33.33%
   302 Found                 1       0.000054  100.00%
  5xx: Server Error          0       0.000000    0.00%
 Other HTTP Packets          0       0.000000    0.00%
Very interesting post.
Is there an option, in the case of saving to multiple files, to delete the oldest file?