osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/docbook/wsug_src/WSUG_app_tools.asciidoc

919 lines
40 KiB
Plaintext
Raw Blame History

++++++++++++++++++++++++++++++++++++++
<!-- WSUG Appendix Tools -->
++++++++++++++++++++++++++++++++++++++
[[AppTools]]
[appendix]
== Related command line tools
[[AppToolsIntroduction]]
=== Introduction
Along with the main application, Wireshark comes with an array of command line
tools which can be helpful for specialized tasks. These tools will be described
in this chapter. You can find more information about each command in the
link:wireshark-man-page-reference:[][Manual Pages].
[[AppToolstshark]]
=== __tshark__: Terminal-based Wireshark
TShark is a terminal oriented version of Wireshark designed for capturing and
displaying packets when an interactive user interface isn't necessary or
available. It supports the same options as `wireshark`. For more information on
`tshark` see the manual pages (`man tshark`).
[[AppToolstsharkEx]]
.Help information available from `tshark`
----
TShark 1.12.1 (Git Rev Unknown from unknown)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (- to read from stdin)
Processing:
-2 perform a two-pass analysis
-R <read filter> packet Read filter in Wireshark display filter syntax
-Y <display filter> packet displaY filter in Wireshark display filter
syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtCd"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
-H <hosts file> read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
--disable-protocol <proto_name> disable dissection of proto_name
Repeat option for each protocol
--enable-heuristic <short_name> enable dissection of heuristic protocol
Repeat option for each protocol
--disable-heuristic <short_name> disable dissection of heuristic protocol
Repeat option for each protocol
Output:
-w <outfile|-> write packets to a pcap-format file named "outfile"
(or to the standard output for "-")
-C <config profile> start with specified configuration profile
-F <output file type> set the output file type, default is pcapng
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
separated
-P print packet summary even when writing to a file
-S <separator> the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e <field> field to print if -Tfields selected (e.g. tcp.port,
_ws.col.Info)
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
-W n Save extra information in the file, if supported.
n = write network address resolution information
-X <key>:<value> eXtension options, see the man page for details
-z <statistics> various statistics, see the man page for details
--capture-comment <comment>
add a capture comment to the newly created
output file (only for pcapng)
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o <name>:<value> ... override preference setting
-K <keytab> keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report="fields"
use "-G ?" for more help
WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
----
[[AppToolstcpdump]]
=== __tcpdump__: Capturing with `tcpdump` for viewing with Wireshark
It's often more useful to capture packets using `tcpdump` rather than
`wireshark`. For example, you might want to do a remote capture and either don't
have GUI access or don't have Wireshark installed on the remote machine.
Older versions of `tcpdump` truncate packets to 68 or 96 bytes. If this is the case,
use `-s` to capture full-sized packets:
----
$ tcpdump -i <interface> -s 65535 -w <some-file>
----
You will have to specify the correct _interface_ and the name of a _file_ to
save into. In addition, you will have to terminate the capture with ^C when you
believe you have captured enough packets.
+tcpdump+ is not part of the Wireshark distribution. You can get it from
link:$$http://www.tcpdump.org/:[]$$[http://www.tcpdump.org] or as a standard
package in most Linux distributions.
[[AppToolsdumpcap]]
=== __dumpcap__: Capturing with `dumpcap` for viewing with Wireshark
Dumpcap is a network traffic dump tool. It captures packet data from a live
network and writes the packets to a file. Dumpcap's native capture file format
is pcapng, which is also the format used by Wireshark.
Without any options set it will use the pcap library to capture traffic from the
first available network interface and write the received raw packet data, along
with the packets' time stamps into a pcapng file. The capture filter syntax
follows the rules of the pcap library.
[[AppToolsdumpcapEx]]
.Help information available from dumpcap
----
Dumpcap 1.12.1 (Git Rev Unknown from unknown)
Capture network packets and dump them into a pcapng file.
See http://www.wireshark.org for more information.
Usage: dumpcap [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback),
or for remote capturing, use one of these formats:
rpcap://<host>/<interface>
TCP@<host>:<port>
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer in MiB (def: 2MiB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
-d print generated BPF code for capture filter
-k set channel on wifi interface <freq>,[<type>]
-S print statistics for each interface once per second
-M for -D, -L, and -S, produce machine-readable output
Stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Output (files):
-w <filename> name of file to save (def: tempfile)
-g enable group read access on the output file(s)
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
-n use pcapng format instead of pcap (default)
-P use libpcap format instead of pcapng
--capture-comment <comment>
add a capture comment to the output file
(only for pcapng)
Miscellaneous:
-N <packet_limit> maximum number of packets buffered within dumpcap
-C <byte_limit> maximum number of bytes used for buffering packets
within dumpcap
-t use a separate thread per interface
-q don't report packet capture counts
-v print version information and exit
-h display this help and exit
WARNING: dumpcap will enable kernel BPF JIT compiler if available.
You might want to reset it
By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"
Use Ctrl-C to stop capturing at any time.
----
[[AppToolscapinfos]]
=== __capinfos__: Print information about capture files
+capinfos+ can print information about binary capture files.
[[AppToolscapinfosEx]]
.Help information available from capinfos
----
Capinfos 1.12.1 (Git Rev Unknown from unknown)
Prints various information (infos) about capture files.
See http://www.wireshark.org for more information.
Usage: capinfos [options] <infile> ...
General infos:
-t display the capture file type
-E display the capture file encapsulation
-H display the SHA1, RMD160, and MD5 hashes of the file
-k display the capture comment
Size infos:
-c display the number of packets
-s display the size of the file (in bytes)
-d display the total length of all packets (in bytes)
-l display the packet size limit (snapshot length)
Time infos:
-u display the capture duration (in seconds)
-a display the capture start time
-e display the capture end time
-o display the capture file chronological status (True/False)
-S display start and end times as seconds
Statistic infos:
-y display average data rate (in bytes/sec)
-i display average data rate (in bits/sec)
-z display average packet size (in bytes)
-x display average packet rate (in packets/sec)
Output format:
-L generate long report (default)
-T generate table report
-M display machine-readable values in long reports
Table report options:
-R generate header record (default)
-r do not generate header record
-B separate infos with TAB character (default)
-m separate infos with comma (,) character
-b separate infos with SPACE character
-N do not quote infos (default)
-q quote infos with single quotes (')
-Q quote infos with double quotes (")
Miscellaneous:
-h display this help and exit
-C cancel processing if file open fails (default is to continue)
-A generate all infos (default)
Options are processed from left to right order with later options superceding
or adding to earlier options.
If no options are given the default is to display all infos in long report
output format.
----
[[AppToolsrawshark]]
=== __rawshark__: Dump and analyze network traffic.
Rawshark reads a stream of packets from a file or pipe, and prints a line
describing its output, followed by a set of matching fields for each packet on
stdout.
[[AppToolsrawsharkEx]]
.Help information available from rawshark
----
Rawshark 1.12.1 (Git Rev Unknown from unknown)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: rawshark [options] ...
Input file:
-r <infile> set the pipe or file name to read from
Processing:
-d <encap:linktype>|<proto:protoname>
packet encapsulation or protocol
-F <field> field to display
-n disable all name resolution (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtCd"
-p use the system's packet header format
(which may have 64-bit timestamps)
-R <read filter> packet filter in Wireshark display filter syntax
-s skip PCAP header on input
Output:
-l flush output after each packet
-S format string for fields
(%D - name, %S - stringval, %N numval)
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
Miscellaneous:
-h display this help and exit
-o <name>:<value> ... override preference setting
-v display version info and exit
----
[[AppToolseditcap]]
=== __editcap__: Edit capture files
+editcap+ is a general-purpose utility for modifying capture files. Its main
function is to remove packets from capture files, but it can also be used to
convert capture files from one format to another, as well as to print
information about capture files.
[[AppToolseditcapEx]]
.Help information available from editcap
----
Editcap 1.12.1 (Git Rev Unknown from unknown)
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.
Packet selection:
-r keep the selected packets; default is to delete them.
-A <start time> only output packets whose timestamp is after (or equal
to) the given time (format as YYYY-MM-DD hh:mm:ss).
-B <stop time> only output packets whose timestamp is before the
given time (format as YYYY-MM-DD hh:mm:ss).
Duplicate packet removal:
-d remove packet if duplicate (window == 5).
-D <dup window> remove packet if duplicate; configurable <dup window>
Valid <dup window> values are 0 to 1000000.
NOTE: A <dup window> of 0 with -v (verbose option) is
useful to print MD5 hashes.
-w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
LESS THAN <dup time window> prior to current packet.
A <dup time window> is specified in relative seconds
(e.g. 0.000001).
NOTE: The use of the 'Duplicate packet removal' options with
other editcap options except -v may not always work as expected.
Specifically the -r, -t or -S options will very likely NOT have the
desired effect if combined with the -d, -D or -w.
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end. If an optional offset precedes the length,
then the bytes chopped will be offset from that value.
Positive offsets are from the packet beginning,
negative offsets are from the packet end. You can use
this option more than once, allowing up to 2 chopping
regions within a packet provided that at least 1
choplen is positive and at least 1 is negative.
-L adjust the frame length when chopping and/or snapping
-t <time adjustment> adjust the timestamp of each packet;
<time adjustment> is in relative seconds (e.g. -0.5).
-S <strict adjustment> adjust timestamp of packets if necessary to insure
strict chronological increasing order. The <strict
adjustment> is specified in relative seconds with
values of 0 or 0.000001 being the most reasonable.
A negative adjustment value will modify timestamps so
that each packet's delta time is the absolute value
of the adjustment specified. A value of -0 will set
all packets to the timestamp of the first packet.
-E <error probability> set the probability (between 0.0 and 1.0 incl.) that
a particular packet byte will be randomly changed.
Output File(s):
-c <packets per file> split the packet output to different files based on
uniform packet counts with a maximum of
<packets per file> each.
-i <seconds per file> split the packet output to different files based on
uniform time intervals with a maximum of
<seconds per file> each.
-F <capture type> set the output file type; default is pcapng. An empty
"-F" option will list the file types.
-T <encap type> set the output file encapsulation type; default is the
same as the input file. An empty "-T" option will
list the encapsulation types.
Miscellaneous:
-h display this help and exit.
-v verbose output.
If -v is used with any of the 'Duplicate Packet
Removal' options (-d, -D or -w) then Packet lengths
and MD5 hashes are printed to standard-error.
----
[[AppToolseditcapEx1]]
.Capture file types available from `editcap -F`
----
$ editcap -F
editcap: option requires an argument -- 'F'
editcap: The available capture file types for the "-F" flag are:
5views - InfoVista 5View capture
btsnoop - Symbian OS btsnoop
commview - TamoSoft CommView
dct2000 - Catapult DCT2000 trace (.out format)
erf - Endace ERF capture
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
logcat - Android Logcat Binary format
logcat-brief - Android Logcat Brief text format
logcat-long - Android Logcat Long text format
logcat-process - Android Logcat Process text format
logcat-tag - Android Logcat Tag text format
logcat-thread - Android Logcat Thread text format
logcat-threadtime - Android Logcat Threadtime text format
logcat-time - Android Logcat Time text format
modlibpcap - Modified tcpdump - libpcap
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
ngsniffer - Sniffer (DOS)
ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
ngwsniffer_2_0 - Sniffer (Windows) 2.00x
niobserver - Network Instruments Observer
nokialibpcap - Nokia tcpdump - libpcap
nseclibpcap - Wireshark - nanosecond libpcap
nstrace10 - NetScaler Trace (Version 1.0)
nstrace20 - NetScaler Trace (Version 2.0)
nstrace30 - NetScaler Trace (Version 3.0)
pcap - Wireshark/tcpdump/... - pcap
pcapng - Wireshark/... - pcapng
rf5 - Tektronix K12xx 32-bit .rf5 format
rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
snoop - Sun snoop
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
visual - Visual Networks traffic capture
----
[[AppToolseditcapEx2]]
.Encapsulation types available from editcap
----
$ editcap -T
editcap: option requires an argument -- 'T'
editcap: The available encapsulation types for the "-T" flag are:
ap1394 - Apple IP-over-IEEE 1394
arcnet - ARCNET
arcnet_linux - Linux ARCNET
ascend - Lucent/Ascend access equipment
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
atm-rfc1483 - RFC 1483 ATM
ax25 - Amateur Radio AX.25
ax25-kiss - AX.25 with KISS header
bacnet-ms-tp - BACnet MS/TP
bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
ber - ASN.1 Basic Encoding Rules
bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
bluetooth-h4 - Bluetooth H4
bluetooth-h4-linux - Bluetooth H4 with linux header
bluetooth-hci - Bluetooth without transport layer
bluetooth-le-ll - Bluetooth Low Energy Link Layer
bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
bluetooth-linux-monitor - Bluetooth Linux Monitor
can20b - Controller Area Network 2.0B
chdlc - Cisco HDLC
chdlc-with-direction - Cisco HDLC with Directional Info
cosine - CoSine L2 debug log
dbus - D-Bus
dct2000 - Catapult DCT2000
docsis - Data Over Cable Service Interface Specification
dpnss_link - Digital Private Signalling System No 1 Link Layer
dvbci - DVB-CI (Common Interface)
enc - OpenBSD enc(4) encapsulating interface
epon - Ethernet Passive Optical Network
erf - Extensible Record Format
ether - Ethernet
ether-nettl - Ethernet with nettl headers
fc2 - Fibre Channel FC-2
fc2sof - Fibre Channel FC-2 With Frame Delimiter
fddi - FDDI
fddi-nettl - FDDI with nettl headers
fddi-swapped - FDDI with bit-swapped MAC addresses
flexray - FlexRay
frelay - Frame Relay
frelay-with-direction - Frame Relay with Directional Info
gcom-serial - GCOM Serial
gcom-tie1 - GCOM TIE1
gprs-llc - GPRS LLC
gsm_um - GSM Um Interface
hhdlc - HiPath HDLC
i2c - I2C
ieee-802-11 - IEEE 802.11 Wireless LAN
ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
ieee-802-11-avs - IEEE 802.11 plus AVS radio header
ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
infiniband - InfiniBand
ios - Cisco IOS internal
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ip-over-ib - IP over Infiniband
ipfix - IPFIX
ipmb - Intelligent Platform Management Bus
ipmi-trace - IPMI Trace Data Collection
ipnet - Solaris IPNET
irda - IrDA
isdn - ISDN
ixveriwave - IxVeriWave header and stats block
jfif - JPEG/JFIF
juniper-atm1 - Juniper ATM1
juniper-atm2 - Juniper ATM2
juniper-chdlc - Juniper C-HDLC
juniper-ether - Juniper Ethernet
juniper-frelay - Juniper Frame-Relay
juniper-ggsn - Juniper GGSN
juniper-mlfr - Juniper MLFR
juniper-mlppp - Juniper MLPPP
juniper-ppp - Juniper PPP
juniper-pppoe - Juniper PPPoE
juniper-svcs - Juniper Services
juniper-vp - Juniper Voice PIC
k12 - K12 protocol analyzer
lapb - LAPB
lapd - LAPD
layer1-event - EyeSDN Layer 1 event
lin - Local Interconnect Network
linux-atm-clip - Linux ATM CLIP
linux-lapd - LAPD with Linux pseudo-header
linux-sll - Linux cooked-mode capture
logcat - Android Logcat Binary format
logcat_brief - Android Logcat Brief text format
logcat_long - Android Logcat Long text format
logcat_process - Android Logcat Process text format
logcat_tag - Android Logcat Tag text format
logcat_thread - Android Logcat Thread text format
logcat_threadtime - Android Logcat Threadtime text format
logcat_time - Android Logcat Time text format
ltalk - Localtalk
mime - MIME
most - Media Oriented Systems Transport
mp2ts - ISO/IEC 13818-1 MPEG2-TS
mpeg - MPEG
mtp2 - SS7 MTP2
mtp2-with-phdr - MTP2 with pseudoheader
mtp3 - SS7 MTP3
mux27010 - MUX27010
netanalyzer - netANALYZER
netanalyzer-transparent - netANALYZER-Transparent
netlink - Linux Netlink
nfc-llcp - NFC LLCP
nflog - NFLOG
nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
null - NULL
packetlogger - PacketLogger
pflog - OpenBSD PF Firewall logs
pflog-old - OpenBSD PF Firewall logs, pre-3.4
pktap - Apple PKTAP
ppi - Per-Packet Information header
ppp - PPP
ppp-with-direction - PPP with Directional Info
pppoes - PPP-over-Ethernet session
raw-icmp-nettl - Raw ICMP with nettl headers
raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
raw-telnet-nettl - Raw telnet with nettl headers
rawip - Raw IP
rawip-nettl - Raw IP with nettl headers
rawip4 - Raw IPv4
rawip6 - Raw IPv6
redback - Redback SmartEdge
rtac-serial - RTAC serial-line
s4607 - STANAG 4607
s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
sccp - SS7 SCCP
sctp - SCTP
sdh - SDH
sdlc - SDLC
sita-wan - SITA WAN packets
slip - SLIP
socketcan - SocketCAN
symantec - Symantec Enterprise Firewall
tnef - Transport-Neutral Encapsulation Format
tr - Token Ring
tr-nettl - Token Ring with nettl headers
tzsp - Tazmen sniffer protocol
unknown - Unknown
unknown-nettl - Unknown link-layer type with nettl headers
usb - Raw USB packets
usb-linux - USB packets with Linux header
usb-linux-mmap - USB packets with Linux header and padding
usb-usbpcap - USB packets with USBPcap header
user0 - USER 0
user1 - USER 1
user2 - USER 2
user3 - USER 3
user4 - USER 4
user5 - USER 5
user6 - USER 6
user7 - USER 7
user8 - USER 8
user9 - USER 9
user10 - USER 10
user11 - USER 11
user12 - USER 12
user13 - USER 13
user14 - USER 14
user15 - USER 15
v5-ef - V5 Envelope Function
whdlc - Wellfleet HDLC
wireshark-upper-pdu - Wireshark Upper PDU export
wpan - IEEE 802.15.4 Wireless PAN
wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
x2e-serial - X2E serial line capture
x2e-xoraya - X2E Xoraya
x25-nettl - X.25 with nettl headers
----
[[AppToolsmergecap]]
=== __mergecap__: Merging multiple capture files into one
Mergecap is a program that combines multiple saved capture files into a single
output file specified by the `-w` argument. Mergecap knows how to read libpcap
capture files, including those of tcpdump. In addition, Mergecap can read
capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer
(compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray,
Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output,
HP-UX's nettl, and the dump output from Toshiba's ISDN routers. There is no need
to tell Mergecap what type of file you are reading; it will determine the file
type by itself. Mergecap is also capable of reading any of these file formats if
they are compressed using `gzip`. Mergecap recognizes this directly from the
file; the ``$$.gz$$'' extension is not required for this purpose.
By default, it writes the capture file in pcapng format, and writes all of the
packets in the input capture files to the output file. The `-F` flag can be used
to specify the format in which to write the capture file; it can write the file
in libpcap format (standard libpcap format, a modified format used by some
patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format
used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft
Network Monitor 1.x format, and the format used by Windows-based versions of the
Sniffer software.
Packets from the input files are merged in chronological order based on each
frame's timestamp, unless the `-a` flag is specified. Mergecap assumes that
frames within a single capture file are already stored in chronological order.
When the `-a` flag is specified, packets are copied directly from each input
file to the output file, independent of each frame's timestamp.
If the `-s` flag is used to specify a snapshot length, frames in the input file
with more captured data than the specified snapshot length will have only the
amount of data specified by the snapshot length written to the output file. This
may be useful if the program that is to read the output file cannot handle
packets larger than a certain size (for example, the versions of snoop in
Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the
standard Ethernet MTU, making them incapable of handling gigabit Ethernet
captures if jumbo frames were used).
If the `-T` flag is used to specify an encapsulation type, the encapsulation
type of the output capture file will be forced to the specified type, rather
than being the type appropriate to the encapsulation type of the input capture
file. Note that this merely forces the encapsulation type of the output file to
be the specified type; the packet headers of the packets will not be translated
from the encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet capture to an
FDDI capture if an Ethernet capture is read and `-T fddi` is specified).
[[AppToolsmergecapEx]]
.Help information available from mergecap
----
Mergecap 1.12.1 (Git Rev Unknown from unknown)
Merge two or more capture files into one.
See http://www.wireshark.org for more information.
Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type;
default is the same as the first input file.
an empty "-T" option will list the encapsulation types.
Miscellaneous:
-h display this help and exit.
-v verbose output.
----
A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into
`outfile.pcapng` is shown below.
[[AppToolsmergecapExSimple]]
.Simple example of using mergecap
----
$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng
----
[[AppToolstext2pcap]]
=== __text2pcap__: Converting ASCII hexdumps to network captures
There may be some occasions when you wish to convert a hex dump of some network
traffic into a libpcap file.
+text2pcap+ is a program that reads in an ASCII hex dump and writes the data
described into a libpcap-style capture file. text2pcap can read hexdumps with
multiple packets in them, and build a capture file of multiple packets.
`text2pcap` is also capable of generating dummy Ethernet, IP and UDP headers, in
order to build fully processable packet dumps from hexdumps of application-level
data only.
+text2pcap+ understands a hexdump of the form generated by `od -A x -t x1`. In
other words, each byte is individually displayed and surrounded with a space.
Each line begins with an offset describing the position in the file. The offset
is a hex number (can also be octal - see `-o`), of more than two hex digits. Here
is a sample dump that `text2pcap` can recognize:
----
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........
----
There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Bytes/hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters `>'. Any lines of text between the bytestring lines is ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
bytes is ignored (e.g. the character dump). Any hex numbers in this text are
also ignored. An offset of zero is indicative of starting a new packet, so a
single text file with a series of hexdumps can be converted into a packet
capture with multiple packets. Multiple packets are read in with timestamps
differing by one second each. In general, short of these restrictions, text2pcap
is pretty liberal about reading in hexdumps and has been tested with a variety
of mangled outputs (including being forwarded through email multiple times, with
limited line wrap etc.)
There are a couple of other special features to note. Any line where the first
non-whitespace character is '#' will be ignored as a comment. Any line beginning
with #TEXT2PCAP is a directive and options can be inserted after this command to
be processed by `text2pcap`. Currently there are no directives implemented; in the
future, these may be used to give more fine grained control on the dump and the
way it should be processed e.g. timestamps, encapsulation type etc.
+text2pcap+ also allows the user to read in dumps of application-level data, by
inserting dummy L2, L3 and L4 headers before each packet. Possibilities include
inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or
Ethernet + Ip + TCP before each packet. This allows Wireshark or any other
full-packet decoder to handle these dumps.
[[AppToolstext2pcapEx]]
.Help information available from text2pcap
----
Text2pcap 1.12.1 (Git Rev Unknown from unknown)
Generate a capture file from an ASCII hexdump of packets.
See http://www.wireshark.org for more information.
Usage: text2pcap [options] <infile> <outfile>
where <infile> specifies input filename (use - for standard input)
<outfile> specifies output filename (use - for standard output)
Input:
-o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal;
default is hex.
-t <timefmt> treat the text before the packet as a date/time code;
the specified argument is a format string of the sort
supported by strptime.
Example: The time "10:15:14.5476" has the format code
"%H:%M:%S."
NOTE: The subsecond component delimiter, '.', must be
given, but no pattern is required; the remaining
number is assumed to be fractions of a second.
NOTE: Date/time fields from the current date/time are
used as the default for unspecified fields.
-D the text before the packet starts with an I or an O,
indicating that the packet is inbound or outbound.
This is only stored if the output format is PCAP-NG.
-a enable ASCII text dump identification.
The start of the ASCII text dump can be identified
and excluded from the packet data, even if it looks
like a HEX dump.
NOTE: Do not enable it if the input file does not
contain the ASCII text dump.
Output:
-l <typenum> link-layer type number; default is 1 (Ethernet). See
http://www.tcpdump.org/linktypes.html for a list of
numbers. Use this option if your dump is a complete
hex dump of an encapsulated packet and you wish to
specify the exact type of encapsulation.
Example: -l 7 for ARCNet packets.
-m <max-packet> max packet length in output; default is 65535
Prepend dummy header:
-e <l3pid> prepend dummy Ethernet II header with specified L3PID
(in HEX).
Example: -e 0x806 to specify an ARP packet.
-i <proto> prepend dummy IP header with specified IP protocol
(in DECIMAL).
Automatically prepends Ethernet header as well.
Example: -i 46
-4 <srcip>,<destip> prepend dummy IPv4 header with specified
dest and source address.
Example: -4 10.0.0.1,10.0.0.2
-6 <srcip>,<destip> replace IPv6 header with specified
dest and source address.
Example: -6 fe80:0:0:0:202:b3ff:fe1e:8329,2001:0db8:85a3:0000:0000:8a2e:0370:7334
-u <srcp>,<destp> prepend dummy UDP header with specified
source and destination ports (in DECIMAL).
Automatically prepends Ethernet & IP headers as well.
Example: -u 1000,69 to make the packets look like
TFTP/UDP packets.
-T <srcp>,<destp> prepend dummy TCP header with specified
source and destination ports (in DECIMAL).
Automatically prepends Ethernet & IP headers as well.
Example: -T 50,60
-s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
source/dest ports and verification tag (in DECIMAL).
Automatically prepends Ethernet & IP headers as well.
Example: -s 30,40,34
-S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
source/dest ports and verification tag 0.
Automatically prepends a dummy SCTP DATA
chunk header with payload protocol identifier ppi.
Example: -S 30,40,34
Miscellaneous:
-h display this help and exit.
-d show detailed debug of parser states.
-q generate no output at all (automatically disables -d).
-n use PCAP-NG instead of PCAP as output format.
----
[[AppToolsreordercap]]
=== __reordercap__: Reorder a capture file
+reordercap+ lets you reorder a capture file according to the packets timestamp.
[[AppToolsreordercapEx]]
.Help information available from reordercap
----
Reordercap 1.12.1
Reorder timestamps of input file frames into output file.
See http://www.wireshark.org for more information.
Usage: reordercap [options] <infile> <outfile>
Options:
-n don't write to output file if the input file is ordered.
-h display this help and exit.
----
++++++++++++++++++++++++++++++++++++++
<!-- End of WSUG Appendix Tools -->
++++++++++++++++++++++++++++++++++++++
View Git Blame Copy Permalink