// WSUG Appendix Tools

[#AppTools]
[appendix]
== Related command line tools

[#AppToolsIntroduction]
=== Introduction

Wireshark comes with an array of
command line tools which can be helpful for packet analysis. Some of
these tools are described in this chapter. You can find more
information about all of Wireshark’s command line tools on
link:{wireshark-man-page-url}[the web site].

[#AppToolstshark]
=== __tshark__: Terminal-based Wireshark

TShark is a terminal oriented version of Wireshark designed for capturing and
displaying packets when an interactive user interface isn’t necessary or
available. It supports the same options as `wireshark`. For more information on
`tshark` consult your local manual page (`man tshark`) or
link:{wireshark-man-page-url}tshark.html[the online version].

[#AppToolstsharkEx]
.Help information available from `tshark`
----
include::tshark-h.txt[]
----

[#AppToolstcpdump]
=== __tcpdump__: Capturing with “tcpdump” for viewing with Wireshark

It’s often more useful to capture packets using `tcpdump` rather than
`wireshark`. For example, you might want to do a remote capture and either don’t
have GUI access or don’t have Wireshark installed on the remote machine.

Older versions of `tcpdump` truncate packets to 68 or 96 bytes. If this is the case,
use `-s` to capture full-sized packets:

----
$ tcpdump -i <interface> -s 65535 -w <file>
----

You will have to specify the correct _interface_ and the name of a _file_ to
save into. In addition, you will have to terminate the capture with ^C when you
believe you have captured enough packets.

`tcpdump` is not part of the Wireshark distribution. You can get it from
{tcpdump-main-url} or as a standard package in most Linux distributions.
For more information on `tcpdump` consult your local manual page (`man
tcpdump`) or link:{tcpdump-man-page-url}[the online version].

[#AppToolsdumpcap]
=== __dumpcap__: Capturing with “dumpcap” for viewing with Wireshark

Dumpcap is a network traffic dump tool. It captures packet data from a live
network and writes the packets to a file. Dumpcap’s native capture file format
is pcapng, which is also the format used by Wireshark.

By default, Dumpcap uses the pcap library to capture traffic
from the first available network interface and writes the received raw
packet data, along with the packets’ time stamps into a pcapng file. The
capture filter syntax follows the rules of the pcap library. For more
information on `dumpcap` consult your local manual page (`man dumpcap`)
or link:{wireshark-man-page-url}dumpcap.html[the online version].

[#AppToolsdumpcapEx]
.Help information available from `dumpcap`
----
include::dumpcap-h.txt[]
----

[#AppToolscapinfos]
=== __capinfos__: Print information about capture files

`capinfos` can print information about capture files including the file
type, number of packets, date and time information, and file hashes.
Information can be printed in human and machine readable formats. For
more information on `capinfos` consult your local manual page (`man
capinfos`) or link:{wireshark-man-page-url}capinfos.html[the online
version].

[#AppToolscapinfosEx]
.Help information available from `capinfos`
----
include::capinfos-h.txt[]
----

[#AppToolsrawshark]
=== __rawshark__: Dump and analyze network traffic

Rawshark reads a stream of packets from a file or pipe, and prints a
line describing its output, followed by a set of matching fields for
each packet on stdout. For more information on `rawshark` consult your
local manual page (`man rawshark`) or
link:{wireshark-man-page-url}rawshark.html[the online version].

[#AppToolsrawsharkEx]
.Help information available from `rawshark`
----
include::rawshark-h.txt[]
----

[#AppToolseditcap]
=== __editcap__: Edit capture files

`editcap` is a general-purpose utility for modifying capture files. Its
main function is to remove packets from capture files, but it can also
be used to convert capture files from one format to another, as well as
to print information about capture files. For more information on
`editcap` consult your local manual page (`man editcap`) or
link:{wireshark-man-page-url}editcap.html[the online version].

[#AppToolseditcapEx]
.Help information available from `editcap`
----
include::editcap-h.txt[]
----

[#AppToolseditcapEx1]
.Capture file types available from `editcap -F`
----
include::editcap-F.txt[]
----

[#AppToolseditcapEx2]
.Encapsulation types available from `editcap -T`
----
include::editcap-T.txt[]
----

[#AppToolsmergecap]
=== __mergecap__: Merging multiple capture files into one

Mergecap is a program that combines multiple saved capture files into a single
output file specified by the `-w` argument. Mergecap can read libpcap
capture files, including those of tcpdump. In addition, Mergecap can read
capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer
(compressed or uncompressed), Microsoft Network Monitor, AIX’s iptrace, NetXray,
Sniffer Pro, RADCOM’s WAN/LAN analyzer, Lucent/Ascend router debug output,
HP-UX’s nettl, and the dump output from Toshiba’s ISDN routers. There is no need
to tell Mergecap what type of file you are reading; it will determine the file
type by itself. Mergecap is also capable of reading any of these file formats if
they are compressed using `gzip`. Mergecap recognizes this directly from the
file; the “.gz” extension is not required for this purpose.

By default, Mergecap writes all of the packets in the input capture files to a
pcapng file. The `-F` flag can be used
to specify the output capture file format; it can write the file
in libpcap format (standard libpcap format, a modified format used by some
patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format
used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft
Network Monitor 1.x format, and the format used by Windows-based versions of the
Sniffer software.

Packets from the input files are merged in chronological order based on each
frame’s timestamp, unless the `-a` flag is specified. Mergecap assumes that
frames within a single capture file are already stored in chronological order.
When the `-a` flag is specified, packets are copied directly from each input
file to the output file, independent of each frame’s timestamp.

If the `-s` flag is used to specify a snapshot length, frames in the input file
with more captured data than the specified snapshot length will have only the
amount of data specified by the snapshot length written to the output file. This
may be useful if the program that is to read the output file cannot handle
packets larger than a certain size (for example, the versions of snoop in
Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the
standard Ethernet MTU, making them incapable of handling gigabit Ethernet
captures if jumbo frames were used).

If the `-T` flag is used to specify an encapsulation type, the encapsulation
type of the output capture file will be forced to the specified type, rather
than being the type appropriate to the encapsulation type of the input capture
file. Note that this merely forces the encapsulation type of the output file to
be the specified type; the packet headers of the packets will not be translated
from the encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet capture to an
FDDI capture if an Ethernet capture is read and `-T fddi` is specified).

For more information on `mergecap` consult your local manual page (`man
mergecap`) or link:{wireshark-man-page-url}mergecap.html[the online
version].

[#AppToolsmergecapEx]
.Help information available from `mergecap`
----
include::mergecap-h.txt[]
----

A simple example merging `dhcp-capture.pcapng` and `imap-1.pcapng` into
`outfile.pcapng` is shown below.

[#AppToolsmergecapExSimple]
.Simple example of using mergecap
----
$ mergecap -w outfile.pcapng dhcp-capture.pcapng imap-1.pcapng
----

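As an added example (not code from the Wireshark project or from this guide), the following Python script models, for classic libpcap files, the behaviour described in the `mergecap` section above and, along the way, the `capinfos`-style facts and the snapshot-length truncation that the `tcpdump` section warns about. It reads and writes the pcap container, determines byte order and timestamp resolution from the magic number (the file type is detected from the file itself, not from its name), summarizes a file (packet count, first and last timestamp, how many packets were cut short by the snapshot length, a SHA-256 hash), and merges several inputs either chronologically by timestamp, assuming each input is already sorted as Mergecap does, or in plain concatenation order as with `-a`, optionally truncating to a snapshot length as with `-s`. The two sample captures are constructed inline and are not real traffic; the function names are this example's own. It only handles classic pcap, so inputs with different link types are rejected rather than written to a pcapng file with per-interface blocks.

```python
"""Added example (not Wireshark project code): a pure-Python model of what
mergecap and capinfos do with classic libpcap files. Sample captures are
constructed inline; function names are this example's own."""
import hashlib
import heapq
import os
import struct
import tempfile

MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1

def read_pcap(path):
    """Return (linktype, snaplen, records); a record is (ts_ns, orig_len, data).
    Byte order and timestamp resolution come from the magic number."""
    with open(path, "rb") as f:
        blob = f.read()
    endian, magic = "<", struct.unpack("<I", blob[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", struct.unpack(">I", blob[:4])[0]
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a classic pcap file: %s" % path)
    ts_scale = 1000 if magic == MAGIC_USEC else 1
    snaplen, linktype = struct.unpack(endian + "II", blob[16:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, frac, caplen, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        data = blob[off + 16:off + 16 + caplen]
        if len(data) < caplen:
            raise ValueError("truncated packet record in %s" % path)
        records.append((sec * 10**9 + frac * ts_scale, orig_len, data))
        off += 16 + caplen
    return linktype, snaplen, records

def write_pcap(path, linktype, snaplen, records):
    """Write records as a little-endian, microsecond-resolution pcap file."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
        for ts_ns, orig_len, data in records:
            sec, frac = divmod(ts_ns, 10**9)
            f.write(struct.pack("<IIII", sec, frac // 1000, len(data), orig_len) + data)

def summarize(path):
    """capinfos-style facts: packet count, first/last time, how many packets were
    cut short by the snapshot length (caplen < original length), and a file hash."""
    linktype, snaplen, records = read_pcap(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "linktype": linktype, "snaplen": snaplen, "packets": len(records),
        "first_time": records[0][0] / 1e9 if records else None,
        "last_time": records[-1][0] / 1e9 if records else None,
        "truncated_packets": sum(1 for _, orig, data in records if len(data) < orig),
        "sha256": digest,
    }

def merge(inputs, output, chronological=True, snaplen=None):
    """Like `mergecap -w output inputs...`: a k-way merge by timestamp that assumes
    each input is already sorted (as mergecap does), or plain concatenation as
    with `-a`. With snaplen, data beyond it is dropped while orig_len is kept,
    as `-s` does. Returns the number of packets written."""
    streams, linktypes, out_snaplen = [], set(), 0
    for path in inputs:
        linktype, in_snaplen, records = read_pcap(path)
        linktypes.add(linktype)
        out_snaplen = max(out_snaplen, in_snaplen)
        streams.append(records)
    if len(linktypes) != 1:
        # classic pcap holds one link type per file; mixed inputs need pcapng (not modelled)
        raise ValueError("inputs have different link types: %s" % sorted(linktypes))
    if chronological:
        merged = heapq.merge(*streams, key=lambda r: r[0])
    else:
        merged = (r for s in streams for r in s)
    if snaplen is not None:
        out_snaplen = snaplen
        merged = ((ts, orig, data[:snaplen]) for ts, orig, data in merged)
    out = list(merged)
    write_pcap(output, linktypes.pop(), out_snaplen, out)
    return len(out)

def demo():
    """Build two constructed captures whose timestamps interleave, merge them
    both ways, and return the resulting timestamp orders plus a summary."""
    frame = bytes.fromhex("00e01ea7056f00105aa0b9120800") + bytes(60)  # 74-byte dummy frame
    with tempfile.TemporaryDirectory() as d:
        pa, pb, out = (os.path.join(d, n) for n in ("a.pcap", "b.pcap", "outfile.pcap"))
        write_pcap(pa, LINKTYPE_ETHERNET, 65535, [(t * 10**9, len(frame), frame) for t in (10, 30, 50)])
        write_pcap(pb, LINKTYPE_ETHERNET, 65535, [(t * 10**9, len(frame), frame) for t in (20, 40)])
        merge([pa, pb], out)
        chrono = [r[0] // 10**9 for r in read_pcap(out)[2]]
        merge([pa, pb], out, chronological=False, snaplen=64)
        appended = [r[0] // 10**9 for r in read_pcap(out)[2]]
        return chrono, appended, summarize(out)

if __name__ == "__main__":
    print(demo())
```

Running the script merges the two constructed files chronologically (timestamps 10, 20, 30, 40, 50) and then in `-a` order (10, 30, 50, 20, 40) with a 64-byte snapshot length, after which the summary reports every 74-byte frame as truncated, which is exactly the condition a `caplen < len` check exposes in a capture taken with too small a `-s`.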
[#AppToolstext2pcap]
=== __text2pcap__: Converting ASCII hexdumps to network captures

There may be some occasions when you wish to convert a hex dump of some network
traffic into a capture file.

`text2pcap` is a program that reads in an ASCII hex dump and writes the data
described into any capture file format supported by libwiretap. `text2pcap` can
read hexdumps with multiple packets in them, and build a capture file of
multiple packets.
`text2pcap` is also capable of generating dummy Ethernet, IP, UDP, TCP or SCTP
headers, in order to build fully processable packet dumps from hexdumps of
application-level data only.

`text2pcap` understands a hexdump of the form generated by `od -A x -t x1`. In
other words, each byte is individually displayed and surrounded with a space.
Each line begins with an offset describing the position in the packet, each new
packet starts with an offset of 0 and there is a space separating the offset
from the following bytes. The offset
is a hex number (it can also be octal; see `-o`) of more than two hex digits. Here
is a sample dump that `text2pcap` can recognize:

----
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........
----

There is no limit on the width or number of bytes per line. Also the text dump
at the end of the line is ignored. Bytes/hex numbers can be uppercase or
lowercase. Any text before the offset is ignored, including email forwarding
characters “>”. Any lines of text between the bytestring lines are ignored.
The offsets are used to track the bytes, so offsets must be correct. Any line
which has only bytes without a leading offset is ignored. An offset is
recognized as being a hex number longer than two characters. Any text after the
bytes is ignored (e.g., the character dump). Any hex numbers in this text are
also ignored. An offset of zero is indicative of starting a new packet, so a
single text file with a series of hexdumps can be converted into a packet
capture with multiple packets. Packets may be preceded by a timestamp. These
are interpreted according to the format given on the command line. If none is given, the
first packet is timestamped with the current time the conversion takes place.
Multiple packets are written with timestamps differing by one microsecond each.
In general, short of these restrictions, `text2pcap`
is pretty liberal about reading in hexdumps and has been tested with a variety
of mangled outputs (including being forwarded through email multiple times, with
limited line wrap, etc.).

There are a couple of other special features to note. Any line where the first
non-whitespace character is “#” will be ignored as a comment. Any line beginning
with #TEXT2PCAP is a directive and options can be inserted after this command to
be processed by `text2pcap`. Currently there are no directives implemented; in the
future, these may be used to give more fine-grained control on the dump and the
way it should be processed, e.g., timestamps, encapsulation type, etc.

`text2pcap` also allows the user to read in dumps of application-level data, by
inserting dummy L2, L3 and L4 headers before each packet. Possibilities include
inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or TCP,
or SCTP before each packet. This allows Wireshark or any other full-packet
decoder to handle these dumps.

For more information on `text2pcap` consult your local manual page (`man
text2pcap`) or link:{wireshark-man-page-url}text2pcap.html[the online
version].

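As an added example (not `text2pcap`'s own code), the following Python script implements the parsing rules described above: an offset is a number longer than two digits, offset 0 starts a new packet, lines without an offset, `#` comment and directive lines, text between dumps and text after the bytes (including hex-looking values in the character dump) are ignored, leading e-mail forwarding characters `>` are stripped, and packets are written one microsecond apart. It also shows the effect of the dummy Ethernet + IP + UDP headers that let a dump of application-level data decode as full frames. The sample dump is constructed from the one shown above plus a second, application-level packet; the MAC and IP addresses in the dummy headers, the names `parse_hexdump`, `add_dummy_headers` and `write_pcap`, and the decision to skip a line whose offset does not match the bytes read so far are this example's own assumptions, not `text2pcap`'s exact behaviour.

```python
"""Added example (not text2pcap's own code): a parser for the offset-prefixed
hexdump format described above, the dummy Ethernet/IPv4/UDP headers text2pcap
can prepend, and a minimal pcap writer. Names, addresses and the sample dump
are this example's own constructions."""
import re
import struct
import tempfile
import time

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_hexdump(text, offset_base=16):
    """Return a list of packets (bytes). An offset is a number longer than two
    digits (hex, or octal with offset_base=8); offset 0 starts a new packet;
    lines without an offset, '#' lines, text between dumps and text after the
    bytes are ignored, as described above."""
    packets, current = [], bytearray()
    for raw in text.splitlines():
        tokens = raw.lstrip(" \t>").split()          # drop e-mail forwarding characters
        if not tokens or tokens[0].startswith("#") or len(tokens[0]) <= 2:
            continue                                 # blank, comment, or bytes without offset
        try:
            offset = int(tokens[0], offset_base)
        except ValueError:
            continue                                 # plain text between dumps
        data = bytearray()
        for tok in tokens[1:]:
            if not HEX_BYTE.match(tok):
                break                                # character dump / trailing text
            data.append(int(tok, 16))
        if offset == 0:
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif offset != len(current):
            continue                                 # inconsistent offset: line skipped (simplification)
        current += data
    if current:
        packets.append(bytes(current))
    return packets

def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def add_dummy_headers(payload, src_port, dst_port):
    """Prepend Ethernet + IPv4 + UDP, as `text2pcap -e 0x0800 -i 17 -u src,dst`
    does, so application-level bytes decode as a full frame. MAC and IP
    addresses are constructed placeholders; UDP checksum 0 means none."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     64, 17, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("000000000001" "000000000002" "0800")   # dst, src, EtherType IPv4
    return eth + ip + udp + payload

def write_pcap(path, packets, first_ts=None):
    """Classic little-endian pcap, Ethernet link type. The first packet gets
    `first_ts` (default: now) and each further one is one microsecond later,
    as described above for dumps without timestamps. Returns bytes written."""
    ts_us = int((time.time() if first_ts is None else first_ts) * 1_000_000)
    with open(path, "wb") as f:
        n = f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1))
        for i, pkt in enumerate(packets):
            sec, usec = divmod(ts_us + i, 1_000_000)
            n += f.write(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return n

SAMPLE_DUMP = """\
# constructed sample: the dump shown above after one e-mail forward, then a second packet
> 000000 00 e0 1e a7 05 6f 00 10 ........
> 000008 5a a0 b9 12 08 00 46 00 ........
> 000010 03 68 00 00 00 00 0a 2e ........
> 000018 ee 33 0f 19 08 7f 0f 19 ........
> 000020 03 80 94 04 00 00 10 01 ........
> 000028 16 a2 0a 00 03 50 00 0c ........
> 000030 01 01 0f 19 03 80 11 01 ........
> 000038
some text between the dumps is ignored
#TEXT2PCAP no directives are implemented, so this line is skipped as a comment
000000 48 65 6c 6c 6f 20 77 6f  Hello wo
000008 72 6c 64 0a              rld.
de ad be ef                     (no leading offset: ignored)
"""

def demo(udp_ports=None, first_ts=1_700_000_000):
    """Convert SAMPLE_DUMP to a pcap file in a temporary directory and return
    (packets, bytes_written); udp_ports=(src, dst) adds the dummy headers."""
    packets = parse_hexdump(SAMPLE_DUMP)
    if udp_ports:
        packets = [add_dummy_headers(p, *udp_ports) for p in packets]
    with tempfile.TemporaryDirectory() as d:
        n = write_pcap(d + "/out.pcap", packets, first_ts)
    return packets, n

if __name__ == "__main__":
    print(demo(udp_ports=(1234, 53)))
```

Without `udp_ports` the parser yields the 56-byte frame from the dump above and the 12-byte `Hello world` packet; with `udp_ports=(1234, 53)` each packet gains 42 bytes of Ethernet, IPv4 and UDP header, and the IPv4 header checksum verifies to zero, so a full-packet decoder will dissect the payload as UDP.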
[#AppToolstext2pcapEx]
.Help information available from `text2pcap`
----
include::text2pcap-h.txt[]
----

[#AppToolsreordercap]
=== __reordercap__: Reorder a capture file

`reordercap` lets you reorder a capture file according to the packets'
timestamps. For more information on `reordercap` consult your local
manual page (`man reordercap`) or
link:{wireshark-man-page-url}reordercap.html[the online version].

[#AppToolsreordercapEx]
.Help information available from `reordercap`
----
include::reordercap-h.txt[]
----

// End of WSUG Appendix Tools