Tshark examples: how to capture and dissect network traffic


This page contains a collection of useful examples for using tshark, the network traffic capture and analysis tool.


Network Traffic Capture

tshark can dump network traffic into a capture file for later processing. For this we need to tell tshark which interface to listen on and which traffic to capture. Here is an example that captures RADIUS authentication traffic:

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap
  • The -f flag specifies a network capture filter (more on filters later). Packets that do not match the expression following -f are not captured at all. In this example, only IP packets coming from or going to UDP port 1812 are captured.
  • The -i flag specifies the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.
  • The -w flag specifies a file where the captured traffic is saved for later processing.

Live capture needs capture privileges on the interface (root, or a dumpcap binary that has been granted them); reading a saved file with -r, as in the later examples, does not.

Network capture rules

Network capture rules or filters, specified with the -f option, tell tshark which packets should be captured. The syntax is the same as tcpdump's (BPF) filter syntax; for details see man pcap-filter (or man tcpdump on older systems). Capture filters are applied before the packets reach tshark's dissectors, so they are the cheapest way to cut down the volume of a capture, whereas the display filters of the next section are evaluated after full dissection. Byte matching is an advanced capture filter technique in tshark that I introduced earlier in Tshark byte matching for selective packet capture.


Packet display rules

Packet display rules or filters, as their name implies, allow you to control which packets tshark displays, whether it is capturing live or reading a capture file. The selection criterion is given with the -R flag followed by a display filter expression. This is a simple example:

tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

This example displays only the IP packets sent by or addressed to the IP address 192.168.0.1.

Note that current tshark releases use -Y for this single-pass display filter and reserve -R for the read filter of two-pass analysis (-2); on those versions replace -R with -Y in the examples on this page.

The filter expression can be a logical combination of other filter expressions. Here is a list of various display filters for your reference (see man wireshark-filter for the full syntax):

“Ethernet address 00:08:15:00:08:15”                    eth.addr == 00:08:15:00:08:15
“Ethernet type 0x0806 (ARP)”                            eth.type == 0x0806
“Ethernet broadcast”                                    eth.addr == ff:ff:ff:ff:ff:ff
“No ARP”                                                not arp
“IP only”                                               ip
“IP address 192.168.0.1”                                ip.addr == 192.168.0.1
“IP address isn't 192.168.0.1, don't use != for this!”  !(ip.addr == 192.168.0.1)
“IPX only”                                              ipx
“TCP only”                                              tcp
“UDP only”                                              udp
“UDP port isn't 53 (not DNS), don't use != for this!”   !(udp.port == 53)
“TCP or UDP port is 80 (HTTP)”                          tcp.port == 80 || udp.port == 80
“HTTP only”                                             http
“No ARP and no DNS”                                     not arp and not (udp.port == 53)
“Non-HTTP and non-SMTP to/from 192.168.0.1”             not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1

The "don't use != for this" warnings matter: ip.addr, tcp.port and udp.port each stand for two fields of a packet (source and destination), so ip.addr != 192.168.0.1 is true whenever either of them differs from 192.168.0.1, which is nearly every packet. Negate the equality instead, as shown above.

Network Traffic Dissection

Tshark can process network capture files and produce output that can be used for analyzing and troubleshooting network protocols. Its dissection capability allows, for example, displaying specific fields of each packet in a capture file.

One of the dissection methods in tshark is the '-z proto,colinfo' option, explained below (from man tshark):

-z proto,colinfo,filter,field

Append all field values for the packet to the Info column
of the one-line summary output. This feature can be
used to append arbitrary fields to the Info column in
addition to the normal content of that column.  field is
the display-filter name of a field which value should
be placed in the Info column. filter is a filter string
that controls for which packets the field value will be
presented in the info column. field will only be presented
in the Info column for the packets which match filter.

NOTE: In order for TShark to be able to extract the
field value from the packet, field MUST be part of the
filter string. If not, TShark will not be able to extract
its value.

For a simple example to add the "nfs.fh.hash" field to the
Info column for all packets containing the "nfs.fh.hash"
field, use

This is a simple example of the “-z proto,colinfo” usage. The command asks tshark to append the source port to the Info column of every TCP packet in the file /tmp/capture.cap (the field name appears twice because, as the man page says, the field must be part of the filter for its value to be extracted):

tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap

Here is a more advanced example:

tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp

The example above asks tshark to append the http.content_type and http.content_length fields to the Info column of every HTTP response packet carrying an image. The result looks like this:

439  12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 35
452  12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 477
479  13.046184 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 105
499  13.075361 203.190.124.6 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 35
506  13.177414 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 4039
514  13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (JPEG JFIF image)  http.content_type == "image/jpeg"  http.content_length == 11997
519  13.231228 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (JPEG JFIF image)  http.content_type == "image/jpeg"  http.content_length == 1033
523  13.273888  72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (PNG)  http.content_type == "image/png"  http.content_length == 1974
561  728  19.096984 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 592
805  19.471444 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 259

The output shown above can be used, for example, to extract statistics on the image types and their sizes in a given HTTP capture.

The command below counts the number of GIF images downloaded over HTTP (grep matches the appended http.content_type value, so each matching summary line is one GIF response):

tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp | grep "image/gif" | wc -l
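As an added example, not part of the original page, the following shell function turns such one-line summaries into per-type statistics: the number of responses and the total bytes for each image content type, which is what the grep | wc -l pipeline only does for one type. The sample lines are constructed from the output shown above, and the function name summarize_images is my own. On current tshark the same two fields can also be emitted as tab-separated columns with -T fields -e http.content_type -e http.content_length, which is easier to parse, but the function below works on the -z proto,colinfo form used on this page.

```sh
#!/bin/sh
# Added example, not from the original page: per-content-type statistics
# for the image responses that "tshark -z proto,colinfo,..." prints.
#
# summarize_images reads tshark one-line summaries on stdin and prints
#   <content_type> <count> <total_bytes>
# one line per type, sorted by type. Lines lacking either appended field
# are ignored, so stray non-HTTP summary lines do not break the count.
summarize_images() {
    awk '
    /http\.content_type == "/ && /http\.content_length == / {
        t = $0
        sub(/.*http\.content_type == "/, "", t)   # drop everything up to the opening quote
        sub(/".*/, "", t)                          # keep only the quoted type
        n = $0
        sub(/.*http\.content_length == /, "", n)  # drop everything up to the number
        sub(/[^0-9].*/, "", n)                     # keep only the leading digits
        count[t]++
        bytes[t] += n
    }
    END {
        for (t in count) printf "%s %d %d\n", t, count[t], bytes[t]
    }' | LC_ALL=C sort
}

# Constructed sample input, taken from the summary lines shown on this page.
SAMPLE='439  12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 35
452  12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 477
479  13.046184 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 105
499  13.075361 203.190.124.6 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 35
506  13.177414 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 4039
514  13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (JPEG JFIF image)  http.content_type == "image/jpeg"  http.content_length == 11997
519  13.231228 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (JPEG JFIF image)  http.content_type == "image/jpeg"  http.content_length == 1033
523  13.273888  72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (PNG)  http.content_type == "image/png"  http.content_length == 1974
561  19.096984 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 592
805  19.471444 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK  (GIF89a)  http.content_type == "image/gif"  http.content_length == 259'

# Typical use against a real capture (needs tshark; -Y is the display filter
# flag on current releases, -R on the older ones this page was written for):
#   tshark -Y 'http.response and http.content_type contains "image"' \
#       -z "proto,colinfo,http.content_length,http.content_length" \
#       -z "proto,colinfo,http.content_type,http.content_type" \
#       -r /tmp/capture.cap | summarize_images

# Run on the constructed sample: prints one line per image type.
printf '%s\n' "$SAMPLE" | summarize_images
```

For the sample above this prints image/gif 7 5542, image/jpeg 2 13030 and image/png 1 1974, one per line. Extracting the values with sub() rather than splitting on whitespace keeps the function correct even if the Info column contains extra spaces or parentheses, as the "(JPEG JFIF image)" lines do.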

Links

Wireless Internet Security Performance RADIUS server