READING CAPTURE FILE

READING PCAP DATA

#reading entire pcap data
root@dco:~$ tshark -r demo.pcapng
    1   0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 
    2   0.911310 65.208.228.223 ? 145.254.160.237 TCP 80 ? 3372 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1 
    3   0.911310 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [ACK] Seq=1 Ack=1 Win=9660 Len=0 
    
#reading by count, show only the first 2 packets.
root@dco:~$ tshark -r demo.pcapng -c 2
    1   0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 
    2   0.911310 65.208.228.223 ? 145.254.160.237 TCP 80 ? 3372 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1

READING SPECIFIC PACKET

root@dco:~$ tshark -r Desktop/exercise-files/demo.pcapng -Y "frame.number == 29"
 29   4.105904 65.208.228.223 ? 145.254.160.237 TCP 1434 80 ? 3372 [PSH, ACK] Seq=12421 Ack=480 Win=6432 Len=1380 [TCP segment of a reassembled PDU]

 * the -Y flag in tshark is used to apply a display filter to the packets 
   being processed. it ensures that only packets matching the given filter 
   expression are displayed

READING AND WRITING FILTERED PCAP DATA

# Read the first packet of the demo.pcapng, create write-demo.pcap and save the first packet there.
root@dco:~$ tshark -r demo.pcapng -c 1 -w write-demo.pcap

# List the contents of the current folder.
root@dco:~$ ls
 demo.pcapng  write-demo.pcap

# Read the write-demo.pcap and show the packet bytes/details.
root@dco:~$ tshark -r write-demo.pcap 
    1   0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1

READING AND DISPLAYING PCAP DATA IN HEX/ASCII

it will be hard to spot anomalies with large data sets. reduce the number of packets prior to analysis

# Read the packets from write-demo.pcap
root@dco:~$ tshark -r write-demo.pcap 
    1   0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 

# Read the packets from write-demo.pcap and show the packet bytes/details.
root@dco:~$ tshark -r write-demo.pcap -x
0000  fe ff 20 00 01 00 00 00 01 00 00 00 08 00 45 00   .. ...........E.
0010  00 30 0f 41 40 00 80 06 91 eb 91 fe a0 ed 41 d0   .0.A@.........A.
0020  e4 df 0d 2c 00 50 38 af fe 13 00 00 00 00 70 02   ...,.P8.......p.
0030  22 38 c3 0c 00 00 02 04 05 b4 01 01 04 02         "8............

READING AND DISPLAYING PACKET DETAILS

displaying full packet details makes it difficult to investigate long and complex terminal output for each packet; however, this is helpful for in-depth packet analysis and scripting. only use the verbosity level after filtering the packets

# Default view
root@dco:~$ tshark -r demo.pcapng -c 1
    1   0.000000 145.254.160.237 ? 65.208.228.223 TCP 3372 ? 80 [SYN] Seq=0 Win=8760 Len=0 MSS=1460 SACK_PERM=1 

# Verbosity
root@dco:~$ tshark -r demo.pcapng -c 1 -V
Frame 1: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
...
Ethernet II, Src: 00:00:01:00:00:00, Dst: fe:ff:20:00:01:00
...
Internet Protocol Version 4, Src: 145.254.160.237, Dst: 65.208.228.223
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Total Length: 48
    Identification: 0x0f41 (3905)
    Flags: 0x4000, Don't fragment
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Source: 145.254.160.237
    Destination: 65.208.228.223
Transmission Control Protocol, Src Port: 3372, Dst Port: 80, Seq: 0, Len: 0
 ...
PreviousCAPTURE FILTERSNextDISPLAY FILTERS

Last updated