Analyse .PCAP files with TShark

I was recently looking at analysing packet data captured as a .pcap file and to filter information to standard output in the form of a .csv file.  I was able to do this using the TShark executable within the Wireshark installation directory (http://www.wireshark.org/download.html).

My requirements were to filter the following information from the capture file:

Arrival Time, Source IPv4 address, Destination IPv4 address, Source Port, Destination Port, Header Length, Sequence number, Acknowledgment number, Acknowledgment flag, Push flag, Reset flag, Syn flag, Fin flag, Stream Index.

In order to filter this information I will need to specify the relevant field names that correspond to the above information, a full list of filters can be found at http://www.wireshark.org/docs/dfref/, but the below is what I will be using to filter from the capture file:

Field Name Description Type
frame.number Frame Number Unsigned integer, 4 bytes
frame.time Arrival Time Date and Time
ip.src Source IPv4 address
ip.dst Destination IPv4 address
tcp.srcport Source Port Unsigned integer, 2 bytes
tcp.dstport Destination Port Unsigned integer, 2 bytes
tcp.len Header Length Unsigned integer, 1 byte
tcp.seq Sequence number Unsigned integer, 4 bytes
tcp.ack Acknowledgment number Unsigned integer, 4 bytes
tcp.flags.ack Acknowledgment Boolean
tcp.flags.push Push Boolean
tcp.flags.reset Reset Boolean
tcp.flags.syn Syn Boolean
tcp.flags.fin Fin Boolean
tcp.stream Stream Index Unsigned integer, 4 bytes

As we are specifying filters we will need to state fields as the format of the text output (-T).  Also, our preferred output is to a .csv file, we will specify the output options (-E) to be as follows:

Output Option Description
separator “,” Select , as a separator.
header=y Switch headers on
quote=d Select double quotes for values.

So how do I put this into a command line? Well as I am reading a capture file I will need to specify the -r argument to the filename and then pipe this output to a .csv file as below:

tshark.exe –r <.pcap> -e frame.number –e frame.time –e ip.src –e ip.dst –e tcp.srcport –e tcp.dstport –e tcp.len –e tcp.seq –e tcp.ack –e tcp.flags.acks –e tcp.flags.push –e tcp.flags.reset –e tcp.flags.syn –e tcp.flags.fin –e tcp.stream –Tfields  -E separator=”,” –E header=y –E quote=d > <.csv>

From the output I will be able to analyse the information filtered, where header will match the field name.

As the capture was performed in Wireshark, the internal Stream Index (tcp.stream) reference becomes extremely useful as this allows for the TCP conversation to be followed.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s