You can do pretty nifty things with tshark. The absolute life saver is tshark's ability to dump to a csv/tsv file using a user specified display filter.
As an example, I'd like to point out some packet retransmission issues to my provider in a nice (manager friendly) spreadsheet. Here we go:
Manager friendly output:
ip.src | tcp.srcport | ip.dst | tcp.dstport | tcp.flags.syn | tcp.flags.ack | tcp.flags.push | tcp.flags.reset | tcp.analysis.bytes_in_flight | tcp.len |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 1 | 0 | 0 | 0 | 0 | |
e.f.g.h7 | 9999 | a.b.c.d | 8645 | 1 | 1 | 0 | 0 | 0 | |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 0 | 1 | 0 | 0 | 0 | |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 0 | 1 | 1 | 0 | 168 | 168 |
e.f.g.h7 | 9999 | a.b.c.d | 8645 | 0 | 1 | 0 | 0 | 0 | |
e.f.g.h7 | 9999 | a.b.c.d | 8645 | 0 | 1 | 1 | 0 | 1154 | 1154 |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 0 | 1 | 0 | 0 | 0 | |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 0 | 1 | 0 | 0 | 1448 | 1448 |
a.b.c.d | 8645 | e.f.g.h7 | 9999 | 0 | 1 | 1 | 0 | 1502 | 54 |
e.f.g.h7 | 9999 | a.b.c.d | 8645 | 0 | 1 | 0 | 0 | 0 | |
How do we get there?
1. Identify the fields that you want. A Wireshark display filter cheat-sheet is a good place to start. You can home in on the fields that you want by firing up Wireshark and using the expression builder (the button right next to the filter input box) and then selecting the protocol that you want.
2. Choose your TCP stream.
3. Assemble your command. The one used to display the output above is:
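As an added example (not the author's own command), here is a small Python helper that assembles the tshark argv for the exact columns of the spreadsheet above and reads the field dump back into rows. The capture path, the `tcp.stream` filter and the "earlier data still unacknowledged" flagging rule are assumptions, and the sample output is constructed rather than captured.

```python
"""Assemble a tshark field-dump command and read back its output (added example)."""
import csv
import io
import subprocess
from typing import Dict, List

# The columns of the spreadsheet above, in order.
FIELDS = ["ip.src", "tcp.srcport", "ip.dst", "tcp.dstport",
          "tcp.flags.syn", "tcp.flags.ack", "tcp.flags.push", "tcp.flags.reset",
          "tcp.analysis.bytes_in_flight", "tcp.len"]

def build_tshark_cmd(pcap: str, display_filter: str, fields: List[str] = FIELDS,
                     separator: str = "/t") -> List[str]:
    """argv for tshark: -r reads the capture, -Y applies the display filter, -T fields
    with one -e per column, -E header=y emits a header row; separator is '/t' (tab),
    '/s' (space) or a single character such as ','."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", f"separator={separator}"]
    for field in fields:
        cmd += ["-e", field]
    return cmd

def run_dump(pcap: str, display_filter: str) -> str:
    """Run tshark (must be installed) and return its raw text output."""
    return subprocess.run(build_tshark_cmd(pcap, display_filter),
                          check=True, capture_output=True, text=True).stdout

def parse_dump(text: str, delimiter: str = "\t") -> List[Dict[str, str]]:
    """Turn the header+rows output into one dict per packet, keyed by field name."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))

def outstanding_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Packets whose bytes_in_flight exceed their own payload: data sent earlier on this
    stream had not yet been acknowledged when this segment went out (assumed flagging rule)."""
    out = []
    for r in rows:
        in_flight = int(r["tcp.analysis.bytes_in_flight"] or 0)
        payload = int(r["tcp.len"] or 0)
        if in_flight > payload:
            out.append(r)
    return out

# Constructed sample in the shape tshark prints with separator=/t (not real output).
SAMPLE = "\n".join([
    "\t".join(FIELDS),
    "a.b.c.d\t8645\te.f.g.h\t9999\t1\t0\t0\t0\t0\t",
    "a.b.c.d\t8645\te.f.g.h\t9999\t0\t1\t1\t0\t168\t168",
    "e.f.g.h\t9999\ta.b.c.d\t8645\t0\t1\t1\t0\t1154\t1154",
    "a.b.c.d\t8645\te.f.g.h\t9999\t0\t1\t1\t0\t1502\t54",
]) + "\n"

if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("capture.pcap", "tcp.stream eq 0")))
    for r in outstanding_rows(parse_dump(SAMPLE)):
        print(r["ip.src"], r["tcp.analysis.bytes_in_flight"], "in flight, payload", r["tcp.len"])
```

Swap `separator="/t"` for `","` and pass `delimiter=","` to `parse_dump` to get the csv variant the post mentions.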