TSHARK Field Extraction

posted in: Tutorial, Wireshark

For those of you who don’t know what TSHARK is, you are missing out on a very powerful program. TSHARK is essentially a command line version of Wireshark. Now, why is this important? When dealing with very large PCAP files, Wireshark tends to choke on the file processing. Enter TSHARK. It can quickly go through a large PCAP file, apply a filter and write out a smaller PCAP containing just the packets that match your Wireshark filter. That alone is great, but it only scratches the surface of what TSHARK can do.

Let’s take a look at the -T option of TSHARK. According to the TSHARK manual page, the -T option changes the format of TSHARK’s text output. If you run TSHARK with -T fields, it will print individual fields from each packet. What does that mean? Look at the screenshot below. Each of the items in the packet details pane is a field that you can tell TSHARK to output.

Screenshot 1

Now, where TSHARK becomes really powerful is when you combine it with the Linux command line’s text manipulation tools like grep, sort, uniq, sed or gawk. Say, for example, you wanted a list of all the destination IP addresses in a particular PCAP file and how many packets were sent to each one. Run the command below:

tshark -r http.pcap -T fields -e ip.dst | sort | uniq -c

So what does each of those command switches do? The -r switch reads in an existing PCAP file. The -T switch we’ve already talked about, but I made sure to use the fields format to tell it I wanted specific fields to be output, and finally the -e option tells TSHARK which fields you want output. If I were to run just the TSHARK part of the command, I would get the destination IP address of every packet in the http.pcap file. That’s fine, but what I’ve done is pipe that list into sort and uniq -c, which counts the unique IP addresses and the number of times each IP address shows up in the PCAP.

In the example above we only looked at one field, but what if you want to see more than one field from each packet? That’s pretty easy as well: just add multiple -e flags, one for each field you want to see. So, for example, if you wanted to see the source IP, source port, destination IP and destination port all together, you would run something like this:

tshark -r http.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
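Here is an added example, not part of the original post, that shows the same sort | uniq -c counting applied to the four-field output of the command above. TSHARK separates -e fields with a tab by default, so the sample lines are built with printf; they are constructed sample output (assumed addresses and ports, not taken from any real http.pcap) so the script runs without TSHARK installed. The count_dst function reproduces the single-field count from earlier in the post, and count_conversations extends it to (source IP, destination IP, destination port) triples to show which hosts talked to which services. Both functions drop empty fields, which is what you get for packets that carry no IP header at all (ARP, for instance) and which would otherwise show up as a blank line with its own count.

```shell
#!/bin/sh
# Constructed sample of the output of:
#   tshark -r http.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
# One packet per line, fields separated by tabs (tshark's default for -T fields).
# The fourth line stands in for a packet without an IP header: every field is empty.
sample_fields() {
    printf '10.0.0.5\t51234\t93.184.216.34\t80\n'
    printf '10.0.0.5\t51234\t93.184.216.34\t80\n'
    printf '93.184.216.34\t80\t10.0.0.5\t51234\n'
    printf '\t\t\t\n'
    printf '10.0.0.7\t44000\t198.51.100.9\t443\n'
    printf '10.0.0.5\t51235\t93.184.216.34\t80\n'
}

# Count packets per destination IP (third column), most frequent first.
# grep -v '^$' discards packets that had no ip.dst value.
# Output: "<ip> <count>" per line.
count_dst() {
    cut -f3 | grep -v '^$' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Count packets per (src IP, dst IP, dst port) triple, most frequent first.
# Output: "<src> -> <dst>:<port> <count>" per line.
count_conversations() {
    cut -f1,3,4 | grep -v '^[[:space:]]*$' | sort | uniq -c | sort -rn \
        | awk '{printf "%s -> %s:%s %s\n", $2, $3, $4, $1}'
}

# With a real capture you would replace sample_fields with the tshark command itself:
#   tshark -r http.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | count_dst
sample_fields | count_dst
sample_fields | count_conversations
```

The sort -rn step is what turns uniq -c into a quick triage view: the busiest destinations float to the top, which is usually where you want to start looking in a large capture.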

Well, I hope you learned something from this little tutorial. I was asked by one of my students to create a video on this very topic. I thought it was such an important topic that I posted the video tutorial on YouTube as well as including it in my Wireshark Crash Course. See the video below.
