Wednesday, October 22, 2014

The Power of tshark, Part 2

To expand on our example looking for ICMP type 3 packets, let's narrow that filter down to one specific code of Destination Unreachable message. If we look at the IANA ICMP parameters list, we see that there are 15 codes that can be set with type 3. Some of the more common ones are code 4 (Fragmentation Needed and Don't Fragment was Set), code 7 (Destination Host Unknown) and code 10 (Communication with Destination Host is Administratively Prohibited). Let's add code 4 to our tshark display filter.

tshark -r packets1.pcap -Y "icmp.type == 3 and icmp.code == 4"
501732 194.413516 -> ICMP 70 Destination unreachable (Fragmentation needed)
507176 196.247873 -> ICMP 70 Destination unreachable (Fragmentation needed)

Our output looks the same, with one difference. We're now seeing only ICMP messages that are type 3 and code 4, instead of all destination unreachables.

We've been using the default fields that tshark displays, but we can specify which fields to see if we wish. In the case of ICMP there wasn't much reason to, as the default output is concise and shows us just what we need anyway. But when looking at other types of packets, we might want to limit the fields to specific data we need, or we may be looping through a large number of packets and pulling out just certain fields we wish to report on, like the IP addresses that generate a certain HTTP status code or just the IPs that generated traffic to a certain port or host.

tshark -n -r packets1.pcap -Y "tcp.port == 80"

16714   6.578480 -> HTTP 471 HTTP/1.1 200 OK  (text/html)
16715   6.579366 -> TCP 60 3786→80 [ACK] Seq=221 Ack=1846 Win=65071 Len=0
16716   6.579611 -> TCP 60 3786→80 [FIN, ACK] Seq=221 Ack=1846 Win=65071 Len=0
16717   6.580180 -> TCP 62 3787→80 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1
16720   6.582334 -> TCP 1434 [TCP segment of a reassembled PDU]
16721   6.582384 -> TCP 1434 [TCP segment of a reassembled PDU]
16722   6.582828 -> TCP 1434 [TCP segment of a reassembled PDU]
16724   6.583013 -> TCP 1434 [TCP segment of a reassembled PDU]
16725   6.583020 -> TCP 1434 [TCP segment of a reassembled PDU]
16729   6.583194 -> TCP 60 [TCP Window Update] 45932→80 [ACK] Seq=882 Ack=113388 Win=17817 Len=0

To narrow this down to just source IP and port and destination IP and port, we need to tell tshark that we want to display only certain fields, using the "-T" parameter. Its argument is the output format: "fields", or one of pdml, ps, psml or text.
After "-T fields", each "-e" parameter names one field to display, and the columns come out in the order the "-e" parameters are given. The source IP field is "ip.src", the source port field is "tcp.srcport" and the destination IP and port are, as expected, "ip.dst" and "tcp.dstport".

With these options added, our output is narrowed down to the four fields of interest for this run.

tshark -n -r packets1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y "tcp.port == 80"

    19248        80
    19248        80
    80           3743
    80           45870
    80           36719
    80           36719
    80           36719
    5925         80
    5925         80
    45870        80
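The point of "-T fields" is that the output is easy to feed into another tool. The following Python script is an added example, not code from the original post: it reads tab-separated "-T fields" lines in the column order used above (ip.src, tcp.srcport, ip.dst, tcp.dstport) and reports which source hosts sent packets to which destination host and port, which is the kind of "who talked to port 80" question the text describes. It also counts lines whose IP or TCP columns are empty, because tshark emits empty columns for a packet that matches the display filter but lacks that field, and a naive script would misalign on them. The sample input is constructed with RFC 5737 documentation addresses and is not from the post's capture; the script name in the usage note is hypothetical.

```python
"""Summarise tshark '-T fields' output: which source hosts talked to which
destination host and port.

Expected producer (run separately; not executed here):
  tshark -n -r packets1.pcap -T fields -e ip.src -e tcp.srcport \
         -e ip.dst -e tcp.dstport -Y "tcp.port == 80"
Columns arrive tab-separated, one packet per line, in -e order.
"""
from collections import Counter, defaultdict
import sys

# Constructed sample of tshark field output (documentation addresses, not
# from the post). The last line mimics a packet with no IP/TCP fields, which
# tshark prints as empty columns.
SAMPLE = (
    "192.0.2.10\t19248\t198.51.100.5\t80\n"
    "192.0.2.10\t19248\t198.51.100.5\t80\n"
    "198.51.100.5\t80\t192.0.2.10\t19248\n"
    "192.0.2.11\t5925\t198.51.100.5\t80\n"
    "192.0.2.12\t45870\t203.0.113.7\t80\n"
    "\t\t\t\n"
)

FIELDS = ("ip.src", "tcp.srcport", "ip.dst", "tcp.dstport")


def parse_fields(text, fields=FIELDS, sep="\t"):
    """Yield one dict per line keyed by field name; empty columns become None.

    Lines are split on the separator without stripping, so a trailing empty
    column (e.g. no tcp.dstport) still counts as a column.
    """
    for raw in text.splitlines():
        cols = raw.split(sep)
        if len(cols) != len(fields):
            # Column count mismatch (wrong -E separator, truncated line):
            # skip rather than silently shift values into the wrong field.
            continue
        yield {name: (value or None) for name, value in zip(fields, cols)}


def summarise(records):
    """Return (packets, sources, skipped).

    packets: Counter of packets per (dst_ip, dst_port)
    sources: set of source IPs seen per (dst_ip, dst_port)
    skipped: lines lacking an IP address or TCP destination port
    """
    packets = Counter()
    sources = defaultdict(set)
    skipped = 0
    for r in records:
        if not (r["ip.src"] and r["ip.dst"] and r["tcp.dstport"]):
            skipped += 1
            continue
        key = (r["ip.dst"], int(r["tcp.dstport"]))
        packets[key] += 1
        sources[key].add(r["ip.src"])
    return packets, sources, skipped


def report(text=SAMPLE):
    """Render the summary as one line per destination, busiest first."""
    packets, sources, skipped = summarise(parse_fields(text))
    lines = []
    for (dst, port), n in sorted(packets.items(), key=lambda kv: -kv[1]):
        srcs = ", ".join(sorted(sources[(dst, port)]))
        lines.append(f"{dst}:{port}\t{n} packets\tfrom {srcs}")
    lines.append(f"{skipped} lines skipped (missing ip/tcp fields)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read real tshark output from a pipe; fall back to the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(data))
```

Run it against a real capture by piping the tshark command from the docstring into it, e.g. "tshark -n -r packets1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y 'tcp.port == 80' | python3 summarise.py". If you change the separator with tshark's "-E separator=," option, pass the same character as the sep argument to parse_fields, and keep the FIELDS tuple in the same order as your "-e" parameters.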

Next post we'll use more display filters to build our custom output and look at tshark's ability to produce statistics from the command line.
