If you want to perform any form of packet analysis/reporting there is, really, only one program to use. Yep you guessed it, Wireshark.
However, as Wireshark is a GUI-based program, this raises the question: how do you build a packet analysis report from the command line?
Within this article we will show you two programs (TShark and Capinfos) that can be used to obtain packet and traffic statistics from the command line. The examples will center around obtaining the following:
- TCP conversations (TShark)
- Packet lengths statistics (TShark)
- Data rates (Capinfos)
NOTE: Both of these programs are bundled with the Wireshark installation.
TShark
TShark can be thought of as the CLI version of Wireshark. Because of this, there is a vast number of options available for analyzing your packets. Within this article we will show two examples: a TCP conversations report and a packet length report.
TCP Conversations
```
C:\Users\felix001>"C:\Program Files\Wireshark\tshark.exe" -nr capture1004.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.200.63:49364  <-> 172.16.216.100:3306    15218   1784287   15135   1857941   30353   3642228     0.000000000         4.3523
88.88.88.10:3577     <-> 172.16.200.129:443      4163   5957134    2245    137272    6408   6094406     0.049319000         4.2591
82.155.33.19:2551    <-> 172.16.200.129:443      1013   1446922     545     33332    1558   1480254     0.744374000         2.7746
94.11.22.33:50865    <-> 172.16.201.3:443         942   1341664     337     20355    1279   1362019     0.685091000         3.2282
91.12.12.250:49216   <-> 172.16.201.2:33394       380    144836     217     13070     597    157906     0.000619000         4.3430
94.11.22.33:51138    <-> 172.16.201.4:443         427    607561     156      9414     583    616975     0.790139000         3.1749
```
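TShark prints the conversation table but leaves ranking and throughput to you. As an added example that is not part of the original article, here is a small Python parser for the `-z conv,tcp` table format shown above; the sample rows are copied from that output, and the `Conversation`/`parse_conv_tcp`/`top_by_bytes` names are my own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the first three data rows of the `tshark -q -z conv,tcp`
# output above, laid out as TShark prints them (header block, rows, rule line).
SAMPLE = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.200.63:49364  <-> 172.16.216.100:3306    15218   1784287   15135   1857941   30353   3642228     0.000000000         4.3523
88.88.88.10:3577     <-> 172.16.200.129:443      4163   5957134    2245    137272    6408   6094406     0.049319000         4.2591
82.155.33.19:2551    <-> 172.16.200.129:443      1013   1446922     545     33332    1558   1480254     0.744374000         2.7746
================================================================================
"""

@dataclass
class Conversation:
    a: str
    b: str
    frames_to_a: int   # "<-" column: traffic flowing toward endpoint A
    bytes_to_a: int
    frames_to_b: int   # "->" column: traffic flowing toward endpoint B
    bytes_to_b: int
    frames: int
    total_bytes: int
    rel_start: float   # seconds after the first frame in the capture
    duration: float    # seconds

    def mbps(self) -> float:
        """Average throughput over the conversation's lifetime, in Mbit/s."""
        return 0.0 if self.duration == 0 else self.total_bytes * 8 / self.duration / 1e6

def parse_conv_tcp(text: str) -> list[Conversation]:
    """Parse the data rows of a conv,tcp table; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 11 or parts[1] != "<->":
            continue  # not a conversation row (header, rule, or blank line)
        a, _, b, *nums = parts
        rows.append(Conversation(a, b, *map(int, nums[:6]), float(nums[6]), float(nums[7])))
    return rows

def top_by_bytes(convs: list[Conversation], n: int = 3) -> list[Conversation]:
    """Rank conversations by total bytes, largest first."""
    return sorted(convs, key=lambda c: c.total_bytes, reverse=True)[:n]

if __name__ == "__main__":
    for c in top_by_bytes(parse_conv_tcp(SAMPLE)):
        print(f"{c.a} <-> {c.b}: {c.total_bytes} B, {c.mbps():.2f} Mbit/s")
```

Pipe the real TShark output into `parse_conv_tcp` via `sys.stdin.read()` to rank the conversations of your own capture.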
Packet Lengths
```
C:\Users\felix001>"C:\Program Files\Wireshark\tshark" -nr capture1004.pcap -q -z plen,tree
===================================================================
Packet Lengths         value        rate      percent
-------------------------------------------------------------------
Packet Lengths        205240    47.153763
 0-19                      0     0.000000     0.00%
 20-39                     0     0.000000     0.00%
 40-79                148616    34.144436    72.41%
 80-159                32100     7.374955    15.64%
 160-319               14189     3.259914     6.91%
 320-639                1429     0.328312     0.70%
 640-1279                219     0.050315     0.11%
 1280-2559              8687     1.995833     4.23%
 2560-5119                 0     0.000000     0.00%
 5120-4294967295           0     0.000000     0.00%
===================================================================
```
TIP: To see all the available statistics, run TShark with `-q -z` and no statistic name. The command is incomplete, so TShark responds by listing every option that `-z` accepts.
Capinfos
Capinfos is a program that takes one or more capture files as input and returns a range of statistics about them, such as data and packet rates.
```
C:\Users\felix001>"C:\Program Files\Wireshark\capinfos.exe" capture1004.pcap
File name:           C:\Users\felix001\capture1004.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   205 k
File size:           31 MB
Data size:           28 MB
Capture duration:    4 seconds
Start time:          Tue Nov 18 14:09:00 2014
End time:            Tue Nov 18 14:09:05 2014
Data byte rate:      6526 kBps
Data bit rate:       52 Mbps
Average packet size: 138.41 bytes
Average packet rate: 47 kpackets/sec
SHA1:                30243e634ee726d437018adbf8f4a2e345563dc5
RIPEMD160:           ff59ae28b493a6d8b1309b86b8b594bc3ec3d966
MD5:                 e60856756875b96981e811f230271b39
Strict time order:   True
```