
How to Build Packet Analysis Reports via the CommandLine

If you want to perform any form of packet analysis/reporting there is, really, only one program to use. Yep you guessed it, Wireshark.

However, as Wireshark is a GUI-based program, it raises the question:

How do you build a packet analysis report via the command line?

Within this article we will show you 2 programs (TShark/Capinfos) that can be used to obtain packet and traffic statistics via the command line. The examples will center around obtaining the following:

  • TCP conversations (TShark)
  • Packet lengths statistics (TShark)
  • Data rates (Capinfos)

NOTE Both of these programs are bundled with the Wireshark installation.

TShark

TShark can be thought of as the CLI version of Wireshark. Because of this there is a vast number of options available for analyzing your packets. Within this article we will show 2 examples, in order to display a TCP conversations report and a packet length report.

TCP Conversations

C:\Users\felix001>"C:\Program Files\Wireshark\tshark.exe" -nr capture1004.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.200.63:49364  <-> 172.16.216.100:3306    15218   1784287   15135   1857941   30353   3642228     0.000000000         4.3523
88.88.88.10:3577     <-> 172.16.200.129:443      4163   5957134    2245    137272    6408   6094406     0.049319000         4.2591
82.155.33.19:2551    <-> 172.16.200.129:443      1013   1446922     545     33332    1558   1480254     0.744374000         2.7746
94.11.22.33:50865    <-> 172.16.201.3:443         942   1341664     337     20355    1279   1362019     0.685091000         3.2282
91.12.12.250:49216   <-> 172.16.201.2:33394       380    144836     217     13070     597    157906     0.000619000         4.3430
94.11.22.33:51138    <-> 172.16.201.4:443         427    607561     156      9414     583    616975     0.790139000         3.1749
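The conv,tcp table above is plain text, so turning it into a reusable report takes a small parser. The following is an added example, not code from the original article: it parses rows in that layout into dicts, adds the share of bytes sent by the left-hand endpoint, and renders a CSV sorted by total bytes; the sample text is constructed from the first two rows above.

```python
import csv
import io
import re

# Constructed sample: two rows of a `tshark -q -z conv,tcp` report,
# laid out exactly like the output shown above.
SAMPLE_REPORT = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
172.16.200.63:49364  <-> 172.16.216.100:3306    15218   1784287   15135   1857941   30353   3642228     0.000000000         4.3523
88.88.88.10:3577     <-> 172.16.200.129:443      4163   5957134    2245    137272    6408   6094406     0.049319000         4.2591
"""

ROW_RE = re.compile(
    r"^(?P<a>\S+)\s+<->\s+(?P<b>\S+)"                   # endpoint A <-> endpoint B
    r"\s+(?P<frames_rev>\d+)\s+(?P<bytes_rev>\d+)"      # '<-' column: B to A
    r"\s+(?P<frames_fwd>\d+)\s+(?P<bytes_fwd>\d+)"      # '->' column: A to B
    r"\s+(?P<frames>\d+)\s+(?P<bytes>\d+)"              # Total column
    r"\s+(?P<start>\d+\.\d+)\s+(?P<duration>\d+\.\d+)\s*$"  # relative start, duration (s)
)
INT_FIELDS = ("frames_rev", "bytes_rev", "frames_fwd", "bytes_fwd", "frames", "bytes")


def parse_conv_tcp(report: str) -> list:
    """Parse the conv,tcp table into dicts, skipping banner, header and ruler lines."""
    rows = []
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for k in INT_FIELDS:
            row[k] = int(row[k])
        row["start"], row["duration"] = float(row["start"]), float(row["duration"])
        # Share of bytes sent by A; near 1.0 on an internal client means it is
        # mostly uploading, which is worth highlighting in a triage report.
        row["fwd_share"] = row["bytes_fwd"] / row["bytes"] if row["bytes"] else 0.0
        rows.append(row)
    return rows


def to_csv(rows: list) -> str:
    """Render rows, largest conversation first, as CSV for archiving or further analysis."""
    cols = ["a", "b", *INT_FIELDS, "start", "duration", "fwd_share"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    w.writeheader()
    w.writerows(sorted(rows, key=lambda r: r["bytes"], reverse=True))
    return buf.getvalue()
```

Feed it the captured stdout of `tshark -nr <file> -q -z conv,tcp` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) to build the report from a live capture file.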

Packet Lengths

C:\Users\felix001>"C:\Program Files\Wireshark\tshark" -nr capture1004.pcap -q -z plen,tree
===================================================================
Packet Lengths          value          rate         percent
-------------------------------------------------------------------
Packet Lengths        205240      47.153763
  0-19                       0       0.000000           0.00%
  20-39                      0       0.000000           0.00%
  40-79                 148616      34.144436          72.41%
  80-159                 32100       7.374955          15.64%
  160-319                14189       3.259914           6.91%
  320-639                 1429       0.328312           0.70%
  640-1279                 219       0.050315           0.11%
  1280-2559               8687       1.995833           4.23%
  2560-5119                  0       0.000000           0.00%
  5120-4294967295            0       0.000000           0.00%
===================================================================

TIP To see all available options, run TShark with -q -z and no argument. In essence this is an incomplete command, but it results in TShark showing you all the available statistics options.

Capinfos

Capinfos is a program that takes one or more capture files as input and returns a range of statistics, such as data and packet rates.

C:\Users\felix001>"C:\Program Files\Wireshark\capinfos.exe" capture1004.pcap
File name:           C:\Users\felix001\capture1004.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   205 k
File size:           31 MB
Data size:           28 MB
Capture duration:    4 seconds
Start time:          Tue Nov 18 14:09:00 2014
End time:            Tue Nov 18 14:09:05 2014
Data byte rate:      6526 kBps
Data bit rate:       52 Mbps
Average packet size: 138.41 bytes
Average packet rate: 47 kpackets/sec
SHA1:                30243e634ee726d437018adbf8f4a2e345563dc5
RIPEMD160:           ff59ae28b493a6d8b1309b86b8b594bc3ec3d966
MD5:                 e60856756875b96981e811f230271b39
Strict time order:   True

Tags: TCP, Wireshark, TShark

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001