If you want to perform any form of packet analysis or reporting there is, really, only one program to use. Yep, you guessed it: Wireshark.
However, as Wireshark is a GUI-based program, it raises the question:
How do you build a packet analysis report via the command line?
Within this article we will show you 2 programs (TShark and Capinfos) that can be used to obtain packet and traffic statistics via the command line. The examples will center around obtaining the following:
- TCP conversations (TShark)
- Packet lengths statistics (TShark)
- Data rates (Capinfos)
NOTE: Both of these programs are bundled with the Wireshark installation.
TShark
TShark can be thought of as the CLI version of Wireshark, so it offers a vast number of options for analysing your packets. Within this article we will show 2 examples: a TCP conversations report and a packet length report.
TCP Conversations
C:\Users\felix001>"C:\Program Files\Wireshark\tshark.exe" -nr capture1004.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                             |       <-      | |       ->      | |     Total     |   Relative  |  Duration  |
                                             | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |    Start    |            |
172.16.200.63:49364 <-> 172.16.216.100:3306    15218  1784287   15135  1857941   30353  3642228   0.000000000     4.3523
88.88.88.10:3577 <-> 172.16.200.129:443         4163  5957134    2245   137272    6408  6094406   0.049319000     4.2591
82.155.33.19:2551 <-> 172.16.200.129:443        1013  1446922     545    33332    1558  1480254   0.744374000     2.7746
94.11.22.33:50865 <-> 172.16.201.3:443           942  1341664     337    20355    1279  1362019   0.685091000     3.2282
91.12.12.250:49216 <-> 172.16.201.2:33394        380   144836     217    13070     597   157906   0.000619000     4.3430
94.11.22.33:51138 <-> 172.16.201.4:443           427   607561     156     9414     583   616975   0.790139000     3.1749
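The conversation table is easy to read but awkward to sort or filter by hand. Here is an added Python example (not part of the original article) that parses the `-z conv,tcp` output into records and ranks the top talkers; the sample text is a constructed excerpt of the output shown above, and the throughput figure is derived from the Total bytes and Duration columns.

```python
import re
from dataclasses import dataclass
# Constructed sample: an excerpt of the `tshark -q -z conv,tcp` output shown above,
# trimmed to three conversations.
SAMPLE_CONV = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                             |       <-      | |       ->      | |     Total     |   Relative  |  Duration  |
                                             | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |    Start    |            |
172.16.200.63:49364 <-> 172.16.216.100:3306    15218  1784287   15135  1857941   30353  3642228   0.000000000     4.3523
88.88.88.10:3577 <-> 172.16.200.129:443         4163  5957134    2245   137272    6408  6094406   0.049319000     4.2591
82.155.33.19:2551 <-> 172.16.200.129:443        1013  1446922     545    33332    1558  1480254   0.744374000     2.7746
================================================================================
"""

# One data row: two endpoints, the six counters (<- frames/bytes, -> frames/bytes,
# total frames/bytes), then relative start and duration. Header lines never match.
ROW = re.compile(
    r"^(?P<a>\S+) <-> (?P<b>\S+)\s+(?P<in_f>\d+)\s+(?P<in_b>\d+)\s+(?P<out_f>\d+)\s+"
    r"(?P<out_b>\d+)\s+(?P<frames>\d+)\s+(?P<total_b>\d+)\s+[\d.]+\s+(?P<duration>[\d.]+)$"
)

@dataclass
class Conversation:
    a: str
    b: str
    in_bytes: int     # bytes b -> a (the "<-" column)
    out_bytes: int    # bytes a -> b (the "->" column)
    frames: int
    total_bytes: int
    duration: float   # seconds
    @property
    def mbps(self) -> float:
        # Average throughput over the conversation's lifetime, in Mbit/s.
        return self.total_bytes * 8 / self.duration / 1e6 if self.duration else 0.0

def parse_conv_tcp(text: str) -> list[Conversation]:
    convs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            convs.append(Conversation(m["a"], m["b"], int(m["in_b"]), int(m["out_b"]),
                                      int(m["frames"]), int(m["total_b"]), float(m["duration"])))
    return convs

def top_talkers(convs: list[Conversation], n: int = 3) -> list[Conversation]:
    # Rank by total bytes: the usual first cut of a traffic report.
    return sorted(convs, key=lambda c: c.total_bytes, reverse=True)[:n]
```

Feed it the saved output of the real command (for example, redirected to a file) instead of the constructed sample to report on your own capture.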
Packet Lengths
C:\Users\felix001>"C:\Program Files\Wireshark\tshark" -nr capture1004.pcap -q -z plen,tree
===================================================================
Packet Lengths            value     rate        percent
-------------------------------------------------------------------
Packet Lengths           205240    47.153763
 0-19                         0     0.000000    0.00%
 20-39                        0     0.000000    0.00%
 40-79                   148616    34.144436   72.41%
 80-159                   32100     7.374955   15.64%
 160-319                  14189     3.259914    6.91%
 320-639                   1429     0.328312    0.70%
 640-1279                   219     0.050315    0.11%
 1280-2559                 8687     1.995833    4.23%
 2560-5119                    0     0.000000    0.00%
 5120-4294967295              0     0.000000    0.00%
===================================================================
TIP: To see all statistics options, run tshark with -q -z and no argument. This is an incomplete command, but TShark responds by listing all the available -z options.
Capinfos
Capinfos is a program that takes one or more capture files as input and returns a range of statistics, such as data and packet rates.
C:\Users\felix001>"C:\Program Files\Wireshark\capinfos.exe" capture1004.pcap
File name:           C:\Users\felix001\capture1004.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   205 k
File size:           31 MB
Data size:           28 MB
Capture duration:    4 seconds
Start time:          Tue Nov 18 14:09:00 2014
End time:            Tue Nov 18 14:09:05 2014
Data byte rate:      6526 kBps
Data bit rate:       52 Mbps
Average packet size: 138.41 bytes
Average packet rate: 47 kpackets/sec
SHA1:                30243e634ee726d437018adbf8f4a2e345563dc5
RIPEMD160:           ff59ae28b493a6d8b1309b86b8b594bc3ec3d966
MD5:                 e60856756875b96981e811f230271b39
Strict time order:   True