Book Image

Wireshark Revealed: Essential Skills for IT Professionals

By : James H Baxter, Yoram Orzach, Charit Mishra
Book Image

Wireshark Revealed: Essential Skills for IT Professionals

By: James H Baxter, Yoram Orzach, Charit Mishra

Overview of this book

This Learning Path starts off installing Wireshark, before gradually taking you through your first packet capture, identifying and filtering out just the packets of interest, and saving them to a new file for later analysis. You will then discover different ways to create and use capture and display filters. By halfway through the book, you'll be mastering Wireshark features, analyzing different layers of the network protocol, and looking for any anomalies.We then start Ethernet and LAN switching, through IP, and then move on to TCP/UDP with a focus on TCP performance problems. It also focuses on WLAN security. Then, we go through application behavior issues including HTTP, mail, DNS, and other common protocols. This book finishes with a look at network forensics and how to locate security problems that might harm the network.This course provides you with highly practical content explaining Metasploit from the following books: 1) Wireshark Essentials 2) Network Analysis Using Wireshark Cookbook 3) Mastering Wireshark
Table of Contents (5 chapters)

Chapter 8. Command-line and Other Utilities

Wireshark includes a number of command-line utilities to manipulate packet trace files and offer GUI-free packet captures, and there are a few other tools that can help round out your analysis toolset.

The topics that will be covered in this chapter include:

  • Capturing traffic with Dumpcap and Tshark
  • Editing trace files with Editcap
  • Merging trace files with Mergecap
  • Other helpful tools

Wireshark command-line utilities

When you install Wireshark, a range of command-line tools also gets installed, including:

  • capinfos.exe: This prints information about trace files
  • dumpcap.exe: This captures packets and saves to a libpcap format file
  • editcap.exe: This splits a trace file, alters timestamps, and removes duplicate packets
  • mergecap.exe: This merges two or more packet files into one file
  • rawshark.exe: This reads a stream of packets and prints field descriptions
  • text2pcap.exe: This reads an ASCII hex dump and writes a libpcap file
  • tshark.exe: This captures network packets or displays data from a saved trace file

The Wireshark.exe file launches the GUI version you're familiar with, but you can also launch Wireshark from the command line with a number of parameters; type Wireshark –h for a list of options and/or create shortcuts to launch Wireshark with any of those options.

Note

It is very helpful to add the Wireshark program directory to your system's PATH statement so that you can execute any of the command-line utilities from any working directory.

Capturing traffic with Dumpcap

The dumpcap.exe file is the executable that Wireshark actually runs under the covers to capture packets and save them to a trace file in libpcap format. You can run Dumpcap on the command line to circumvent using the Wireshark GUI and use fewer resources. A list of command-line options is available by typing dumpcap.exe -h.

Some of the most useful options are as follows:

  • -D: This prints a list of available interfaces and exits
  • -i <interface>: This specifies a name or index number of an interface to capture on
  • -f <capture filter>: This applies a capture filter in the Berkeley Packet Filter (BPF) syntax
  • -b filesize: This is the file size
  • -w <outfile>: This is the name of the file where the files will be saved

An example of viewing a list of interfaces and then running Dumpcap to capture a specific interface with an IP address capture filter (note the use of quotes around the filter syntax) configured to use a three-file ring buffer with file sizes of 100 MB and an output filename derived from capture.pcap is illustrated in the following screenshot:

Capturing traffic with Dumpcap

You can get more information on Dumpcap options at https://www.wireshark.org/docs/man-pages/dumpcap.html.

Capturing traffic with Tshark

Tshark can be used to capture network packets and/or display data from the capture or a previously saved packet trace file; packets can be displayed on the screen or saved to a new trace file.

The same syntax used to perform a basic capture using Dumpcap will work with Tshark as well, so we won't repeat that here. However, Tshark offers a very wide range of additional features, with a corresponding large number of command-line options that can, as in all Wireshark utilities, be viewed by typing tshark –h in the command prompt.

A number of Tshark options are to view statistics; an example of the command syntax and statistical results from a capture (after pressing Ctrl + C to end the capture) is illustrated in the following screenshot:

Capturing traffic with Tshark

You will find an extensive number of details and examples on using statistics and other Tshark options at https://www.wireshark.org/docs/man-pages/tshark.html.

Editing trace files with Editcap

You can use Editcap to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and a number of other useful functions.

Type editcap –h in the command prompt for a list of options. The syntax to extract a single packet or a range of packets by packet numbers is as follows:

editcap  –r  <infile>  <outfile>  <packet#> [- <packet#>]

You must specify <infile> and <outfile>. The –r specifies to keep, not delete, the specified packet or packet range, for example:

editcap  –r  MergedTraces.pcapng   packetrange.pcapng   1-5000

You can split a source trace file into multiple sequential files, each containing the number of packets specified by the –c option:

editcap  –c 5000  MergedTraces.pcapng   SplitTrace.pcapng

You can eliminate duplicate packets in a file within a five-packet proximity:

editcap  –d  hasdupes.pcapng  nodupes.pcapng

If you have two trace files that have a significant span of time between them, and you want to merge them into one file but closer together, you can investigate all of the packets within one IO Graph or a similar analysis function; you can first use the –t option on one of the files to adjust the timestamps in that file by a constant amount (in seconds). For example, to subtract 5 hours from a trace file's timestamps, use the following command:

editcap  -t  -18000  packetrange.pcapng   adj_packetrange.pcapng

Comparing the two traces in Wireshark reveals the following details:

  • Packet #500 before adjustment: 2014-09-04 15:27:38.696897
  • Packet #500 after adjustment: 2014-09-04 10:27:38.696897

You can get more information on and examples of Editcap options at https://www.wireshark.org/docs/man-pages/editcap.html.

Merging trace files with Mergecap

You can use Mergecap to merge two or more trace files into one file. The basic syntax is as follows:

mergecap –w <outfile.pcapng>  infile1.pcapng   infile2.pcapng  …

For example:

mergecap –w merged.pacap   source1.pcapng   source2.pcapng    source3.pcapng

One useful option you sometimes may want to use in Mergecap (and several of the other command-line utilities) is –s <snaplen>. This will truncate the packets at the specified length past the start of each frame, resulting in a smaller file; a typical value for <snaplen> is 128 bytes:

mergecap –w merged_trimmed.pcapng  -s 128  source1.pcapng  source2.pcapng

Mergecap batch file

If the capture files you want to merge have a variety of naming formats, you can create a MergeTraces.bat file containing the following Windows batch commands:

@echo off
cls
echo MergeTraces.bat
echo.
echo Merges multiple packet trace files with a .pcapng extension into one .pcapng file
echo.
echo Usage: Copy MergeTraces.bat into the directory with the .pkt files and execute
echo The utility will generate a 'MergedTraces.pcap' file 
echo and a 'MergedFileList.txt' file which lists the .pcapng files processed.
echo.
echo.
echo IMPORTANT!! You must type 'CMD /V:ON' from this window which enables 
echo 'Delayed environment variable expansion' in order to properly execute
echo this batch utility.
echo.
echo You must also add the path to Wireshark's mergecap.exe to your path statement.
echo.
echo If you've not done this, Type Ctrl-C to exit; Otherwise
pause
echo.
echo Deleting old MergedFileList.txt...
if exist "MergedFileList.txt" del MergedFileList.txt
for %%f in (*.pcap-ng) do echo "%%f" >> MergedFileList.txt
echo Deleting old MergedTraces.pcapng...
if exist "MergedTraces.pcapng" del MergedTraces.pcapng
echo Preparing to merge:
echo.
type MergedFileList.txt
echo.
echo Merging..........
set FILELIST=
for %%f in (*.pcap-ng) do set FILELIST=!FILELIST! %%f
:: DEBUG
:: echo %FILELIST%
mergecap -w MergedTraces.pcapng %FILELIST%
echo.
if exist MergedTraces.pcapng @echo Done!
if NOT exist MergedTraces.pcapng @echo Error!! -- Check your settings.
echo.

Copy the batch file into a directory containing just the packet trace files you want to merge and execute it. The batch file will merge all the .pcapng files into one file called MergedTraces.pcapng. This is much easier than trying to specify a long list of unique source files in a command line, especially if the filenames contain date-time stamps. If you need to work with the .pcap files, change all instances of .pcapng to .pcap in the batch commands; you can also alter the output filename as desired.

Note

You can also merge trace files by clicking-and-dragging the files into the Wireshark desktop. The files will be merged in chronological order based on their timestamps after selecting Merge from the Wireshark File menu. This works reasonably well as long as the total file size doesn't exceed 1GB.

You can get more info and examples of Mergecap options at https://www.wireshark.org/docs/man-pages/mergecap.html.

Mergecap batch file

If the capture files you want to merge have a variety of naming formats, you can create a MergeTraces.bat file containing the following Windows batch commands:

@echo off
cls
echo MergeTraces.bat
echo.
echo Merges multiple packet trace files with a .pcapng extension into one .pcapng file
echo.
echo Usage: Copy MergeTraces.bat into the directory with the .pkt files and execute
echo The utility will generate a 'MergedTraces.pcap' file 
echo and a 'MergedFileList.txt' file which lists the .pcapng files processed.
echo.
echo.
echo IMPORTANT!! You must type 'CMD /V:ON' from this window which enables 
echo 'Delayed environment variable expansion' in order to properly execute
echo this batch utility.
echo.
echo You must also add the path to Wireshark's mergecap.exe to your path statement.
echo.
echo If you've not done this, Type Ctrl-C to exit; Otherwise
pause
echo.
echo Deleting old MergedFileList.txt...
if exist "MergedFileList.txt" del MergedFileList.txt
for %%f in (*.pcap-ng) do echo "%%f" >> MergedFileList.txt
echo Deleting old MergedTraces.pcapng...
if exist "MergedTraces.pcapng" del MergedTraces.pcapng
echo Preparing to merge:
echo.
type MergedFileList.txt
echo.
echo Merging..........
set FILELIST=
for %%f in (*.pcap-ng) do set FILELIST=!FILELIST! %%f
:: DEBUG
:: echo %FILELIST%
mergecap -w MergedTraces.pcapng %FILELIST%
echo.
if exist MergedTraces.pcapng @echo Done!
if NOT exist MergedTraces.pcapng @echo Error!! -- Check your settings.
echo.

Copy the batch file into a directory containing just the packet trace files you want to merge and execute it. The batch file will merge all the .pcapng files into one file called MergedTraces.pcapng. This is much easier than trying to specify a long list of unique source files in a command line, especially if the filenames contain date-time stamps. If you need to work with the .pcap files, change all instances of .pcapng to .pcap in the batch commands; you can also alter the output filename as desired.

Note

You can also merge trace files by clicking-and-dragging the files into the Wireshark desktop. The files will be merged in chronological order based on their timestamps after selecting Merge from the Wireshark File menu. This works reasonably well as long as the total file size doesn't exceed 1GB.

You can get more info and examples of Mergecap options at https://www.wireshark.org/docs/man-pages/mergecap.html.

Other helpful tools

Wireshark is an extremely versatile and useful tool. However, there are some things it doesn't do easily or at all, so we'll discuss a few other tools you may want to include in your analysis toolset.

HttpWatch

HttpWatch is a packet-based performance analysis utility that integrates with Internet Explorer and Firefox browsers to view a graphical depiction and statistical values from HTTP interactions between the browser and websites. This kind of utility makes it easy to discover and measure from the user's perspective when significant delays are occurring and the source of those delays.

The following screenshot shows the HttpWatch visual and numerical analysis by loading the www.wireshark.org home page:

HttpWatch

You can get more information about HttpWatch from http://www.httpwatch.com/. Also, a similar performance analysis utility is Fiddler, which can be found at http://www.telerik.com/fiddler.

SteelCentral Packet Analyzer Personal Edition

SteelCentral Packet Analyzer (previously known as Cascade Pilot) is available in Standard and Personal Edition versions. Unlike Wireshark, this utility is able to open and analyze multigigabyte trace files; you can quickly isolate a conversation of interest, right-click on it, and save that conversation in a separate packet trace file or launch Wireshark directly and pass that conversation to it from the same menu.

In addition, the utility offers a variety of network analysis screens called Views that provide graphical displays and reports on a wide range of performance perspectives. The following screenshot illustrates a set of MAC Overview Views:

SteelCentral Packet Analyzer Personal Edition

You can get more information on the SteelCentral Packet Analyzer products at http://www.riverbed.com/products/performance-management-control/network-performance-management/packet-analysis.html.

AirPcap adapters

If you are using Wireshark to analyze wireless networks, you will need a wireless adapter that provides the ability to see all of the available channels and provides a Radiotap Header, which offers additional information for each frame such as radio channel and signal/noise strengths.

The prevalent wireless adaptor for use with Wireshark or SteelCentral Packet Analyzer on Windows platforms is the Riverbed AirPcap adapter, which is available from the Riverbed website. The AirPcap adapter plugs into a USB port and includes drivers to integrate with Wireshark and provide the Radiotap Header information. There are several product models that offer increasing coverage of the various WLAN bands; AirPcap Nx offers the widest coverage. The following image depicts two of the available adapters:

AirPcap adapters

You can get more information on the Riverbed AirPcap adapters at http://www.riverbed.com/products/performance-management-control/network-performance-management/wireless-packet-capture.html.

HttpWatch

HttpWatch is a packet-based performance analysis utility that integrates with Internet Explorer and Firefox browsers to view a graphical depiction and statistical values from HTTP interactions between the browser and websites. This kind of utility makes it easy to discover and measure from the user's perspective when significant delays are occurring and the source of those delays.

The following screenshot shows the HttpWatch visual and numerical analysis by loading the www.wireshark.org home page:

HttpWatch

You can get more information about HttpWatch from http://www.httpwatch.com/. Also, a similar performance analysis utility is Fiddler, which can be found at http://www.telerik.com/fiddler.

SteelCentral Packet Analyzer Personal Edition

SteelCentral Packet Analyzer (previously known as Cascade Pilot) is available in Standard and Personal Edition versions. Unlike Wireshark, this utility is able to open and analyze multigigabyte trace files; you can quickly isolate a conversation of interest, right-click on it, and save that conversation in a separate packet trace file or launch Wireshark directly and pass that conversation to it from the same menu.

In addition, the utility offers a variety of network analysis screens called Views that provide graphical displays and reports on a wide range of performance perspectives. The following screenshot illustrates a set of MAC Overview Views:

SteelCentral Packet Analyzer Personal Edition

You can get more information on the SteelCentral Packet Analyzer products at http://www.riverbed.com/products/performance-management-control/network-performance-management/packet-analysis.html.

AirPcap adapters

If you are using Wireshark to analyze wireless networks, you will need a wireless adapter that provides the ability to see all of the available channels and provides a Radiotap Header, which offers additional information for each frame such as radio channel and signal/noise strengths.

The prevalent wireless adaptor for use with Wireshark or SteelCentral Packet Analyzer on Windows platforms is the Riverbed AirPcap adapter, which is available from the Riverbed website. The AirPcap adapter plugs into a USB port and includes drivers to integrate with Wireshark and provide the Radiotap Header information. There are several product models that offer increasing coverage of the various WLAN bands; AirPcap Nx offers the widest coverage. The following image depicts two of the available adapters:

AirPcap adapters

You can get more information on the Riverbed AirPcap adapters at http://www.riverbed.com/products/performance-management-control/network-performance-management/wireless-packet-capture.html.

SteelCentral Packet Analyzer Personal Edition

SteelCentral Packet Analyzer (previously known as Cascade Pilot) is available in Standard and Personal Edition versions. Unlike Wireshark, this utility is able to open and analyze multigigabyte trace files; you can quickly isolate a conversation of interest, right-click on it, and save that conversation in a separate packet trace file or launch Wireshark directly and pass that conversation to it from the same menu.

In addition, the utility offers a variety of network analysis screens called Views that provide graphical displays and reports on a wide range of performance perspectives. The following screenshot illustrates a set of MAC Overview Views:

SteelCentral Packet Analyzer Personal Edition

You can get more information on the SteelCentral Packet Analyzer products at http://www.riverbed.com/products/performance-management-control/network-performance-management/packet-analysis.html.

AirPcap adapters

If you are using Wireshark to analyze wireless networks, you will need a wireless adapter that provides the ability to see all of the available channels and provides a Radiotap Header, which offers additional information for each frame such as radio channel and signal/noise strengths.

The prevalent wireless adaptor for use with Wireshark or SteelCentral Packet Analyzer on Windows platforms is the Riverbed AirPcap adapter, which is available from the Riverbed website. The AirPcap adapter plugs into a USB port and includes drivers to integrate with Wireshark and provide the Radiotap Header information. There are several product models that offer increasing coverage of the various WLAN bands; AirPcap Nx offers the widest coverage. The following image depicts two of the available adapters:

AirPcap adapters

You can get more information on the Riverbed AirPcap adapters at http://www.riverbed.com/products/performance-management-control/network-performance-management/wireless-packet-capture.html.

AirPcap adapters

If you are using Wireshark to analyze wireless networks, you will need a wireless adapter that provides the ability to see all of the available channels and provides a Radiotap Header, which offers additional information for each frame such as radio channel and signal/noise strengths.

The prevalent wireless adaptor for use with Wireshark or SteelCentral Packet Analyzer on Windows platforms is the Riverbed AirPcap adapter, which is available from the Riverbed website. The AirPcap adapter plugs into a USB port and includes drivers to integrate with Wireshark and provide the Radiotap Header information. There are several product models that offer increasing coverage of the various WLAN bands; AirPcap Nx offers the widest coverage. The following image depicts two of the available adapters:

AirPcap adapters

You can get more information on the Riverbed AirPcap adapters at http://www.riverbed.com/products/performance-management-control/network-performance-management/wireless-packet-capture.html.

Summary

The topics covered in this chapter included several of Wireshark's command-line utilities to capture packets and edit and merge packet trace files, as well as several useful tools to compliment your analysis toolset.

This is the final chapter of this book on Wireshark. I hope you enjoyed reading it, and mostly, I hope you use it as a foundation to become a Wireshark expert!