Wireshark-users: Re: [Wireshark-users] Automating TCP stream extraction

From: "Nick Chorley" <nick.chorley@xxxxxxxxx>
Date: Wed, 1 Aug 2007 19:49:42 +0100


On 01/08/07, Sake Blok <sake@xxxxxxxxxx> wrote:
On Wed, Aug 01, 2007 at 08:37:07AM +0100, Nick Chorley wrote:
>
> Wireshark's "Follow TCP stream" feature is quite useful to me and I'm
> wondering if there is any way to "automate" this process and write stream
> data to files. I am easily able to create filtering rules like "(ip addr eq
> 192.168.2.1 and ip addr eq 192.168.2.5) and (tcp.port eq 80 and tcp.port eq
> 5022)" and what I would like to do is have a list of these and be able to go
> through each rule in the list, apply it and dump the stream output to a file.
> Is this at all possible with Wireshark or is there any other tool I can use
> to do this?

Wireshark in itself is not capable of doing this. But scripting
around tshark should do the trick. On the different unix-platforms
this can be done quite easily and on my windows PC I have cygwin
installed to make life easier.

You could use something in bash like:

# one filter per line; spaces are mapped to "_" so each line survives word splitting
for f in `cat <file-with a filter per line> | tr " " "_"`
do
   filter=`echo $f | tr "_" " "`
   echo "processing file with filter $filter"
   # write the matching packets to a file named after the filter
   tshark -r <input-file> -w "$f.cap" -R "$filter"
done

To make it even fancier, you can create the filters dynamically as well.
The following will look for all SYN packets and makes a filter for
all sessions for which a SYN is seen, it then uses these filters to
split up the capture file to individual tcp-flows:

# first pass: one line per SYN, fields joined with "_" (tr strips stray CRs)
for f in `tshark -r <input file> -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -R "tcp.flags.syn==1 && tcp.flags.ack==0" | tr -d "\015"`
do
   # turn src_sport_dst_dport into a display filter for that one flow
   filter=`echo $f | awk -F_ '{printf("ip.addr==%s and tcp.port==%s and ip.addr==%s and tcp.port==%s\n",$1,$2,$3,$4)}'`
   outfile="$f.cap"
   echo "processing file with filter $filter"
   # second pass: extract just that flow into its own capture file
   tshark -r <input file> -w "$outfile" -R "$filter"
done


I hope this helps, Cheers,


Sake

Thanks for this, Sake. I haven't had a chance to try it out yet but will do so soon and let you know how I get on.

Regards,

Nicky Chorley
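The two-pass approach Sake describes (list SYNs, build one display filter per flow, run tshark once per filter), as an added example that is not from the thread: a small Python driver that consumes the field output of the first tshark pass, de-duplicates retransmitted SYNs so a flow cannot overwrite its own output file, rejects malformed lines, and assembles the second-pass commands. The sample SYN lines are constructed, `capture.pcap` is a placeholder name, and `-Y` is used as the display-filter flag of current tshark where the 2007 thread used `-R`.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of what the first tshark pass prints with
# -T fields -E separator=_ -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
# Line 3 is a retransmitted SYN of the flow on line 1; line 4 carries the CR
# that the thread's tr -d "\015" strips on Windows/cygwin.
SAMPLE_SYN_LINES = (
    "192.168.2.1_5022_192.168.2.5_80\n"
    "192.168.2.1_5023_192.168.2.5_80\n"
    "192.168.2.1_5022_192.168.2.5_80\n"
    "10.0.0.7_40001_10.0.0.9_443\r\n"
)

def build_flow_filters(syn_output: str) -> Dict[str, str]:
    """Map an output file name to the display filter isolating one TCP flow.

    Same mapping as the awk in the thread, but a dict keyed by file name
    collapses duplicate SYNs, and anything that is not 4 fields is rejected.
    """
    filters: Dict[str, str] = {}
    for raw in syn_output.splitlines():
        line = raw.strip()  # drops a trailing "\r" the same way tr -d did
        if not line:
            continue
        parts = line.split("_")
        if (len(parts) != 4
                or not all(re.fullmatch(r"[0-9.]+", parts[i]) for i in (0, 2))
                or not all(parts[i].isdigit() for i in (1, 3))):
            raise ValueError(f"unexpected tshark field line: {raw!r}")
        src, sport, dst, dport = parts
        outfile = f"{src}_{sport}_{dst}_{dport}.cap"
        filters[outfile] = (f"ip.addr=={src} and tcp.port=={sport} and "
                            f"ip.addr=={dst} and tcp.port=={dport}")
    return filters

def tshark_commands(infile: str, filters: Dict[str, str]) -> List[List[str]]:
    """One argv per flow for the second pass; -Y is current tshark's
    display-filter flag (the thread's 2007 tshark used -R for this)."""
    return [["tshark", "-r", infile, "-Y", flt, "-w", out]
            for out, flt in sorted(filters.items())]

if __name__ == "__main__":
    for argv in tshark_commands("capture.pcap", build_flow_filters(SAMPLE_SYN_LINES)):
        print(shlex.join(argv))  # printed, not executed, so this runs without tshark
```

Pipe the printed lines into `sh` once tshark is available, or replace the print with a `subprocess.run(argv, check=True)` call.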