Wireshark tid-bit: Use the command line
Many of us are familiar with the GUI version of Wireshark, but believe it or not but there are also a slew of other command line based utilities that enhance Wireshark and also aid us in capturing and analyzing data. Let’s take a quick look at some of these tools.
- tshark – This is pretty much the CLI equivalent of Wireshark. Allowing you to capture packets like you are using tcpdump, specifing interfaces, filters, etc. It’s definitely worth taking the time to get familiar with tshark.
- dumpcap – This is another CLI equivalent of Wireshark, however this utility writes directly to a file and is less feature-rich then its ‘tshark‘ equivalent. Think of this as the cheap and dirty Wireshark, hop into a system and initiate a dumpcap then boom you have your capture.
- mergcap – As the name implies, this tool allows you to merge multiple captures files into a single capture. Since, Wireshark does have a limitation on processing large file sizes you also have the ability to truncate packets after so many bytes. Similar to what we will do with editcap shortly.
- editcap – This is very nifty, allowing you to do many different things:
- Pick out specific time frames of a packet capture.
- Remove duplicate packets. In case you accidentally captured at multiple locations or fubar-ed your SPAN or TAP locations.
- Truncate packets after so many bytes. This is very handy incase you only want to look at packet headers.
In the below example I am taking an existing PCAPNG file and limit every packet to 40 bytes into a new file filter.pcapng. So you can decrease the file size making it easier for Wireshark process while still keeping the header information. 40-bytes is a bit much but hey it gets the point across.
- capinfos – Provides detailed information about the packet capture in question.
- Average Packet Size
- Time stamp information
- Data rate or packet rate
In the GUI you can get most of this information from the ‘summary‘ -> ‘statistics‘ page which I covered in a previous post, but the CLI version can provide quick and easy access to this information without the need to even launch Wireshark.
Sample output from capinfo is below: