Last week I was working with one of my customers in troubleshooting a nagging intermittent performance problem. Of course, large capture files were needed to catch it in the act. That is well and good - until you start opening them up to work with them in the Wireshark interface.
Personally, I am fine with popping open traces that are up to around 500MB or so in Wireshark. But larger than that, I like to start filtering them on the command line (or using a read filter while I am opening them).
So I thought it might be nice to share a few commands that I like to use when I am working with the command-line tools (dumpcap, tshark, mergecap, etc). Maybe this will be useful for people that would like a quick-reference for a few common commands.
Keep in mind that some of these options may be different for you on your system - for example, my interface ID may be the number 1, yours could be the number 3 - so you may need to do some testing on your local system (hint: tshark -D lists the available interfaces and their IDs).
1. Packet Capture Ring Buffer
dumpcap -i 1 -w christest.pcapng -b filesize:500000 -b files:20
This is a very common one! I am going to credit Mike Pennacchi for first showing this one to me years ago. The command above creates a ring buffer of 20 capture files in total and then wraps back around, overwriting the oldest file. Each file will be 500MB and is named with a time/date stamp. Great for capturing intermittent stuff. Keep in mind that you may need to test this first to find the correct interface ID (the one shown is 1, yours could be different depending on your system - just test).
2. Filter for an IP Address
tshark -r christest1.pcap -Y 'ip.addr==10.1.1.10' -w filtered1.pcapng
This command runs tshark against a trace file that you specify, applies a display filter, and writes the matching packets to a new file. You can use other display filters, such as tcp.port==443, or a conversation filter if you want.
3. Merge Traces Together
mergecap -w merged.pcapng filtered1.pcapng filtered2.pcapng filtered3.pcapng
This command uses the mergecap tool to merge several traces into one file. This is useful when you have extracted conversations or protocols from larger traces and need to combine the smaller captures again.
4. Quick look at Wireshark Conversation Statistics
tshark -r christest.pcapng -qz conv,tcp -qz conv,ip
This command displays the conversation statistics for both IP conversations and TCP conversations, listed in order of total number of packets. This is nice to run on larger trace files when you want to see how long connections are staying alive.
5. Slicing packets in a large trace file to reduce the file size
editcap -s 128 christest.pcapng christest_128.pcapng
This takes a larger trace, truncates each packet after byte 128, and saves the result to a new file. This means I won't get the complete payload, but that is ok with me in many cases. I can always go back to the original trace file if I need the payload. This will dramatically reduce the size of a trace.
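To show what steps 2 and 5 actually do to each record, here is a minimal libpcap (not pcapng) reader/writer in Python. It is an added example, not code from the original post or from the Wireshark project: filter_ip keeps frames whose IPv4 source or destination matches, and write_pcap with a small snaplen cuts each frame the way editcap -s does, shrinking the captured length while preserving the original wire length. The sample frames are constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # written little-endian, as most captures are
ETHERTYPE_IPV4 = 0x0800

def read_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame_bytes) for each record."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                   # skip the 24-byte global header
    while off < len(data):
        ts_sec, ts_usec, caplen, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, orig_len, data[off:off + caplen]
        off += caplen

def write_pcap(packets, snaplen=65535):
    """Serialize records, truncating each frame to snaplen bytes (like editcap -s)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for ts_sec, ts_usec, orig_len, frame in packets:
        sliced = frame[:snaplen]               # caplen shrinks, orig_len is preserved
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(sliced), orig_len) + sliced)
    return b"".join(out)

def ipv4_addrs(frame):
    """Return (src, dst) dotted quads for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))

def filter_ip(data, addr):
    """Keep records whose IPv4 src or dst equals addr (like tshark -Y ip.addr==addr)."""
    return [rec for rec in read_pcap(data)
            if ipv4_addrs(rec[3]) and addr in ipv4_addrs(rec[3])]

def build_frame(src, dst, payload):
    """Constructed Ethernet + minimal IPv4 header (proto 17, checksum left 0) for the demo."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

# Constructed sample capture: two 314-byte frames, only the first involves 10.1.1.10
SAMPLE = write_pcap([
    (1, 0, 314, build_frame("10.1.1.10", "10.1.1.20", b"A" * 280)),
    (2, 0, 314, build_frame("10.1.1.30", "10.1.1.40", b"B" * 280)),
])
```

Run filter_ip(SAMPLE, "10.1.1.10") and then write_pcap(kept, snaplen=128) to see one record survive with a 128-byte captured length and an original length still reported as 314, which is exactly why Wireshark still shows the true frame size on a sliced trace.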
So those are some common use cases for these command line tools, probably the ones that I use the most. Getting comfortable with these commands will open a whole world to you as an analyst! Just check out this video from my friend Sake Blok if you want to see how far this thing can go. :-)
Keep on capturing, packet people.