CLI tool for analyzing pcap captures

command-line-interface analysis packet-capture pcap tshark
11,715

Solution 1

To expand on Niall's answer, you might try

tshark -r <capture file> -q -z conv,ip

The -q disables normal output and -z conv,ip dumps the IP conversation data. More information can be found in the man page and in Sake Blok's Sharkfest presentation.

Solution 2

There is a command line component to wireshark called tshark which would do what you need. There's better instruction available here.

Unfortunately, endpoints seem to be only available in the GUI.

Another alternative might be to use X Forwarding to run Wireshark at the far side and forward the GUI to your local desktop. Without knowing what OS you're using on your desktop, I don't know how possible this will be.

UPDATE: More detail added as per comment request.

Share:
11,715

Related videos on Youtube

Zoredache
Author by

Zoredache

Real Name: Chris Francy I work as a Senior Network Analyst at Northwest Educational Service District #189 in the Technology Services department. The Technology Service department, in addition to supporting the staff at NWESD, provides network support services to 35 K-12 school districts in Northwest Washington region. In my free time, when I am not at work or answering questions, I play a lot of video games on the PC (Steam Profile).

Updated on September 17, 2022

Comments

  • Zoredache
    Zoredache over 1 year

    I am looking for a command line tool that will look at a capture file, tcpdump -w output, and give output equivalent to the information you get in the Wireshark conversations, and endpoint statistics.

    To give you a little background, I have the output of a large capture (~3GB, in 40 files) that I can't easily transfer to a machine where I can run Wireshark, given the low bandwidth.

    • Michael Lowman
      Michael Lowman over 13 years
      could you perhaps run a tshark or tcpdump filter on the files to reduce them to a more transferable size?
    • Zoredache
      Zoredache over 13 years
      @Michael Lowman, I was already filtering, and they are still large. The link in question I am trying to monitor is a ~300kb/s link. Something was saturating the link, and I was trying to identify it.
  • Zoredache
    Zoredache over 13 years
    That is a good start, but would be useful if you could elaborate so the answer will be more complete?
  • Niall Donegan
    Niall Donegan over 13 years
    Sorry, threw that up when running out the door yesterday. More detail added.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I use tshark to print request-response pairs from a pcap file?
Export raw packet bytes in tshark, tcpdump, or similar?
How to use tshark or tcpdump to calculate bytes transmitted
How to make tshark to output valid pcap file used for other max GUI pcap viewer
using wireshark/tshark in command line to ignore ssh connections
Monitor number of bytes transferred to/from IP address on port
tool for splitting pcap files by TCP connection?
Find username and password in pcap file
Scapy and rdpcap function
tshark outputting all fields?