This article is written by Balakrishnan M
A while back we reviewed 11 examples of how to use the editcap utility to capture network dumps. In this article, let us review the mergecap utility and tshark commands.
Mergecap is a packet dump combining tool: it combines multiple dumps into a single dump file. The packets are written to the output file in timestamp order. By default the output file is written in the libpcap format; using mergecap options, we can generate output in various other formats, including those supported by the wireshark tool.
mergecap is shipped in the wireshark package. Make sure the wireshark/ethereal package is installed before using mergecap.
Combine two dump files into a single output_dump file
Combines the input_dump1 and input_dump2 capture files and writes the result to the output_dump file.
# mergecap -v input_dump1 input_dump2 -w output_dump
In this example, input_dump2 contains the packets that were captured after input_dump1. The output_dump will contain the input_dump2 packets at the beginning, followed by the input_dump1 packets.
# mergecap input_dump1 input_dump2 -w output_dump -a
Print output dump file to standard output
Combine two network dump files and print the output to the standard output instead of writing to a file.
# mergecap -v input1_dump input2_dump -w -
Print output file in a specific encapsulation format
Use option -T, to get the output file in the desired encapsulation format as shown below.
# mergecap -v -T ether -w merge_cap capture1 capture2 capture3
Merge packets of certain length
In this example, option -s sets the snapshot length, so output_dump contains packets of at most 100 bytes each (longer packets are truncated to 100 bytes).
# mergecap -v -s 100 dump1 dump2 dump3 -w output_dump
Tshark – Packet capture tool
Tshark is a powerful tool to capture network packets, which can be used to analyze the network traffic. It comes with wireshark network analyzer distribution.
Capture network packets continuously
The following example will capture network packets continuously for 60 seconds. After 60 seconds of capture, it stops automatically. capture_out contains the packets that flowed through the network during those 60 seconds.
# tshark -q -w capture_out -a duration:60
In the following example, packets are printed on the screen and simultaneously written to the output file.
# tshark -S -q -w capture_out -a duration:10
Capture network statistics using tshark
To see how many packets are flowing through the network in a specific interval, use the following command.
# tshark -q -w capture_duration1 -a duration:1 -z io,stat,1
Capture network packets for a specific host
Use the following example to capture the packet flow for a particular host (transmitted and received packets). In this example, we can see, for every second, how many packets flowed through the network for the host 192.168.1.185.
# tshark -S -q -w capture_duration6 -a duration:6 -z io,stat,1,ip.addr==192.168.1.150
After capturing all the packets for the 6-second duration, it prints statistics like the following:
145 packets dropped
19749 packets captured
IO Statistics
Interval: 1.000 secs
Column #0: ip.addr==192.168.1.185
                | Column #0
Time            |frames| bytes
000.000-001.000   2733   545242
001.000-002.000   2991   583374
002.000-003.000   3310   650716
003.000-004.000   3236   641896
004.000-005.000   3518   690860
005.000-006.000   3310   654988
006.000-007.000    638   122812
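An added example, not part of the original article: a small parser for the IO Statistics table that `tshark -z io,stat` prints, turning it into the numbers worth reading off a capture like the one above: total frames matching the filter, the busiest one-second interval in Mbit/s, and the kernel drop ratio, which tells you by how much the per-interval counts undercount real traffic. The sample text is constructed from the output shown above; the `Interval` type and `summarize` helper are this example's own.

```python
import re
from typing import NamedTuple

# Constructed sample of the table tshark prints for "-z io,stat,1,ip.addr==192.168.1.185"; the numbers are those shown in the article.
SAMPLE_IO_STAT = """\
145 packets dropped
19749 packets captured
Interval: 1.000 secs
Column #0: ip.addr==192.168.1.185
Time            |frames| bytes
000.000-001.000   2733   545242
001.000-002.000   2991   583374
002.000-003.000   3310   650716
003.000-004.000   3236   641896
004.000-005.000   3518   690860
005.000-006.000   3310   654988
006.000-007.000    638   122812
"""

class Interval(NamedTuple):
    start: float
    end: float
    frames: int
    nbytes: int

ROW_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+) packets (dropped|captured)\b")

def parse_io_stat(text):
    """Return (dropped, captured, [Interval, ...]) from tshark's io,stat output."""
    counts, rows = {"dropped": 0, "captured": 0}, []
    for line in text.splitlines():
        if m := COUNT_RE.match(line):          # "145 packets dropped" / "19749 packets captured"
            counts[m[2]] = int(m[1])
        elif m := ROW_RE.match(line):          # one "start-end frames bytes" table row
            rows.append(Interval(float(m[1]), float(m[2]), int(m[3]), int(m[4])))
    return counts["dropped"], counts["captured"], rows

def summarize(text):
    """Filtered frame total, busiest interval in Mbit/s, and kernel drop ratio (non-zero means the table undercounts)."""
    dropped, captured, rows = parse_io_stat(text)
    peak = max(rows, key=lambda r: r.nbytes)   # interval carrying the most link-layer bytes
    total = dropped + captured
    return {
        "filtered_frames": sum(r.frames for r in rows),
        "peak_start": peak.start,
        "peak_mbps": round(peak.nbytes * 8 / (peak.end - peak.start) / 1e6, 2),
        "drop_ratio": round(dropped / total, 4) if total else 0.0,
    }
```

The filtered total (19736) is below the 19749 captured because the column only counts frames matching the ip.addr filter, while the 145 dropped packets were never seen by the filter at all.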
Capture network packets on a specific port
This example captures only the ssh packets.
# tshark -f "tcp port 22" -w capture_out
Capture network packets for specific duration
The following example will capture packets for a specific duration (5 seconds) and switch over to the next file when the capture file reaches a certain size (1000KB).
# tshark -a filesize:1000 -a duration:5 -a files:5 -w ethcap1
Sample output capture filenames with sizes:
ethcap1_00001_20090216174203 - 1000K
ethcap1_00002_20090216174205 - 1000K
ethcap1_00003_20090216174207 - 835K
Other tshark capture commands
Use option -c to capture packets up to a certain packet count. The following example creates the ethcap1 file with only 10 packets.
# tshark -c 10 -w ethcap1
Use option -r to read network packets from a compressed file.
# tshark -r capture_dump.gz
Use option -R to display only specific packet types. The following example reads capture_dump and shows only the rtp packets in the network analyzer.
# tshark -R "rtp" -r capture_dump
Use the filter below to capture the tcp packets flowing on port 1720.
# tshark -f "tcp port 1720"
The following example will capture packets arriving on either port 1720 or port 1721.
# tshark -f "port 1720 or port 1721" -w capture_dump
By default, tshark will use the eth0 device to do the packet capture. You can also specify a particular ethernet adapter using option -i as shown below (note that -w takes the output filename as its argument, so it must directly precede capture_dump).
# tshark -i eth1 -a duration:10 -w capture_dump