Example:
tshark -e frame.time_relative -e frame.number -e frame.len -e ip.src -e ip.dst -e dccp.ccval -e dccp.type -e dccp.seq -e ip.len -Tfields -r input.pcap
Showing posts with label tshark. Show all posts
Showing posts with label tshark. Show all posts
Tuesday, May 11, 2010
Producing greppable output with tshark
Tshark is the command-line cousin of open-source packet capturing software - Wireshark. The trick is to use the '-e' and '-Tfields' parameters to get the desired fields. The names of the fields can be found by opening the 'input.pcap' file with wireshark and clicking "+expression" button next to filter text box.
Example:
Example:
Thursday, May 8, 2008
calculate Jitter from a pcap file
#!/bin/bash if [ -z $1 ] then echo "[+] $0 capture.pcap" exit fi if [ ! -z $2 ] then limit=$2 else limit=0 fi #tshark -r $1 | grep "1.1.1.1 -> 1.1.1.2" | grep -v "ICMP"| grep -i "\[Data\] Seq\|UDP\|TCP" | awk '{if(NR==1){f=$2;s=$2};print ($2-f),($2-s)*1000;s=$2;}' > jitter.tmp tshark -r $1 | grep "1.1.1.1 -> 1.1.1.2" | grep -v "ICMP"| grep -i "\[Data\|UDP\|TCP" | awk '{if(NR==1){f=$2;s=$2};print ($2-f),($2-s)*1000;s=$2;}' > jitter.tmp #cat jitter.tmp | awk '{ k=$2-s ; if(($2-s)<0){k=($2-s)*(-1)} ; t=t+k ; print $1,$2-s,t/NR ; s=$2}' > jitter.txt ## mixed cat jitter.tmp | awk -v l=$limit '{ k=$2-s ; if(($2-s)<0){k=($2-s)*(-1)} ; t=t+k ; if(k>l){print $1,k,t/NR}; s=$2}' > jitter.txt ## all positive avg=`tail -n1 jitter.txt | awk '{print $3}'` echo 'set data style points' > jitter.gp echo 'set nogrid' >> jitter.gp echo 'set style line 1 lt 1 lw 2' >> jitter.gp echo 'set style line 2 lt 2 lw 2' >> jitter.gp echo 'set style line 3 lt 3 lw 5' >> jitter.gp echo 'set style line 4 lt 3 lw 1' >> jitter.gp echo 'set style line 5 lt 3 lw 2' >> jitter.gp echo 'set style line 6 lt 3 lw 1' >> jitter.gp echo 'set style line 7 lt 17 lw 2' >> jitter.gp echo 'set style line 8 lt 17 lw 4' >> jitter.gp echo '#set logscale y' >> jitter.gp echo '#set xrange[1:180]' >> jitter.gp echo '#set yrange[1:2]' >> jitter.gp echo '#set samples 2000' >> jitter.gp echo '#set xtics 50' >> jitter.gp echo '#set ytics 50' >> jitter.gp echo 'set xlabel "Time (sec)"' >> jitter.gp echo 'set ylabel "Kbit/s"' >> jitter.gp echo 'plot "jitter.txt" using 1:($2/1) title "jitter ('$avg'ms)" with impulses ls 6' >> jitter.gp echo '#plot "jitter.txt" using 1:($2/1) title "jitter ('$avg'ms)" with lines ls 6' >> jitter.gp echo '#replot "jitter.txt" using 1:($3/1) title "cumul jitter ('$avg'ms)" with lines ls 8' >> jitter.gp echo 'set encoding iso_8859_1' >> jitter.gp echo 'set term post color "Helvetica" 18' >> jitter.gp echo 'set output "jitter.eps"' >> jitter.gp echo 'replot' >> jitter.gp echo 'set term png' >> jitter.gp echo 'set output "jitter.png"' >> jitter.gp echo 'replot' >> jitter.gp gnuplot jitter.gp 2>&1 1>/dev/null qiv jitter.png &