Chapter 8. Command-line and Other Utilities
Wireshark includes a number of command-line utilities to manipulate packet trace files and offer GUI-free packet captures, and there are a few other tools that can help round out your analysis toolset.
The topics that will be covered in this chapter include:
- Capturing traffic with Dumpcap and Tshark
- Editing trace files with Editcap
- Merging trace files with Mergecap
- Other helpful tools
Wireshark command-line utilities
When you install Wireshark, a range of command-line tools also gets installed, including:
- capinfos.exe: This prints information about trace files
- dumpcap.exe: This captures packets and saves them to a libpcap format file
- editcap.exe: This splits a trace file, alters timestamps, and removes duplicate packets
- mergecap.exe: This merges two or more packet files into one file
- rawshark.exe: This reads a stream of packets and prints field descriptions
- text2pcap.exe: This reads an ASCII hex dump and writes a libpcap file
- tshark.exe: This captures network packets or displays data from a saved trace file
The Wireshark.exe file launches the GUI version you're familiar with, but you can also launch Wireshark from the command line with a number of parameters; type Wireshark -h for a list of options and/or create shortcuts to launch Wireshark with any of those options.
Note
It is very helpful to add the Wireshark program directory to your system's PATH statement so that you can execute any of the command-line utilities from any working directory.
Capturing traffic with Dumpcap
The dumpcap.exe file is the executable that Wireshark actually runs under the covers to capture packets and save them to a trace file in libpcap format. You can run Dumpcap on the command line to bypass the Wireshark GUI and use fewer resources. A list of command-line options is available by typing dumpcap.exe -h.
Some of the most useful options are as follows:
- -D: This prints a list of available interfaces and exits
- -i <interface>: This specifies the name or index number of the interface to capture on
- -f <capture filter>: This applies a capture filter in the Berkeley Packet Filter (BPF) syntax
- -b filesize:<size>: This sets the ring buffer file size
- -w <outfile>: This is the name of the file to which captured packets are saved
An example of viewing a list of interfaces and then running Dumpcap to capture on a specific interface with an IP address capture filter (note the use of quotes around the filter syntax), configured to use a three-file ring buffer with file sizes of 100 MB and an output filename derived from capture.pcap, is illustrated in the following screenshot:
You can get more information on Dumpcap options at https://www.wireshark.org/docs/man-pages/dumpcap.html.
Capturing traffic with Tshark
Tshark can be used to capture network packets and/or display data from the capture or a previously saved packet trace file; packets can be displayed on the screen or saved to a new trace file.
The same syntax used to perform a basic capture using Dumpcap will work with Tshark as well, so we won't repeat that here. However, Tshark offers a very wide range of additional features, with a correspondingly large number of command-line options that can, as in all Wireshark utilities, be viewed by typing tshark -h in the command prompt.
A number of Tshark options display statistics; an example of the command syntax and the statistical results from a capture (after pressing Ctrl + C to end the capture) is illustrated in the following screenshot:
You will find an extensive number of details and examples on using statistics and other Tshark options at https://www.wireshark.org/docs/man-pages/tshark.html.
Editing trace files with Editcap
You can use Editcap to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and a number of other useful functions.
Type editcap -h in the command prompt for a list of options. The syntax to extract a single packet or a range of packets by packet number is as follows:
editcap -r <infile> <outfile> <packet#>[-<packet#>]
You must specify <infile> and <outfile>. The -r option specifies to keep, not delete, the specified packet or packet range, for example:
editcap -r MergedTraces.pcapng packetrange.pcapng 1-5000
You can split a source trace file into multiple sequential files, each containing the number of packets specified by the -c option:
editcap -c 5000 MergedTraces.pcapng SplitTrace.pcapng
You can eliminate duplicate packets in a file that occur within a five-packet window:
editcap -d hasdupes.pcapng nodupes.pcapng
If you have two trace files separated by a significant span of time and you want to merge them into one file with the packets closer together, so that you can investigate all of the packets in one IO Graph or a similar analysis function, you can first use the -t option on one of the files to shift the timestamps in that file by a constant amount (in seconds). For example, to subtract 5 hours from a trace file's timestamps, use the following command:
editcap -t -18000 packetrange.pcapng adj_packetrange.pcapng
Comparing the two traces in Wireshark reveals the following details:
- Packet #500 before adjustment: 2014-09-04 15:27:38.696897
- Packet #500 after adjustment: 2014-09-04 10:27:38.696897
You can get more information on and examples of Editcap options at https://www.wireshark.org/docs/man-pages/editcap.html.
Merging trace files with Mergecap
You can use Mergecap to merge two or more trace files into one file. The basic syntax is as follows:
mergecap -w <outfile.pcapng> infile1.pcapng infile2.pcapng …
For example:
mergecap -w merged.pcapng source1.pcapng source2.pcapng source3.pcapng
One useful option you sometimes may want to use in Mergecap (and several of the other command-line utilities) is -s <snaplen>. This truncates each packet at the specified number of bytes past the start of the frame, resulting in a smaller file; a typical value for <snaplen> is 128 bytes:
mergecap -w merged_trimmed.pcapng -s 128 source1.pcapng source2.pcapng
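The following Python script is an added example, not code from the book or from the Wireshark project: it reproduces on the classic libpcap file format what the editcap -t and mergecap -s commands above do, namely parse pcap records, shift every timestamp by a constant number of seconds, truncate each frame to a snaplen while keeping the original length, and interleave traces in chronological order. The two sample traces are constructed inline, and the reader only handles classic pcap (not pcapng or nanosecond pcap).

```python
import struct

# Classic libpcap layout: a 24-byte global header, then per record a 16-byte header
# (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes of frame data.
MAGIC_LE, MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # magic as decoded with "<I"
GLOBAL_HDR, REC_HDR = "IHHiIII", "IIII"

def write_pcap(records, snaplen=65535, linktype=1):
    """Serialise (ts_sec, ts_usec, orig_len, data) tuples as a little-endian pcap file."""
    out = struct.pack("<" + GLOBAL_HDR, MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, orig_len, data in records:
        out += struct.pack("<" + REC_HDR, ts_sec, ts_usec, len(data), orig_len) + data
    return out

def read_pcap(blob):
    """Parse a pcap file of either byte order into (ts_sec, ts_usec, orig_len, data) tuples."""
    magic, = struct.unpack_from("<I", blob, 0)
    end = {MAGIC_LE: "<", MAGIC_BE: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng/nanosecond pcap not handled here)")
    records, off = [], struct.calcsize("<" + GLOBAL_HDR)
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + REC_HDR, blob, off)
        off += 16
        if off + incl_len > len(blob):          # never trust incl_len taken from the file
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return records

def shift_timestamps(records, delta_sec):
    """editcap -t <delta>: move every timestamp by a constant number of seconds."""
    if any(s + delta_sec < 0 for s, _, _, _ in records):
        raise ValueError("shift would produce a negative (unrepresentable) timestamp")
    return [(s + delta_sec, us, ol, d) for s, us, ol, d in records]

def truncate(records, snaplen):
    """editcap/mergecap -s <snaplen>: keep only the first snaplen bytes of each frame.
    orig_len is left untouched so the true on-the-wire size is still recorded."""
    return [(s, us, ol, d[:snaplen]) for s, us, ol, d in records]

def merge(*traces):
    """mergecap default mode: interleave the records of all inputs in chronological order."""
    return sorted((r for t in traces for r in t), key=lambda r: (r[0], r[1]))

def demo():
    # Constructed sample traces (not real captures); timestamps are Unix epoch seconds.
    a = write_pcap([(1409844458, 696897, 200, bytes(200)), (1409844460, 0, 60, bytes(60))])
    b = write_pcap([(1409844459, 100, 80, b"\xaa" * 80)])
    adjusted = shift_timestamps(read_pcap(a), -18000)          # five hours earlier
    merged = truncate(merge(read_pcap(a), read_pcap(b)), 128)  # mergecap -s 128
    return adjusted, merged
```

Writing the merged list back with write_pcap(merged, snaplen=128) produces a file that Wireshark opens like any other trimmed capture, with the Length column still showing the original frame sizes.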
Mergecap batch file
If the capture files you want to merge have a variety of naming formats, you can create a MergeTraces.bat file containing the following Windows batch commands:
@echo off
:: Delayed expansion is needed for the !FILELIST! accumulation below; enabling it
:: here means the user no longer has to start the shell with CMD /V:ON.
setlocal EnableDelayedExpansion
cls
echo MergeTraces.bat
echo.
echo Merges multiple packet trace files with a .pcapng extension into one .pcapng file
echo.
echo Usage: Copy MergeTraces.bat into the directory with the .pcapng files and execute
echo The utility will generate a 'MergedTraces.pcapng' file
echo and a 'MergedFileList.txt' file which lists the .pcapng files processed.
echo.
echo You must add the path to Wireshark's mergecap.exe to your PATH statement.
echo.
echo If you've not done this, type Ctrl-C to exit; otherwise
pause
echo.
echo Deleting old MergedFileList.txt...
if exist "MergedFileList.txt" del MergedFileList.txt
for %%f in (*.pcapng) do echo "%%f" >> MergedFileList.txt
echo Deleting old MergedTraces.pcapng...
if exist "MergedTraces.pcapng" del MergedTraces.pcapng
echo Preparing to merge:
echo.
type MergedFileList.txt
echo.
echo Merging..........
set FILELIST=
:: Quote each name so filenames containing spaces survive as one argument
for %%f in (*.pcapng) do set FILELIST=!FILELIST! "%%f"
:: DEBUG
:: echo %FILELIST%
mergecap -w MergedTraces.pcapng %FILELIST%
echo.
:: Avoid '!' in messages: delayed expansion would strip it
if exist MergedTraces.pcapng @echo Done.
if NOT exist MergedTraces.pcapng @echo Error -- check your settings.
echo.
Copy the batch file into a directory containing just the packet trace files you want to merge and execute it. The batch file will merge all the .pcapng files into one file called MergedTraces.pcapng. This is much easier than trying to specify a long list of unique source files in a command line, especially if the filenames contain date-time stamps. If you need to work with .pcap files, change all instances of .pcapng to .pcap in the batch commands; you can also alter the output filename as desired.
Note
You can also merge trace files by dragging the files onto the Wireshark desktop, or by selecting Merge from the Wireshark File menu; the files are merged in chronological order based on their timestamps. This works reasonably well as long as the total file size doesn't exceed 1 GB.
You can get more information on and examples of Mergecap options at https://www.wireshark.org/docs/man-pages/mergecap.html.
Other helpful tools
Wireshark is an extremely versatile and useful tool. However, there are some things it doesn't do easily or at all, so we'll discuss a few other tools you may want to include in your analysis toolset.
HttpWatch
HttpWatch is a packet-based performance analysis utility that integrates with Internet Explorer and Firefox browsers to view a graphical depiction and statistical values from HTTP interactions between the browser and websites. This kind of utility makes it easy to discover and measure from the user's perspective when significant delays are occurring and the source of those delays.
The following screenshot shows the HttpWatch visual and numerical analysis by loading the www.wireshark.org home page:
You can get more information about HttpWatch from http://www.httpwatch.com/. Also, a similar performance analysis utility is Fiddler, which can be found at http://www.telerik.com/fiddler.
SteelCentral Packet Analyzer Personal Edition
SteelCentral Packet Analyzer (previously known as Cascade Pilot) is available in Standard and Personal Edition versions. Unlike Wireshark, this utility is able to open and analyze multigigabyte trace files; you can quickly isolate a conversation of interest, right-click on it, and save that conversation in a separate packet trace file or launch Wireshark directly and pass that conversation to it from the same menu.
In addition, the utility offers a variety of network analysis screens called Views that provide graphical displays and reports on a wide range of performance perspectives. The following screenshot illustrates a set of MAC Overview Views:
You can get more information on the SteelCentral Packet Analyzer products at http://www.riverbed.com/products/performance-management-control/network-performance-management/packet-analysis.html.
AirPcap adapters
If you are using Wireshark to analyze wireless networks, you will need a wireless adapter that provides the ability to see all of the available channels and provides a Radiotap Header, which offers additional information for each frame such as radio channel and signal/noise strengths.
The prevalent wireless adapter for use with Wireshark or SteelCentral Packet Analyzer on Windows platforms is the Riverbed AirPcap adapter, which is available from the Riverbed website. The AirPcap adapter plugs into a USB port and includes drivers to integrate with Wireshark and provide the Radiotap Header information. There are several product models that offer increasing coverage of the various WLAN bands; AirPcap Nx offers the widest coverage. The following image depicts two of the available adapters:
You can get more information on the Riverbed AirPcap adapters at http://www.riverbed.com/products/performance-management-control/network-performance-management/wireless-packet-capture.html.
Summary
The topics covered in this chapter included several of Wireshark's command-line utilities to capture packets and edit and merge packet trace files, as well as several useful tools to complement your analysis toolset.
This is the final chapter of this book on Wireshark. I hope you enjoyed reading it, and mostly, I hope you use it as a foundation to become a Wireshark expert!