Thursday, January 19, 2012

Mergecap and Tshark: Merge Packet Dumps and Analyze Network Traffic


Mergecap is a packet dump combining tool, which will combine multiple dumps into a single dump file. Based on timestamp, the packets are written into the output file in an orderly manner. By default the output file is written in the libpcap format. However using mergecap options, we can generate output in various different format including those that are supported by wireshark tool.

mergecap is available in the wireshark package. Make sure wireshark/ethereal package is installed to use the mergecap.

Combine two dump files into a single output_dump file

Combines input_dump1 and input_dump2 capture files and writes into output_dump file.
# mergecap -v input_dump1 input_dump2 -w output_dump

In this example, input_dump2 contains the packets which are captured after input_dump1. The output_dump will contain intput_dump2 packets in the beginning followed by intput_dump1 packets.
# mergecap input_dump1 input_dump2 -w output_dump -a

Print output dump file to standard output

Combine two network dump files and print the output to the standard output instead of writing to a file.
# mergecap -v input1_dump input2_dump -w -

Print output file in a specific encapsulation format

Use option -T, to get the output file in the desired encapsulation format as shown below.
# mergecap -v -T ether -w merge_cap capture1 capture2 capture3

3. Merge packets of certain length

In this example, the output_dump contains the packets of maximum 100 bytes length.
# mergecap -v -s 100 dump1 dump2 dump3 -w output_dump

Tshark – Packet capture tool

Tshark is a powerful tool to capture network packets, which can be used to analyze the network traffic. It comes with wireshark network analyzer distribution.
 

Capture network capture continuously

The following example will capture the network packets continuously for 60 seconds. After 60 seconds of capture, it would stop automatically. capture_out contains the packets, which are flown in the network during the last 60 seconds.
# tshark -q -w capture_out -a duration:60
 
In the following example packets will be printed on the screen and simultaneously it will be written into the output file.
# tshark -S -q -w capture_out -a duration:10

Capture network statistics using tshark

To see how many packets are flowing in the network for a specific interval use the following command.
# tshark -q -w capture_duration1 -a duration:1 -z io,stat,1

Capture network packets for a specific host

Use the following example, to capture the packet flow for a particular host(transmitted and received packets). In this example, we could see that for every second how many packets are flown in the network for the host 192.168.1.185
#  tshark -S -q -w capture_duration6 -a duration:6 -z io,stat,1,ip.addr==192.168.1.150
After capturing all the packets for 6 seconds duration, it will print the statistics as like the following,
145 packets dropped
19749 packets captured
IO Statistics
Interval: 1.000 secs
Column #0: ip.addr==192.168.1.185
|   Column #0
Time              |frames|  bytes
000.000-001.000    2733    545242
001.000-002.000    2991    583374
002.000-003.000    3310    650716
003.000-004.000    3236    641896
004.000-005.000    3518    690860
005.000-006.000    3310    654988
006.000-007.000     638    122812

Capture network packets on a specific port

This example captures only the ssh packets.
# tshark -f “tcp port 22” -w capture_out

Capture network packets for specific duration

The following example will capture packets for specific duration (5 seconds), switch over to the next file when capture file size reaches certain size (1000KB).
# tshark -a filesize:1000 -a duration:5 -a files:5 -w ethcap1
Sample output capture filename with size:
ethcap1_00001_20090216174203 -   1000K
ethcap1_00002_20090216174205 -  1000K
ethcap1_00003_20090216174207 -  835K

Other tshark capture commands

Use option -c, to capture the packets upto certain packet count. The following example creates the ethcap1 file only with 10 packets.
# tshark -c 10  -w ethcap1

Use option -r to read network packets from as compressed file.
# tshark -r capture_dump.gz

Use option -r, to displays only specific packet types. The following example creates the file capture_dump only with the rtp packets in the network analyzer.
# tshark -R “rtp” -r capture_dump

Use the filter below to capture the tcp packets which are flowing in the port 1720.
# tshark -f “tcp port 1720”
 
The following example will capture packets that are coming either to the port 1720 or 1721.
# tshark -f  “port 1720 or port 1721”  -w capture_dump

By default, tshark will use eth0 device to do the packet capture. You can also specify a specific ethernet adapter using option -i as shown below.
# tshark -i eth1 -w -a duration:10 capture_dump