Fun with tshark (wireshark) command line
Submitted by daryl on Mon, 11/24/2008 - 23:33
* sniffer
* tshark
* visualization
* wireshark
Get csv output of source and destination IP addresses from a pcap (wireshark or tcpdump) capture file.
tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst
This prints one line per packet to standard output (redirect it to a file if you want a CSV), similar to:
192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.19,192.168.1.105
192.168.1.105,72.14.247.19
192.168.1.105,74.53.76.3
74.53.76.3,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.83,192.168.1.105
Then if you have afterglow installed you can create a visualization of the source and destination information by doing the following:
(from the $HOME/afterglow/src/perl/graph directory)
tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | perl afterglow.pl -c color.properties > file.dot
This turns the source/destination pairs into a DOT file describing a directed graph that neato can draw.
Now using neato create a gif file to display a visualization of the data.
neato -Tgif -o test.gif ./file.dot
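If afterglow is not installed, the same tshark field output can be turned into a DOT graph with a few lines of Python. This is an added example, not part of the original post; the filename pcap_edges.py and the SAMPLE text are assumptions, with SAMPLE constructed to mimic tshark output including two edge cases worth knowing about: a frame with no IP layer (ARP, for instance) yields empty fields, and an ICMP error carrying an inner IP header yields two values per field joined by the same "," separator.

```python
import re
import sys
from collections import Counter

# Constructed sample of `tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst`
# output (not a real capture). Line 3 is a non-IP frame; the last line is a packet
# with a nested IP header, so each field carries two values joined by ','.
SAMPLE = """192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
,
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
192.168.1.105,72.14.247.83
10.0.0.1,192.168.1.105,192.168.1.105,72.14.247.83
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_edges(text):
    """Count (src, dst) pairs in tshark field output.

    Lines with empty fields (no IP layer) are skipped. When a field holds several
    occurrences, tshark prints all src values then all dst values, so the outer
    header is fields[0] -> fields[n]; only that pair is counted, which matches
    what `-E occurrence=f` would have produced at capture-export time.
    """
    edges = Counter()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",") if f.strip()]
        if len(fields) < 2 or len(fields) % 2:
            continue  # non-IP frame or malformed line
        src, dst = fields[0], fields[len(fields) // 2]
        if IPV4.match(src) and IPV4.match(dst):
            edges[(src, dst)] += 1
    return edges


def to_dot(edges, name="traffic"):
    """Render the edge counts as a DOT digraph; heavier talkers get thicker edges."""
    lines = [f"digraph {name} {{", "  node [shape=ellipse, fontsize=10];"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{n}", penwidth={1 + n // 2}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reads tshark output from stdin so it can sit where afterglow.pl did in the pipe.
    print(to_dot(parse_edges(sys.stdin.read())))
```

Used in the post's pipeline: `tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | python3 pcap_edges.py > file.dot`, then `neato -Tgif -o test.gif ./file.dot` as above.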