The pitfall of using tshark to analyse QUIC protocol

Checking Wireshark's QUIC-related code, we find that it depends heavily on two macros:

#ifdef HAVE_LIBGCRYPT_AEAD
......
#endif

#ifdef HAVE_LIBGCRYPT_CHACHA20
......
#endif

These two macros in turn depend on the libgcrypt version (refer here):

/*
 * Define HAVE_LIBGCRYPT_AEAD here, because it's used in several source
 * files.
 */
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/* Whether to provide support for authentication in addition to decryption. */
#define HAVE_LIBGCRYPT_AEAD
#endif

/*
 * Define some other "do we have?" items as well.
 */
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
/* Whether ChaCha20 PNE can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20
/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
#endif

On CentOS 7 the libgcrypt version is 1.5.3, so the above two macros are not defined and some functions are unavailable, while on CentOS 8 the libgcrypt version is 1.8.5 and the functions are fully supported. I met an issue: for the same pcap file, tshark (which I built myself) on CentOS 7 reports an error when decrypting the QUIC flow:

$ /home/nanxiao/wireshark/build/run/tshark -nr 435.pcap -Y '(quic.decryption_failed)'
    1   0.000000 172.27.232.168 → 216.183.220.159 GTP <QUIC> 1310 Initial, DCID=68a3ee8706f87817

while tshark on CentOS 8 works fine:

$ /home/nanxiao/wireshark/build/run/tshark -nr 435.pcap -Y '(quic.decryption_failed)'
$
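Before trusting a quic.decryption_failed result, it helps to know which of these macros the libgcrypt on the build host would enable. The following shell script is an added example, not code from the original post or from Wireshark; it re-implements the GCRYPT_VERSION_NUMBER comparison quoted above and, when libgcrypt-config is on PATH (an assumption), reports what the installed version supports.

```shell
#!/bin/sh
# Added example, not part of the original post or of Wireshark. It mirrors the
# GCRYPT_VERSION_NUMBER tests quoted above so you can see, from a libgcrypt
# version string, which of Wireshark's HAVE_LIBGCRYPT_* macros would be set.

# Encode "major.minor.micro" the way libgcrypt does: 0xMMmmpp as an integer.
# "1.5.3" -> 0x010503 (66819), "1.8.5" -> 0x010805 (67589).
gcrypt_version_number() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    [ "$micro" = "$rest" ] && micro=0   # no micro part given, e.g. "1.8"
    echo $(( major * 65536 + minor * 256 + micro ))
}

# Print the macros Wireshark would define for the given libgcrypt version:
# AEAD from 1.6.0 (0x010600 = 67072), ChaCha20 from 1.7.0 (0x010700 = 67328).
quic_crypto_support() {
    n=$(gcrypt_version_number "$1")
    macros=""
    if [ "$n" -ge 67072 ]; then
        macros="HAVE_LIBGCRYPT_AEAD"
    fi
    if [ "$n" -ge 67328 ]; then
        macros="$macros HAVE_LIBGCRYPT_CHACHA20 HAVE_LIBGCRYPT_CHACHA20_POLY1305"
    fi
    echo "$macros"
}

# Exit status 0 when QUIC decryption is fully supported (both macros set).
quic_decryption_ok() {
    [ "$(gcrypt_version_number "$1")" -ge 67328 ]
}

# When run directly: inspect the installed libgcrypt via libgcrypt-config
# (assumed to be on PATH; skipped silently when it is not).
if command -v libgcrypt-config >/dev/null 2>&1; then
    ver=$(libgcrypt-config --version)
    if quic_decryption_ok "$ver"; then
        echo "libgcrypt $ver: $(quic_crypto_support "$ver")"
    else
        echo "libgcrypt $ver: too old, expect quic.decryption_failed in tshark" >&2
    fi
fi
```

Running it on a CentOS 7 host (libgcrypt 1.5.3) prints the warning, on CentOS 8 (1.8.5) it lists all three macros.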

Use tshark to filter HTTP streams

Below is a screenshot of the HTTP flows: the GET request spans packets 4 and 5, while the response is packet 9:

To filter the HTTP stream, if you use -Y http only:

$ tshark -nr tcp.pcap -Y http -w http.pcap

only the last segment of the GET request is saved to the file:

So the -2 option (two-pass analysis) is needed:

$ tshark -nr tcp.pcap -Y http -2 -w http.pcap

This time the full GET request is saved:

Build tshark on CentOS 7

I want to build and debug tshark on CentOS 7 (no GUI needed), and the first step is installing cmake3:

$ sudo yum install cmake3

Create a build directory under the Wireshark source tree and run the following commands:

$ cd build
$ cmake3 -DBUILD_wireshark=OFF -DCMAKE_BUILD_TYPE=Debug ..
$ make

That’s it!


Add timestamp for pcap file’s name

I wrote a post about splitting a large pcap file into small ones before. After splitting, you should add a timestamp to each pcap file's name, which makes it easy to find the related pcap files to process.

Assume there is a folder which includes all pcap files generated by following tcpdump command:

tcpdump -r input.pcap -w ./pcap/frag -C 1000

It will generate ./pcap/frag, ./pcap/frag1, …, etc. You can use the following script to add a timestamp to every file name:

#!/bin/sh

# Rename every capture fragment in $directory so that the epoch time of its
# first frame becomes part of the file name (fragN -> fragN.<epoch>.pcap).
directory=./pcap
cd "$directory" || exit 1

for old_file_name in *
do
    # frame.time_epoch of the first frame only (-c 1), e.g. 1542222065.974954000
    timestamp=$(tshark -nr "${old_file_name}" -T fields -e frame.time_epoch -c 1)
    if [ -z "${timestamp}" ]; then
        echo "skipping ${old_file_name}: could not read its first frame" >&2
        continue
    fi
    new_file_name="${old_file_name}.${timestamp}.pcap"
    mv "${old_file_name}" "${new_file_name}"
done

The file names will now look like fragxx.1542222065.974954000.pcap.

P.S., the script can be downloaded here.

tshark can’t process macOS’s pcapng file well

Wireshark's tshark program can't process macOS's pcapng files well. E.g.:

$ sudo tcpdump -w foo.pcapng
Password:
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
^C24 packets captured
27 packets received by filter
0 packets dropped by kernel

Use tshark to read and write the generated foo.pcapng:

$ tshark -r foo.pcapng -w bar.pcapng
tshark: An error occurred while writing to the file "bar.pcapng": Internal error.

I also met the following error before:

$ tshark -r apsd-107.pcapng -w foo.pcapng
tshark: The capture file being read can't be written as a "pcapng" file.

macOS has its own bespoke libpcap and tcpdump, so if the pcapng file was generated by tcpdump, using tcpdump itself to process the pcapng file seems to be the only choice.

A workaround, if you don't care about losing information, is to use Wireshark to convert the pcapng file to pcap first: