TShark Automation

I recently found myself going through the same motions in Wireshark while analyzing a pcap.

The second step being the most annoying step, which must be done for each and every TCP stream of (dis)interest. Granted, keyboard shortcuts can help, but only so much and not when you have 1500+ streams.

I had run in to a similar scenario when I needed to work with approximately 40 streams and was wanting to automate then. I knew that there was no realistic way to manually do this with 1500(+) streams. Thankfully I had found that it is possible to get TShark to do some of the heavy lifting for me, at least enough to get info out of Wireshark into a script. Then it was just a matter of using the data extracted out of the pcap and generating and executing additional TShark commands.

Originally I tried using the output of the first TShark command as data for a for loop, but I ran in to a problem with the tuples of data being misinterpreted as discrete unrelated pieces of data. So I punted and ran the output of the first TShark command in to awk and generated new TShark commands which I redirected in to a script. Then I simply executed that script to accomplish what I originally wanted. (Yes, I know I could have reworked the loop and read multiple variables, but this was easier / faster for me. After all, there are multiple ways to solve problems in unix, so use the one that works and is easiest / fastest for you.)

Ultimately, my generated script read the source pcap, outputting all packets that didn't match the criteria to filter (inverse match) and wrote the results to a temporary pcap. Presuming that the temporary pcap was created without error, it was moved in place of the source pcap. Then repeat the process 1499(+) more times.

I agree that this is not the most efficient process, but it does work and did produce a filtered pcap like I originally wanted. Thankfully, this process was able to run in the background while I worked on something else. All said and done, the process worked in the background for about 45 minutes while I fought other battles.

I did try one large filter but ran in to a command length restriction issue. (128 x 1500(+) characters is a LOT). Again, I punted and fell back to what was fastest / easiest and let the computer work for me rather than using brain cycles on the issue. In hindsight I'd like to retry multiple filters on one command line, probably some power / multiple of 10 that didn't exceed the command length. Hopefully increasing the efficiency of the process and spreading it up.

All in all I was able to do EXACTLY what I had set out to do, automate (script) Wireshark analysis. I have had need to do this before and would not have been realistically possible to do by hand. So this will go in my bag-o-tricks to be used / refined again in the future.

# Remove all packets associated with connections that received an ICMP Destination Unreachable (type 3) reply.
cp file.1.pcap file.2.pcap
tshark -r file.2.pcap -R "icmp.type eq 3" -T fields -e tcp.srcport -e tcp.dstport | awk '{print "tshark -r file.2.pcap -R \"not ((ip.addr eq IP1 and ip.addr eq IP2) and (tcp.port eq " $1 " and tcp.port eq " $2 "))\" -w file.2.tmp && mv file.2.tmp file.2.pcap"}' > file.2.sh
source file.2.sh

# Remove all packets associated with connections that received a TCP Reset reply.
cp file.2.pcap file.3.pcap
tshark -r file.3.pcap -R "tcp.flags.reset eq 1" -T fields -e tcp.srcport -e tcp.dstport | awk '{print "tshark -r file.3.pcap -R \"not ((ip.addr eq IP1 and ip.addr eq IP2) and (tcp.port eq " $1 " and tcp.port eq " $2 "))\" -w file.3.tmp && mv file.3.tmp file.3.pcap"}' > file.3.sh
source file.3.sh

P.S. Yes I am aware of the ability to use Lua with Wireshark, but my (minimal) research seems to indicate that it is more for creating filters or packet decoders, et. al., not like a macro to automate filtering processes inside of Wireshark.