tshark network whos talking to who

Question

I'm looking for a basic view of who is talking to who on the network. With TCPdump i was using tcpdump -q. It gave me IP to IP and what port. no more no less. Is that possible with tshark?

Answer 1

You can change the column format of tshark to get a similar output (ports are not 'attached' to the IP addresses with a dot), with the following option: -o gui.column.format

tshark -nr test.pcap -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%t\",\"Source\",\"%s\",\"Source Port\",\"%S\",\"Destination\",\"%d\",\"Destination Port\",\"%D\""

Result:

  1 0.000000000 192.168.158.128 49722 80.67.16.195 443
  2 0.000143000 80.67.16.195 443 192.168.158.128 49722
  3 2.000479000 192.168.158.128 49724 80.67.16.195 443
  4 2.000485000 80.67.16.195 443 192.168.158.128 49724
  5 2.293298000 192.168.158.139 4620 162.159.242.165 80

Another option would be the stats module of tshark

tshark -nr test.pcap -q -z conv,tcp

Result (will show some details about the conversations as well)

================================================================================
TCP Conversations
Filter:<no filter="">
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.158.139:4627 <-> 162.159.242.165:80       214    170550     111     24317     325    194867    85,416556000       260,7799
192.168.158.139:4645 <-> 173.230.134.104:80       226    246836      98     20368     324    267204   373,790640000       175,1330
192.168.158.139:4646 <-> 173.230.134.104:80       204    211482      91     19029     295    230511   374,597051000        98,9188

Regards
Kurt

Answer 2

You might try the -Tfields option along with the -e options to define the columns you want to see.