Extract packet direction from tshark cmd line

asked 2020-01-07 20:02:24 +0000


I want to extract the packet direction (tx, rx) of all inbound and outbound packets in a Wireshark (pcapng) file programmatically in Python. I read it is possible through the pcapng format.

What are the tshark options to club all inbound and outbound traffic from a pcapng file and output it to a CSV file?

Thanks ! -Farida


Comments

For future reference do you have a link to the reference that said it is possible?

bubbasnmp (2020-01-07 20:10:58 +0000)

https://stackoverflow.com/questions/1... This is the link where they mention that the newer pcapng format has packet direction as one of the fields.

From the link above: The PCAP file format does not contain a field that holds the interface used during the capture. With that said, the newer PCAP-NG file format, currently used by Wireshark & Tshark, supports it along with packet direction.

Existing pcap-ng features:

- packet dropped count
- annotations (comments)
- local IP address
- interface & direction
- hostname <-> IP address database

techy (2020-01-07 20:40:51 +0000)

pcap-ng file format: https://github.com/pcapng/pcapng

Support for packet direction:

4.3.1.  Enhanced Packet Block Flags Word

<snip>

   +--------+----------------------------------------------------------+
   | Bit    | Description                                              |
   | Number |                                                          |
   +--------+----------------------------------------------------------+
   | 0-1    | Inbound / Outbound packet (00 = information not          |
   |        | available, 01 = inbound, 10 = outbound)                  |
   | 2-4    | Reception type (000 = not specified, 001 = unicast, 010  |
   |        | = multicast, 011 = broadcast, 100 = promiscuous).        |
   | 5-8    | FCS length, in octets (0000 if this information is not   |
   |        | available).  This value overrides the if_fcslen option   |
   |        | of the Interface Description Block, and is used with     |
   |        | those link layers (e.g. PPP) where the length of the FCS |
   |        | can change during time.                                  |
   | 9-15   | Reserved (MUST be set to zero).                          |
   | 16-31  | link-layer-dependent errors (Bit 31 = symbol error, Bit  |
   |        | 30 = preamble error, Bit 29 = Start Frame Delimiter      |
   |        | error, Bit 28 = unaligned frame error, Bit 27 = wrong    |
   |        | Inter Frame Gap error, Bit 26 = packet too short error,  |
   |        | Bit 25 = packet too long error, Bit 24 = CRC error,      |
   |        | other?? are 16 bit enough ...
bubbasnmp (2020-01-07 21:52:29 +0000)

https://osqa-ask.wireshark.org/questi...

You can see the EPB and its bits in the Wireshark GUI by reloading a capture with View->Reload as File Format/Capture.

Doesn't help with getting the data programmatically but a start to make sure it's in your capture files.

bubbasnmp (2020-01-07 21:57:06 +0000)