Ask Your Question
0

tshark capture display out of chronological order?

asked 2022-06-18 16:56:26 +0000

brec gravatar image

updated 2022-06-18 17:22:41 +0000

grahamb gravatar image

New tshark user, self-educating networker, trying to debug a proxy server. On the server machine, looking at standard output of this command:
sudo tshark -f not\ port\ 22 -i enp2s0 -f host\ 192.168.50.212 -i wg0 -l'

enp2s0 is where the proxy client connects. 192.168.1.50.212 is the address of enp2s0 (-p isn't working for me, hence this filter and the not port 2 one; that's another question). wg0 is the virtual interface of the local end of a WireGuard VPN tunnel.

I see the following, where 10.4.0.2 is the address of wg0 and "..." denotes me truncating the line:

 502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP     277 CONNECT ifconfig.me ...  
 503 47.114636300 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 504 47.115387336 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x7a6e A ifconfig.me  
 505 47.115428139 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x8f64 AAAA ifconfig.me  
 506 47.319604790 192.168.50.212 → 192.168.50.200 TCP      170 HTTP/1.0 500 Unable to connect ...  
 507 47.319861769 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 508 47.319917721 192.168.50.212 → 192.168.50.200 TCP      271 8888 → 57666 [PSH, ACK] ...  
 509 47.320158898 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect  
 511 47.320428367 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [FIN, ACK]  ...  
 512 47.320428585 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 513 47.320469557 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 514 47.320642196 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 515 47.319108832 1.1.1.2        → 10.4.0.2       DNS      128 Standard query response 0x8f64 AAAA ifconfig.me ...  
 516 47.319109241 1.1.1.2        → 10.4.0.2       DNS       73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81

At first I wondered why at #506 the proxy is sending "Unable to connect" to the client immediately after sending the DNS query into the tunnel at #504-505. Then I noticed the timestamps. #515-516 are the DNS responses received before #506. (I'm still wondering why the proxy would report "Unable to connect," but I think that's a separate issue.)

Is there anything I can do to have tshark display output in chronological order?

edit retag flag offensive close merge delete

Comments

Quickest would be to save the tshark capture to a file, run it through reordercap and read the sorted file with tshark.

Chuckc gravatar imageChuckc ( 2022-06-19 00:29:28 +0000 )edit

@Chuckc OK, thanks. I see that info reordercap suggests that multiple sources could result in some out-of-order output, and I was capturing from two interfaces.

brec gravatar imagebrec ( 2022-06-19 03:18:21 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2022-06-19 03:21:40 +0000

brec gravatar image

updated 2022-06-19 03:24:02 +0000

Based on @Chuckc's comment to my question, I think that, strictly speaking, there's not an answer to getting "tshark display output [always in strictly] chronological order" with multiple interfaces being captured. But the suggestion of using reordercap seems like the best answer.

P.S. I don't have enough karma as yet to accept my own answer, so if this answer is accepted it was by some other kind soul.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-06-18 16:56:26 +0000

Seen: 41 times

Last updated: Jun 19