tshark - extract conversations (ip,tcp,udp) / endpoints with GeoIP
I find Wireshark's Endpoint statistics very interesting and would like to extract them in a more automated fashion without needing to use the Wireshark GUI.
TL;DR: can I get the Endpoint statistics with MaxMind GeoIP via the command line?
I can easily extract the endpoints using e.g.
tshark -r infile.pcap -z conv,ip -w outfile.pcap
and it will print me the statistics like this
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
192.168.101.35 <-> encrypted-tbn1.gstatic.com 47186 68 MB 11439 772 kB 58625 69 MB 72,370211000 266467,3920
192.168.101.141 <-> rr3.sn-4g5e6nz7.gvt1.com 49431 63 MB 4978 387 kB 54409 64 MB 100121,935270000 8,6585
192.168.101.141 <-> app-measurement.com 42865 62 MB 10943 770 kB 53808 63 MB 143553,721566000 130918,2853
...
However, the GUI allows name resolution to be enabled and it will also show me the GeoIP and AS information I retrieved from MaxMind.
tshark -v does show "with MaxMind" and tshark -G folders shows the correct path.
Also I can use something like this (which I copied from some bug report)
tshark -r traffic.pcap -T fields -e frame.number -e ip.src -e ip.geoip.src_country -e ip.dst -e ip.geoip.dst_country -e ip.geoip.asnum
And it will show the GeoIP information as I'd expect.
However I haven't managed to get the GeoIP with the Endpoint statistics in a nice condensed way.
Info:
$ tshark -v
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with
GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.12, with libsmi 0.4.8.
Running on Linux 5.15.0-105-generic, with 12th Gen Intel(R) Core(TM) i7-12700H
(with SSE4.2), with 11655 MB of physical memory, with GLib 2.72.4, with zlib
1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with GnuTLS
3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with LZ4
1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary
plugins supported (0 loaded).
You seem to be using "endpoints" and "conversations" interchangeably, but they are two different reports in tshark:
Here is a previous related question:
How to display GeoIP in Conversations?
Thanks for your response!
You're right, I meant to say endpoints.
I now tried using the -N g flag, together with -z endpoints,ip, but it gives me this:
Not sure if I need to do it somehow else, or if my build maybe does not really support it.
I forgot to mention in my initial post, I was basing the command-line options on the "manpage" I found here https://www.wireshark.org/docs/man-pa...
As reflected in the NOTES section at the bottom of the tshark man page, the online man page is for version 4.2.4 of Wireshark, but you've got an older version of Wireshark, version 3.6.2, and -N g wasn't supported until Wireshark version 4.2.0.
I had missed this small but important aspect. Thanks for pointing it out. I'll see if I can get Wireshark 4.2.0 installed somehow.
I just tried after installing the latest Wireshark 4.2.4 from PPA and now -N g is accepted, but the effect is weird. If I leave it out, names are resolved (default?); if I put -N g, IPs are not resolved and additionally GeoIP information is also not shown. I wonder if the comment from @Chuckc below is correct and this function is not completely implemented.