Ask Your Question
0

tshark packet data not displaying

asked 2018-07-06 18:52:06 +0000

nnaate gravatar image

updated 2018-07-06 19:36:35 +0000

Hi everyone,

I'm running into a weird problem with tshark. The scenario is I'm using ettercap on a Raspberry Pi to perform a man in the middle attack and look at all the traffic between two devices.

When I send messages with the Raspberry Pi to one of the devices, I can use the command

sudo tshark -Y "ip.src == 192.92.92.200" -T fields -e data

to print the hex contents of the packets I'm sending (where 192.92.92.200 is the address of the Pi). However, when I do the same with the address of one of the devices I'm ARP spoofing, no data is printed to the screen. However, whenever a packet is received, a blank line is printed to the screen. If I simply run

sudo tshark

all of the traffic in the network, including the packets being sent between the two devices I am ARP spoofing, are shown (though of course this command doesn't print the actual contents of the packets, which is what I'm looking for). So if tshark can see the packets being sent between the two devices, and if the contents of the packets can be printed in the case that it is sent from the Raspberry Pi, why can't I print the contents of the messages being sent from the devices I'm ARP spoofing?

Update with more details:

I tried adding more -e fields to see what would happen. When I ran the command

sudo tshark -o data.showastext:TRUE -Y "ip.dst == 192.92.92.108" -T fields -e frame.time -e data -e ip.src

Everything was printed in this format:

June 30, 2018 23:34:54.359272718 UTC 192.92.92.107

The part where the data is expected is completely blank, but tshark clearly can see and read those packets. Also, if I open up Wireshark instead of tshark, I can see the contents of the data packets.

edit retag flag offensive close merge delete

Comments

You never illustrated the network topology.

Jaap gravatar imageJaap ( 2018-07-06 21:14:02 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-07-07 00:20:53 +0000

Guy Harris gravatar image

I can use the command

sudo tshark -Y "ip.src == 192.92.92.200" -T fields -e data

to print the hex contents of the packets I'm sending

No, you can use that command to print the hex contents of any undissected data in those packets.

If Wireshark manages to dissect all the data in a packet as part of some protocol, rather than not knowing some protocol and having to treat that protocol's part of the packet as undissected (because undissectable) data, it will print nothing for the packet.

If you want all the hex data, you could try

sudo tshark -Y "ip.src == 192.92.92.200" -x

but you won't get one line per packet - you'll get a variable number of lines per packet, with each line having a hex offset in the packet data followed by 16 bytes of hex data and 16 characters worth of ASCII data (the last line may have fewer than 16 bytes of data).

Note, by the way, that:

1) to quote the doc/README.packaging file in the Wireshark source:

WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

All of the lines of code that involve packet dissection, which is the majority of the lines of code in Wireshark, are also in TShark, so the same warning applies to it.

You probably want to make sure that the dumpcap program (which is what Wireshark and TShark run to capture traffic) was installed to run with elevated privileges (on Linux, either with capture privileges or set-UID privileges), and NOT run TShark as root.

2) You can also use the command

tshark -x src host 192.92.92.200

for the same purpose, and not have TShark even have to see packets not from 192.92.92.200.

Also, if I open up Wireshark instead of tshark, I can see the contents of the data packets.

If you open up Wireshark, you will probably see the entire hex contents of the packet in the "hex dump" pane of the display; that's what tshark -x prints.

You will probably not see very many places in the packet detail pane where it says just "Data"; those are what the data field corresponds to.

edit flag offensive delete link more

Comments

Is there anyway to make tshark not dissect that data? I don't understand why it would allow me to see that data when it can't identify the protocol and prevent me from seeing it when it does recognize the protocol.

Also, in Wireshark the data is printed in the data field, not just in the hex dump pane.

nnaate gravatar imagennaate ( 2018-07-16 14:10:12 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-07-06 18:52:06 +0000

Seen: 14,832 times

Last updated: Jul 07 '18

Related questions

Target Machine keeps losing connectivity when running a arpspoof/ettercat against it

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Monitoring UDP data on wireshark shows ARP packet

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

Gateway keeps flooding the network with arp requests

How do I change the interface on Tshark?