What is the purpose of rawshark?

asked 2019-03-21 22:59:03 +0000

Ross Jacobs

updated 2019-03-21 23:09:52 +0000

The Utilities

rawshark

rawshark is an "extras" utility bundled with Wireshark that can read streams. For example, given the 4-packet dhcp.pcap from the Wireshark samples page, we can get UDP port information.

cat dhcp.pcap | rawshark -s -r - -d encap:1 -F udp.port

FT_UINT16 BASE_PT_UDP - 1 FT_UINT16 BASE_PT_UDP - 
1 1="68" 0="67" -
2 1="67" 0="68" -
3 1="68" 0="67" -
4 1="67" 0="68" -

There are multiple annoyances with the tool and the output:

  • It doesn't integrate well with other Wireshark tools. For example, cat dhcp.pcap | rawshark ... works, but not tshark -r dhcp.pcap | rawshark.
  • You MUST send in raw packets without the header and only the pcap format is understood (i.e. no pcapng IDBs)
  • You MUST specify the tcpdump link-layer header type or protocol name before any others (and sometimes it isn’t clear which one you should use)

vs tshark

Compare with tshark, which can read from both files and streams and provides useful output:

$ tshark -r dhcp.pcap

1   0.000000      0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Discover - Transaction ID 0x3d1d
2   0.000295  192.168.0.1 → 192.168.0.10 DHCP 342 DHCP Offer    - Transaction ID 0x3d1d
3   0.070031      0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Request  - Transaction ID 0x3d1e
4   0.070345  192.168.0.1 → 192.168.0.10 DHCP 342 DHCP ACK      - Transaction ID 0x3d1e

The Question

Why is rawshark bundled with the Wireshark program when it doesn't appear to do anything that can't already be achieved with tshark? What is a use case for rawshark?

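To make concrete what "raw packets without the header" means, here is an added Python example (not from the original post or from Wireshark): it builds a constructed four-frame pcap with the same 68/67 port pattern as dhcp.pcap, strips the 24-byte file header to produce the record stream rawshark reads (which is what -s does for you), and walks that stream the way rawshark -F udp.port does. Because the link type lives only in the dropped file header, the stream itself no longer says what the packets are, which is why -d encap:1 has to be restated on the command line.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap; pcapng (0x0A0D0D0A) is not accepted
LINKTYPE_ETHERNET = 1        # the value behind "-d encap:1" on this page

def pcap_file_header(linktype, snaplen=65535):
    """24-byte pcap global header: magic, version 2.4, tz, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, data):
    """16-byte per-packet record header (ts_sec, ts_usec, incl_len, orig_len) + bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data

def constructed_udp_frame(src_port, dst_port):
    """Constructed Ethernet/IPv4/UDP frame with a dummy payload; not real DHCP,
    just enough for udp.port to be dissected (checksums left at zero)."""
    payload = b"\x01" * 8
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + ip

def build_sample_pcap():
    """Four constructed frames mirroring the port pattern quoted in the question."""
    out = pcap_file_header(LINKTYPE_ETHERNET)
    for i, (s, d) in enumerate([(68, 67), (67, 68), (68, 67), (67, 68)]):
        out += pcap_record(1000 + i, 0, constructed_udp_frame(s, d))
    return out

def strip_file_header(pcap_bytes):
    """Produce the headerless record stream rawshark expects on stdin.
    The link type exists only in the dropped 24 bytes, so the caller has to
    restate it on the command line with -d encap:<linktype>."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    (linktype,) = struct.unpack("<I", pcap_bytes[20:24])
    return linktype, pcap_bytes[24:]

def iter_udp_ports(record_stream):
    """Yield (frame_no, src_port, dst_port) per Ethernet/IPv4/UDP record."""
    off, n = 0, 0
    while off + 16 <= len(record_stream):
        _, _, incl_len, _ = struct.unpack("<IIII", record_stream[off:off + 16])
        pkt = record_stream[off + 16:off + 16 + incl_len]
        off, n = off + 16 + incl_len, n + 1
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[12:14] == b"\x08\x00" and pkt[14 + 9] == 17:
            yield (n,) + struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
```

Writing `strip_file_header(build_sample_pcap())[1]` to a file and feeding it to `rawshark -r - -d encap:1 -F udp.port` (without -s) reproduces the four lines of port output shown above.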

Comments

From the original commit message back in 2008:

Add rawshark, a utility that, when given raw pcap-formatted packets and
a list of fields, prints the field values found in each packet.

Packet data can be specified as a libpcap DLT, e.g. "EN10MB" or an upper-layer protocol, e.g. "http".

which doesn't really say what the use cases are.

grahamb ( 2019-03-22 11:15:47 +0000 )

@grahamb cheers. Given that we're delving into commits, I plan on bringing up this discussion in a bug thread.

Ross Jacobs ( 2019-03-22 13:39:50 +0000 )

Why is rawshark bundled with the Wireshark program when it doesn't appear to do anything that can't already be achieved with tshark? What is a use case for rawshark?

I think rawshark is a lot more lightweight than tshark and my gut tells me it was a purpose-built tool written to support the requirements of 3rd party software, perhaps even SteelCentral PacketAnalyzer or rather its predecessor, Cascade Pilot. Probably only @gerald-combs could say for sure what the original use case was though.

cmaynard ( 2019-03-25 18:03:35 +0000 )