tshark - extract conversations (ip,tcp,udp) / endpoints with GeoIP

I find Wireshark's Endpoint statistics very interesting and would like to extract them in a more automated fashion without needing to use the Wireshark GUI.

TL;DR: can I get the Endpoint statistics with MaxMind GeoIP via the command line?

I can easily extract the endpoints using e.g.

tshark -r infile.pcap -z conv,ip -w outfile.pcap

and it will print me the statistics like this

IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.101.35       <-> encrypted-tbn1.gstatic.com   47186 68 MB       11439 772 kB      58625 69 MB        72,370211000    266467,3920
192.168.101.141      <-> rr3.sn-4g5e6nz7.gvt1.com   49431 63 MB        4978 387 kB      54409 64 MB      100121,935270000         8,6585
192.168.101.141      <-> app-measurement.com    42865 62 MB       10943 770 kB      53808 63 MB      143553,721566000    130918,2853
...

However, the GUI allows name resolution to be enabled and it will also show me the GeoIP and AS information I retrieved from MaxMind.

tshark -v does show with MaxMind and tshark -G folders shows the correct path.

Also I can use something like this (which I copied from some bug report)

tshark -r traffic.pcap -T fields -e frame.number -e ip.src -e ip.geoip.src_country -e ip.dst -e ip.geoip.dst_country -e ip.geoip.asnum

And it will show the GeoIP information as I'd expect.

However I haven't managed to get the GeoIP with the Endpoint statistics in a nice condensed way.

Info:

$ tshark -v
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with
GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.12, with libsmi 0.4.8.

Running on Linux 5.15.0-105-generic, with 12th Gen Intel(R) Core(TM) i7-12700H
(with SSE4.2), with 11655 MB of physical memory, with GLib 2.72.4, with zlib
1.2.11, with libpcap 1.10.1 (with TPACKET_V3), with c-ares 1.18.1, with GnuTLS
3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli 1.0.9, with LZ4
1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary
plugins supported (0 loaded).
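As an added example (not part of the question above and not a Wireshark or tshark feature): one way to get conversation statistics together with GeoIP on the command line is to dump per-packet fields with `-T fields`, as the question already does, and aggregate them yourself. The function below does that aggregation with awk; the input it reads is a constructed sample standing in for tshark output (the real invocation is in the comment, adding `frame.len` for byte counts), and the country names and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example: aggregate per-packet tshark field output into per-conversation
# frame/byte totals, carrying the GeoIP country of each endpoint.
# Real input would come from (one CSV line per packet):
#   tshark -r infile.pcap -T fields -E separator=, \
#     -e ip.src -e ip.dst -e frame.len -e ip.geoip.src_country -e ip.geoip.dst_country
# Constructed sample standing in for that output. An empty country field means the
# MaxMind lookup had no hit (typical for private addresses such as 192.168.x.x).
SAMPLE_FIELDS='192.168.101.35,203.0.113.9,1500,,Netherlands
203.0.113.9,192.168.101.35,66,Netherlands,
192.168.101.35,203.0.113.9,1500,,Netherlands
192.168.101.141,198.51.100.7,1200,,Germany
198.51.100.7,192.168.101.141,60,Germany,'

# conv_geoip: reads CSV packet lines on stdin, prints one CSV line per conversation:
#   A,B,A->B frames,A->B bytes,B->A frames,B->A bytes,total frames,total bytes,country A,country B
conv_geoip() {
  awk -F, '
  {
    src = $1; dst = $2; len = $3 + 0; sc = $4; dc = $5
    # canonical key: the lexically smaller address is side A, so both directions merge
    if (src < dst) { a = src; b = dst; fwd = 1 } else { a = dst; b = src; fwd = 0 }
    key = a "<->" b
    if (!(key in seen)) { seen[key] = 1; order[++n] = key; left[key] = a; right[key] = b }
    if (fwd) { fa[key]++; fb[key] += len } else { ra[key]++; rb[key] += len }
    # remember the first non-empty country reported for each endpoint
    ca = fwd ? sc : dc; cb = fwd ? dc : sc
    if (ca != "" && !(a in country)) country[a] = ca
    if (cb != "" && !(b in country)) country[b] = cb
  }
  END {
    for (i = 1; i <= n; i++) {
      k = order[i]; a = left[k]; b = right[k]
      printf "%s,%s,%d,%d,%d,%d,%d,%d,%s,%s\n", a, b,
        fa[k] + 0, fb[k] + 0, ra[k] + 0, rb[k] + 0,
        fa[k] + ra[k], fb[k] + rb[k],
        (a in country) ? country[a] : "-", (b in country) ? country[b] : "-"
    }
  }'
}

# run_sample: aggregate the constructed sample (replace with a tshark pipeline for real data)
run_sample() {
  printf '%s\n' "$SAMPLE_FIELDS" | conv_geoip
}
```

Endpoints with no MaxMind hit are printed as "-"; if you want AS numbers as well, add `-e ip.geoip.asnum` to the field list and extend the awk in the same way.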