rawshark: Why?

The Utilities

rawshark

rawshark is an "extras" utility bundled with Wireshark that can read streams. For example, given the 4-packet dhcp.pcap from the Wireshark samples page, we can get UDP port information.

$ cat dhcp.pcap | rawshark -s -r - -d encap:1 -F udp.port

FT_UINT16 BASE_PT_UDP - 1 FT_UINT16 BASE_PT_UDP - 
1 1="68" 0="67" -
2 1="67" 0="68" -
3 1="68" 0="67" -
4 1="67" 0="68" -

There are multiple annoyances with the tool and the output:

  • It doesn't integrate well with other Wireshark tools. For example, cat dhcp.pcap | rawshark ... works, but not tshark -r dhcp.pcap | rawshark.
  • You MUST send in raw packets without the header and only the pcap format is understood (i.e. no pcapng IDBs)
  • You MUST specify the tcpdump link-layer header type or protocol name before any others (and sometimes it isn’t clear which one you should use)

vs tshark

Compare with tshark, which can read from both files and streams and provides useful output:

$ tshark -r dhcp.pcap

1   0.000000      0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Discover - Transaction ID 0x3d1d
2   0.000295  192.168.0.1 → 192.168.0.10 DHCP 342 DHCP Offer    - Transaction ID 0x3d1d
3   0.070031      0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Request  - Transaction ID 0x3d1e
4   0.070345  192.168.0.1 → 192.168.0.10 DHCP 342 DHCP ACK      - Transaction ID 0x3d1e

The Question

Why is rawshark bundled with the Wireshark program when it doesn't appear to do anything that can't already be achieved with tshark? What is a use case for rawshark?
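To make concrete what the second and third annoyances above are about, here is an added Python example (not code from the question and not part of Wireshark) that parses classic pcap the way rawshark's input stage has to, and then emits a udp.port table like the one above. It shows where the link-layer type actually lives: only in the 24-byte file header that rawshark -s skips, so a stream of bare packet records carries no such information and the caller has to supply it (hence -d encap:1 for Ethernet). It also shows why a pcapng file fails: its first block is a Section Header Block with a different magic, not a pcap file header. The sample capture is constructed inline and is not the samples-page dhcp.pcap; the function names (detect_format, parse_pcap, udp_ports, port_table, build_udp_frame, build_pcap) are chosen here, not rawshark's.

```python
import struct

LINKTYPE_ETHERNET = 1   # the value behind "-d encap:1" once the file header is gone
PCAP_HDR_LEN = 24       # the file header that "rawshark -s" skips
REC_HDR_LEN = 16        # per-packet record header (ts_sec, ts_usec, incl_len, orig_len)


def detect_format(data):
    """Classify the first 4 bytes: classic pcap (either byte order, microsecond
    or nanosecond magic), pcapng (Section Header Block type), or unknown."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        return "pcap-le"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):
        return "pcap-be"
    if magic == 0x0A0D0D0A:
        return "pcapng"
    return "unknown"


def parse_pcap(data):
    """Return (linktype, [frame bytes, ...]) from a classic pcap blob.
    The link type exists only in the file header; a raw record stream has
    none, which is why rawshark must be told it with -d encap:<n>."""
    fmt = detect_format(data)
    if fmt == "pcapng":
        raise ValueError("pcapng input (IDBs) is not classic pcap")
    if fmt == "unknown" or len(data) < PCAP_HDR_LEN:
        raise ValueError("not a pcap file header")
    e = "<" if fmt == "pcap-le" else ">"
    _magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack(
        e + "IHHiIII", data[:PCAP_HDR_LEN])
    frames, off = [], PCAP_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        _ts, _tus, incl, _orig = struct.unpack(e + "IIII", data[off:off + REC_HDR_LEN])
        off += REC_HDR_LEN
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


def udp_ports(frame, linktype):
    """(udp.srcport, udp.dstport) of an Ethernet/IPv4/UDP frame, else None."""
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is decoded in this example")
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:    # protocol 17 = UDP
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def port_table(data):
    """rawshark-style rows: (packet number, udp.srcport, udp.dstport)."""
    linktype, frames = parse_pcap(data)
    rows = []
    for n, f in enumerate(frames, 1):
        ports = udp_ports(f, linktype)
        if ports:
            rows.append((n, ports[0], ports[1]))
    return rows


# --- constructed sample input (not the samples-page dhcp.pcap) ---------------

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with zeroed checksums; enough for parsing."""
    eth = b"\xff" * 6 + b"\x00\x0b\x82\x01\xfc\x42" + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + udp


def build_pcap(frames, endian="<", linktype=LINKTYPE_ETHERNET):
    """Classic pcap: 24-byte file header, then 16-byte record headers + data."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE = build_pcap([
    build_udp_frame("0.0.0.0", "255.255.255.255", 68, 67, b"\x01"),
    build_udp_frame("192.168.0.1", "192.168.0.10", 67, 68, b"\x02"),
])

if __name__ == "__main__":
    for n, sport, dport in port_table(SAMPLE):
        print(f'{n} 0="{sport}" 1="{dport}"')
```

SAMPLE[PCAP_HDR_LEN:] is the kind of stream rawshark accepts without -s: the same records, but the link type is gone with the header, and nothing in the bytes that follow says whether packet data starts with an Ethernet header or something else. That is the information -d encap:1 restores.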
