Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com) . His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'s main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark-bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

1. Scripting with Tshark (2) June 2009

6. 1: Select packets with searchdata $ tshark -r sharkfest-1.cap -R "http.request and http.cookie contains amp;quot;PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcafamp;quot;" 66 352.849802 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/ ... 90 352.943964 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/ ... 101 352.995346 192.168.1.30 -> 194.134.109.48 HTTP GET /javascr ... 115 353.051093 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 118 353.055001 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 139 353.131598 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 142 353.132616 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 161 353.191958 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 165 353.200628 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 182 353.493676 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 185 353.503053 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 205 353.553385 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 209 353.557910 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 225 353.607322 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 229 353.619819 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... 245 353.669407 192.168.1.30 -> 194.134.109.48 HTTP GET /javascr ... 249 353.681990 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ... [...] $

7. 2: Print only source ip and port $ tshark -r sharkfest-1.cap -R "http.request and http.cookie contains amp;quot;PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcafamp;quot;" -T fields -e ip.src -e tcp.srcport | sort | uniq 192.168.1.30 3981 192.168.1.30 3982 192.168.1.30 3983 192.168.1.30 3984 192.168.1.30 3985 192.168.1.30 3986 192.168.1.30 3987 192.168.1.30 3988 192.168.1.30 3989 192.168.1.30 3991 192.168.1.30 3992 192.168.1.30 3993 192.168.1.30 3994 192.168.1.30 3996 192.168.1.30 3997 192.168.1.30 3998 [...] $

9. 3: Create new display filter (2) $ tshark -r sharkfest-1.cap -R "http.request and http.cookie contains amp;quot;PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcafamp;quot;" -T fields -e ip.src -e tcp.srcport | sort | uniq | awk '{printf("%s(ip.addr==%s&&tcp.port==%s)",sep,$1,$2);sep="||"}' (ip.addr==192.168.1.30&&tcp.port==3981)||(ip.addr==192.168.1.30&& tcp.port==3982)||(ip.addr==192.168.1.30&&tcp.port==3983)||(ip.add r==192.168.1.30&&tcp.port==3984)||(ip.addr==192.168.1.30&&tcp.por t==3985)||(ip.addr==192.168.1.30&&tcp.port==3986)||(ip.addr==192. 168.1.30&&tcp.port==3987)||(ip.addr==192.168.1.30&&tcp.port==3988 )||(ip.addr==192.168.1.30&&tcp.port==3989)||(ip.addr==192.168.1.3 0&&tcp.port==3991)||(ip.addr==192.168.1.30&&tcp.port==3992)||(ip. addr==192.168.1.30&&tcp.port==3993)||(ip.addr==192.168.1.30&&tcp. port==3994)||(ip.addr==192.168.1.30&&tcp.port==3996)||(ip.addr==1 92.168.1.30&&tcp.port==3997)||(ip.addr==192.168.1.30&&tcp.port==3 998)||(ip.addr==192.168.1.30&&tcp.port==3999)||(ip.addr==192.168. 1.30&&tcp.port==4000)||(ip.addr==192.168.1.30&&tcp.port==4001)||( ip.addr==192.168.1.30&&tcp.port==4002)||(ip.addr==192.168.1.30&&t cp.port==4003)||(ip.addr==192.168.1.30&&tcp.port==4004)||(ip.addr ==192.168.1.30&&tcp.port==4006)||(ip.addr==192.168.1.30&&tcp.port ==4007)|| [...] ||(ip.addr==192.168.1.30&&tcp.port==4126) $

10. 4: extract the tcp sessions $ tshark -r sharkfest-1.cap -R $( tshark -r sharkfest-1.cap -R "http.request and http.cookie contains amp;quot;PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcafamp;quot;" -T fields -e ip.src -e tcp.srcport | sort | uniq | awk '{printf("%s(ip.addr==%s&&tcp.port==%s)",sep,$1,$2); sep="||"}' ) -w cookie.cap $ $ tshark -r cookie.cap 1 0.000000 192.168.1.30 -> 194.134.109.48 TCP starfish > http [SYN] Seq=0 Win=655… 2 0.010379 194.134.109.48 -> 192.168.1.30 TCP http > starfish [SYN, ACK] Seq=0 Ac… 3 0.010456 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=1 Ack=1 W… 4 0.010692 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/scherm.css HTTP/1.1 5 0.026023 194.134.109.48 -> 192.168.1.30 TCP http > starfish [ACK] Seq=1 Ack=384… 6 0.034230 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] 7 0.038617 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] 8 0.038683 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=384 Ack=29… 9 0.043327 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] 10 0.050840 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] 11 0.050899 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=384 Ack=58… 12 0.055159 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] 13 0.059893 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU] [...] $