wireshark

Abstract

wireshark

Authors

Walter Fan

Status

v1

Updated

2024-08-21

Installation

  • Linux $PkgManager install wireshark 2.6.8 and below

  • macOS brew install --cask wireshark 3.0.2

  • Windows choco install wireshark

Tools

  • capinfos

  • captype

  • dftest

  • dumpcap

  • editcap

  • extcap

  • idl2wrs

  • mergecap

  • mmdbresolve

  • randpkt

  • rawshark

  • reordercap

  • sharkd

  • text2pcap

  • tshark

tshark

tshark is the command-line counterpart of Wireshark. On macOS it ships inside the application bundle, so a symbolic link like the one below puts it on the PATH:

ln -s /Applications/Wireshark.app/Contents/MacOS/tshark /usr/local/bin/tshark

Basic Usage

For detailed usage see tshark --help or https://www.wireshark.org/docs/man-pages/tshark.html

For example, to extract the first 100 packets in a pcapng file that match the filter below and export them to a JSON file:

tshark -r 2022-03-30-cc.pcapng -2 -Y "ip.addr == 10.140.202.120 and rtp.p_type == 123" -V -c 100 -T json > packet_sample.json

The output looks like this:

// layers 1 to 4 omitted: 1) frame, 2) eth, 3) ip, 4) udp
"rtp": {
  "rtp.setup": "",
  "rtp.setup_tree": {
    "rtp.setup-frame": "1",
    "rtp.setup-method": "HEUR RTP"
  },
  "rtp.version": "2",
  "rtp.padding": "0",
  "rtp.ext": "1",
  "rtp.cc": "0",
  "rtp.marker": "0",
  "rtp.p_type": "123",
  "rtp.seq": "8637",
  "rtp.extseq": "74173",
  "rtp.timestamp": "2709737133",
  "rtp.ssrc": "0xe19bcceb",
  "rtp.ext.profile": "0x0000bede",
  "rtp.ext.len": "2",
  "rtp.hdr_exts": {
    "RFC 5285 Header Extension (One-Byte Header)": {
      "rtp.ext.rfc5285.id": "2",
      "rtp.ext.rfc5285.len": "3",
      "rtp.ext.rfc5285.data": "e0:9c:ac"
    },
    "RFC 5285 Header Extension (One-Byte Header)": {
      "rtp.ext.rfc5285.id": "3",
      "rtp.ext.rfc5285.len": "2",
      "rtp.ext.rfc5285.data": "c4:70"
    }
  },
  "rtp.payload": "92:00:60:90:80:c6:67:51:61:00:e4:e0:af:bd:4a:7e:12:c0:7a:02:75:eb:ea:aa:91:81:d2:61:f1:07:d4:01:2c:18:b9:d3:4d:58:c5:ce:9a:6a:c6:43:91:03:d6:ea:aa:aa:28:f9:55:55:54:6d:55:55:54:be:48:57:d5:55:40:99:9e:aa:aa:a4:ba:e5:55:5b:ad:33:a0:be:aa:a9:86:bf:ff:ff:e2:02:d1:ba:55:55:34:92:15:f0:2f:aa:a9:7f:5e:e9:b9:84:95:55:5a:35:26:78:3b:cc:df:f2:03:4a:07:46:76:f9:fe:c6:27:a4:a3:38:fe:11:82:d5:54:24:f5:ec:aa:60:d3:52:d8:d1:8d:f9:29:0f:d0:fd:2a:46:41:d4:aa:a3:0d:83:02:47:da:31:9a:5a:4f:13:e4:a9:c2:e2:17:b4:46:be:e0:13:7c:b6:bb:63:20:94:31:8b:dc:ab:07:a2:3d:31:00:00:0e:9c:45:a5:fb:d0:32:cd:2b:f1:76:0f:fe:fa:5c:89:77:77:99:b5:a1:c3:82:77:eb:0b:05:fb:87:a3:e1:92:e2:70:19:da:dd:25:ec:ba:4b:d9:46:c2:22:7c:70:6c:f0:e4:c2:0f:c7:a2:bf:4f:22:2c:81:00:01:29:c3:c2:ac:1f:df:72:fb:3f:86:b9:79:8f:1c:ce:56:1a:db:d7:52:77:57:84:a7:3b:bd:8b:d9:74:97:b2:e9:2f:65:a5:7e:ae:88:0c:0d:80:5e:cb:a1:44:f0:af:87:7a:97:b2:f3:5c:e2:3e:b4:d9:f8:3f:64:9c:a3:bd:4c:59:dd:6e:c3:7d:f9:d3:12:c7:75:54:46:da:4d:e9:54:bd:e7:7f:8c:e5:ef:65:d2:5e:cb:a4:bd:97:49:d6:a2:2c:b2:ba:4b:a5:6b:c4:20:43:92:5e:cb:a4:b8:94:e8:81:55:9d:ec:5e:cb:a4:ef:fd:49:57:fc:a1:28:9b:54:13:21:20:68:83:06:6f:86:8e:7c:ec:3c:09:05:56:74:a5:c9:42:d4:5d:25:ec:ba:4b:c4:f5:ba:42:04:59:74:97:1e:4f:10:94:9c:c4:ad:fa:04:79:85:33:7e:81:1e:44:1e:c5:ec:ba:4b:8a:55:00:00:55:1c:c9:79:4e:bf:01:18:76:5f:ce:70:07:d5:1e:a8:b8:6b:b8:88:88:67:7a:5c:23:7d:60:a0:6b:f9:78:2e:b2:c2:45:72:c4:aa:7e:31:1f:db:1b:04:01:5a:ae:3b:ee:43:9a:88:a3:1b:59:e4:fb:70:87:64:4d:85:c6:ef:87:24:f5:86:a3:9e:70:f0:b5:6d:e7:99:48:53:94:7f:4a:6c:d0:62:6e:33:c3:bd:3c:c9:cc:3d:e6:26:6a:a1:40:75:c8:c5:8c:60:72:17:81:b6:fb:a9:3c:45:b7:bf:b7:a5:88:5c:14:20:47:c9:55:49:18:c4:62:5e:a5:af:a2:d0:62:aa:54:0d:be:9c:5f:5a:70:b6:49:05:d7:ec:78:5c:9c:74:d0:66:4d:b4:0e:50:11:12:2a:c2:c3:55:e2:99:95:db:b9:45:b0:dd:e2:1e:eb:c4:d9:ad:0b:1b:4d:a9:73:20:4a:fa:27:ec:09:7e:c1:57:f6:0e:7e:a7:79:7a:e6:f8:41:c1:43:e0:30:24:e7:92:0d:60:c8:a3:51:b0:c2:16:1f:3d:91:b9:d0:75:b1:2a:f4:2f:68:85:56:50:b5:24
:b9:26:ef:fb:6d:c5:f4:e9:3e:11:f7:86:ef:d9:04:10:50:35:28:cc:69:f2:4b:b2:f2:6a:3c:d0:af:9d:85:cc:3b:e8:b8:53:e2:fc:02:64:88:58:82:ee:39:a1:f9:68:16:e4:75:77:7a:51:50:04:b0:e8:1c:8b:d1:22:6c:57:54:70:d7:dc:a5:a5:53:dd:55:37:d5:dd:d5:55:55:47:d5:55:0a:db:8f:aa:aa:21:e2:da:58:0f:2a:8d:aa:aa:aa:9a:4a:aa:aa:a1:12:aa:aa:a5:1b:ea:aa:a7:ba:aa:aa:a8:fa:aa:aa:a9:aa:aa:aa:aa:1a:aa:aa:a9:a8:e5:8e:d4:df:eb:28:28:1c:e8:32:f7:a2:e0:34:bf:81:cc:e6:7c:0c:1f:39:86:3f:d4:a4:80:8b:0e:84:56:83:3d:4d:50:01:bf:20:c6:28:80:9b:01:a7:bf:ee:2a:fc:be:47:01:bb:35:56:85:7a:a2:b6:81:fd:d9:a7:3d:9e:dc:09:d9:75:80:af:e1:73:85:3f:78:1e:01:25:a1:82:4f:96:f5:b4:50:cb:43:12:c5:c5:72:fd:1b:3d:96:7e:f1:e3:ad:9b:3b:b4:42:f7:6e:00:2d:6a:be:34:10:9a:20:22:22:05:98:c6:81:8c:57:33:a6:30:92:b9:33:2a:e7:de:dc:36:45:a5:65:37:b6:5e:c3:07:54:fb:7f:c7:cb:ce:69:a7:9f:33:23:05:81:3a:c2:4a:22:c2:66:ff:aa:48:bf:35:12:bb:e7:69:da:55:01:e2:d5:19:ba:4a:31:80:11:e0:aa:81:4c:33:bf:ce:07:4c:69:8b:91:e6:19:e4:1e:0c:3b:84:54:d5:6a:4e:17:8a:9a:cb:54:01:e5:21:d9:3b:6c:d6:84:1f:b3:a6:6a:59:58:86:60:f4:86:e9:bb:04:fc:c2:02:6d:72:66:38:b9:22:a7:8b:da:5b:d5:d0:19:b0:bf:d1:12:72:95:c3:61:59:1e:11:cc:4d:04:23:92:ee:54:20:b8:7f:0c:b7:fa:05:9e:fc:5c:8a:00:4c:20:22:2a:ae:9e:60:9c:d9:49:20:ec:1c:4e:90:f5"
}
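The JSON above is what tshark -T json emits, one object per packet with the dissected fields under _source.layers. The following added example (not from the original page) reads such output and groups packets by SSRC, much like Telephony > RTP > Show All Streams does later on this page, reporting payload type, packet count and sequence gaps; the sample packets are constructed, and the payload type names are the Chrome defaults quoted in the text.

```python
"""Summarize RTP streams from `tshark -T json` output, grouped by SSRC the way
Telephony > RTP > Show All Streams does. Added example, not part of the page."""
import json

# Payload type names quoted in the text (Chrome defaults for the dynamic range).
PT_NAMES = {96: "VP8", 111: "Opus", 127: "VP8 with RED"}


def _pkt(ssrc, seq, pt):
    """Build one packet in the shape tshark -T json emits (lower layers omitted)."""
    return {"_source": {"layers": {"rtp": {
        "rtp.version": "2", "rtp.p_type": str(pt),
        "rtp.seq": str(seq), "rtp.ssrc": ssrc}}}}


# Constructed sample: two streams, one sequence gap, one 16-bit wrap, one non-RTP packet.
SAMPLE_JSON = json.dumps([
    _pkt("0xe19bcceb", 8637, 123), _pkt("0xe19bcceb", 8638, 123),
    _pkt("0x1234abcd", 65534, 111), _pkt("0xe19bcceb", 8640, 123),  # 8639 missing
    _pkt("0x1234abcd", 65535, 111), _pkt("0x1234abcd", 0, 111),     # wraps to 0
    _pkt("0xe19bcceb", 8641, 123),
    {"_source": {"layers": {"udp": {"udp.srcport": "5004"}}}},      # not dissected as RTP
])


def summarize_rtp(json_text):
    """Return {ssrc: {pt, codec, packets, lost}} sorted by packet count, descending."""
    streams = {}
    for pkt in json.loads(json_text):
        rtp = pkt.get("_source", {}).get("layers", {}).get("rtp")
        if not rtp or rtp.get("rtp.version") != "2":
            continue  # the "Unknown RTP version" cases from the text: skip them
        ssrc, seq, pt = rtp["rtp.ssrc"], int(rtp["rtp.seq"]), int(rtp["rtp.p_type"])
        st = streams.setdefault(ssrc, {
            "pt": pt, "codec": PT_NAMES.get(pt, "dynamic" if pt >= 96 else "static"),
            "packets": 0, "lost": 0, "last_seq": None})
        if st["last_seq"] is not None:
            delta = (seq - ((st["last_seq"] + 1) & 0xFFFF)) & 0xFFFF
            if 0 < delta < 0x8000:   # forward gap = loss; larger = reorder/dup, ignored
                st["lost"] += delta
        st["last_seq"], st["packets"] = seq, st["packets"] + 1
    for st in streams.values():
        del st["last_seq"]
    return dict(sorted(streams.items(), key=lambda kv: -kv[1]["packets"]))


if __name__ == "__main__":
    for ssrc, st in summarize_rtp(SAMPLE_JSON).items():
        print(f"{ssrc}  pt={st['pt']} ({st['codec']})  packets={st['packets']}  lost={st['lost']}")
```

Feed it a real export with `summarize_rtp(open("packet_sample.json").read())`; sorting by packet count is the same trick the text recommends for finding the streams that matter.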

capinfos

capinfos 2022-03-30-cc.pcapng

File name:           2022-03-30-cc.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   7678
File size:           3759kB
Data size:           3499kB
Capture duration:    33.521948 seconds
First packet time:   2022-03-30 10:35:27.550761
Last packet time:    2022-03-30 10:36:01.072709
Data byte rate:      104kBps
Data bit rate:       835kbps
Average packet size: 455.83 bytes
Average packet rate: 229 packets/s
SHA256:              6f9cee42a2be4b704e150643671d679eca1f6c7438f3a98e45602325191a6de4
RIPEMD160:           c1daaf4f78d797c31e6491402a2b32875d44950b
SHA1:                d62393f0fc44e798b572e0f2cbb5ec6d470d647f
Strict time order:   False
Capture hardware:    Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz (with SSE4.2)
Capture oper-sys:    64-bit Windows 10 (2009), build 19042
Capture application: Dumpcap (Wireshark) 3.4.2 (v3.4.2-0-ga889cf1b1bf9)
Number of interfaces in file: 1
...

Capturing RTP streams

  1. Select the network interface currently used for RTP traffic and start a capture.

  2. Right click on any packet in the capture view and select Decode As.

  3. Make sure Both (src/dst port <> src/dst port) is selected in the drop-down menu.

  4. On the right scroll down to and select RTP then click OK.

  5. RTP packets should now be visible with SSRC details in the info column.

    • If Unknown RTP version 0 appears, it is most likely not an RTP packet.

    • If Unknown RTP version 1 appears, it is most likely RTP encapsulated in a TURN packet; see the Capturing TURN RTP streams section on how to capture those properly.

  6. Go to the Telephony menu and select RTP then Show All Streams.

  7. A popup window should appear with lots of RTP streams.

  8. The RTP payload types indicate which codec is in use. Payload types between 96 and 128 are dynamic: they are assigned in the SDP negotiation that sets up the RTP streams, but browsers typically have preferred values.

The ones we are interested in typically have a payload type 96 (VP8 in Chrome), 111 (Opus in Chrome) and 127 (VP8 with RED in Chrome). Firefox and Opera may have different payload types for VP8 etc.

Sorting by number of packets is usually a good approach to filter out the relevant streams.

  9. If an rtpdump file is desired, select a stream and click Save As.

Capturing TURN RTP streams

  1. First we need to enable the Try to decode RTP outside of conversations option.

    • In Wireshark press Shift+Ctrl+P to bring up the preferences window.

    • In the menu to the left, expand Protocols.

    • Scroll down to RTP.

    • Check the Try to decode RTP outside of conversations checkbox.

    • Click OK.

  2. Now perform the steps in the Capturing RTP streams section but skip the Decode As steps (2-4).

text2pcap

Text2pcap understands a hexdump of the form generated by od -Ax -tx1 -v. In other words, each byte is individually displayed, with spaces separating the bytes from each other. Each line begins with an offset describing the position in the packet, each new packet starts with an offset of 0 and there is a space separating the offset from the following bytes. The offset is a hex number (can also be octal or decimal - see -o), of more than two hex digits.

Here is a sample dump that text2pcap can recognize:

000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
000030 57 6f 72 6c 64 21
000036
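To make the format rules above concrete, here is an added example (not from the page or from Wireshark) that parses a text2pcap-style hexdump into packets and renders packets back into the same od -Ax -tx1 -v layout; it assumes hex offsets (text2pcap's default) and uses the sample dump from the text, a 54-byte frame whose last bytes spell "Hello World!".

```python
"""Parse and produce the od -Ax -tx1 -v style hexdump that text2pcap reads.
Added example, not from the page: an offset of 0 starts a new packet, and a
trailing offset line with no bytes (e.g. 000036) just records the packet length."""
import re

# The sample dump from the text above (constructed copy of the page's example).
SAMPLE_DUMP = """\
000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
000030 57 6f 72 6c 64 21
000036
"""

# An offset of three or more hex digits, then zero or more space-separated bytes.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{3,})((?:\s+[0-9a-fA-F]{2})*)\s*$")


def parse_hexdump(text):
    """Return a list of packets (bytes objects); offsets are hex, as in text2pcap."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # text2pcap likewise ignores lines it cannot parse
        offset, hexbytes = int(m.group(1), 16), m.group(2).split()
        if offset == 0 and cur:          # offset 0 marks the start of the next packet
            packets.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):           # catch a dump whose offsets and bytes disagree
            raise ValueError(f"offset {offset:#x} does not match {len(cur)} bytes read")
        cur += bytes.fromhex("".join(hexbytes))
    if cur:
        packets.append(bytes(cur))
    return packets


def to_hexdump(packets):
    """Render packets 16 bytes per line in the same layout, so text2pcap can read it."""
    out = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            out.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in pkt[off:off + 16]))
        out.append(f"{len(pkt):06x}")    # closing offset line gives the packet length
    return "\n".join(out) + "\n"
```

Write `to_hexdump(packets)` to a file and `text2pcap dump.txt out.pcap` turns it into a capture Wireshark can open.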

FAQ

how to convert pcap to text

tcpdump -r input.pcap > output.txt
# this works as input for Wireshark's text2pcap
tshark -V -r input.pcap > output.txt

how to convert text to pcap

tshark -i - < "c:\filename.cap" > "c:\output.txt"

How to list interfaces

tshark -D

Reference