Discussion:
newbie question, tshark input from stdin
Lancashire, Pete
2014-02-03 21:16:42 UTC
A bit confused with tshark -i -

I have a pcap file with 1,177,880 records

$ capinfos pcapfile
File name: pcapfile
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Packet size limit: file hdr: 65535 bytes
Number of packets: 1177880
File size: 772514406 bytes
Data size: 753668302 bytes
Capture duration: 4800 seconds
Start time: Fri Jan 31 13:50:00 2014
End time: Fri Jan 31 15:10:00 2014
Data byte rate: 156999.79 bytes/sec
Data bit rate: 1255998.34 bits/sec
Average packet size: 639.85 bytes
Average packet rate: 245.37 packets/sec
SHA1: 1ad68104a5ea50c2392340a9e5b6f2767e6dd34f
RIPEMD160: 519962c5e8cf8f742ebceb4d06380741fcca537b
MD5: 9594d754ae507f5cbe7cb6ac43cd361a
Strict time order: False

tshark is

$ tshark -v
TShark 1.4.10

Copyright 1998-2011 Gerald Combs <gerald-IZ8446WsY0/***@public.gmane.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.0, with libpcap 1.1.1, without libz, without
POSIX capabilities, without libpcre, with SMI 0.4.8, without c-ares, without
ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with
MIT Kerberos, with GeoIP.

Running on Linux 2.6.35.14-106.fc14.x86_64, with libpcap version 1.1.1.

Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).

doing
$ tshark -r pcapfile 2>/dev/null | wc -l
1177880

Is what I expected

but
cat pcapfile | tshark -i -

6.027531 192.168.240.107 -> 192.168.2....
499 packets captured

and confirming

cat pcapfile | tshark -i - 2>/dev/null | wc -l
499

What am I doing wrong?

Thanks

-pete

stops after 499 packets

tshark -r pcapfile | wc -l

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Evan Huus
2014-02-03 21:44:24 UTC
Hi Pete,

The -i flag is for specifying a network interface for live capture (eg
eth0) and so doesn't accept "-" to signify stdin. I'm actually a bit
surprised you're getting any data at all with that command. I would
expect the following to give more useful results:
$ cat pcapfile | tshark -r -
though tshark's ability to read from a pipe has been rather
inconsistent up until recently due to the way filetypes are detected.

(Tangential note: tshark 1.4.x is quite old and no longer officially
supported. Upgrading is a good idea, if you are able.)

Evan

Lancashire, Pete
2014-02-03 22:04:08 UTC
It ended up being that /tmp was filling up with temporary Wireshark files...

I will do a new build rather than using the one from the distribution.

-pete

Christopher Maynard
2014-02-03 22:43:53 UTC
Evan Huus <***@...> writes:

> The -i flag is for specifying a network interface for live capture (eg
> eth0) and so doesn't accept "-" to signify stdin.

The tshark man page[1] would disagree. I just tested this with 1.10.5 and
it worked as documented:

[***@host wireshark]$ capinfos -c file.pcap
File name: file.pcap
Number of packets: 300

[***@host wireshark]$ tshark -r file.pcap 2> /dev/null | wc -l
300

[***@host wireshark]$ cat file.pcap | tshark -i - 2> /dev/null | wc -l
300


[1]: http://www.wireshark.org/docs/man-pages/tshark.html


Evan Huus
2014-02-03 23:02:07 UTC
On Mon, Feb 3, 2014 at 5:43 PM, Christopher Maynard
<Christopher.Maynard-***@public.gmane.org> wrote:
> Evan Huus <***@...> writes:
>
>> The -i flag is for specifying a network interface for live capture (eg
>> eth0) and so doesn't accept "-" to signify stdin.
>
> The tshark man page[1] would disagree. I just tested this with 1.10.5 and
> it worked as documented:

Whoops, yes, you're right, I made a false assumption.

Christopher Maynard
2014-02-04 15:22:30 UTC
Evan Huus <***@...> writes:

> On Mon, Feb 3, 2014 at 5:43 PM, Christopher Maynard
> <***@...> wrote:
> > Evan Huus <eapache <at> ...> writes:
> >
> >> The -i flag is for specifying a network interface for live capture (eg
> >> eth0) and so doesn't accept "-" to signify stdin.
> >
> > The tshark man page[1] would disagree. I just tested this with 1.10.5 and
> > it worked as documented:
>
> Whoops, yes, you're right, I made a false assumption.

Does anyone know why dumpcap, tshark and Wireshark read from a pipe using
"-i -" and not "-r -"? It seems more intuitive to me to use "-r" than "-i"
and it would match tcpdump's syntax[1]. I suppose either "-r -" or "-i -"
could be allowed?

- Chris

[1]: http://www.tcpdump.org/tcpdump_man.html


Jaap Keuter
2014-02-06 07:33:05 UTC
Hi,

That's probably because -r refers to a file (which you can seek through), while
-i refers to a 'stream' (which you cannot seek). Now, tcpdump is single pass
while *shark has multi pass capability *for files*. Categorizing pipes in *shark
as files would open up that multi pass option, which it cannot handle, while
tcpdump would never do that so it can access a pipe as a file.

Thanks,
Jaap

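A single-pass libpcap record counter, added here as an example (it is not code from the thread or from Wireshark): it produces the capinfos-style figures (packet count, data bytes, capture duration) from a pipe-like, non-seekable stream, which is exactly the forward-only constraint Jaap describes, and it rejects a cut-off or misaligned stream instead of silently stopping short. The sample capture it parses is constructed in memory; the `ForwardOnly` wrapper and all function names are this example's own.

```python
import io
import struct
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),  # usec timestamps (magic read LE)
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}  # nsec timestamps

class ForwardOnly(io.RawIOBase):
    """Pipe-like wrapper around bytes: readable but not seekable, so only one pass is possible."""
    def __init__(self, data): self._buf = io.BytesIO(data)
    def readable(self): return True
    def seekable(self): return False
    def readinto(self, b):
        chunk = self._buf.read(len(b))
        b[:len(chunk)] = chunk
        return len(chunk)

def _read_exact(stream, n):
    buf = stream.read(n)  # empty bytes means clean EOF; a short read means a cut-off record
    if len(buf) not in (0, n):
        raise ValueError("truncated pcap record")
    return buf

def count_pcap_stream(stream):
    """One forward pass over a libpcap stream: (packets, data_bytes, duration_secs), like capinfos."""
    hdr = _read_exact(stream, 24)
    if len(hdr) != 24:
        raise ValueError("missing pcap global header")
    order, divisor = PCAP_MAGICS[struct.unpack("<I", hdr[:4])[0]]  # KeyError: not a libpcap stream
    snaplen = struct.unpack(order + "I", hdr[16:20])[0]
    packets = data_bytes = 0
    first = last = 0.0
    while rec := _read_exact(stream, 16):
        ts_sec, ts_frac, incl_len = struct.unpack(order + "III", rec[:12])
        if incl_len > snaplen or len(_read_exact(stream, incl_len)) != incl_len:
            raise ValueError("record longer than snaplen or cut off: corrupt or misaligned stream")
        last = ts_sec + ts_frac / divisor
        first = last if packets == 0 else first
        packets, data_bytes = packets + 1, data_bytes + incl_len
    return packets, data_bytes, last - first

def count_pcap_bytes(data):
    """Run the counter over bytes through the pipe-like wrapper (no seeking possible)."""
    return count_pcap_stream(io.BufferedReader(ForwardOnly(data)))

def build_sample_pcap(order="<"):
    """Constructed sample: a 3-packet libpcap file built in memory, not a real capture."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, payload in ((10, 0, b"\x00" * 60), (12, 500000, b"\x11" * 100), (14, 0, b"\x22" * 40)):
        out += struct.pack(order + "IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out
```

Feeding the same bytes through `io.BytesIO` gives identical figures; the wrapper only proves that the counter never needs to seek, which is what lets it work on a pipe.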
Christopher Maynard
2014-02-07 22:37:51 UTC
Jaap Keuter <***@...> writes:

> That's probably because -r refers to a file (which you can seek through), while
> -i refers to a 'stream' (which you cannot seek). Now, tcpdump is single pass
> while *shark has multi pass capability *for files*. Categorizing pipes in *shark
> as files would open up that multi pass option, which it cannot handle, while
> tcpdump would never do that so it can access a pipe as a file.

What about allowing "-r -", but just treating it exactly the same as if "-i
-" had been specified?

damker
2014-02-15 14:13:16 UTC
For NAS-EPS cipher messages, why is the “Ciphered message” sometimes not decoded and sometimes decoded?

damker
Pascal Quantin
2014-02-15 15:12:17 UTC
Hi,

There is a small heuristic trying to differentiate a ciphered and integrity
protected message from an integrity protected only message. Like any
heuristic, it can fail sometimes.

Best regards,
Pascal.