Tshark Tutorial

This tshark tutorial shows the basic usage of tshark filters and how tshark can be integrated with Python.

This content is a preview from Book – Python Network Programming – Part 1

Capture on a specific interface

tshark captures on a specific network interface and sees only the packets sent and received on that interface. The available interfaces can be listed with tshark -D. Capturing normally requires root (or the CAP_NET_RAW and CAP_NET_ADMIN capabilities), hence the sudo. This command starts a packet capture on the eth0 interface:

sudo tshark -i eth0

Capture on a specific interface and only TCP traffic

tshark has two kinds of filter. A capture filter (-f, BPF syntax, e.g. -f "tcp") is applied before packets are decoded, so unwanted traffic is never processed; a display filter (-Y, Wireshark filter syntax) is applied to the decoded packets and can match on any dissected field. The -R option used in older versions of this tutorial is a read filter and, in current tshark releases, only works in two-pass mode (-2); for live captures use -Y or -f instead. This example captures on the eth0 interface and shows only TCP packets:

sudo tshark -i eth0 -Y "tcp"

Capture for a specific duration (10 secs)

This example shows how to run a capture for a specific duration using an autostop condition. Here the capture runs for 10 seconds on the eth0 interface and then tshark exits on its own, which is what a script needs in order to read the complete output:

sudo tshark -i eth0 -a duration:10

Write capture output to file

This example shows how to write a capture to an output file. Only IP packets pass the display filter, and the one-line-per-packet text summary that tshark prints is redirected by the shell to output.txt. Note that this stores the text summary, not the raw packets; to keep a pcap that can be re-analysed later, use -w capture.pcap instead of the redirect.

sudo tshark -i eth0 -Y "ip" > output.txt

Write capture output to file with required parameter

This example shows how to write specific fields of the captured packets to an output file. This is very important when developing custom tools, because the analysis usually needs only a few pieces of information from each packet rather than the full summary line. -T fields selects field output and each -e names one field to print; several -e options can be combined, and -E separator=/t makes the output tab-separated. In this example, the source IP address of every TCP packet is written to the output.txt file, one line per packet:

sudo tshark -i eth0 -Y "tcp" -T fields -e ip.src > output.txt

Python Essentials for Tshark

The following concepts are important when developing tools with Python and tshark. To run a command line tool from Python, the os.popen function can be used. The tshark command, which is normally typed on the command line, is stored in a variable and passed to os.popen; the os module must be imported for this. os.popen returns a file-like object whose .read() method yields the command's standard output. Note that os.popen hands the string to a shell, so the command must never be assembled from untrusted input; subprocess.run with an argument list is the safer modern alternative. The code snippet below shows how to call the command 'tshark -i eth0' from inside a Python program:

import os

# the tshark command exactly as it would be typed on the command line
b = 'tshark -i eth0'
# run it via the shell; the returned handle gives access to tshark's output
os.popen(b)

To open a file in Python, the built-in open function is used. For example, to open the file output.txt in read mode, f = open('output.txt', 'r') is used. Opening files is needed whenever a capture output file has to be searched for specific information. The syntax below opens the file output.txt in read mode:

f = open('output.txt', 'r')

Counting lines is used in scenarios where the number of captured packets has to be known or displayed, for example the number of TCP packets captured within a specific duration. Because tshark prints one line per packet, the number of non-blank lines in the output file equals the number of packets. The code snippet below counts the lines in the file output.txt opened above. The variable count is initialized to 0, and for every line that is not blank after stripping whitespace, count is incremented by 1.

count = 0
for line in f:
    if line.strip():   # skip blank lines, each remaining line is one packet
        count += 1
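The following script ties the -T fields output from the "required parameter" section and the line-counting idea above together. It is an added example for this tutorial, not code from the book: the function names are mine, it assumes tshark is installed and that the account has capture rights on eth0 for the live path, and the SAMPLE_OUTPUT lines are constructed to stand in for a real capture so the parsing can be exercised offline. It builds the tshark command as an argument list for subprocess instead of a shell string, counts packets the way the tutorial does, and then generalises the count into a per-source-address tally.

```python
import subprocess
from collections import Counter


def build_tshark_cmd(interface="eth0", display_filter="tcp",
                     fields=("ip.src", "tcp.dstport"), duration=10,
                     read_file=None):
    """Build the tshark command as an argument list.

    Passing a list to subprocess hands the filter string to tshark verbatim,
    so no shell ever interprets it (unlike os.popen('tshark ...')).
    -Y is the display filter, -T fields/-e select the columns, and
    -E separator=/t makes the output tab-separated so it splits cleanly.
    """
    cmd = ["tshark"]
    if read_file:                      # analyse a saved pcap instead of a live capture
        cmd += ["-r", read_file]
    else:
        cmd += ["-i", interface, "-a", f"duration:{duration}"]
    cmd += ["-Y", display_filter, "-T", "fields", "-E", "separator=/t"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def run_tshark(cmd):
    """Run tshark and return its stdout as a list of lines.

    Assumes tshark is installed; live interfaces also need root or the
    CAP_NET_RAW/CAP_NET_ADMIN capabilities. A non-zero exit raises
    CalledProcessError instead of silently yielding an empty capture.
    """
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def count_packets(lines):
    """Same idea as the tutorial's counting loop: one non-blank line per packet."""
    return sum(1 for line in lines if line.strip())


def top_sources(lines, n=3):
    """Tally packets per source address (the first -e column) and return the top n."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        src = line.split("\t")[0]
        if src:                        # frames without IPv4 (e.g. TCP over IPv6) leave ip.src empty
            counts[src] += 1
    return counts.most_common(n)


# Constructed sample of what `-T fields -e ip.src -e tcp.dstport -E separator=/t`
# prints; it stands in for a real capture so the parsing runs offline.
SAMPLE_OUTPUT = [
    "10.0.0.5\t443",
    "10.0.0.7\t22",
    "10.0.0.5\t443",
    "",
    "10.0.0.9\t8080",
    "10.0.0.5\t80",
]

if __name__ == "__main__":
    print(count_packets(SAMPLE_OUTPUT))   # 5
    print(top_sources(SAMPLE_OUTPUT))     # [('10.0.0.5', 3), ('10.0.0.7', 1), ('10.0.0.9', 1)]
    # Live use on this host (needs tshark and capture rights):
    # print(top_sources(run_tshark(build_tshark_cmd())))
```

To analyse a saved capture instead of a live interface, pass read_file="capture.pcap" to build_tshark_cmd; the same counting and tallying functions work unchanged because tshark's field output is identical for both sources.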
