Tools for tracing a pcap file in linux bash

2012-11-03
#pcap #tcpdump #tcpick #tshark #tcptrace #bash #linux

Pcap files are packet capture files. They usually contain a raw log of network connections and packets. It is the most popular capture format and is available in almost every network analysis tool.

To play around with *.pcap files, you have to get one somehow. There are two opposite ways: generate it yourself or pick a ready-made one. To generate it yourself, you can use Wireshark or tcpdump in a terminal:

tcpdump -w capture.pcap -i eth1

Replace capture.pcap with the desired output filename; -i eth1 selects the interface to capture on.
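Before feeding a capture to any of the tools below it is worth confirming that the file really is a classic pcap and which link type it carries, since a pcapng file or a truncated download produces confusing errors downstream. The following is an added example, not code from the original post: a POSIX sh function that reads the 24-byte pcap global header with od and reports endianness, version, snaplen and link type. The sample header it builds is constructed here (an empty little-endian capture, Ethernet link type); the file name is a placeholder.

```shell
# Added example: inspect the pcap global header before handing the file
# to tcpick/tshark/tcpdump. Needs only POSIX sh, od, printf, wc and tr.

# make_sample_pcap FILE: write a constructed 24-byte little-endian pcap
# global header with no packet records. Octal escapes keep printf POSIX:
#   magic a1b2c3d4 (stored LE), version 2.4, thiszone 0, sigfigs 0,
#   snaplen 65535, link type 1 (Ethernet).
make_sample_pcap() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# read_uint FILE OFFSET LEN ENDIAN: print the unsigned integer stored at
# OFFSET, honouring the byte order recorded by the magic number.
read_uint() {
  bytes=$(od -An -tx1 -v -j "$2" -N "$3" "$1")
  hex=""
  for b in $bytes; do
    if [ "$4" = le ]; then hex="$b$hex"; else hex="$hex$b"; fi
  done
  printf '%d\n' "0x$hex"
}

# pcap_info FILE: print "endian major.minor snaplen linktype" for a classic
# pcap, or fail with a reason on stderr (return 2 for pcapng, 1 otherwise).
pcap_info() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -ge 24 ] || { echo "$1: shorter than a pcap header" >&2; return 1; }
  magic=$(od -An -tx1 -v -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|4d3cb2a1) endian=le ;;   # microsecond / nanosecond, little-endian
    a1b2c3d4|a1b23c4d) endian=be ;;   # microsecond / nanosecond, big-endian
    0a0d0d0a) echo "$1: pcapng, not classic pcap" >&2; return 2 ;;
    *) echo "$1: not a pcap file (magic $magic)" >&2; return 1 ;;
  esac
  major=$(read_uint "$1" 4 2 "$endian")
  minor=$(read_uint "$1" 6 2 "$endian")
  snaplen=$(read_uint "$1" 16 4 "$endian")
  linktype=$(read_uint "$1" 20 4 "$endian")
  echo "$endian $major.$minor $snaplen $linktype"
}

# Stand-alone demonstration on the constructed header.
demo=$(mktemp)
make_sample_pcap "$demo"
pcap_info "$demo"
rm -f "$demo"
```

A link type other than 1 (for example 113 for Linux "cooked" captures or 101 for raw IP) explains why per-tool display filters on Ethernet fields return nothing, so this check is a cheap first step when a capture "looks empty".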

As soon as your *.pcap is created, it must be parsed for valuable data. Wireshark fits this task, but let's focus on terminal utilities. I've found four, but I'm sure there are many more.

§ tcpick

tcpick is able to capture network traffic, store the data of each connection in a separate file, and trace the stored files. Its colorful terminal output is really neat.

Reading *.pcap file:

tcpick -C -r capture.pcap

§ tshark

Wireshark has a terminal twin named tshark. The latter is useful on old computers and for scripting, and it is more convenient for console-boys. It can capture traffic and analyze captured files as well.

Reading *.pcap file with specified fields to display:

tshark -n -r capture.pcap -T fields -e ip.dst_host -e frame.time_delta
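The -T fields output above is tab-separated and therefore easy to post-process, which is the main reason to prefer tshark over Wireshark in scripts. As an added example (not part of the original post), here is a POSIX sh pipeline that aggregates exactly those two fields, ip.dst_host and frame.time_delta, into a per-destination summary, so the busiest hosts in a large capture can be spotted without opening a GUI. The sample field output embedded below is constructed; the real producer is the tshark command shown in the comment, with capture.pcap as a placeholder.

```shell
# Added example: summarise "tshark -T fields -e ip.dst_host -e frame.time_delta"
# output per destination. Needs only POSIX sh, awk, sort, head and cut.
#
# Real pipeline (requires tshark and a capture file):
#   tshark -n -r capture.pcap -T fields -e ip.dst_host -e frame.time_delta \
#     | summarize_dsts
#
# Constructed sample of that output ("destination<TAB>delta", one per packet),
# using documentation address ranges only.
SAMPLE_FIELDS=$(printf '%s\t%s\n' \
  10.0.0.5      0.000000 \
  192.0.2.44    0.012345 \
  10.0.0.5      0.001200 \
  198.51.100.7  0.500000 \
  10.0.0.5      0.000300 \
  192.0.2.44    0.002000)

# summarize_dsts: read "dst<TAB>delta" lines on stdin, print one line per
# destination as "count<TAB>dst<TAB>summed_delta", most frequent first.
summarize_dsts() {
  awk -F'\t' '
    NF >= 2 && $1 != "" {
      count[$1]++
      total[$1] += $2
    }
    END {
      for (d in count)
        printf "%d\t%s\t%.6f\n", count[d], d, total[d]
    }' | sort -rn -k1,1
}

# top_dst: the single destination that received the most packets.
top_dst() {
  summarize_dsts | head -n 1 | cut -f2
}

# packets_to ADDR: packet count for one destination, 0 if it never appears.
packets_to() {
  n=$(summarize_dsts | awk -F'\t' -v d="$1" '$2 == d { print $1 }')
  echo "${n:-0}"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_FIELDS" | summarize_dsts
```

Because tshark emits an empty first column for non-IP frames (ARP, for instance), the awk filter skips lines whose destination field is blank instead of counting them under an empty key.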

§ tcptrace

tcptrace is built for analysing captured files. It has many options.

Reading *.pcap file:

tcptrace --tsv -xHTTP -f'port=80' -btn capture.pcap

§ tcpdump

tcpdump was already mentioned as a tool for capturing traffic to a pcap file. It can also be used as an analyser.

Reading *.pcap file:

tcpdump -ttttnr capture.pcap