Analyzing network traffic with Tshark

Terminal Analyzer

© Lead Image © bowie15, 123RF.com

© Lead Image © bowie15, 123RF.com

Article from Issue 174/2015
Author(s):

The simple and practical Tshark packet analyzer gives precise information about the data streams on the network.

When the system logs fail to provide information on problems, or if you simply want to know what is happening on the network, it is worth taking a look at the data stream. Tools such as Tcpdump [1] or Wireshark [2] let you listen on the network to study and troubleshoot network problems. Tcpdump is the tool of choice for gurus and professionals, but Wireshark appeals to many users because of its powerful GUI. If you prefer to work at the command line, or if you don't have time to grapple with Wireshark's elaborate user interface, you can use Wireshark's little brother Tshark [3] to sniff packets in a terminal window.

Like other packet sniffers, Tshark switches the interface into promiscuous mode to listen for network packets. In promiscuous mode, the network adapter hands over all the packets to the operating system, instead of just the ones addressed directly to the local system with the MAC address. Tshark can therefore listen to all the traffic on the local network, and you can use filtering commands to narrow down the output to specific hosts or protocols that you want to study.

Many Packages, Many Privileges

You can install Tshark via the command line or using a graphical tool of your choice. I used the 64-bit version of Tshark 1.10.6 on Ubuntu 14.04 for this article. Tshark is included with most other major distributions and accepts the same parameters, so you can use a different flavor of Linux and complete the installation with the package manager of your choice. On Ubuntu, you first need to update your system (Listing 1, first two lines). Then, install the program using the package manager (last line).

Listing 1

Update and Install

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install tshark

Wireshark and Tshark draw on the same resources, so the two tools are bundled together. You can expect the freshly downloaded packages to occupy about 70MB of disk space in an unzipped state.

Tshark should be run as root or preceded by sudo, because it does not otherwise have sufficient rights to read packages. The tool draws on the accompanying dumpcap program, which, with the aid of Pcap [4], records the current data traffic but refuses to provide any service without fairly extensive privileges.

During lab tests with Ubuntu, the program complained loudly about needing root privileges – you can usually safely ignore such messages. If these messages get on your nerves, and you want to correct the rights setup on your system, you have several options. Running the

sudo dpkg-reconfigure wireshark-common

command and confirming with Yes is all it takes in Ubuntu. By doing so, you are allowing users without administrative rights to sniff data traffic. To make sure your user account benefits from this ability, add it to the wireshark local group as follows:

$ sudo adduser $USER wireshark

After logging out and logging back in again, Tshark will now run on your user account without a sudo prefix.

In the Beginning

As indicated by the options and switches, Tshark provides many functions (Figure 1). The program might target advanced users and professionals, but don't worry: You don't need to rummage through loads of documentation or have profound knowledge to analyze data traffic.

Figure 1: The output of important Tshark options is overwhelming at first sight.

A terse tshark -D is fine if you first want to see which interfaces the software has found on the local or remote system. You might be surprised by the number of network adapters listed when you see the output (Listing 2).

Listing 2

Network Adapters List

$ sudo tshark -D
1. eth0
2. nflog
3. nfqueue
4. any
5. lo

Tshark displays virtual adapters provided by the operating system. In Listing 2, eth0 represents the first interface on the test system; the nflog and nfqueue adapters are part of the Linux kernel's Netfilter packet filtering framework [5]. The fourth adapter on the list, any, lets the user listen on all interfaces, and the last result, lo, is the loopback interface.

To get started, type:

sudo tshark-i any

This tells Tshark to listen on all interfaces and open a second terminal in which you can ping your choice of website (Figure 2). While one window shows the result of the ping, the other reveals what happens in the background during the process. In this particular example, specifying any means you will see all the processes, because the software is listening on all the interfaces.

If the sniffing were limited only to eth0, you would have missed the fact that the test system first issues a DNS query to localhost (as can be seen in the first line in Figure 2. Current Ubuntu installations add the name server 127.0.0.1 to /etc/resolv.conf.)

Figure 2: The Tshark output shows what happens in the background during a ping.

The DNS query was necessary because the ping command in Figure 2 used a DNS name, rather than an IP address. As you can see in Figure 2, once the system receives the IP address, it issues an ICMP request (which is the basis for the ping command) to the correct destination. Tshark initially reports the DNS request and displays the correct response from the responsible name server.

All About Fields

To understand the Tshark output, you need to understand the meaning of each column or field. You can define which fields the tool displays by setting the parameters -T and -e; Table 1 provides information about field names and their meanings.

Table 1

Tshark Fields

Field Name

Description

frame.number

Package number in the data stream

frame.time_relative

Relative package time stamp

ip.src

Sender's IP address

ip.src

Receiver's IP address

col.Info

Received package contents

If you enter all the fields manually (Listing 3), you should receive output that is almost identical to Figure 2 with a ping to linuxuser.de. Only the arrows -> between the source and destination IP are missing. You can also process the output as a CSV file. With the additional switches -E separator=, -E quote=d -E header=y, Tshark quotes the fields, comma-separates them, and outputs a line with the column name (Listing 4).

Listing 3

Entering the Fields

$ sudo tshark -i any -T fields -e frame.number -e frame.time_relative \
  -e -e ip.src -e ip.dst -e col.Info

Listing 4

Processing the Output

$ sudo tshark -i any -T fields -e frame.number -e frame.time_relative \
  -e ip.src -e ip.dst -e col.Info -E separator=, -E quote=d -E header=y
frame.number,frame.time_relative,ip.src,ip.dst,col.Info
"1","0.000000000","127.0.0.1","127.0.1.1",\
  "Standard query 0x79e1  A linux-user.de"

Software messages that warn about running with root privileges were removed for space reasons in the example. You can redirect the results of the command to a file using standard methods as required.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News