Sorting tshark’s Conversation (conv) Output


Tshark’s “conversation” (conv) option is a great way to produce summary information of the conversations included within a pcap file. Unfortunately, the sort options are coded directly into the application. This means that you have little control over how the information gets displayed. In this blog post I’ll talk about how to manipulate the output of tshark’s conversation statistics so that you can sort the data any way that you please.


Tshark’s Conversation Statistics

Sometimes when reviewing a pcap it’s helpful to see summaries of the data flows. This can quickly help you hone in on problem areas. Tshark’s “conversation” switch can be used to produce multiple types of summaries based on OSI layer 2-4 information.

Let’s look at an example. Let’s say you want to see statistics summarized based on source and destination IP address. Running the following tshark command will produce summary output based on source and destination IP address:

Note that there are two additional columns to the right, relative start time and duration, that are not shown in the above output.

As you can see in the above output, the data is sorted based on the total number of frames sent in both directions. While this can be helpful information, what if I want to identify which internal systems are sending the most data to the Internet? With no sort option built into tshark, I have to find another way of manipulating the data.


Selecting Fields With cut

The first thing I will want to do is remove any data I’m not focusing on at the moment. We said we want to identify the internal systems sending the most data to the Internet, but do we mean cumulatively or by target IP address? In this example I’ll do it based on target IP as that is the most helpful for threat hunting. If I want cumulative results I would simply ignore the target IP address as well. So the fields we will want to see are:

  • Source IP address
  • Destination IP address
  • Outbound bytes

I can use the “cut” utility to remove all of the other columns except for these three. With cut, I define the columns I wish to keep. In the above case that would be columns 1, 3 and 7. However, cut expects a single delimiter character between fields (a tab by default; -d ' ' switches it to a space). The above tshark output uses spaces, and there is a variable number of them between each column. Yuck.

Before we can use cut, we need to collapse all of the repeated spaces. This can be done with the translate or “tr” command. With tr, we use “-s” to specify the repeating character we wish to squeeze down to a single instance. In this case it is the space character, so we identify it with a single space enclosed in quotes. The syntax we will use is:

tr -s ' '

So we will run our tshark command, use tr to squeeze the extra space characters, and then use cut to extract only the fields we are interested in. Here’s the command we will use along with the resulting output:

$ tshark -r thunt.pcap -q -z conv,ip | tr -s ' ' | cut -d ' ' -f 1,3,7 | head -15


Wahoo! If you compare this output to the original output, you will see that we’ve extracted the source IP, the destination IP and the number of bytes the source sent to the destination. This is exactly the data we were looking for.


Sorting Our Data

While we have the data we wanted, you may have noticed that it’s not in order. We are still working with the default sorting used by tshark. So we will want to re-sort the data based on the total number of bytes sent by the source to the destination, highest to lowest.

By default, the “sort” command starts sorting by the first character on a line using alphanumeric format. Further, it sorts from lowest to highest. So we will need to set some options to change these defaults. First, we need to specify that the sorting should be done based on the data in the third column. We will also want to identify this data as numeric and that the data should be printed highest to lowest.

The “-k” switch can be used with sort to tell it which column to sort on. The “-n” switch will identify the data as numeric, and the “-r” switch will sort from highest to lowest. Combining all of this together, our command now looks something like this:

$ tshark -r thunt.pcap -q -z conv,ip | tr -s ' ' | cut -d ' ' -f 1,3,7 | sort -k 3 -rn | head

We originally said that we wanted to investigate which internal systems are moving the most data out of our environment. With this in mind, we would look at the top entries where the source IP is a private address and the destination IP is a public (Internet-routable) address outside of whatever public ranges we may be using internally.


Additional Variations

Now that we understand the command format to use, we can leverage variations to produce other useful reports. For example, Column 11 in the “conv,ip” statistics identifies connection duration. If we wanted a list of the longest connections that took place, we would simply modify the fields we “cut” from the tshark output:

$ tshark -r thunt.pcap -q -z conv,ip | tr -s ' ' | cut -d ' ' -f 1,3,11 | sort -k 3 -rn | head

If we wanted to see which individual TCP sessions were responsible for moving the most data out of our environment, we would use the “conv,tcp” statistics. We would still cut the same columns:

$ tshark -r thunt.pcap -q -z conv,tcp | tr -s ' ' | cut -d ' ' -f 1,3,7 | sort -k 3 -rn | head
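The following is an added example (not from the original post) that wraps the tr/cut/sort pipeline from the “Sorting Our Data” section and the duration variation above into a reusable shell function, run against a constructed tshark conv,ip table so it works without a pcap. The function name top_by_column and the sample addresses are assumptions; it also filters out the header rows, which otherwise pass through tr and cut and show up as a stray “Frames Frames” line.

```shell
#!/bin/sh
# Constructed sample of `tshark -q -z conv,ip` output (not from a real capture).
# Columns: A, <->, B, frames/bytes B->A, frames/bytes A->B, total frames/bytes,
# relative start, duration. Column 7 is therefore bytes sent from A to B.
SAMPLE_CONV='================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.10         <-> 198.51.100.7           120     15000     90      8000    210     23000     0.000000000        12.3400
192.168.1.22         <-> 203.0.113.44            40      3200   1300   1450000   1340   1453200     3.120000000      1800.0500
192.168.1.10         <-> 192.168.1.1             12      1100     14      1200     26      2300     0.500000000         0.2000
192.168.1.35         <-> 198.51.100.9           700    910000    310     22000   1010    932000    15.000000000        95.7500
================================================================================'

# Same tr/cut/sort pipeline as the post, applied to a conv table read from stdin.
# $1 is the column to rank by (7 = bytes A->B, 11 = duration).
# The header rows survive tr/cut as an empty/"Frames Frames" line, so keep only
# rows carrying the "<->" conversation marker before squeezing the spaces.
top_by_column() {
    grep '<->' | tr -s ' ' | cut -d ' ' -f 1,3,"$1" | sort -k 3 -rn
}

# Wrappers matching the two reports described in the post.
top_senders()   { top_by_column 7; }
longest_conns() { top_by_column 11; }

# Stand-alone run: the three conversations with the most bytes sent A->B.
printf '%s\n' "$SAMPLE_CONV" | top_senders | head -3
```

In practice replace the printf with the real `tshark -r capture.pcap -q -z conv,ip` command feeding the function.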

There are quite a few variations that can produce useful reports. The tshark documentation has a full description of all of the conversation statistics that can be reported.




Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
