TShark Display Filter Examples

When reviewing packet captures, TShark prints out a pretty useful summary. However, sometimes there are specific fields you want to review that TShark does not print out by default. While you can use the “-V” option for verbose output, this is usually way more information than you want to see. Sometimes you only want to see specific field values. In this blog post, I’ll talk about TShark’s display filters and how they can be used to extract only the info you want to see.


A Simple Display Filter Example

The syntax for using display filters is pretty straightforward. The “-T fields” switch tells TShark that you only want to print specified fields. You then use the “-e” switch once for each field you wish to print. As an example, imagine I wanted to print out:

  • Source IP address
  • Destination IP address
  • Transport protocol

for each packet in a PCAP file. The command I would use would be:

tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e ip.proto | head -5
10.0.0.204      34.194.201.2    6
34.194.201.2    10.0.0.204      6
10.0.0.204      34.194.201.2    6
10.0.0.204      34.194.201.2    6
34.194.201.2    10.0.0.204      6

The “head -5” command at the end is simply limiting the output to just five lines.


Printing Column Titles

Let’s imagine I’m going to share the above output with a colleague and I want to add column titles to the output. I can use the “-E header=y” option to tell TShark to print the display filter name at the top of each column.

tshark -r sample.pcap -E header=y -T fields -e ip.src -e ip.dst -e ip.proto | head -5
ip.src  ip.dst  ip.proto
10.0.0.204      34.194.201.2    6
34.194.201.2    10.0.0.204      6
10.0.0.204      34.194.201.2    6
10.0.0.204      34.194.201.2    6

Note that the column titles do not line up with the data. This is because the columns are separated by tabs and the values have different widths. I can clean this up by piping the output through the “less” command instead of “head” and using its “-x” switch to allocate a fixed number of characters to each column. If the lines are too long and wrap, I can add the “-S” switch so that less cuts them off at the right side of the screen instead, and then use the arrow keys to scroll sideways through the data. Our command would now look something like this:

tshark -r sample.pcap -E header=y -T fields -e ip.src -e ip.dst -e ip.proto | less -S -x20
ip.src              ip.dst              ip.proto
10.0.0.204          34.194.201.2        6
34.194.201.2        10.0.0.204          6
10.0.0.204          34.194.201.2        6
10.0.0.204          34.194.201.2        6
34.194.201.2        10.0.0.204          6

As mentioned, you can use the arrow keys to navigate up, down, or even left and right if the data goes off the side of the screen. The page up and down keys can be used as well. You can press the letter “q” to exit this display and return to the command line.


Finding the Right Display Filter

There are over 22,000 display filters supported by TShark at the time of this writing. This can make finding the right display filter a bit challenging. Luckily, TShark includes a list of display filters that can be printed out with the “-G” switch:

tshark -G | less -S -x40
P    Short Frame                      _ws.short
P    Malformed Packet                 _ws.malformed
P    Unreassembled Fragmented Packet  _ws.unreassembled
F    Dissector bug                    _ws.malformed.dissector_bug
F    Reassembly error                 _ws.malformed.reassembly

(Please note that I’ve adjusted the spacing in this blog so that it fits within the allowable space)

The first column will be a “P” for protocol or an “F” to identify the entry as a field. The second column is a brief description, and the third column is the actual display filter. You can search the “less” output for specific strings by hitting the “/” key. This changes the prompt in the lower left from “:” to “/”. You then type in the string you wish to search for, followed by the enter key. Subsequently pressing “/” will continue the search through the output, pausing at each match found.


Using grep to Search for Display Filters

Searching through the less output can still be pretty cumbersome. A better technique is to use grep to search for the pattern you are interested in. For example, let’s say I wanted to print out:

  • Source IP address
  • Destination IP address
  • IP Identification

The source and destination IP are pretty easy to remember as we’ll use those frequently. Let’s say we need to figure out what the display filter will be for the IP identification field. We know it’s in the IP header, so let’s start there. We only want to see fields associated with the IP header, so we would pipe the output through the following grep command:

grep '\sip\.'

The string “ip” on its own is short and would match a lot of entries we don’t care to see, so we want to be as specific as possible to avoid the noise. The “\s” at the beginning tells grep that “ip” must be preceded by some sort of white space (a tab or a space character). The “\.” at the end tells grep that “ip” must be followed by a literal period. Without the backslash, grep would interpret the period as a wildcard that matches any single character. So our command would look something like this:

tshark -G | grep '\sip\.' | less -S -x40

About 15 lines into the output, we would see:

F    Identification                   ip.id

So the TShark command I would use would be:

tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e ip.id | head -5
10.0.0.204      34.194.201.2    0x1b7b
34.194.201.2    10.0.0.204      0x0000
10.0.0.204      34.194.201.2    0x1b7c
10.0.0.204      34.194.201.2    0x1b7d
34.194.201.2    10.0.0.204      0x48e3


More on Finding Display Filters

We can build on that previous grep command to be even more specific when searching for display fields. For example, imagine I wanted to work with TCP flag values. I know those would be under the TCP header, and probably under the flags subcategory. In this case, I would use something like:

tshark -G | grep '\stcp\.flag' | less -S -x40
F    Flags                            tcp.flags
F    Reserved                         tcp.flags.res
F    Nonce                            tcp.flags.ns
F    Congestion Window Reduced (CWR)  tcp.flags.cwr
F    ECN-Echo                         tcp.flags.ecn
F    Urgent                           tcp.flags.urg
F    Acknowledgment                   tcp.flags.ack
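As an added example that is not part of the original post, the two searches above (the “ip.” lookup and the “tcp.flags” lookup) can be made exact by matching on the filter-name column of the “tshark -G fields” output rather than grepping the whole line. The helper functions below are hypothetical, they read that output on stdin, and the sample records are constructed to follow the tab-separated layout of the -G field report; the values are illustrative, not copied from TShark.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not from the post) for searching the
# output of `tshark -G fields` by filter name instead of grepping whole lines.
#
# `tshark -G fields` emits one tab-separated record per line. Field records are:
#   F <TAB> description <TAB> filter-name <TAB> type <TAB> parent <TAB> base <TAB> bitmask <TAB> blurb
# Constructed excerpt in that layout; the values are illustrative, not copied from tshark.
SAMPLE_FIELDS=$(
    printf 'P\tInternet Protocol Version 4\tip\n'
    printf 'F\tIdentification\tip.id\tFT_UINT16\tip\tBASE_HEX_DEC\t0x0\t\n'
    printf 'F\tProtocol\tip.proto\tFT_UINT8\tip\tBASE_DEC\t0x0\t\n'
    printf 'F\tDestination Address\tipv6.dst\tFT_IPv6\tipv6\tBASE_NONE\t0x0\t\n'
    printf 'F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\t\n'
    printf 'F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\t\n'
    printf 'F\tAcknowledgment\ttcp.flags.ack\tFT_BOOLEAN\ttcp\t12\t0x10\t\n'
)

# List every field whose filter name starts with $1, as "filter-name<TAB>description".
# Because the match is anchored on column 3, "ip." cannot match "ipv6.dst" or a
# description that merely mentions "ip." somewhere in its text.
# Usage: tshark -G fields | find_fields tcp.flags.
find_fields() {
    awk -F'\t' -v prefix="$1" \
        '$1 == "F" && index($3, prefix) == 1 { print $3 "\t" $2 }'
}

# Print "type<TAB>bitmask" for exactly one field. The bitmask is what makes
# tcp.flags==2 mean "SYN set, everything else clear": the SYN bit is 0x2.
# Usage: tshark -G fields | field_info tcp.flags.syn
field_info() {
    awk -F'\t' -v name="$1" '$1 == "F" && $3 == name { print $4 "\t" $7 }'
}

# Run the helpers over the constructed sample (no tshark install needed).
sample_find() { printf '%s\n' "$SAMPLE_FIELDS" | find_fields "$1"; }
sample_info() { printf '%s\n' "$SAMPLE_FIELDS" | field_info "$1"; }
```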


Filtering TShark Output With Display Filters

This may seem a bit meta, but along with using display filters to identify the fields we wish to see, we can also use display filters to filter the packets that get displayed. Let’s look at an example. Imagine I want to print out:

  • Source IP address
  • Destination IP address
  • Destination TCP port

Let’s further assume we only want to see the first packet in each session, where the SYN flag is turned on but all other flags are turned off. The SYN flag has a decimal value of two within the TCP flags field, so our command would look something like this:

tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport tcp.flags==2 | head -6
10.55.182.100   10.233.233.5    80
10.55.182.100   10.233.233.5    80
10.55.182.100   10.233.233.5    80
10.55.100.111   165.227.216.194 443
10.55.100.111   165.227.216.194 443
10.55.100.111   165.227.216.194 443


Manipulating the Data Output

One of the benefits of using display filters is that it permits us to easily manipulate the data. For example, imagine we wanted to count up the number of TCP connections that were initiated within a pcap file, as well as the IP addresses involved in the connection. We would simply build on our last example and use sort and uniq to tally the data.

tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport tcp.flags==2 | sort | uniq -c | sort -rn | head
  20055 10.55.100.111   165.227.216.194 443
   6285 10.55.182.100   10.233.233.5    80
    540 10.55.100.111   172.217.8.198   443
    296 10.55.100.108   172.217.8.206   443
    290 10.55.100.111   157.240.2.35    443

The TShark command is the same as what we used in the previous section. The first “sort” command then reorganizes the data so that when the source IP, destination IP, and port number are the same, those lines are all collected together. The “uniq -c” counts the number of lines that match, and then reduces the output to a single line. It also adds a new column to the front of the line and prints the number of occurrences. Finally, the “sort -rn” command sorts the final output such that the most frequent connection pairs get printed first. The final output shows us which source IP address is connecting to which destination IP address the most frequently.
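As an added example that is not part of the original post, here is the same tally packaged as reusable shell functions, plus one that goes a step further and counts how many distinct destinations each source sent a bare SYN to (a single source with an unusually high number is worth a closer look). The functions are hypothetical, read the three-column TShark output on stdin, and the sample rows are constructed; the tshark command in the comment uses the “-Y” switch, which is the explicit form of the trailing filter expression used above.

```shell
#!/bin/sh
# Added example (not from the original post): the tally pipeline as reusable
# functions that read `tshark -T fields` output on stdin. The tshark stage is
# kept in a comment so the functions can be exercised on constructed input.
#
# Producer, equivalent to the post's command (-Y is the explicit display-filter switch):
#   tshark -r sample.pcap -Y 'tcp.flags==2' -T fields -e ip.src -e ip.dst -e tcp.dstport \
#     | tally_connections

# Count identical src<TAB>dst<TAB>port lines, most frequent first.
# sed strips uniq's left padding so the count is always the first token.
tally_connections() {
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Number of distinct destination IPs each source sent a bare SYN to, highest first.
# Keeps only the src/dst pair, dedups it, then counts pairs per source.
distinct_dsts_per_src() {
    cut -f1,2 | sort -u | cut -f1 | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample in the same three-column, tab-separated layout tshark emits.
SAMPLE_SYNS=$(
    printf '10.55.182.100\t10.233.233.5\t80\n'
    printf '10.55.100.111\t165.227.216.194\t443\n'
    printf '10.55.182.100\t10.233.233.5\t80\n'
    printf '10.55.100.108\t172.217.8.206\t443\n'
    printf '10.55.100.111\t165.227.216.194\t443\n'
    printf '10.55.182.100\t10.233.233.5\t80\n'
    printf '10.55.100.108\t10.233.233.5\t22\n'
)

# Convenience wrappers so the sample can be run without a pcap.
sample_tally()  { printf '%s\n' "$SAMPLE_SYNS" | tally_connections; }
sample_fanout() { printf '%s\n' "$SAMPLE_SYNS" | distinct_dsts_per_src; }
```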


Summary

TShark display filters are a powerful tool that can help you run down strange network patterns. Feel free to take the examples above and build on them to best fit your environment.

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
