NAME
rawshark - Dump and analyze raw pcap data
SYNOPSIS
rawshark [ -d <encap:linktype>|<proto:protoname> ] [ -F <field to display> ] [ -h ] [ -l ]
[ -n ] [ -N <name resolving flags> ] [ -o <preference setting> ] ... [ -p ]
[ -r <pipe>|- ] [ -R <read (display) filter> ] [ -s ] [ -S <field format> ]
[ -t a|ad|adoy|d|dd|e|r|u|ud|udoy ] [ -v ]
DESCRIPTION
Rawshark reads a stream of packets from a file or pipe, and prints a line describing its
output, followed by a set of matching fields for each packet on stdout.
INPUT
Unlike TShark, Rawshark makes no assumptions about encapsulation or input. The -d and -r
flags must be specified in order for it to run. One or more -F flags should be specified
in order for the output to be useful. The other flags listed above follow the same
conventions as Wireshark and TShark.
Rawshark expects input records with the following format by default. This matches the
format of the packet header and packet data in a pcap-formatted file on disk.
    struct rawshark_rec_s {
        uint32_t ts_sec;      /* Time stamp (seconds) */
        uint32_t ts_usec;     /* Time stamp (microseconds) */
        uint32_t caplen;      /* Length of the packet buffer */
        uint32_t len;         /* "On the wire" length of the packet */
        uint8_t data[caplen]; /* Packet data */
    };
If -p is supplied rawshark expects the following format. This matches the struct
pcap_pkthdr structure and packet data used in libpcap/WinPcap. This structure's format is
platform-dependent; the size of the tv_sec field in the struct timeval structure could be
32 bits or 64 bits. For rawshark to work, the layout of the structure in the input must
match the layout of the structure in rawshark. Note that this format will probably be the
same as the previous format if rawshark is a 32-bit program, but will not necessarily be
the same if rawshark is a 64-bit program.
    struct rawshark_rec_s {
        struct timeval ts;    /* Time stamp */
        uint32_t caplen;      /* Length of the packet buffer */
        uint32_t len;         /* "On the wire" length of the packet */
        uint8_t data[caplen]; /* Packet data */
    };
In either case, the endianness (byte ordering) of each integer must match the system on
which rawshark is running.
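The following script is an added example and is not part of rawshark or the Wireshark project. It turns an ordinary pcap file into the default record stream described above, handling two cases that simply skipping the 24-byte file header (as -s does) would not: a capture written on a host of the opposite byte order, and a capture with nanosecond timestamps, whose fraction field must be scaled down to fit ts_usec. Records are emitted in the host's byte order, as required. The pkthdr_record() variant for -p assumes that struct timeval is two native C longs, which is correct for glibc on Linux but not everywhere; the sample capture, the addresses in it and the LINKTYPE_RAW choice are constructed for the example.

```python
import struct
import sys

# pcap file-format constants (from the pcap specification, not from the man page)
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
GLOBAL_HEADER_LEN = 24         # the header that rawshark -s would skip
RECORD_HEADER_LEN = 16


def parse_pcap(data: bytes):
    """Return (linktype, [(ts_sec, ts_usec, wire_len, packet_bytes), ...]).

    The byte order is taken from the magic number, so a capture written on a
    big-endian host is read correctly, and nanosecond timestamps are scaled
    to microseconds so each record fits rawshark's ts_usec field. Truncated
    or inconsistent records raise instead of being passed through.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        magic = struct.unpack_from(order + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    nanos = magic == PCAP_MAGIC_NSEC
    linktype = struct.unpack_from(order + "I", data, 20)[0]
    records, off = [], GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, wire_len = struct.unpack_from(order + "IIII", data, off)
        off += RECORD_HEADER_LEN
        if caplen > wire_len or off + caplen > len(data):
            raise ValueError("bad record lengths at offset %d" % off)
        records.append((ts_sec, ts_frac // 1000 if nanos else ts_frac,
                        wire_len, data[off:off + caplen]))
        off += caplen
    return linktype, records


def rawshark_record(ts_sec, ts_usec, wire_len, pkt):
    """Encode one packet as the default struct rawshark_rec_s.

    '@' packs in the host's byte order, which is what rawshark requires;
    four uint32 fields with native alignment are always 16 bytes.
    """
    return struct.pack("@IIII", ts_sec, ts_usec, len(pkt), wire_len) + pkt


def pkthdr_record(ts_sec, ts_usec, wire_len, pkt):
    """Encode one packet in the -p layout (struct pcap_pkthdr).

    ASSUMPTION: struct timeval is two native C longs (glibc on Linux). On
    other platforms the layout differs, which is the portability problem
    the man page describes, so compare struct.calcsize("@llII") with
    sizeof(struct pcap_pkthdr) on the target before relying on this.
    """
    return struct.pack("@llII", ts_sec, ts_usec, len(pkt), wire_len) + pkt


def pcap_to_rawshark_stream(data: bytes, use_pkthdr: bool = False):
    """Convert a whole pcap file; returns (linktype, bytes for rawshark -r -)."""
    encode = pkthdr_record if use_pkthdr else rawshark_record
    linktype, records = parse_pcap(data)
    return linktype, b"".join(encode(*rec) for rec in records)


def sample_pcap() -> bytes:
    """Constructed one-packet capture: big-endian file, nanosecond timestamps,
    LINKTYPE_RAW (101). The packet is IPv4/UDP to port 53 with checksums
    left at zero; the addresses are constructed test values."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 168, 77, 10]), bytes([192, 168, 77, 250]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    pkt = ip + udp
    header = struct.pack(">IHHiIII", PCAP_MAGIC_NSEC, 2, 4, 0, 0, 65535, 101)
    rec = struct.pack(">IIII", 1700000000, 123456789, len(pkt), len(pkt))
    return header + rec + pkt


if __name__ == "__main__":
    # Usage: python3 pcap2raw.py capture.pcap | rawshark -r - -d encap:<linktype> -F ip.src
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    linktype, stream = pcap_to_rawshark_stream(raw)
    sys.stderr.write("linktype %d; use -d encap:%d\n" % (linktype, linktype))
    sys.stdout.buffer.write(stream)
```

The linktype printed to stderr is the value to pass as -d encap:number, since rawshark does not read it from the stream; rejecting records whose caplen exceeds len or the remaining input keeps a damaged capture from producing a misaligned stream that rawshark would then dissect as garbage.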
OUTPUT
If one or more fields are specified via the -F flag, Rawshark prints the number, field
type, and display format for each field on the first line as "packet number" 0. For each
record, the packet number, matching fields, and a "1" or "0" are printed to indicate if
the field matched any supplied display filter. A "-" is used to signal the end of a field
description and at the end of each packet line. For example, the flags -F ip.src -F
dns.qry.type might generate the following output:
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 1 -
2 1="1" 0="192.168.77.250" 1 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -
Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding -R "not dns" still
prints each line, but there's an indication that packets 1 and 2 didn't pass the filter:
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 0 -
2 1="1" 0="192.168.77.250" 0 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -
Also note that the output may be in any order, and that multiple matching fields might be
displayed.
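As an added example (not code from rawshark or the Wireshark project), the parser below reads the output format just described without relying on field order: the header line is treated as repeated groups of "index type base -", and each packet line as a packet number, any number of index="value" pairs, the filter flag and the closing "-". Values are gathered into lists keyed by field index, which is what makes repeated matches and arbitrary ordering safe to consume. The two samples are the man page's own output; the parser assumes a quoted value never contains a double quote, which holds for the field types shown.

```python
import re
import sys
from collections import defaultdict

# One index="value" pair. Assumes values contain no double quote.
_FIELD_RE = re.compile(r'(\d+)="([^"]*)"')

# The man page's two samples: -F ip.src -F dns.qry.type, then the same run
# with -R "not dns" (copied from the page, not captured here).
SAMPLE_UNFILTERED = """\
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 1 -
2 1="1" 0="192.168.77.250" 1 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -
"""
SAMPLE_NOT_DNS = """\
0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 0 -
2 1="1" 0="192.168.77.250" 0 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -
"""


def parse_header(line: str) -> dict:
    """Parse the first line into {field_index: (field_type, display_base)}.

    The line is groups of four tokens: index, type, base, "-". Its first
    token is the index of the first -F field, 0, which is why the man page
    calls the line "packet number" 0.
    """
    tokens = line.split()
    if len(tokens) % 4 != 0 or not tokens:
        raise ValueError("malformed header line: %r" % line)
    fields = {}
    for i in range(0, len(tokens), 4):
        idx, ftype, base, end = tokens[i:i + 4]
        if end != "-":
            raise ValueError("missing field terminator in %r" % line)
        fields[int(idx)] = (ftype, base)
    return fields


def parse_packet_line(line: str):
    """Parse one packet line into (packet_number, {index: [values]}, passed_filter).

    Field order is not guaranteed and an index may appear more than once,
    so values are collected per index rather than positionally.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[-1] != "-" or tokens[-2] not in ("0", "1"):
        raise ValueError("malformed packet line: %r" % line)
    number = int(tokens[0])
    passed = tokens[-2] == "1"
    body = line.split(None, 1)[1]          # everything after the packet number
    values = defaultdict(list)
    for idx, val in _FIELD_RE.findall(body):
        values[int(idx)].append(val)
    return number, dict(values), passed


def parse_output(text: str):
    """Parse a complete run: returns (header_fields, [(number, values, passed), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty rawshark output")
    return parse_header(lines[0]), [parse_packet_line(ln) for ln in lines[1:]]


def values_of_passing_packets(text: str, index: int) -> list:
    """Values of field `index` from packets that passed the -R filter, in packet order."""
    _, packets = parse_output(text)
    return [v for _, vals, ok in packets if ok for v in vals.get(index, [])]


if __name__ == "__main__":
    # Usage: rawshark -r - -d encap:1 -F ip.src -R "not dns" < stream | python3 parse_rawshark.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NOT_DNS
    fields, packets = parse_output(text)
    print("fields:", fields)
    for number, vals, ok in packets:
        print(number, "pass" if ok else "fail", vals)
```

Because rawshark prints every packet even when -R is given, a consumer must check the flag rather than assume that each printed line matched; values_of_passing_packets() shows that check applied to the "not dns" sample, where only packets 3 and 4 contribute.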
OPTIONS
-d <encapsulation>
Specify how the packet data should be dissected. The encapsulation is of the form
type:value, where type is one of:
encap:name Packet data should be dissected using the libpcap/WinPcap data link type
(DLT) name, e.g. encap:EN10MB for Ethernet. Names are converted using
pcap_datalink_name_to_val(). A complete list of DLTs can be found at
<http://www.tcpdump.org/linktypes.html>.
encap:number Packet data should be dissected using the libpcap/WinPcap LINKTYPE_
number, e.g. encap:105 for raw IEEE 802.11 or encap:101 for raw IP.
proto:protocol Packet data should be passed to the specified Wireshark protocol
dissector, e.g. proto:http for HTTP data.
-F <field to display>
Add the matching field to the output. Fields are any valid display filter field. More
than one -F flag may be specified, and each field can match multiple times in a given
packet. A single field may be specified per -F flag. If you want to apply a display
filter, use the -R flag.
-h Print the version and options and exit.
-l Flush the standard output after the information for each packet is printed. (This is
not, strictly speaking, line-buffered if -V was specified; however, it is the same as
line-buffered if -V wasn't specified, as only one line is printed for each packet,
and, as -l is normally used when piping a live capture to a program or script, so that
output for a packet shows up as soon as the packet is seen and dissected, it should
work just as well as true line-buffering. We do this as a workaround for a deficiency
in the Microsoft Visual C++ C library.)
This may be useful when piping the output of TShark to another program, as it means
that the program to which the output is piped will see the dissected data for a packet
as soon as TShark sees the packet and generates that output, rather than seeing it
only when the standard output buffer containing that data fills up.
-n Disable network object name resolution (such as hostname, TCP and UDP port names);
the -N flag might override this one.
-N <name resolving flags>
Turn on name resolving only for particular types of addresses and port numbers, with
name resolving for other types of addresses and port numbers turned off. This flag
overrides -n if both -N and -n are present. If neither -N nor -n is present, all
name resolutions are turned on.
The argument is a string that may contain the letters:
m to enable MAC address resolution
n to enable network address resolution
N to enable using external resolvers (e.g., DNS) for network address resolution
t to enable transport-layer port number resolution
C to enable concurrent (asynchronous) DNS lookups
d to enable resolution from captured DNS packets
-o <preference>:<value>
Set a preference value, overriding the default value and any value read from a
preference file. The argument to the option is a string of the form prefname:value,
where prefname is the name of the preference (which is the same name that would appear
in the preference file), and value is the value to which it should be set.
-p Assume that packet data is preceded by a pcap_pkthdr struct as defined in pcap.h. On
some systems the size of the timestamp data will be different from the data written to
disk. On other systems they are identical and this flag has no effect.
-r <pipe>|-
Read packet data from the input source. It can be either the name of a FIFO (named
pipe) or ``-'' to read data from the standard input, and must have the record format
specified above.
-R <read (display) filter>
Cause the specified filter (which uses the syntax of read/display filters, rather than
that of capture filters) to be applied before printing the output.
-s Allow standard pcap files to be used as input, by skipping over the 24-byte pcap file
header.
-S Use the specified format string to print each field. The following formats are
supported:
%D Field name or description, e.g. "Type" for dns.qry.type
%N Base 10 numeric value of the field.
%S String value of the field.
For something similar to Wireshark's standard display ("Type: A (1)") you could use
%D: %S (%N).
-t a|ad|adoy|d|dd|e|r|u|ud|udoy
Set the format of the packet timestamp printed in summary lines. The format can be
one of:
a absolute: The absolute time, as local time in your time zone, is the actual time the
packet was captured, with no date displayed
ad absolute with date: The absolute date, displayed as YYYY-MM-DD, and time, as local
time in your time zone, is the actual time and date the packet was captured
adoy absolute with date using day of year: The absolute date, displayed as YYYY/DOY,
and time, as local time in your time zone, is the actual time and date the packet was
captured
d delta: The delta time is the time since the previous packet was captured
dd delta_displayed: The delta_displayed time is the time since the previous displayed
packet was captured
e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
r relative: The relative time is the time elapsed between the first packet and the
current packet
u UTC: The absolute time, as UTC, is the actual time the packet was captured, with no
date displayed
ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and time, as UTC, is the
actual time and date the packet was captured
udoy UTC with date using day of year: The absolute date, displayed as YYYY/DOY, and
time, as UTC, is the actual time and date the packet was captured
The default format is relative.
-v Print the version and exit.
READ FILTER SYNTAX
For a complete table of protocols and protocol fields that are filterable in TShark, see
the wireshark-filter(4) manual page.