Wrote a quick BATCH file (because Windows was all that was available) to use TSHARK to parse through some capture files. The script below will parse out DNS info, HTTP information, IP Stat Information, TCP/UDP Information, and Protocol Type Information. The batch when run will create a Directory (using the filename) and create the output files in the created directory...
:: usage: tshark_ALL.bat <FILENAMEOFCAPTURE>.pcap
@ECHO OFF
echo "###########READY TO PARSE#########"
echo "#######CREATING OUTPUT DIRECTORY######"
mkdir %1_DIR
echo "########Running DNS Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -R "udp.port == 53" -T fields -E separator=# -e frame.time -e ip.src_host -e ip.dst_host -e ip.proto -e dns.qry.name > %1_DIR\dnstraffic.%1.txt
echo "#######Running WEB Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -T fields -E separator=# -e frame.time -e ip.src_host -e ip.dst_host -e ip.proto -e tcp.srcport -e tcp.dstport -e http.user_agent -e http.request.method -e http.host -e http.request.uri > %
1_DIR\httptraffic.%1.txt
echo "#######Running HTTP REQUEST Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -T fields -E separator=# -e http.host -e http.request.uri > %1_DIR\http_requests.%1.txt
echo "#######IP STAT FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z ip_hosts,tree > %1_DIR\ipstats.%1.txt
echo "#####TCP CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,tcp > %1_DIR\tcpconvo.%1.txt
echo "#####UDP CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,udp > %1_DIR\udpconvo.%1.txt
echo "#####ETH CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,eth > %1_DIR\ethconvo.%1.txt
echo "#####Protocol Types CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z ptype,tree > %1_DIR\ptypes.%1.txt
echo "#####HTTP INFO FILE CREATION####
echo "#####HTTP TREE SECTION####" > %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP REQUEST TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_req,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP REQUEST TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_req,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP SERVER TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_srv,tree >> %1_DIR\httpstats.%1.txt
echo "##FINISHED PARSING###"
Tshark Reference Links:
http://www.packetlevel.ch/html/tshark/tsharkfilt.html
:: usage: tshark_ALL.bat <FILENAMEOFCAPTURE>.pcap
@ECHO OFF
echo "###########READY TO PARSE#########"
echo "#######CREATING OUTPUT DIRECTORY######"
mkdir %1_DIR
echo "########Running DNS Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -R "udp.port == 53" -T fields -E separator=# -e frame.time -e ip.src_host -e ip.dst_host -e ip.proto -e dns.qry.name > %1_DIR\dnstraffic.%1.txt
echo "#######Running WEB Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -T fields -E separator=# -e frame.time -e ip.src_host -e ip.dst_host -e ip.proto -e tcp.srcport -e tcp.dstport -e http.user_agent -e http.request.method -e http.host -e http.request.uri > %
1_DIR\httptraffic.%1.txt
echo "#######Running HTTP REQUEST Extractions######"
"c:\Program Files\Wireshark\tshark.exe" -r %1 -T fields -E separator=# -e http.host -e http.request.uri > %1_DIR\http_requests.%1.txt
echo "#######IP STAT FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z ip_hosts,tree > %1_DIR\ipstats.%1.txt
echo "#####TCP CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,tcp > %1_DIR\tcpconvo.%1.txt
echo "#####UDP CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,udp > %1_DIR\udpconvo.%1.txt
echo "#####ETH CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z conv,eth > %1_DIR\ethconvo.%1.txt
echo "#####Protocol Types CONVERSATION FILE CREATION####
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z ptype,tree > %1_DIR\ptypes.%1.txt
echo "#####HTTP INFO FILE CREATION####
echo "#####HTTP TREE SECTION####" > %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP REQUEST TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_req,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP REQUEST TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_req,tree >> %1_DIR\httpstats.%1.txt
echo "#####HTTP SERVER TREE SECTION####" >> %1_DIR\httpstats.%1.txt
"c:\Program Files\Wireshark\tshark.exe" -r %1 -q -z http_srv,tree >> %1_DIR\httpstats.%1.txt
echo "##FINISHED PARSING###"
Tshark Reference Links:
http://www.packetlevel.ch/html/tshark/tsharkfilt.html
RSS Feed
