0

How do I get tshark to do the more complete and informative parsing of BitTorrent traffic that appears in Wireshark. Here's an example of what I mean.

https://byzantinemysteries.wordpress.com/2017/10/12/bittorrent-protocol-a-k-a-peer-protocol-examples/

In case that webpage changes, I'll state explicitly what I mean. In the Wireshark screen, it will parse the BitTorrent messages and label the message type as "Interested (2)" but in tshark, it will state more opaquely "2". I'm using flags such as -Tjson or -Tek or -Tfields and referencing this page for fields (-e flag): https://www.wireshark.org/docs/dfref/b/bittorrent.html. But the output isn't as informative and not as completely parsed and using strings as it is in the Wireshark gui.

How can I get tshark to output the more descriptive strings that Wireshark outputs?

Alternatively, is there an automated/programatic way of outputting the Wireshark output? I have too many files to analyze to load them into Wireshark one by one.

Thank you for your help. Please let me know if I can clarify my question.

Steve
  • 3
  • 1

2 Answers2

0

There are two methods I'm aware of that should help you accomplish your goal, both of which involve specifying the columns you want to use.

Method 1: Use Wireshark to configure a profile with the columns you want and then use -T fields along with -e field to specify the columns to display.

  • Add a new Wireshark profile (Edit -> Configuration Profiles) and configure the columns you want in the output. (NOTE: Strictly speaking you don't need to create a new profile; however, it allows you to display bittorrent-related columns only when using this profile when analyzing bittorrent traffic, and it avoids polluting the Default or other profiles with bittorrent columns when you're not analyzing bittorrent traffic.)
  • If you want all those columns, then just run tshark selecting that profile, e.g., tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap.
  • If you want a subset of those columns, then use -T fields and any combination of -e field and "-e _ws.col.Name Of Column" to display the columns you want., e.g. if you added the bittorrent.msg.type field as a column and kept the column name as the default "Message Type", then you'd use something like this: tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap -T fields -e frame.number -e "_ws.col.Message Type"

You could even add -e bittorrent.msg.type too if you also want the values instead of just the strings.

Method 2: Directly specify the columns you want without necessarily having to add them as columns in Wireshark first.

First, to get an idea of the built-in columns that tshark supports, you can run tshark -G column-formats, and an example is provided in the output.

So, to accomplish the same thing as before but using this method, on Windows you'd use: tshark -2 -Y "bittorrent" -r bittorrent.pcap -o "gui.column.format:\"No.\",\"%m\",\"Message Type\",\"%Cus:bittorrent.msg.type\"", and on *nix you'd use: tshark -2 -Y "bittorrent" -r bittorrent.pcap -o 'gui.column.format:"No.","%m","Message Type","%Cus:bittorrent.msg.type"'

(The only difference between Windows and *nix is the quoting.)

Christopher Maynard
  • 5,702
  • 2
  • 17
  • 23
0

In the Wireshark screen, it will parse the BitTorrent messages and label the message type as "Interested (2)" but in tshark, it will state more opaquely "2". I'm using flags such as -Tjson or -Tek or -Tfields

That's the problem - unfortunately, when dumping individual field values, for "enumerated" fields, meaning fields where given numerical values have particular strings giving the value's meaning, the numerical value is given, and there's currently no way to request the string rather than the numerical value.

If you use -T text, you'll get Wireshark-style output, but that's Wireshark-style output, not something at all designed for a program or script to parse.

I tried looking for an enhancement request to fix that, but didn't find anything in the Wireshark issues list. You might want to file such a request in that issues list.

For now, Chris Maynard's mechanism is your best workaround.

user16139739
  • 862
  • 3
  • 5