Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Thursday, October 28, 2010

Extract Fields with Tshark

An interesting question appeared at this week – “How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?”

It’s an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the -T parameter to pull field information.

The answer was provided by skypemesm:

tshark -R 'dns' -r abc.pcap -T fields -e udp.length

-R 'dns' - applies a DNS display filter to the trace file

-r abc.pcap - opens the abc.pcap file using Tshark

-T fields - indicates we are pulling field contents (default output format: text)

-e udp.length - tells Tshark to pull the value of the udp.length field

The results of this type of operation print on the screen.

What if you want to pull this information from a live capture?

Ok - you have to watch out here since Bug 2234 restricts us from using a display filter during a live capture in Tshark. Sigh. We'll use a capture filter instead.

tshark -T fields -e udp.length -f "port 53" > udplength.txt

In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and redirected the results to a text file.

What else can you do? Well - you can use the -a parameter to define an autostop condition or the -c parameter to define the number of packets to capture.
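As an added example (not from the post or from the Wireshark project), here is a small Python helper that builds the tshark invocations described above and post-processes the -T fields output, so the extracted udp.length values can be summarised rather than just printed. It covers both the offline case (-r with a display filter) and the live case (-f with -c and -a duration:N). The helper names, the 520-byte review threshold and the sample output are this example's own; the sample lines are constructed, not real capture data. One caveat worth knowing: later tshark releases take the display filter as -Y, and the post's -R only works together with -2, so the builder emits -Y.

```python
"""Added example: build tshark field-extraction commands and post-process
the -T fields output. Helper names and sample data are this example's own."""
import os
import shutil
import statistics
import subprocess

# Classic DNS-over-UDP messages are capped at 512 bytes of payload; udp.length
# counts the 8-byte UDP header too, so anything above 520 carries an EDNS0-sized
# (or otherwise unusual) payload that is worth a second look.
CLASSIC_DNS_UDP_LIMIT = 512 + 8


def tshark_fields_cmd(fields, pcap=None, display_filter=None,
                      capture_filter=None, packet_count=None, duration=None):
    """Return the argv list for a tshark run that prints only FIELDS.

    An offline run (-r) may use a display filter; a live run uses a capture
    filter (-f) plus -c / -a duration:N to stop, as the post describes.
    -E header=y makes tshark print the field names as a first line.
    """
    cmd = ["tshark"]
    if pcap is not None:
        cmd += ["-r", pcap]
        if display_filter is not None:
            cmd += ["-Y", display_filter]   # -Y is the display-filter flag in current tshark
    else:
        if capture_filter is not None:
            cmd += ["-f", capture_filter]
        if packet_count is not None:
            cmd += ["-c", str(packet_count)]
        if duration is not None:
            cmd += ["-a", "duration:%d" % duration]
    cmd += ["-T", "fields", "-E", "header=y"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn tab-separated -T fields output (with a header line) into dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def summarize_udp_lengths(rows):
    """Count/min/max/mean of udp.length over the rows that carry the field."""
    lengths = [int(row["udp.length"]) for row in rows if row.get("udp.length")]
    if not lengths:
        return {"count": 0, "min": None, "max": None, "mean": None}
    return {"count": len(lengths), "min": min(lengths), "max": max(lengths),
            "mean": statistics.mean(lengths)}


def oversized_frames(rows, limit=CLASSIC_DNS_UDP_LIMIT):
    """Frame numbers whose udp.length exceeds LIMIT, for follow-up review."""
    return [int(row["frame.number"]) for row in rows
            if row.get("udp.length") and int(row["udp.length"]) > limit]


# Constructed sample of what the command above prints; not real captured data.
SAMPLE_OUTPUT = (
    "frame.number\tudp.length\tdns.qry.name\n"
    "1\t45\texample.com\n"
    "2\t93\texample.com\n"
    "3\t52\twww.example.net\n"
    "4\t1360\twww.example.net\n"
)


def run_or_sample(pcap="abc.pcap"):
    """Run tshark on PCAP if tshark and the file exist, else use the sample."""
    cmd = tshark_fields_cmd(["frame.number", "udp.length", "dns.qry.name"],
                            pcap=pcap, display_filter="dns")
    if shutil.which("tshark") and os.path.exists(pcap):
        text = subprocess.run(cmd, capture_output=True, text=True,
                              check=True).stdout
    else:
        text = SAMPLE_OUTPUT
    return parse_fields_output(text)


if __name__ == "__main__":
    rows = run_or_sample()
    print(summarize_udp_lengths(rows))
    print("frames over the classic 512-byte DNS payload:", oversized_frames(rows))
```

Run it next to a trace file named abc.pcap to get real numbers; without tshark it falls back to the constructed sample. Adding more -e fields (for example dns.qry.name, as above) costs nothing and lets you tie an unusual length back to the name that produced it.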

All Access Pass Members: The Tshark Command-Line Capture course is released on the new portal. I just added a section on the use of -T/-e parameters after writing this blog. You should have received an email with your login instructions. If you didn't - send an email to

Not an All Access Pass member? Jeepers - the price was just lowered so now is the time to sign up for one-year of online training at

Tuesday, October 12, 2010

Kindle Version Released!

Kindle! Kindle! Kindle!

I've received lots of emails/queries lately asking if the Wireshark Study Guide and Exam Prep Guide will be available in Kindle formats.

Well, the answer is no and yes and maybe.

Yes - the Wireshark Certification Official Exam Prep Guide is now available on the Kindle (click to view Amazon page) - don't forget to download the Answer Sheets (PDF) over at as well. We had to get this book into eBook format as the enclosed CD was really limiting international distribution capabilities. All the practice exam questions on the CD are in the Kindle version of the book so you're not losing anything except the quiz engine to practice with.

No - the Study Guide (800-pager) is not available in Kindle format... yet. After reviewing a slew of technical books in Kindle format it has become abundantly clear that some books just look like garbage on the Kindle. The formatting is limited enough to make some images unreadable and tables a complete nightmare. Ok, ok... some limitations are mostly evident on the itty bitty Kindle (can we call it a Kindlette?). We purchased the big Kindle for the office to play around a bit more with the formatting and I ordered an iPad (just for research purposes, of course) - so this leads me to...

Maybe - If we can survive the Kindle conversion nightmare that we've been living in for the past two weeks and tackle the hundreds of pages of reformatting required, then perhaps the Study Guide will make it to an eBook format. A simple look at the Mastering Windows Server 2008 Kindle edition by Mark Minasi really turned me off the idea of putting the Study Guide on the Kindle. It should be sold with a magnifying glass! Even if you enlarge the font, the graphic image is unreadable - granted, this was viewed on my Kindlette.

Thanks to all of you who have offered ideas and assistance on getting the Exam Prep Guide through Amazon's formatting and the MobiCreator product. If you have additional ideas or feedback, send them into us at

Remember to check out the Wireshark Certified Network Analyst program at!



Tuesday, October 5, 2010


Unless you've been living under a rock (or playing the new Halo non-stop), you likely have heard of the FBI nabbing 100+ in a global cybercrime ring.

You'll notice mention of Zeus. Zeus is financial malware - in essence, it listens to your online banking sessions and sends them to scumbag server (SS). Now if you do a little research, you'll find that Zeus is currently listed as the #1 botnet by some folks (Trusteer). Many virus detection tools miss Zeus altogether. (I'm not surprised by that at all - I have a kitchen strainer that does a better job than some of the VDS options out there.)

You could watch the conversation information and do some GeoIP mapping in Wireshark, but that might not be the best option (Gasp! Did I really say that? Yes.) Check out BotHunter (from my old employer, SRI International - yup - I was a waitress in the Executive Dining Room at the time when my peers were taking Latin and World History in their senior year of high school - another story for another time).

BotHunter basically monitors conversations with an awareness of your trusted network (you define that during the setup) while using Snort's event generation engine to report suspect behavior. It's an interesting tool to play with - in addition, check out to view the BotHunter Internet Monitor page. BotHunter automatically grabs the latest C&C server list, malware DNS list, Russian Business Network address space and malicious backdoor/control ports from the SRI repository. The BotHunter repository service enables your "fielded BotHunter" to report infection profiles anonymously.

It's an interesting and FREE product to help you battle bot-infected hosts. If you haven't had a chance to analyze the traffic to/from a bot-infected host - check out the sec-sickclient.pcap file over in the trace files available at

Interesting Links:

Remember to check out the Wireshark Certified Network Analyst program



p.s. Thanks to everyone who suggested "back fixes" - it's healing nicely so far.