How to analyze packets from tshark in realtime via bash?

Maf

1/22/23, 8:49 PM

I need to analyze the IPSec packages from this command in real time:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP>)'

I need to check whether an isakmp package is sent to set a variable as true. I can't wait until the whole sniffing process is finished to be able to read it from a pcap file!

151

0 + 0

wireshark

packet-analyzer

Score:1

Ubuntu

Nate T

1/23/23, 9:51 AM

You might also want to look into the netsniff-ng package in apt. It is a packet sniffing toolkit specifically built for Linux networks.

It works great for things like analyzing signals of pci / usb devices that do not follow their respective data protocols, in order to write custom drivers.

The following is a list of included tools, including descriptions, obtained from the output of apt info netsniff-ng:

netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
trafgen: a multithreaded low-level zero-copy network packet generator
mausezahn: high-level packet generator for appliances with Cisco-CLI
ifpps: a top-like kernel networking and system statistics tool
curvetun: a lightweight curve25519-based multiuser IP tunnel
astraceroute: an autonomous system trace route and DPI testing utility
flowtop: a top-like netfilter connection tracking tool
bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

To find out more, you can visit the netsniff-ng website:

http://netsniff-ng.org/

0 + 0

Maf

1/23/23, 9:54 AM

I'll take a look on that. Thanks. So far I've been working with `tshark/wireshark` and `tcpdump`

Score:1

Ubuntu

Maf

1/23/23, 9:07 AM

After some workarounds, we have a solution:

while IFS= read -r line; do if [[ $line =~ 'ISAKMP' ]]; then echo $line; fi; done < <(sudo tshark -i <My_Interface>)

Instead of this simple string 'ISAKMP' we can check anything else. The echo command may be any other command (setting an environment variable, etc.)

0 + 0

Nate T

1/23/23, 9:33 AM

should there be two space characters between `IFS=` and `read`? As is, you are testing that IFS is set to an empty string, and not a space character. Does the command work like this?

Maf

1/23/23, 10:02 AM

A single space. IFS=' ' IFS stands for internal field separator, I just knew it that yesterday.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to analyze packets from tshark in realtime via bash?

TH: จะวิเคราะห์แพ็กเก็ตจาก tshark แบบเรียลไทม์ผ่าน bash ได้อย่างไร

RO: Cum se analizează pachetele de la tshark în timp real prin bash?

RU: Как анализировать пакеты от tshark в реальном времени через bash?

VI: Làm cách nào để phân tích các gói từ tshark trong thời gian thực thông qua bash?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.