Generate Protocol Statistics in Tshark


Introduction

In this lab, you will learn to analyze network traffic using Wireshark's command-line tool tshark by generating protocol statistics from a packet capture file. You'll explore key options like -r for reading files, -q for quiet mode, and -z io,phs for protocol hierarchy statistics.

The exercise will guide you through verifying capture files, viewing packet summaries, and interpreting protocol distributions. This practical experience will enhance your network analysis skills with tshark's statistical features.



Read File with -r capture.pcap

In this step, you will learn how to open and analyze a packet capture file using Wireshark's command-line tool tshark. The -r option is fundamental as it specifies which packet capture file to read. Think of it like opening a document with a text editor - you need to tell the program which file to work with.

  1. First, ensure you're in the correct directory. Open the terminal and run:

    cd ~/project

    This command navigates to the project directory where our sample capture file is stored. It's like opening the right folder before accessing a file.

  2. The lab environment provides a sample capture file named capture.pcap. Verify its existence:

    ls -l capture.pcap

    Expected output should show the file details like:

    -rw-r--r-- 1 labex labex 12345 Jan 1 00:00 capture.pcap

    The ls -l command shows the file's permissions, size, and modification time. This confirms the file is present and accessible before we try to analyze it.

  3. To read the capture file with tshark, execute:

    tshark -r capture.pcap

    This command reads the capture.pcap file and displays each network packet's summary information. You'll see columns showing:

    • Packet number (sequence in the capture)
    • Timestamp (when it was captured)
    • Source and destination IP addresses
    • Protocol used (TCP, UDP, etc.)
    • Basic information about the packet

  4. For a cleaner output with just packet numbers and protocols, add the -q (quiet) option:

    tshark -r capture.pcap -q

    The -q flag simplifies the output by suppressing some details. This is useful when you just want to quickly scan the types of traffic in the capture without seeing all the packet details.

  5. To exit the packet listing, press Ctrl+C when you've seen enough output. This keyboard combination stops the command's execution and returns you to the terminal prompt.

Remember, these commands are just displaying the captured packets - we're not modifying the file in any way. The next steps will show you how to analyze this traffic in more detail.

Compute Hierarchy Stats with -z io,phs

In this step, we'll explore how to analyze network traffic by generating protocol hierarchy statistics using Wireshark's command-line tool tshark. The -z io,phs option creates a structured overview showing how different network protocols relate to each other in your captured traffic.

  1. First, let's make sure we're in the right working directory where our capture file is stored:

    cd ~/project

    This command navigates to the project directory where we'll be working with our packet capture file.

  2. Now we'll analyze the capture.pcap file to see the protocol distribution. Run this command:

    tshark -r capture.pcap -z io,phs

    Here's what each part does:

    • -r capture.pcap reads our packet capture file
    • -z io,phs generates the protocol hierarchy statistics

  3. The command produces output showing how protocols are layered in your network traffic. Here's a sample structure:

    ======================================================
    Protocol Hierarchy Statistics
    Filter:
    
    eth                                      frames:100 bytes:10000
      ip                                     frames:90 bytes:9000
        tcp                                  frames:80 bytes:8000
          http                               frames:70 bytes:7000
        udp                                  frames:10 bytes:1000
      arp                                    frames:10 bytes:1000
    ======================================================

    This tree structure reveals:

    • Ethernet (eth) as the base layer carrying all traffic
    • IP packets making up 90% of Ethernet frames
    • TCP being the dominant transport protocol within IP
    • HTTP traffic accounting for most TCP packets

  4. The statistics provide three key pieces of information for each protocol:

    • Percentage of total traffic (implied by frame counts)
    • Absolute numbers of frames and bytes transmitted
    • The encapsulation relationship between protocols

  5. For a cleaner view without additional capture information, add the -q (quiet) option:

    tshark -r capture.pcap -z io,phs -q

    The -q flag suppresses extra details, giving you just the protocol hierarchy statistics. This is particularly useful when you only need the protocol breakdown.
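As an added example (not part of the lab or of tshark itself), the following POSIX shell function parses io,phs output like the sample in step 3 and makes the percentages that step 4 calls "implied" explicit: for each protocol it computes the share of its parent protocol's frames, finding the parent from the two-space indentation tshark uses for each encapsulation level. The sample text is constructed from the tutorial's illustration rather than taken from a real capture.

```shell
# Constructed sample of `tshark -r capture.pcap -q -z io,phs` output; the numbers
# mirror the tutorial's illustration and do not come from a real capture.
PHS_SAMPLE='======================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:100 bytes:10000
  ip                                     frames:90 bytes:9000
    tcp                                  frames:80 bytes:8000
      http                               frames:70 bytes:7000
    udp                                  frames:10 bytes:1000
  arp                                    frames:10 bytes:1000
======================================================'

# phs_percent: read io,phs output on stdin and print, for every protocol line,
# its frame count and its share of the enclosing protocol's frames. The parent
# is the most recent line one indentation level up (tshark prints the tree
# depth-first, two spaces per level), so one counter per depth is enough.
phs_percent() {
  awk '
    /frames:[0-9]+ bytes:[0-9]+/ {
      match($0, /^ */)
      depth = RLENGTH / 2            # nesting level of this protocol
      proto = $1
      frames = $0
      sub(/.*frames:/, "", frames)   # keep "NNN bytes:MMM"
      sub(/ .*/, "", frames)         # keep "NNN"
      frames += 0
      seen[depth] = frames           # remembered for the children that follow
      if (depth == 0)
        pct = 100
      else
        pct = 100 * frames / seen[depth - 1]
      indent = ""
      for (i = 0; i < depth; i++) indent = indent "  "
      printf "%s%s %d frames (%.1f%% of parent)\n", indent, proto, frames, pct
    }'
}

# Typical use on a real file: tshark -r capture.pcap -q -z io,phs | phs_percent
printf '%s\n' "$PHS_SAMPLE" | phs_percent
```

Sibling shares under one parent should add up to about 100% (ip 90% plus arp 10% under eth here); a protocol whose children sum to much less means frames the dissector could not classify further.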

Suppress Packet Details with -q

In this step, you'll learn about the -q option in tshark, which helps simplify your output when analyzing network traffic. This is especially useful when you only need statistical information rather than detailed packet contents.

  1. First, let's navigate to our working directory where the packet capture file is stored:

    cd ~/project

    This ensures we're in the right location to access our sample capture file.

  2. Let's first examine what normal tshark output looks like without the -q option:

    tshark -r capture.pcap

    This command displays complete packet information including protocol headers and payload data. For beginners, this output might appear overwhelming with too many details when you're only interested in overall statistics.

  3. Now let's try the same command with the -q (quiet) option:

    tshark -r capture.pcap -q

    Notice how this suppresses the detailed packet information, giving you a cleaner output. The -q option tells tshark to only show summary information, which is easier to read when you don't need packet-level details.

  4. Let's combine -q with the protocol hierarchy statistics we learned earlier:

    tshark -r capture.pcap -z io,phs -q

    This powerful combination gives you just the protocol statistics without any distracting packet details. The -z io,phs generates the statistics while -q ensures we only see the statistical summary.

  5. Key differences to observe:

    • Without -q: Shows complete packet dissection including all protocol layers
    • With -q: Provides a cleaner view showing only summary/statistical information
    • Particularly useful when combined with statistics options (-z) for focused analysis

Remember, the -q option is your friend when you want to focus on the big picture rather than individual packet details. It helps reduce visual clutter while still providing the essential information you need for network analysis.

View Stats on Console

In this step, you'll learn how to use tshark's powerful statistical features to analyze network traffic patterns directly in your terminal. These commands help you understand traffic distribution, identify top communicators, and spot unusual patterns in captured network data.

  1. First, ensure you're in the correct working directory where your capture file is stored. This is important because tshark needs to access the file:

    cd ~/project

  2. View basic capture file statistics with time intervals. The -q flag suppresses packet details, while -z io,stat,60 creates 60-second summary blocks:

    tshark -r capture.pcap -q -z io,stat,60

    This shows how traffic volume changes over time in one-minute segments.

  3. To see which IP addresses are most active (endpoint statistics), this command counts traffic per address:

    tshark -r capture.pcap -q -z endpoints,ip

    It lists all communicating IPs with their sent/received packet and byte counts.

  4. For conversation statistics showing which IP pairs communicate and how much:

    tshark -r capture.pcap -q -z conv,ip

    This reveals communication patterns between specific source-destination pairs.

  5. Combine multiple statistics in one command for comprehensive analysis:

    tshark -r capture.pcap -q -z io,stat,60 -z endpoints,ip -z conv,ip

  6. When reviewing statistics, focus on these key indicators:

    • Total packets and bytes: Overall traffic volume
    • Traffic distribution over time: Spot peaks or unusual patterns
    • Top communicating endpoints: Identify heavy users
    • Conversation pairs: Understand who talks to whom and how much

Summary

In this lab, you have learned to utilize Wireshark's command-line tool tshark for network traffic analysis. You practiced reading packet capture files using the -r option and simplified output with the -q flag for better readability.

Additionally, you explored generating protocol hierarchy statistics through the -z io,phs option, which provides valuable insights into protocol distribution within network traffic. This technique enables quick assessment of traffic composition without inspecting individual packets.