Revision history
rawshark: Why?
The Utilities
rawshark
rawshark is an "extras" utility bundled with Wireshark that can read streams. For example, given the 4-packet dhcp.pcap from the Wireshark samples page, we can get UDP port information.
cat dhcp.pcap | rawshark -s -r - -d encap:1 -F udp.port
FT_UINT16 BASE_PT_UDP - 1 FT_UINT16 BASE_PT_UDP -
1 1="68" 0="67" -
2 1="67" 0="68" -
3 1="68" 0="67" -
4 1="67" 0="68" -
There are multiple annoyances with the tool and the output:
- It doesn't integrate well with other Wireshark tools. For example,
  cat dhcp.pcap | rawshark ...
  works, but not
  tshark -r dhcp.pcap | rawshark
- You MUST send in raw packets without the header, and only the pcap format is understood (i.e. no pcapng IDBs).
- You MUST specify the tcpdump link-layer header type or protocol name before any others (and sometimes it isn't clear which one you should use).
vs tshark
Compare with tshark, which can read from both files and streams and provides useful output:
$ tshark -r dhcp.pcap
1 0.000000 0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Discover - Transaction ID 0x3d1d
2 0.000295 192.168.0.1 → 192.168.0.10 DHCP 342 DHCP Offer - Transaction ID 0x3d1d
3 0.070031 0.0.0.0 → 255.255.255.255 DHCP 314 DHCP Request - Transaction ID 0x3d1e
4 0.070345 192.168.0.1 → 192.168.0.10 DHCP 342 DHCP ACK - Transaction ID 0x3d1e
The Question
Why is rawshark bundled with the Wireshark program when it doesn't appear to do anything that can't already be achieved with tshark? What is a use case for rawshark?
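One practical way to live with rawshark's output format, as an added example that is not part of the question or of the Wireshark project: a small POSIX shell/awk filter that turns the idx="value" records above into a tab-separated table (one row per packet, one column per occurrence of the requested field), so the result can be sorted, cut and counted the way tshark -T fields output can. The sample input is constructed from the rawshark run shown in the question; the function names rawshark_table and port_pair_counts are this example's own.

```shell
#!/bin/sh
# Added example, not from the question or the Wireshark project: reshape
# rawshark's per-packet "idx=value" lines into a tab-separated table so the
# output can be fed to sort/uniq/cut like tshark -T fields output can.

# Constructed sample input, copied from the rawshark run shown in the
# question (cat dhcp.pcap | rawshark -s -r - -d encap:1 -F udp.port).
SAMPLE='FT_UINT16 BASE_PT_UDP - 1 FT_UINT16 BASE_PT_UDP -
1 1="68" 0="67" -
2 1="67" 0="68" -
3 1="68" 0="67" -
4 1="67" 0="68" -'

# rawshark_table: read rawshark output on stdin and print one line per
# packet: packet number, then the field values ordered by occurrence
# index (column 2 is occurrence 0, column 3 is occurrence 1, ...).
# The field-descriptor line (the one carrying FT_* type names) is skipped
# and the trailing "-" record terminator is dropped.
rawshark_table() {
    awk '
        /FT_/ { next }                     # descriptor line, not a packet
        {
            split("", vals)                # portable way to clear the array
            line = $1; n = -1
            for (i = 2; i <= NF; i++) {
                if ($i == "-") continue    # record terminator
                split($i, kv, "=")         # kv[1]=occurrence index, kv[2]="value"
                gsub(/"/, "", kv[2])
                vals[kv[1] + 0] = kv[2]
                if (kv[1] + 0 > n) n = kv[1] + 0
            }
            for (j = 0; j <= n; j++) line = line "\t" vals[j]
            print line
        }'
}

# port_pair_counts: count how many packets share each (occurrence 0,
# occurrence 1) pair; for the sample this yields "67 68 2" for packets
# 1 and 3 (the Discover and Request) and "68 67 2" for packets 2 and 4.
port_pair_counts() {
    rawshark_table | cut -f2- | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Demonstration when run directly.
printf '%s\n' "$SAMPLE" | rawshark_table
printf '%s\n' "$SAMPLE" | port_pair_counts
```

Both functions read from stdin, so a live run is just `cat dhcp.pcap | rawshark -s -r - -d encap:1 -F udp.port | rawshark_table`. Because rawshark's -s expects a pcap file header on its input, a tshark stage can be put in front of it by having tshark write pcap to stdout (`tshark -r dhcp.pcap -F pcap -w -`) rather than its default text summary.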