How to Read a Packet Capture .cap File from Command Line

2012/02/17

There are a couple of ways to read a packet capture .cap file from the command line. I’ll show you how!


tcpdump

The -r filename option tells tcpdump to read packets from a capture file instead of a live interface and print them to the screen. Pipe the output to less so you can scroll through it.

$ tcpdump -r mycapturefile.cap | less
10:24:23.046221 IP 172.16.1.39.15256 > 172.16.1.41.http: Flags [S], seq 1183851371, win 8192, options [mss 1460], length 0
10:24:23.046720 IP 172.16.1.41.http > 172.16.1.39.15256: Flags [S.], seq 3014147598, ack 1183851372, win 5840, options [mss 1460], length 0
10:24:23.046758 IP 172.16.1.39.15256 > 172.16.1.41.http: Flags [R], seq 1183851372, win 0, length 0
10:24:23.062584 IP 172.16.1.39 > 172.16.1.41: ICMP echo request, id 45243, seq 45243, length 16
10:24:23.063028 IP 172.16.1.41 > 172.16.1.39: ICMP echo reply, id 45243, seq 45243, length 16
10:24:23.077375 IP 10.9.122.232.43482 > 192.168.1.16.domain: 58196+ PTR? 41.111.10.10.in-addr.arpa. (43)
10:24:23.078203 IP 192.168.1.16.domain > 10.9.122.232.43482: 58196* 1/9/9 PTR example.com. (491)
10:24:23.341400 IP 172.16.1.39.43482 > 172.16.1.41.solid-mux: UDP, length 1
10:24:23.341977 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port solid-mux unreachable, length 37
10:24:23.363537 IP 172.16.1.39.43482 > 172.16.1.41.1024: UDP, length 1
10:24:23.533573 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port 1024 unreachable, length 37
10:24:23.533591 IP 172.16.1.39.43482 > 172.16.1.41.12346: UDP, length 1
10:24:23.533600 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port 12346 unreachable, length 37
10:24:23.533610 IP 172.16.1.39.43482 > 172.16.1.41.sapv1: UDP, length 1
10:24:23.533619 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port sapv1 unreachable, length 37
10:24:23.533628 IP 172.16.1.39.43482 > 172.16.1.41.sitaradir: UDP, length 1
10:24:23.533637 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port sitaradir unreachable, length 37
10:24:23.534566 IP 172.16.1.39.43482 > 172.16.1.41.tcp-id-port: UDP, length 1
10:24:23.535087 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port tcp-id-port unreachable, length 37
10:24:23.560403 IP 172.16.1.39.43482 > 172.16.1.41.net-assistant: UDP, length 2
10:24:23.689303 IP 172.16.1.39.35243 > 172.16.1.41.https: Flags [.], ack 469674834, win 4096, length 0
10:24:23.689940 IP 172.16.1.41.https > 172.16.1.39.35243: Flags [R], seq 469674834, win 0, length 0
10:24:23.698834 IP 172.16.1.39.7710 > 172.16.1.41.tcpmux: UDP, length 0
10:24:23.698911 IP 172.16.1.39.7710 > 172.16.1.41.20096: UDP, length 0
10:24:23.698958 IP 172.16.1.39.7710 > 172.16.1.41.http: Flags [S], seq 505290270, win 1400, length 0
10:24:23.699016 IP 172.16.1.39 > 172.16.1.41: ICMP echo request, id 7710, seq 7710, length 20
10:24:23.699451 IP 172.16.1.41.http > 172.16.1.39.7710: Flags [S.], seq 3029656434, ack 505290271, win 5840, options [mss 1460], length 0
10:24:23.699484 IP 172.16.1.39.7710 > 172.16.1.41.http: Flags [R], seq 505290271, win 0, length 0
:


TShark

tshark, the command-line utility that comes with Wireshark, also takes -r filename to open a .cap file.

$ tshark -r mycapturefile.cap | less
  1   0.000000 172.16.1.39 -> 172.16.1.41 TCP 58 15256 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
  2   0.000499 172.16.1.41 -> 172.16.1.39 TCP 60 http > 15256 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
  3   0.000537 172.16.1.39 -> 172.16.1.41 TCP 54 15256 > http [RST] Seq=1 Win=0 Len=0
  4   0.016363 172.16.1.39 -> 172.16.1.41 ICMP 50 Echo (ping) request  id=0xb0bb, seq=45243/48048, ttl=64
  5   0.016807 172.16.1.41 -> 172.16.1.39 ICMP 60 Echo (ping) reply    id=0xb0bb, seq=45243/48048, ttl=61
  6   0.031154 10.9.122.232 -> 192.168.1.16 DNS 85 Standard query PTR 41.111.10.10.in-addr.arpa
  7   0.031982 192.168.1.16 -> 10.9.122.232 DNS 533 Standard query response PTR example.com
  8   0.295179 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: solid-mux
  9   0.295756 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 10   0.317316 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: 1024
 11   0.487352 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 12   0.487370 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: 12346
 13   0.487379 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 14   0.487389 172.16.1.39 -> 172.16.1.41 SAP/SDP 43 Announcement (v0), with session description
 15   0.487398 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 16   0.487407 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: sitaradir
 17   0.487416 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 18   0.488345 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: tcp-id-port
 19   0.488866 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 20   0.514182 172.16.1.39 -> 172.16.1.41 UDP 44 Source port: 43482  Destination port: net-assistant
 21   0.643082 172.16.1.39 -> 172.16.1.41 TCP 54 35243 > https [ACK] Seq=1 Ack=1 Win=4096 Len=0
 22   0.643719 172.16.1.41 -> 172.16.1.39 TCP 60 https > 35243 [RST] Seq=1 Win=0 Len=0
 23   0.652613 172.16.1.39 -> 172.16.1.41 UDP 42 Source port: 7710  Destination port: tcpmux
 24   0.652690 172.16.1.39 -> 172.16.1.41 UDP 42 Source port: 7710  Destination port: 20096
 25   0.652737 172.16.1.39 -> 172.16.1.41 TCP 54 7710 > http [SYN] Seq=0 Win=1400 Len=0
 26   0.652795 172.16.1.39 -> 172.16.1.41 ICMP 54 Echo (ping) request  id=0x1e1e, seq=7710/7710, ttl=30
 27   0.653230 172.16.1.41 -> 172.16.1.39 TCP 60 http > 7710 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
 28   0.653263 172.16.1.39 -> 172.16.1.41 TCP 54 7710 > http [RST] Seq=1 Win=0 Len=0
 29   0.653272 172.16.1.41 -> 172.16.1.39 ICMP 60 Echo (ping) reply    id=0x1e1e, seq=7710/7710, ttl=61
 30   0.654492 172.16.1.39 -> 172.16.1.41 TCP 58 4564 > ftp-data [SYN] Seq=0 Win=4096 Len=0 MSS=1460
:

Cool!
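To make the two commands above concrete, here is a small reader for the libpcap file format that both tools open with -r. It is an added example and not code from the post, tcpdump or Wireshark: with no argument it builds a constructed capture in memory that mirrors the first packets shown above (the addresses, ports, sequence numbers and timestamps are taken from that output; the MAC addresses and IP identification field are invented), then parses the 24-byte global header, the 16-byte per-record headers and enough of Ethernet/IPv4/TCP/UDP/ICMP to print tcpdump -n style lines. It also handles the two things a practitioner runs into with real .cap files: big-endian or nanosecond-timestamp magic numbers, and a file that was cut off mid-record, where it returns the packets it could parse together with the error instead of silently stopping.

```python
"""Minimal libpcap (.cap/.pcap) reader that prints tcpdump-style lines.  Added example, not
code from the post, tcpdump or Wireshark: with no argument it parses a capture constructed in
memory (runs offline); argv[1] may name a real .cap.  Ports print numerically, timestamps in UTC."""
import struct
import sys
import time

MAGIC_US, MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D  # microsecond / nanosecond timestamp files
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]  # tcpdump order; ACK is "."

def parse_global_header(data: bytes) -> tuple:
    """Return (struct byte order, timestamp divisor, linktype); reject non-pcap input."""
    for endian in ("<", ">"):  # the magic number also reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_US, MAGIC_NS):
            linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
            return endian, (1_000_000 if magic == MAGIC_US else 1_000_000_000), linktype
    raise ValueError("not a libpcap file: bad magic %s" % data[:4].hex())

def iter_records(data: bytes, endian: str):
    """Yield (ts_sec, ts_frac, orig_len, captured bytes); raise on a file cut mid-record."""
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet data at offset %d" % (off + 16))
        off += 16 + incl_len
        yield ts_sec, ts_frac, orig_len, pkt

def summarize(pkt: bytes, orig_len: int) -> str:
    """One tcpdump-like line for an Ethernet/IPv4 frame carrying TCP, UDP or ICMP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return "non-IPv4 or truncated frame, length %d" % orig_len
    ip = pkt[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]  # slicing stays safe when snaplen cut the frame short
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        flags = "".join(ch for bit, ch in TCP_FLAGS if off_flags & bit)
        return "IP %s.%d > %s.%d: Flags [%s], seq %d%s, win %d, length %d" % (src, sport, dst, dport, flags,
            seq, (", ack %d" % ack if off_flags & 0x10 else ""), win, len(l4) - (off_flags >> 12) * 4)
    if proto == 17 and len(l4) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        return "IP %s.%d > %s.%d: UDP, length %d" % (src, sport, dst, dport, ulen - 8)
    if proto == 1 and len(l4) >= 8:
        itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", l4[:8])
        kind = {8: "echo request", 0: "echo reply"}.get(itype, "type %d" % itype)
        return "IP %s > %s: ICMP %s, id %d, seq %d, length %d" % (src, dst, kind, ident, seq, len(l4))
    return "IP %s > %s: proto %d, length %d" % (src, dst, proto, total_len)

def read_capture(data: bytes) -> tuple:
    """Summarize every record; on a damaged tail return what was parsed plus the error text."""
    endian, divisor, linktype = parse_global_header(data)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled, got %d" % linktype)
    lines = []
    try:
        for ts_sec, ts_frac, orig_len, pkt in iter_records(data, endian):
            t = time.gmtime(ts_sec)
            lines.append("%02d:%02d:%02d.%06d %s" % (t.tm_hour, t.tm_min, t.tm_sec, ts_frac * 1_000_000 // divisor, summarize(pkt, orig_len)))
    except ValueError as exc:
        return lines, str(exc)
    return lines, None

def _checksum(b: bytes) -> int:  # RFC 1071 one's-complement sum for the IPv4/ICMP headers
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def _frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet + IPv4 wrapper for the constructed frames; the MAC addresses are invented."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return bytes.fromhex("000c29000001" "000c29000002" "0800") + ip + l4

def build_sample_capture(truncate_tail: bool = False) -> bytes:
    """Constructed capture echoing the post's first packets: SYN, SYN/ACK, echo request, UDP probe."""
    h, s = "172.16.1.39", "172.16.1.41"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 45243, 45243) + b"\x00" * 8
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    frames = [
        (46221, _frame(h, s, 6, struct.pack("!HHIIHHHH", 15256, 80, 1183851371, 0, (5 << 12) | 0x02, 8192, 0, 0))),
        (46720, _frame(s, h, 6, struct.pack("!HHIIHHHH", 80, 15256, 3014147598, 1183851372, (5 << 12) | 0x12, 5840, 0, 0))),
        (62584, _frame(h, s, 1, icmp)),
        (363537, _frame(h, s, 17, struct.pack("!HHHH", 43482, 1024, 9, 0) + b"\x00")),
    ]
    out = struct.pack("<IHHiIII", MAGIC_US, 2, 4, 0, 0, 65535, 1)  # little-endian, v2.4, Ethernet
    for usec, frame in frames:  # 37463 s after midnight = 10:24:23, as in the post's output
        out += struct.pack("<IIII", 37463, usec, len(frame), len(frame)) + frame
    return out[:-5] if truncate_tail else out  # optionally cut the last record short

if __name__ == "__main__":  # read argv[1] if given, else the constructed sample
    lines, err = read_capture(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture())
    print("\n".join(lines + (["warning: " + err] if err else [])))
```

Run it as `python3 readcap.py mycapturefile.cap | less` to get output in the same shape as the tcpdump session above, or with no argument to see the constructed sample decoded. The only thing it does that the one-liners above do not is refuse a file whose magic number is not libpcap's (a pcapng file from a recent Wireshark starts with different bytes and is rejected here rather than misparsed), and report exactly where a damaged capture stops being readable.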