Display delta timestamp and UDP data payload with tcpdump/tshark

tcpdumptshark

I have a 1.5Gb capture of small UDP packets that I would like to turn into a CSV with just timestamp and UDP payload data in hex format.

An example of the desired output would be as follows:

% head Data3.txt 
0.000000,0000000041000000005ec812ac00047dce00000000
0.000194,0000000042000000005ec812ac00047db500000000
0.000227,0000000041000000005ec812ac00047dce00000000
0.000619,0000000042000000005ec812ac00047db500000000
0.000663,0000000041000000005ec812ac00047dce00000000
0.000854,0000000042000000005ec812ac00047db500000000
0.000883,0000000041000000005ec812ac00047dce00000000

I do not need this exact format, just a format that can later be transformed into this data (in this case they are 21 bytes length UDP packets).

I am struggling to achieve this with tcpdump without success, so I have found that tshark can do the job:

  tshark -r May31Jun5.pcap -t r -T fields -e frame.time -e data

That command gives the delta time and payload as required (see below excerpt).

Jun  1, 2020 00:02:27.567001000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567014000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567028000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567042000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567056000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567066000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567106000 CEST    0000000054000000005ed4297300049fb100000001
Jun  1, 2020 00:02:27.567124000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:27.567137000 CEST    0000000042000000005ed4297300049fb100000000
Jun  1, 2020 00:02:27.567152000 CEST    0000000041000000005ed4297300049fe300000000
Jun  1, 2020 00:02:28.095487000 CEST    0000000041000000005ed4297300049fe300000000

However I would like to have just seconds with decimals, so instead of:

Jun  1, 2020 00:02:28.095487000

It would be:

148.095487000

How can I achieve that? I guess it is possible because the GUI version of Wireshark display that value.

Best Answer

To get a CSV-style output for simple fields, you can use the -T fields option with tshark, combined with the -E separator=, option to use commas as separator as opposed to tabs.

Next, to figure out what kind of field names to use, check the status bar in the GUI for a selected field, or use tshark -T pdml -r some.pcap for example, or tshark -G fields for a full list of supported fields.

For columns, you can use the special _ws.col.<name> field. For example, _ws.col.Time.

Combining this information, you can use something like:

tshark -r your.pcap -Tfields -Eseparator=, -eframe.time_relative -edata > your.csv

Bonus information:

If a UDP (e.g. DNS) consumes the UDP payload, the data field will be empty. Add the --disable-protocol dns to avoid that.
In the current development version, a new udp.payload option has been added which should avoid the previous option. (commit v3.3.0rc0-250-gf04475167a)
If for some reason a field occurs multiple times, it will be output, separated by commas. You can use the -E occurence=1 option to limit the results to the first value only.
For more details about these options, see the tshark manual page.

Related Solutions

Packet loss rate with iperf and tcpdump

I've experienced significant dataloss with iPerf in UDP mode as a result of the CPU not being able to keep up. For some reason, iPerf with UDP seems to be much more CPU intensive than iPerf with TCP. Do you experience the same loss percentages when you set iPerf to half the rate?

To answer your second question about how much packet loss is acceptable, it really depends on what application you are running, how much traffic you've got. Really, there shouldn't be any loss if you are under your bandwidth limit. For most things, I probably wouldn't complain too much about .25%, but that is still a lot of loss if you are running at really high rates.

[EDIT 1] Some other thoughts that I've had on the topic:

Try incrementing the rates of iPerf. If there is a systemic problem somewhere, it is likely that you'll experience the same percentage of loss no matter what the rate. If you are at the limits of your hardware, or your provider does some sort of RED, then there will likely be no loss up to a certain rate, and then incrementally worse loss the higher above that you go.
Do your tcpdump measurement of the iPerf session, just to verify that your tests are accurate.
Try iPerf with TCP. This won't report loss, but if you are getting loss then the connection won't be able to scale up very high. Since latency will also affect this, make sure to test to an endpoint with as little latency as possible.
Depending on what gear you have on the inside of your connection, make sure you are as close it it as possible. E.g. if you have multiple switches between your test system and the edge router, move to a directly connected switch.
If you have a managed switch, check the stats on it to make sure the loss isn't occurring there. I've encountered some cheaper switches that start dropping when you get close to 100Mbps of UDP traffic on them (mostly old and cheap unmanaged switches though).
Try simultaneous iPerfs from two different clients to two different hosts, so that you can be sure the limit isn't a result of CPU or a cheap local NIC card.

Tcpdump udp data capture latency

I would suggest you try to renice the tcpdump process , and dump the trace to a file on a tmpfs filesystem Also you can add the -p option to tcpdump in order to not put the interface in promiscuous mode, which might reduce the parasitic traffic.

  mkdir /tmpfs
  mount -t tmpfs -o size=128m none /tmpfs
  nice -n -10 tcpdump ... -w /tmpfs/yourfile

Best Answer

Related Solutions

Packet loss rate with iperf and tcpdump

Tcpdump udp data capture latency

Related Topic