Tools

This is a place for scripts and tools related to Wireshark / TShark that users may like to share, and for links to related NetworkTroubleshooting tools.

You will find additional development related tools in the Development page.

Internal

Some command line tools are shipped together with Wireshark. These tools are useful to work with capture files.

• dumpcap a small program which only purpose is to capture network traffic, while keeping advanced features like capturing to multiple files (since version 0.99.0)

• capinfos is a program that reads a saved capture file and returns any or all of several statistics about that file

• editcap edit and/or translate the format of capture files

• mergecap merges multiple capture files into one

• text2pcap generates a capture file from an ASCII hexdump of packets

Scripts

• osXextraction, a Mac OS X bash script to extract particular packet types from a capture file (NOTE: it's not very OS X-specific - some small changes should allow it to work on other UN*Xes, and would probably allow it to work on Windows with Cygwin as well.)

• RtpDumpScript, a perl script to dump RTP audio data

• RtpH263DumpScript, a perl script to dump H.263 video data

• tektronix2pcap, a script to convert Tektronix rf5 files to pcap format that can be loaded into Wireshark. Note that current versions of Wireshark can directly read rf5 binary captures.

• menushark, a Bourne shell menu script to allow users to employ the use of tshark by answering a few menu questions. The script also gives you the command that the menu system has made to try to teach you how to use tshark at the command line.

• mpeg_dump, a Lua script that adds a Wireshark extension to dump MPEG-2 transport stream packets (ISO/IEC 13818-1) from a network capture to a file, for example, to extract one or more mpeg PIDs that were transported via UDP unicast or multicast.

Wrappers

• Packet Hexdump Decoder (phd) is a web-based utility that uses Wireshark tools to decode packet hexdumps online.

• Packet Dump Decode (pdd) is a simple and convenient GUI wrapper around the Wireshark tools to convert packet hexdumps into well formatted xml (viz. text2pcap and tshark). Using pdd, you just need to copy-paste the hexdump into pdd and hit the "Decode" button (GPL, Linux/Win32)

• Sharktools - Use Wireshark's packet dissection engine from Matlab and Python (announcement).

• Net::Sharktools - Use Wireshark's packet dissection engine from Perl (blog entries: 1 2).

External Links

Tools related to NetworkTroubleshooting and alike.

Dedicated capture tools

• dumpcap shipped with Wireshark, already mentioned at the "Internal" section above

• TcpDump / WinDump the classical capture tool(s)

• snoop SunOS/Solaris capture tool

• UML Sniffing a patch to enable sniffing in User Mode Linux (like used in netkit)

• RawCap (a raw socket sniffer for Windows)

• netsniff-ng (a packet capture tool for Linux)

• multicap (a packet capture tool for Linux)

• SPAN Port Configurator (a Cisco SPAN port configuration tool for Windows)

Monitoring/tracing tools

The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark and TShark. In brackets you will find the program license and the supported operating systems.

• PacketShark™ A handheld hardware tap for 100% on-field capturing of Ethernet packets at wire speed; store captured data using an external storage device (SD memory card) and analyze using wireshark

• Xplico A network forensic analysis tool (GPL, Linux only)

• Driftnet It is a program which listens to network traffic and picks out images from TCP streams it observes (GPL, Linux)

• tcpxtract It is a tool for extracting files from network traffic based on file signatures (GPL, various UN*Xes)

• Tstat A passive sniffer able to provide several insights on the traffic patterns at both the the network and transport levels (GPL, various UN*Xes)

• Tranalyzer It is a lightweight flow generator and packet analyzer application (GPL, Linux)

• junkie A real-time packet sniffer and analyzer (AGPLv3, Linux)

• Impacket It is a collection of Python classes focused on providing access to network packets (Apache, Linux).

• Chaosreader Extracts data streams from TCP connections and writes each stream to a file (GPL, Windows, various UN*Xes)

• CloudShark Ability to view and analyze captures in a browser, annotate and tag them, and share them with a URL.

• EtherApe A graphical network monitor (GPL, Linux only)

• NetworkMiner A network forensic analysis tool (GPL, Windows)

• Ntop Network top - tool that lets you analyze network traffic statistics (GPL, FreeBSD/Linux/Unix)

• Snort Network intrusion detection system (GPL, BSD/Linux/Unix/Win32)

• Prelude Another network intrusion detection system (GPL, BSD/Linux/Unix)

• tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, UN*X/Windows)

• tcpick tcpick is a textmode sniffer libpcap-based that can track, reassemble and reorder tcp streams (GPL, BSD/Linux/Unix)

• tcptrace Tool for analysis of TCP connections (GPL, BSD/Linux/Unix)

• online message parser Online single hex message parser, supports Wireless/PSTN/VoIP protocols (Freeware, Web)

• tcpstat Tool for reporting statistics for TCP connections (BSD style, BSD/Linux/Unix)

• Tele Traffic Tapper Graphical traffic-monitoring tool; can also read saved capture files (BSD style?, BSD/Linux)

• Ettercap Allows for sniffing of machines in a switched network LAN (GPL, BSD/Linux/Solaris)

• HUNT Allows for sniffing of machines in a switched network LAN as well as providing a very easy to use API to modify the intercepted frames before they are forwarded. Intercept and Modify. (GPL, Linux)

• RRDtool is "a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average)". (GPL, various UN*Xes) Many RRDtool-based applications are listed on the RRD World page.

• Show Traffic shows continuous summary list of TCP/UDP traffic (BSD, Win32)

• TcpView maps TCP/UDP endpoints to running programs (Freeware, Win32)

• p0f versatile passive OS fingerprinting and many other tricks (Freeware, BSD/Linux/Win32/...). Take a lookhere to see some stats generated with p0f and some scripts.

• VisualEther Protocol Analyzer generates sequence diagrams from Wireshark PDML output (Win32)

• Cap'r Mak'r generates new pcaps for various protocols

• Mu DoS converts any packet into a DoS generator

• xtractr collaborative cloud app for indexing, searching, reporting and extracting on large pcaps using tshark

• pcapdiff compares two capture files (taken simultaneously on both ends of a connection) to identify potentially forged, dropped, or mangled packets (GPL v2 or v3, any OS with Python and pcapy)

• ipsumdump summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs (uses the Click modular router).

• netsniff-ng is a free, performant Linux network analyzer and networking toolkit.

• justsniffer is a tcp packet sniffer. (GPL, BSD/Linux/Win32)

• packet-o-matic is a packet sniffer, supporting fairly general packet processing, used mainly for network forensics. (GPL, BSD/Linux/Mac OS X/Solaris)

• NetSleuth is a free network forensics and pcap file analyser. It provides offline analysis for incident response, and live "silent portscanning" functionality. (GPL, Windows)

• ExtShark is web-interface to tshark. It will bring dumping to cloud.

• Online PCAP to MSC chart Generator generates MSC arrow diagram charts from PCAP files.

Traffic generators

These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

• tcpreplay the opposite of tcpdump, send pcap files out of an interface (BSD, BSD/Linux/Unix)

• packETH GUI/CLI Ethernet packet generator (GPL, Linux/OSX/Windows)

• Network Traffic Generator Client/Server based TCP/UDP traffic generator (GPL, BSD/Linux/Win32)

• Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)

• Scapy Scapy is a powerful interactive packet manipulation program (in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. (GPL, BSD/Linux/OSX)

• Nemesis is a command-line network packet crafting and injection utility. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. (GPL, BSD/Linux/Solaris/Mac OSX/Win32)

• Network Expect is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libwireshark for all packet dissection tasks. (GPL, BSD/Linux/OSX)

• D-ITG - (Distributed Internet Traffic Generator) is a platform capable to produce traffic at packet level accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, ...).

• Mausezahn Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.

• PlayCap is a GUI tool for playing back pcap/Wireshark captures (GPL, Linux/Windows).

• Ostinato is a network packet and traffic generator and analyzer with a friendly GUI. It aims to be "Wireshark in Reverse" and thus become complementary to Wireshark. It features custom packet crafting with editing of any field for several protocols: Ethernet, 802.3, LLC SNAP, VLAN (with Q-in-Q), ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunneling, TCP, UDP, ICMP, IGMP, MLD, HTTP, SIP, RTSP, NNTP, etc. It is useful for both functional and performance testing. (GPL, Linux/BSD/OSX/Win32)

• epb - ethernet package bombardier Simple CLI tool for generating/converting ethernet packets from plain text/pcap/netmon/snoop files. (BSD like, Linux/Unix)

This is another collection of traffic generators: http://www.grid.unina.it/software/ITG/link.php

Capture file anonymization

These tools can be used to "anonymize" capture files, replacing fields such as IP addresses with randomized values.

• The bittwiste tool from Bit-Twist.

• The tcprewrite tool from tcpreplay.

• The tcpdpriv tool from the Internet Traffic Archive.

• AnonTool from the CRAWDAD archive of wireless traffic.

• The pktanon tool from the Karlsruhe Institute of Technology Institute of Telematics.

• The SCRUB-tcpdump tool.

• The Crypto-PAn tool.

• The Network Expect tool, which can be used to anonymize packets.

There's a categorized list of anonymization tools at the CAIDA site.

Capture file repair

These tools attempt to repair damaged capture files as much as can be done.

• pcapfix can repair corrupted or truncated capture files.

Capture file conversion

These tools convert between different capture file formats.

• PcapNG.com Free online service that converts Pcap-NG files to plain libpcap (PCAP) format.

• ProConvert convert capture files between different formats - some that Wireshark currently doesn't support (closed source freeware, unsupported and noted as buggy by vendor, registration and WildPackets maintenance contract required, Win32 only)

Collections

• Top 75 Security Tools from nmap users votes

• Packetfactory projects Various networking-related tools and libraries

• A list of tools Web page of links to various networking tools

• Network Security Toolkit (NST 18-4509) Fedora-based (F18) bootable Linux CD/DVD with best-of-breed open source network security tools. Provides a Web-Based frontend to the dumpcap network packet capture engine with dump file format: pcapng support. Simultaneous network packet capture on up to 4 network interfaces per Multi-Tap session is supported. Also provides IPv4 Address conversation geolocations and extensive HTML report generation from PDML and PSML packet decoding. See the article: Multi-Tap Network Packet Capturing for a tutorial and example usage. Capture starting can be delayed by a duration or an absolute date. Captures can be uploaded from NST to "CloudShark.org" or a "CloudShark Appliance" for viewing, sharing and analysis in a web browser (See: HowTo Use The NST CloudShark Upload Manager for additional information).

• dsniff is a collection of tools for network auditing and penetration testing (BSD style?, BSD/Linux/Solaris/...)

USB capture

Raw USB traffic can be captured with Wireshark currently only under Linux, see CaptureSetup/USB. If it's an Ethernet (or any other network related) USB adapter, Wireshark can capture e.g. Ethernet traffic from that USB device if the platform supports it (which it usually will do). On Win32 you can however try:

• usbsnoopy last updated (v0.13) in 2001 (no license, source incl., Win32)

• SnoopyPro based on usbsnoopy, last updated (v0.22) in 2002 (GPL, Win32)

  • Also usbsnoop seems to be by the same developer, but updated through 2001-2003 (latest v1.8)

• SniffUSB "minor" updates and port of usbsnoop 1.8 (v2.0.0006 Feb 2007)

Intrusion Analysis / SQL Database Support

• C5 SIGMA from Command Five Pty Ltd automates TShark (Wireshark) to load large quantities of packet capture data into a SQL database using an automatically generated schema. C5 SIGMA flattens the Wireshark protocol tree into a relational table structure useful for intrusion analysis and data correlation with other systems. It also enables SQL queries against otherwise unnamed text fields visible in the Wireshark protocol tree by intelligently generating human readable names. C5 SIGMA is free software, released under GPL.