The available sharkd request types are:
- analyse
- bye
- check
- complete
- download
- dumpconf
- follow
- frame
- frames
- info
- intervals
- iograph
- load
- setcomment
- setconf
- status
- tap
See the sharkd wiki page for an overview.
analyse
Lists the protocols found in a packet file and its start and end times.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "analyse" | string | M |
M/O: M = Mandatory, O = Optional
NB: The request values is analyse spelt in the UK English way - analyze will not work.
Response
Name | Value | Type |
---|---|---|
frames | Number of frames in the loaded file | integer |
protocols | List of the protocol found in the loaded file | array of strings |
first | Time of first entry in the capture | float representing epoch time and fractions of seconds |
last | Time of last entry in the capture | float representing epoch time and fractions of seconds |
Parameters
This request type has no other parameters.
Examples
{"req":"analyse"}
{"frames":53882,"protocols":["frame","eth","ethertype","ip","tcp","http","tds","data-text-lines","data","arp","udp","dns","dcerpc","cldap","spnego","spnego-krb5","ldap","gss-api","ipv6","dhcpv6","kerberos","nbdgm","smb","browser","nbss","smb2","urlencoded-form"],"first":1476281874.317326069,"last":1476283715.849661112}
bye
Ends the startd session.
If the request is sent in a Daemon Mode session connecting to sharkd, the connection terminates and the process for that session exits. The daemon process continues to run and accept new connections. Other existing sessions continues as normal.
If the request is sent in a Console Mode session, the sharkd process exits.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "bye" | string | M |
M/O: M = Mandatory, O = Optional
Response
There is no response to this request.
Examples
{"req":"bye"}
C:\Development\wsbuild64\run\Debug\sharkd.exe (process 10396) exited with code 0.
To automatically close the console when debugging stops, enable Tools->Options->Debugging->Automatically close the console when debugging stops.
Press any key to close this window . . .
check
Check the validity of a field name or filter expression.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "check" | string | M |
field | A fully qualified field reference | string | O |
filter | A display filter expression | string | O |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code - always 0 | integer |
field | Return message | string |
filter | Return message | string |
Return Message:
Return Message | Description |
---|---|
"ok" | The field or filter is valid |
Other values | As described in the return message |
Examples
{"req":"check", "field":"tcp.srcport"}
{"err":0,"field":"ok"}
{"req":"check", "field":"transum.art"}
{"err":0,"field":"notfound"}
{"req":"check", "filter":"tcp.dstport==80"}
{"err":0,"filter":"ok"}
{"req":"check", "filter":"tcp.bad_field==80"}
{"err":0,"filter":"Neither \"tcp.bad_field\" nor \"80\" are field or protocol names."}
{"req":"check", "filter":"tcp.dstport==abc"}
{"err":0,"filter":"\"abc\" is not a valid number."}
{"req":"check", "filter":"tcp.dstport==80 &| tcp.srcport==45678"}
{"err":0,"filter":"Syntax error near \"tcp.srcport\"."}
{"req":"check", "filter":"tcp.dstport==80 && tcp.srcport==89000"}
{"err":0,"filter":"\"89000\" too big for this field, maximum 65535."}
complete
Fetches the properties of a field(s) or preference(s).
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "complete" | string | M |
field | A fully qualified field reference | string | O |
pref | A fully qualified preference reference | string | O |
M/O: M = Mandatory, O = Optional
The complete request assumes that the value specified for field or pref is the first part of its reference (i.e. prefix) and returns a list of every field that matches. This is not a match based on the dotted hierarchy but a straightforward string match, e.g:
"field":"http.request" will return details for http.request_number as well as http.request.line, http.request.method, etc.
Response
Name | Value | Type |
---|---|---|
err | Error code - always 0 | integer |
field | "f":"field_reference" "t":field_type "n":"field_name" |
array of objects |
pref | "f":"preference_name" "d":preference_description |
array of objects |
The field_type is a numeric value determined by an enumerated list - see ftypes.h
If the input field or pref values is incorrect, an empty array is returned.
Examples
{"req":"complete", "field":"http.request.method"}
{"err":0,"field":[{"f":"http.request.method","t":26,"n":"Request Method"}]}
{"req":"complete", "field":"http.request"}
{"err":0,"field":[{"f":"http.request","t":2,"n":"Request"},{"f":"http.request_number","t":7,"n":"Request number"},{"f":"http.request.line","t":26,"n":"Request line"},{"f":"http.request.method","t":26,"n":"Request Method"},{"f":"http.request.uri","t":26,"n":"Request URI"},{"f":"http.request.uri.path","t":26,"n":"Request URI Path"},{"f":"http.request.uri.query","t":26,"n":"Request URI Query"},{"f":"http.request.uri.query.parameter","t":26,"n":"Request URI Query Parameter"},{"f":"http.request.version","t":26,"n":"Request Version"},{"f":"http.request.full_uri","t":26,"n":"Full request URI"},{"f":"http.request_in","t":35,"n":"Request in frame"}]}
{"req":"complete", "field":"http.bad_ref"}
{"err":0,"field":[]}
{"req":"complete", "pref":"tcp"}
{"err":0,"pref":[{"f":"tcp","d":"TCP"},{"f":"tcpencap","d":"TCPENCAP"},{"f":"tcpros","d":"TCPROS"}]}
download
Get decoded objects (exported objects, SSL secrets or rtp data); some downloaded data is base64 encoded.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "download" | string | M |
token | Token to download: - eo:<object_ref> - ssl-secrets - rtp:<stream_specification> |
string | M |
M/O: M = Mandatory, O = Optional
Details of the object_ref and stream_specification are under eo and rtp respectively below.
eo
For the eo (Export Object) token we can download data objects of the following types:
- DICOM
- HTTP
- IMF
- SMB
- TFTP
Before requesting a download for an exported object we must export it. This is done by running an appropriate tap command, for example:
{"jsonrpc":"2.0","id":3,"method":"tap", "params":{"tap0":"eo:http"}}
then we can make the request like this:
{"jsonrpc":"2.0","id":3,"method":"download", "params":{"token":"eo:http_0"}}
The object_ref is created by suffixing the type with an underscore character (_) followed by an index into the table of detected objects. In Wireshark, if we display the HTTP Export Objects for a sample file we may see something like this:
To get the first object, we would use the request:
{"req":"download","token":"eo:http_0"}
To get the second object, we would use the request:
{"req":"download","token":"eo:http_1"}
And so on.
ssl-secrets
sharkd can export and download the session keys which are specific to the traffic in a capture file. To extract the session keys we must first decrypt the traffic using the server private (RSA) key. This is done by passing in the private key via the TLS preferences; either using Wireshark to edit the prefs file, or by using the sharkd setconf request prior to loading the trace file.
Once the file is decrypted, we can download the Session Keys (ssl-secrets).
See the TLS page of this wiki for further information.
rtp
With this option we can download the audio content from an rtp stream as an x-wav MIME data file. The request must contain the stream_specification which uniquely identifies the stream as follows:
source-ip_source-port_destination-ip_destination-port_synchronization-source-identifier
A full request would then look like this:
{"req":"download","token":"rtp:200.57.7.204_8000_200.57.7.196_40376_0xd2bd4e3e"}
Response
Name | Value | Type |
---|---|---|
file | Suggested file name | string |
mime | The objects MIME content-type | string |
data | Base64-encoded object | string |
NB: If a request is made for a token that doesn't exist, sharkd responds with \r\n\r\n
only i.e. there is no JSON response.
eo
The exported object can be an HTML page, a jpg image, a CSS stylesheet, etc. The file name is equivalent to the final element of a URL path such as index.html or favicon.ico
If we try to download an exported object that doesn't exist, there will be no response from sharkd.
ssl-secret
Output format is:
RSA Session-ID:xxxx Master-Key:yyyy\n
Where:
- xxxx is the session ID in hex (max 64 chars)
- yyyy is the Master Key in hex (always 96 chars)
So in total max 3+1+11+64+1+11+96+2 = 189 chars
Alternatively, the output is:
CLIENT_RANDOM zzzz yyyy\n
Where:
- zzzz is the client random (always 64 chars)
- yyyy is same as above
So length will always be 13+1+64+1+96+2 = 177 chars
rtp
The file value for an rtp download is the string "rtp:" suffixed with the stream specification. See the rtp example below.
Examples
{"req":"download","token":"eo:http_0"}
{"file":"About","mime":"text/html","data":"PCFET0NUWV ... ib2R5Pg0KPC9odG1sPg0K"}
{"req":"download","token":"rtp:200.57.7.204_8000_200.57.7.196_40376_0xd2bd4e3e"}
{"file":"rtp:200.57.7.204_8000_200.57.7.196_40376_0xd2bd4e3e","mime":"audio/x-wav","data":"UklGRv////9XQVZF ... AQQAsj/eABwA5AC6P4Y/8gB8AJQAzAC"}
dumpconf
Lists one or all configuration parameters.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "dumpconf" | string | M |
pref | A fully qualified preference reference | string | O |
M/O: M = Mandatory, O = Optional
If the pref value is not specified, all preferences are listed.
Response
Name | Objects in the Array | Type |
---|---|---|
prefs | array of objects | |
pref_name | ||
"b":binary_value | 0 - not set, 1 - set | |
"d":"description" | string | |
"e":[Drop_down_list] - "v":value - "s":selected - "d":"description" |
array of objects | |
"r":"[range_of_values]" | string with a comma separated list of numbers or a range specified as start-end |
|
"s":"string_value" | string | |
"t":[table_of_values] | array of objects | |
"u":unsigned_integer_value | integer |
Examples
{"req":"dumpconf","pref":"tcp.desegment_tcp_streams"}
{"prefs":{"tcp.desegment_tcp_streams":{"b":1}}}
{"req":"dumpconf"}
{"prefs": ...
"ber.decode_primitive":{"b":0}, ...
"bgp.asn_len":{"e":[{"v":0,"s":1,"d":"Auto-detect"},{"v":2,"d":"2 octet"},{"v":4,"d":"4 octet"}]} ...
"bjnp.udp.port":{"r": "8611-8614"}, ...
"couchbase.tls.port":{"u": 11207}, ...
"couchbase.tcp.port":{"r": "11210"}, ...
follow
Get client and server information for a particular protocol or stream plus the data payload being carried by the protocol specified. The protocol payload is JSON-Base64 encoded to accommodate binary content.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "follow" | string | M |
follow | Protocol payload to output | string | M |
filter | Filter expression | string | M |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
shost | Service IP address | string (dotted IP address) |
sport | Service port number | string |
sbytes | Total number of bytes from service to client | integer |
chost | Client IP address | string (dotted IP address) |
cport | Client port number | string |
cbytes | Total number of bytes from client to service | integer |
payloads | The payload carried by the protocol specified in the packets in the stream |
array of objects |
- "n": | Number of bytes in the payload | integer |
- "d": | Protocol payload | bytes encoded as JSON-Base64 |
- "s": | Direction of the flow missing - client to service 1 - service to client |
integer |
Bear in mind that this request will deliver all the data in a stream and so the response may be very large.
Examples
{"req":"follow","follow":"HTTP","filter":"tcp.stream==0"}
{"err":0,"shost":"192.168.3.78","sport":"80","sbytes":110,"chost":"192.168.3.85","cport":"46815","cbytes":5339,"payloads":[{"n":4,"d":"R0VUIC9NeUFwcC9Ib21lL0Fib3V ... 5NQ0KDQo=","s":1},{"n":9,"d":"PCFET0 ... KPC9odG1sPg0K","s":1}]}
{"req":"follow","follow":"TCP","filter":"tcp.stream==1"}
{"err":0,"shost":"192.168.3.79","sport":"1433","sbytes":163222,"chost":"192.168.3.78","cport":"50442","cbytes":66745,"payloads":[{"n":5,"d":"AQkBBAAAA ... hAHQAZQA="},{"n":6,"d":"BAEBCQBH ... AYAAAA=","s":1},{"n":22741,"d":"BgAAABoAQwByAGUAYQB0AGkAdgBlACAAQQByAHQAcwAAAAAAALb7XKyOAAAAAAAABAIAAAAIAAAAAAAAAA+q/xEAwQAKAAAAAAAAAHkAAAAA/gAA4AAAAAAAAAAAAA==","s":1}]}
{"req":"follow","follow":"TCP","filter":"tcp.stream==10000"}
{"err":0,"shost":"NONE","sport":"0","sbytes":0,"chost":"NONE","cport":"0","cbytes":0}
frame
Get full information about a frame including the protocol tree.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "frame" | string | M |
frame | Frame number | integer | M |
proto | If present, output the protocol tree | Any valid JSON value | O |
ref_frame | If present, output the time reference frame number This doesn't seem to work |
Any valid JSON value | O |
prev_frame | If present, output the previously displayed frame number This doesn't seem to work |
Any valid JSON value | O |
columns | If present, output frame columns | Any valid JSON value | O |
color | If present, output color-filter bg/fg | Any valid JSON value | O |
bytes | If present, output frame bytes | Any valid JSON value | O |
hidden | If present, output hidden tree fields | Any valid JSON value | O |
NB: A value of true is acceptable for any field that has a type of Any valid JSON value. However, a value of false is also treated as true i.e. {"req":"frame", "frame":4, "bytes":false}
will output the frame bytes.
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
tree | Protocol tree information - see below | array of objects |
col | array of column data | array |
bytes | Frame bytes encoded with Base64 | string of base64 |
ds | Other data sources | array of objects |
comment | Frame comment | string |
fol | Follow filter: [0] - protocol [1] - filter string |
array of objects |
i | true if frame is ignored | boolean |
m | true if frame is marked | boolean |
bg | Color filter - background color in hex | string |
fg | Color filter - foreground color in hex | string |
Values in the tree array
Name | Value | Type |
---|---|---|
l | Field label | string |
t | Type of tree or subtree node - "proto", "framenum" or "url" | string |
f | Filter variable (variable that can be used in an expression) | string |
s | Severity e.g. "Chat" | string |
e | Subtree ett index | integer |
n | Array of subtree nodes | array of objects |
h | Two item array: (item start, item length) | array of integers |
i | Two item array: (appendix start, appendix length) | array of integers |
p | [RESERVED] two item array: (protocol start, protocol length) | array of integers |
ds | Data src index | |
url | URL | string |
fnum | Used to reference a frame elsewhere in the file | integer |
g | true if field is generated by Wireshark | boolean |
v | true if field is hidden | boolean |
Examples
{"req":"frame", "frame":4}
{"err":0,"fol":[["HTTP","tcp.stream eq 0"],["TCP","tcp.stream eq 0"]]}
{"req":"frame", "frame":4, "proto":true}
{"err":0,"tree":[{"l":"Frame 4: 176 bytes on wire (1408 bits), 176 bytes captured (1408 bits) on interface \\Device\\NPF_{304D305E-652F-47CD-B730-94986169FE76}, id 0","h":[0,176],"t":"proto","f":"frame","e":10538,"n":[{"l":"Interface id: 0 (\\Device\\NPF_{304D305E-652F-47CD-B730-94986169FE76})","f":"frame.inter ... rue},{"l":"Req Spread: 0.000000000 seconds","f":"transum.reqspread == 0.000000000","g":true},{"l":"Rsp Spread: 0.000164000 seconds","f":"transum.rspspread == 0.000164000","g":true},{"l":"Trace clip filter: tcp.stream==0 && frame.number>=4 && frame.number<=9 && tcp.len>0","f":"transum.clip_filter == \"tcp.stream==0 && frame.number>=4 && frame.number<=9 && tcp.len>0\"","g":true},{"l":"Calculation: Generic TCP","f":"transum.calculation == \"Generic TCP\"","g":true}]}],"fol":[["HTTP","tcp.stream eq 0"],["TCP","tcp.stream eq 0"]]}
{"req":"frame", "frame":4, "columns":true}
{"err":0,"col":["4","0.000319","192.168.3.85","192.168.3.78","HTTP","176","GET /MyApp/Home/About HTTP/1.1 "],"fol":[["HTTP","tcp.stream eq 0"],["TCP","tcp.stream eq 0"]]}
{"req":"frame", "frame":4, "color":true}
{"err":0,"bg":"e4ffc7","fg":"12272e","fol":[["HTTP","tcp.stream eq 0"],["TCP","tcp.stream eq 0"]]}
{"req":"frame", "frame":4, "bytes":"true"}
{"err":0,"bytes":"AAwp+/kTAAwp2dO1CABFAACimmFAAEAGGAHAqANVwKgDTrbfAFAefnCL/KwyboAYAOU0GwAAAQEICgSv6tUOKKxsR0VUIC9NeUFwcC9Ib21lL0Fib3V0IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBjbG9zZQ0KVXNlci1BZ2VudDogSmFrYXJ0YSBDb21tb25zLUh0dHBDbGllbnQvMy4xDQpIb3N0OiB3ZWIwMQ0KDQo=","fol":[["HTTP","tcp.stream eq 0"],["TCP","tcp.stream eq 0"]]}
frames
Get Packet List information for a range of packets.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "frames" | string | M |
column0...columnXX | Requested columns either number in range [0..NUM_COL_FMTS], or custom (syntax <dfilter>:<occurence>). If column0 is not specified, the current profile column set will be used. |
integer or string | O |
filter | Output those frames that pass this filter expression | string | O |
skip | Skip N frames | integer | O |
limit | Limit the output to N frames | integer | O |
refs | Output based on this list (comma separated) of sorted time reference frame numbers. | string | O |
M/O: M = Mandatory, O = Optional
For details regarding the content of each column, see the columns listed on sharkd Info Request Output Example wiki page.
Response
The response is an array of objects. The elements of the object are as follows:
Name | Value | Type |
---|---|---|
c | Output of columns as strings | array of strings |
num | Frame number | integer |
bg | Color filter - background color in hex | string |
fg | Color filter - foreground color in hex | string |
Examples
{"req":"frames","filter":"frame.number<=2"}
[{"c":["1","0.000000","192.168.3.85","192.168.3.78","TCP","74","46815  80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=78637781 TSecr=0 WS=128"],"num":1,"bg":"e4ffc7","fg":"12272e"},{"c":["2","0.000075","192.168.3.78","192.168.3.85","TCP","74","80  46815 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=237546604 TSecr=78637781"],"num":2,"bg":"e4ffc7","fg":"12272e"}]
{"req":"frames","limit":2}
[{"c":["1","0.000000","192.168.3.85","192.168.3.78","TCP","74","46815  80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=78637781 TSecr=0 WS=128"],"num":1,"bg":"e4ffc7","fg":"12272e"},{"c":["2","0.000075","192.168.3.78","192.168.3.85","TCP","74","80  46815 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=237546604 TSecr=78637781"],"num":2,"bg":"e4ffc7","fg":"12272e"}]
{"req":"frames","skip":2,"limit":2}
[{"c":["3","0.000195","192.168.3.85","192.168.3.78","TCP","66","46815  80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=78637781 TSecr=237546604"],"num":3,"bg":"e4ffc7","fg":"12272e"},{"c":["4","0.000319","192.168.3.85","192.168.3.78","HTTP","176","GET /MyApp/Home/About HTTP/1.1 "],"num":4,"bg":"e4ffc7","fg":"12272e"}]
{"req":"frames","skip":2,"limit":1, "column0":20, "column1":"transum.art:1"}
[{"c":["VMware_d9:d3:b5","0.000075000"],"num":1,"bg":"e4ffc7","fg":"12272e"}]
Notes
There are a few considerations when using the frames request:
- The columns must be predefined in the Default profile
- Values for hidden columns are included in the response
- After making a change to the columns with Wireshark, we must:
- Close Wireshark to save the change
- Restart sharkd, including the whole daemon (if using Daemon Mode) not just the running session
- The columns are just listed as quoted comma separated variables
- There are no labels or field names associated with the columns
info
Get a list of format and statistics information types available to sharkd clients.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "info" | string | M |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
columns | array of objects | |
stats | array of objects | |
ftypes | array of objects | |
version | string | |
nstat | array of objects | |
convs | array of objects | |
sequ | array of objects | |
taps | array of objects | |
eo | array of objects | |
srt | array of objects | |
rtd | array of objects | |
follow | array of objects |
For a complete example of the output from the info request see the sharkd Info Request Output Example wiki page.
To be completed
Examples
{"req":"info"}
{"columns":[{"name":"802.1Q VLAN id","format":"%q"},
...
"stats":[{"name":"29West/Queues/Advertisements by Queue","tap":"stat:lbmr_queue_ads_queue"},
...
"ftypes":["FT_NONE","FT_PROTOCOL","FT_BOOLEAN","FT_CHAR","FT_UINT8","FT_UINT16","FT_UINT24","FT_UINT32",
...
"version":"v3.5.0rc0-595-g0d820ddc8d2d",
"nstat":[{"name":"A-I/F BSMAP Statistics","tap":"nstat:ansi_a,bsmap"},
...
"convs":[{"name":"Conversation List/Bluetooth","tap":"conv:Bluetooth"},
...
"seqa":[{"name":"All Flows","tap":"seqa:any"},
...
"taps":[{"name":"RTP streams","tap":"rtp-streams"},{"name":"Expert Information","tap":"expert"}],
"eo":[{"name":"Export Object/DICOM","tap":"eo:dicom"},
...
"srt":[{"name":"Service Response Time/AFP","tap":"srt:afp"},
...
"rtd":[{"name":"Response Time Delay/H.225 RAS","tap":"rtd:h225_ras"},
...
"follow":[{"name":"Follow/HTTP","tap":"follow:HTTP"}, ... }
intervals
This request considers aggregates the packet data to produce a count of the number of frames and a sum of the number of bytes in each interval. The aggregation is performed on fixed time intervals (default is one second).
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "intervals" | string | M |
interval | Interval time in milliseconds | integer | O |
filter | Display filter term applied prior to producing the sample set | string | O |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
intervals | Data array of arrays of integer values in the format [x,y,z] where: x - interval number y - number of frames in this interval z - number of bytes in this interval |
an array of arrays of comma separated integers |
last | The last interval number in the sample | integer |
frames | The total number of frames in the sample | integer |
bytes | The total number of bytes in the sample | integer |
NB: If there are no packets within an interval, no values are generated for that interval
Examples
{"req":"intervals","filter":"frame.number<=60"}
{"intervals":[[0,13,6812],[1,38,31459],[2,9,3775]],"last":2,"frames":60,"bytes":42046}
{"req":"intervals","interval":100,"filter":"frame.number<=60"}
{"intervals":[[0,12,6758],[1,1,54],[10,15,14783],[12,23,16676],[20,9,3775]],"last":20,"frames":60,"bytes":42046}
The output in the final example has intervals missing because there were no packets within these intervals.
iograph
Creates time sequenced list of values for graphing; default is second-by-second.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "iographs" | string | M |
interval | Interval time in milliseconds | integer | O |
filter | Display filter term applied prior to producing the sample set | string | O |
graph0 | First graph request - see below for details | string | M |
graph1...graph9 | Other graph requests - see below for details | string | O |
filter0 | First graph filter | string | O |
filter1...filter9 | Other graph filters | string | O |
M/O: M = Mandatory, O = Optional
Graph requests:
Name | Value | Type |
---|---|---|
graph0...graph9 | "packets" | string |
graph0...graph9 | "bytes" | string |
graph0...graph9 | "bits" | string |
graph0...graph9 | "sum:<field>" | string |
graph0...graph9 | "frames:<field>" | string |
graph0...graph9 | "max:<field>" | string |
graph0...graph9 | "min:<field>" | string |
graph0...graph9 | "avg:<field>" | string |
graph0...graph9 | "load:<field>" | string |
NB: Whichever field we want to graph must appear in the corresponding filter expression. If it doesn't, no values are generated.
An attempt to graph a field that is not a numeric produces an empty output array.
Response
Name | Value | Type |
---|---|---|
iograph | The top level array of output objects, one for each graph | an array of objects |
items | An array of values for one of the graphs specified | integer |
NB: If there are no packets within an interval, no values are generated for that interval
Examples
{"req":"iograph","graph0":"packets","filter0":"frame.number<=100"}
{"iograph":[{"items":[13.000000,38.000000,23.000000,25.000000,1.000000]}]}
{"req":"iograph","graph0":"sum:tcp.len","filter0":"http && frame.number<=100 && tcp.len"}
{"iograph":[{"items":[2553.000000,4640.000000,955.000000,5416.000000]}]}
{"req":"iograph","graph0":"sum:frame.len","filter0":"http && frame.number<=100 && frame.len","graph1":"sum:tcp.len","filter1":"http && frame.number<=100 && tcp.len"}
{"iograph":[{"items":[2685.000000,4904.000000,1153.000000,5614.000000]},{"items":[2553.000000,4640.000000,955.000000,5416.000000]}]}
{"req":"iograph","graph0":"http.request","filter0":"http && frame.number<=100 && http.request"}
{"iograph":[]}
load
Load a packet trace file for analysis.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "load" | string | M |
file | Path and name of the file to be loaded | string | M |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
Error Codes:
Error Code | Description |
---|---|
0 | The operation was successful |
2 | The file doesn't exist |
Examples
{"req":"load","file":"c:/traces/Contoso_01/web01/web01_00001_20161012151754.pcapng"}
{"err":0}
{"req":"load","file":"c:/traces/Contoso_01/web01/wrong_name.pcapng"}
{"err":2}
setcomment
Sets a comment in a frame for the duration of a sharkd session i.e. the PCAPNG file is not modified and so the comment is not persistent.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "setcomment" | string | M |
frame | The frame in which the comment is set | integer | M |
comment | The comment text | string | O |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
Error Codes:
Error Code | Description |
---|---|
0 | The operation was successful |
Examples
{"req":"setcomment","frame":1,"comment":"Hello world"}
{"err":0}
{"req":"frame", "frame":1, "proto":"true"}
{"err":0,"comment":"Hello world","tree":[{"l":"Packet comments","t":"proto","f":"pkt_comment","s":"Comment","e":10541,"n":[{"l":"Hello world","f":"frame.comment == \"Hello world\"","s":"Comment","e":55379,"n":[{"l":"Expert Info (Comment/Comment): Hello world","t":"pro ...
setconf
Set a preference for the duration of a sharkd session i.e. the preference file is not modified and so the setting is not persistent.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "setconf" | string | M |
name | The name of the preference | string | M |
value | The new value for the preference | as appropriate | M |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
Error Codes:
Error Code | Description |
---|---|
0 | The operation was successful |
Examples
{"req":"setconf","name":"tcp.desegment_tcp_streams","value":false}
{"err":0}
{"req":"dumpconf","pref":"tcp.desegment_tcp_streams"}
{"prefs":{"tcp.desegment_tcp_streams":{"b":0}}}
{"req":"setconf","name":"tcp.desegment_tcp_streams","value":true}
{"err":0}
{"req":"dumpconf","pref":"tcp.desegment_tcp_streams"}
{"prefs":{"tcp.desegment_tcp_streams":{"b":1}}}
status
Get basic information about the loaded file (name, size, number of frames, etc.).
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "status" | string | M |
M/O: M = Mandatory, O = Optional
Response
Name | Value | Type |
---|---|---|
frames | Count of currently loaded frames | integer |
duration | Time difference between time of first frame, and last loaded frame | number |
filename | Capture file name - only present if file is loaded | string |
filesize | Capture file size - only present if file is loaded | integer |
Examples
{"req":"status"}
{"frames":53882,"duration":1841.532335000,"filename":"web01_00001_20161012151754.pcapng","filesize":36433896}
tap
Set up to 16 statistics taps and get statistics from them; tap types are stats, nstat, conv, host, rtp-streams, rtp-analyse, eo, expert, rtd, srt and flow.
Request
Name | Value | Type | M/O |
---|---|---|---|
req | "tap" | string | M |
tap0 | First tap type request | string | M |
tap1 ... tap15 | Other tap type request | string | O |
M/O: M = Mandatory, O = Optional
Tap Types
The format of this attribute is "tap0":"<type>:<subtype>"
There are many types and subtypes - too many to list here and the list will change as new protocols are added to Wireshark. Use the info request to get a full list of the values available - click here for example info output.
Response
Name | Value | Type |
---|---|---|
err | Error code | integer |
taps | One array for each tap specified | array of objects |
- tap | Tap type - see above | string |
- type | Tap type - see above | string |
- details | A array of objects, one for each packet | array of objects |
Objects in the details fields:
Name | Value | Type |
---|---|---|
conv | ||
eo | ||
flow | ||
host | ||
expert | ||
f | Frame number | integer |
g | Expert group | string |
"Sequence" | ||
m | Expert message | string |
p | Protocol that this message applies to | string |
s | Severity of this message | string |
"Chat" | ||
nstat | ||
rtd | ||
rtp-streams | ||
rtp-analyse | ||
srt | ||
stat | ||
To be completed.
NB: Many of these taps produce a lot of data.
Examples
{"req":"tap","tap0":"conv:Ethernet"}
{"taps":[{"tap":"conv:Ethernet","type":"conv","convs":[{"saddr":"VMware_d9:d3:b5","daddr":"VMware_fb:f9:13","rxf":1,"rxb":74,"txf":1,"txb":74,"start":0.000000000,"stop":0.000075000,"filter":"eth.addr==00:0c:29:d9:d3:b5 && eth.addr==00:0c:29:fb:f9:13"}],"proto":"Ethernet","geoip":false}],"err":0}
{"taps":[{"tap":"expert","type":"expert","details":[{"f":2,"s":"Chat","g":"Sequence","m":"Connection establish acknowledge (SYN+ACK): server port 80","p":"TCP"},{"f":1,"s":"Chat","g":"Sequence","m":"Connection establish request (SYN): server port 80","p":"TCP"}]}],"err":0}
{"req":"tap","tap0":"seqa:tcp"}
sharkd_session_process_tap() count=1
{"taps":[{"tap":"seqa:tcp","type":"flow","nodes":["192.168.3.85","192.168.3.78"],"flows":[{"t":"0.000000","n":[0,1],"pn":[46815,80],"c":"Seq = 0"},{"t":"0.000075","n":[1,0],"pn":[80,46815],"c":"Seq = 0 Ack = 1"}]}],"err":0}
{"req":"tap","tap0":"stat:http_req"}
{"taps":[{"tap":"stats:http_req","type":"stats","name":"HTTP/Requests","stats":[{"name":"HTTP Requests by HTTP Host","count":1,"rate":0.1431,"perc":100,"burstrate":0.0100,"bursttime":0.000,"sub":[{"name":"web01","count":1,"rate":0.1431,"perc":100.00,"burstrate":0.0100,"bursttime":0.000,"sub":[{"name":"/MyApp/Home/About","count":1,"rate":0.1431,"perc":100.00,"burstrate":0.0100,"bursttime":0.000}]}]}]}],"err":0}