
Posted (edited)

Hello,

To provide an easy-to-use starter to capture traffic on all NICs found, I can successfully get all the interfaces of TSHARK.EXE (the command line version that's automatically installed along with Wireshark) with this script:

#include <AutoItConstants.au3>
#include <Array.au3>

$TS_WD = "C:\Program Files\Wireshark"
$TS_exe = $TS_WD & "\tshark.exe"

If Not FileExists($TS_exe) Then
    MsgBox(48, "Fatal Error", "No Wireshark Commandline Tool ""TSHARK.EXE"" found:" & @CRLF & _
        $TS_exe)
    Exit
EndIf

$DString = ""
; Quote the exe path (it contains spaces); "-D" lists the capture interfaces.
; $STDERR_MERGED delivers the child's stderr together with its stdout.
$PIDGetIFs = Run('"' & $TS_exe & '" -D', $TS_WD, @SW_HIDE, $STDERR_MERGED)

While ProcessExists($PIDGetIFs)
    $DString &= StdoutRead($PIDGetIFs)
WEnd
$DString &= StdoutRead($PIDGetIFs) ; pick up whatever was still buffered when the process ended

; MsgBox(0,"IFs",$DString)

$aNICs = StringSplit($DString, @CRLF, 1)
_ArrayDisplay($aNICs)

; One line per interface, e.g. "1. \Device\NPF_{...} (LAN-Verbindung)"
$RegExIF = "^(?:\d+\. )(\\.*?})(?: \()(.*?)(\))$" ; $1 = TSHARK Interface Name, $2 = Windows Interface Name
; ... get the names to run TSHARK with the appropriate interface string

When I run TSHARK.EXE using this line directly, I see a continuously growing number showing the number of packets captured so far.

"C:\Program Files\Wireshark\tshark.exe" -i \Device\NPF_{AEB931E9-E5FA-4DA5-8328-D87BDF53805C} -b duration:300 -b files:600 -w "y:\TShark-Ringbuffer\LAN-Verbindung\TSHARK-Com-0317_17---LAN-Verbindung___.pcap"

Using this script, I *DO* see the first output line "Capturing on 'LAN-Verbindung'", but I cannot get hold of the continuously growing number of packets captured so far.

#include <AutoItConstants.au3>

$WD = "C:\Program Files\Wireshark"
$CMD = '"C:\Program Files\Wireshark\tshark.exe" -i \Device\NPF_{AEB931E9-E5FA-4DA5-8328-D87BDF53805C} -b duration:300 -b files:600 -w "y:\TShark-Ringbuffer\LAN-Verbindung\TSHARK-Com-0317_17---LAN-Verbindung___.pcap"'
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $CMD = ' & $CMD & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

; $STDERR_MERGED: stdout and stderr of tshark arrive in one stream via StdoutRead
$PID = Run($CMD, $WD, @SW_SHOW, $STDERR_MERGED)
ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $PID = ' & $PID & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console

$OutputAll = ""

While ProcessExists($PID)
    $output = StdoutRead($PID)
    $OutputAll &= $output
    ToolTip($OutputAll)
    If $output <> "" Then ConsoleWrite("""" & $output & """" & @CRLF)
    Sleep(1000)
WEnd
$OutputAll &= StdoutRead($PID) ; drain what was still buffered when the process ended

ConsoleWrite("Process vanished" & @CRLF)

This is the output of SciTE, when I let TSHARK.EXE run for a short while, then "close" its "box" ...

--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
@@ Debug(10) : $CMD = "C:\Program Files\Wireshark\tshark.exe" -i \Device\NPF_{AEB931E9-E5FA-4DA5-8328-D87BDF53805C} -b duration:300 -b files:600 -w "y:\TShark-Ringbuffer\LAN-Verbindung\TSHARK-Com-0317_17---LAN-Verbindung___.pcap"
>Error code: 0
@@ Debug(13) : $PID = 10948
>Error code: 0
"Capturing on 'LAN-Verbindung'
"
Process vanished

How to catch the "growing packet number" TSHARK.EXE is writing continuously to the same "window position"???


Regards, Rudi.

 

tshark-d.jpg

TSHARK-in-CMD-box.jpg

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Posted (edited)

Anybody?

How to get the "numbers" that TSHARK.EXE is writing in its console window to always the same position?

Marked in the picture of the initial posting with an arrow.

 

It looks like TSHARK.EXE is using STDERR to write this "capture count" to its console window, at least I think so, as when I redirect STDOUT to a file, the numbers still go on counting in the CLI. When I redirect STDERR, or STDOUT and STDERR, these numbers don't show up in either the CLI *OR* the file they should go to.

Is there a 3rd "output stream" beside STDERR and STDOUT?

 

Redirecting STDOUT only: the numbers continue to show up in the CLI:

C:\Program Files\Wireshark>tshark -i \Device\NPF_{F98B3CC7-6320-41FD-A9C0-769989EAEBEA} -b duration:300 -b files:30 -w c:\temp\tshark-test.pcap > c:\temp\tshark-output.txt
Capturing on 'Drahtlosnetzwerkverbindung'
22 <<< showing up in CLI. TAIL.EXE -f c:\temp\tshark-output.txt does *NOT* show the packet counter

Redirecting both ends up with the "packet counter" not showing up at all, neither in the CLI nor in the file the redirect is piped to:

C:\Program Files\Wireshark>tshark -i \Device\NPF_{F98B3CC7-6320-41FD-A9C0-769989EAEBEA} -b duration:300 -b files:30 -w c:\temp\tshark-test.pcap 2> c:\temp\tshark-output.txt 1>&2

<<<< neither here nor in C:\temp\tshark-output.txt does the "number of packets" show up

The same is the case when only redirecting STDERR to that file:

 

C:\Program Files\Wireshark>tshark -i \Device\NPF_{F98B3CC7-6320-41FD-A9C0-769989EAEBEA} -b duration:300 -b files:30 -w c:\temp\tshark-test.pcap 2> c:\temp\tshark-output.txt
<<< with 2> (STDERR) redirection only, the packet counter doesn't show up in either the CLI or the redirection target file.

Any suggestions appreciated, TIA, Rudi.

Edited by rudi

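The redirection tests above are consistent with a counter that is rewritten in place on stderr with a bare carriage return between values, so a CRLF-oriented read never sees the value boundaries. The following is an added example (in Python rather than AutoIt, and not code from this thread or from Wireshark) that merges the child's stderr into one pipe and extracts the newest count from the `\r`-separated stream; it assumes the counter format `\r<digits> ` and the paths and interface id quoted in the thread, and if tshark only prints the counter to a real console, the script reports that nothing arrived instead of a stale number.

```python
import os
import re
import subprocess
import sys

# Constructed sample of an in-place progress counter as it arrives through a
# pipe: successive values are separated by bare carriage returns, not CRLF
# line endings (assumed tshark format: "\r<digits> ").
SAMPLE_STREAM = "Capturing on 'LAN-Verbindung'\n\r12 \r57 \r143 "

# A complete counter value is preceded by CR or LF and terminated by a space,
# so a value cut off mid-digits at the end of a chunk is not reported yet.
COUNT_RE = re.compile(r"[\r\n](\d+) ")


def latest_packet_count(buffer):
    """Return the newest complete counter value in buffer, or None if none."""
    matches = COUNT_RE.findall(buffer)
    return int(matches[-1]) if matches else None


def follow_counter(cmd, on_change, tail=64):
    """Run cmd with stderr merged into stdout, call on_change(count) whenever
    the counter advances, and return the final count (None if never seen)."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    buf, last = "", None
    while True:
        chunk = os.read(proc.stdout.fileno(), 4096)  # returns partial chunks
        if not chunk:
            break
        # Keep only the tail; it always contains the most recent full value.
        buf = (buf + chunk.decode("utf-8", "replace"))[-tail:]
        count = latest_packet_count(buf)
        if count is not None and count != last:
            last = count
            on_change(count)
    proc.wait()
    return last


if __name__ == "__main__":
    # Assumed install path, interface id and output folder from the thread;
    # take the interface id from "tshark -D" on the machine in question.
    cmd = [r"C:\Program Files\Wireshark\tshark.exe",
           "-i", r"\Device\NPF_{AEB931E9-E5FA-4DA5-8328-D87BDF53805C}",
           "-b", "duration:300", "-b", "files:600",
           "-w", r"C:\temp\TSHARK-Files\TSHARK-NIC_NAME__.pcap"]
    final = follow_counter(cmd, lambda n: print(f"packets so far: {n}"))
    if final is None:
        print("no counter arrived on the pipe (only printed to a console?)",
              file=sys.stderr)
```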

Posted

Can you send the files needed so I can reproduce this? You provided a lot of information to get my head around, a bit confusing; not sure if you just want the count or the actual packets.

Spoiler

Renamer - Rename files and folders, remove portions of text from the filename etc.

GPO Tool - Export/Import Group policy settings.

MirrorDir - Synchronize/Backup/Mirror Folders

BeatsPlayer - Music player.

Params Tool - Right click an exe to see it's parameters or execute them.

String Trigger - Triggers pasting text or applications or internet links on specific strings.

Inconspicuous - Hide files in plain sight, not fully encrypted.

Regedit Control - Registry browsing history, quickly jump into any saved key.

Time4Shutdown - Write the time for shutdown in minutes.

Power Profiles Tool - Set a profile as active, delete, duplicate, export and import.

Finished Task Shutdown - Shuts down pc when specified window/Wndl/process closes.

NetworkSpeedShutdown - Shuts down pc if download speed goes under "X" Kb/s.

IUIAutomation - Topic with framework and examples

Au3Record.exe

Posted
On 9/7/2018 at 5:12 PM, rudi said:

Howto catch the "growing-packet-number" TSHARK.EXE is writing continuously to the same "window position"???

52 minutes ago, careca said:

or the actual packets.

I think that it is what the OP is looking for :)

Best Regards.


Posted

I guess the idea is you should keep it simple. The packet count, ok, how can I test ideas?


  • 3 weeks later...
Posted

Hello,

I had some really busy days ...


TSHARK.EXE is part of the wireshark installation, the installer can be downloaded here:

https://www.wireshark.org/download.html

 

Once installed, TSHARK.EXE can be used e.g. from inside a CMD box with the commands given in the previous postings. Basically it's as easy as this:

  1. Open CMD box and CD to the Wireshark Installation directory, the default is "c:\Program Files\Wireshark\"
  2. run "TSHARK.EXE -D" (CAPITAL "d" !!) to get the device ID
  3. Create a folder to take all the capture files, e.g. C:\temp\TSHARK-Files
  4. run TSHARK to start capturing to file, it will continuously display the number of packets captured so far:
    TSHARK.EXE -i \Device\NPF_{7B50E6E4-0ACE-4095-A4F2-D8EE2B738491} -b duration:300 -b files:600 -w C:\temp\TSHARK-Files\TSHARK-NIC_NAME__.pcap

What I'm looking for is to catch the count of "packets captured so far".

 

Regards, Rudi.


Posted (edited)

NPF driver not running.. weird

Edited by careca

Posted

This is what I came up with; I had to change the id, so you can put yours back.

#include <AutoItConstants.au3>

$WD = "C:\Program Files\Wireshark"
; Capture to stdout (no -w): tshark then prints each packet as a text line
$CMD = '"C:\Program Files\Wireshark\tshark.exe" -i \Device\NPF_{A7456150-8CCA-428A-9DD3-F6EA541249F5}'; -b duration:3000 -b files:600 -w "C:\Users\W10\Desktop\TSHARK-Com-0317_17---LAN-Verbindung___.pcap"'
;$CMD='"C:\Program Files\Wireshark\tshark.exe" -i \Device\NPF_{A7456150-8CCA-428A-9DD3-F6EA541249F5} -b duration:3000 -b files:600 -w "c:\TShark-Ringbuffer\LAN-Verbindung\TSHARK-Com-0317_17---LAN-Verbindung___.pcap"'
;ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $CMD = ' & $CMD & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
$PID = Run($CMD, '', @SW_HIDE, $STDIN_CHILD + $STDOUT_CHILD)

While ProcessExists($PID)
    $output = StdoutRead($PID, False, False) ;True, False
    If $output <> "" Then
        ; Split on CR and LF individually and show the start of the last chunk read
        $split = StringSplit($output, @CRLF)
        ConsoleWrite(StringLeft($split[$split[0]], 7) & ' - ' & @MSEC & @CRLF)
    EndIf
    Sleep(100)
WEnd

ConsoleWrite("Process vanished" & @CRLF)

 


Posted

Hello,

 

thanks for your reply.

 

What you posted works fine when TSHARK.EXE is capturing to STDOUT, and *NOT* to file. That works.

 

 

But what I want to get hold of is the number of packets captured so far when doing a *CAPTURE TO FILE*:

 

; Ring buffer to file: new file every 300 s, at most 600 files kept
$CaptureToFileRingbuffer = ' -b duration:300 -b files:600 -w "y:\TShark-Ringbuffer\LAN-Verbindung\TSHARK-to-File-LAN-Verbindung___.pcap"'
$CMD &= $CaptureToFileRingbuffer

Then the "number of packets so far" seems to be "un-grabbable" for AutoIt. When starting TSHARK.EXE directly with the very same command, it's working fine.

 

 

Any further suggestions?

 

Regards, Rudi.

 


Posted (edited)

Yeah, I understand what you mean. I couldn't do it with the file dump; the console in AutoIt doesn't retrieve any value, as when you run it directly, as you mentioned.

I'm out of ideas, short of getting the number of packets in general, in the network interface, instead of through the tshark app.

Edited by careca

Posted

Hello,

thanks for your reply.

 

Anybody who knows at least what's going on behind the scenes?

 

How is TSHARK doing this "write-something-to-a-certain-position" of a CMD box, without making use of STDOUT or STDERR?

 

hm...

 

Regards, Rudi.


Posted

Maybe you can use a Named Pipe as temp file to collect the data? Better start that cmd window as admin then.

Re. fixed-position cmd window writing, I use SetConsoleCursorPosition (from C++). Technically that uses stdout though; never tested whether it could be captured.

  • 4 weeks later...
Posted

Hi,

back from some marvelous 3 weeks of holiday :D in California to cold and cloudy good old Germany :(

thanks for your reply,

 

That's promising. As I don't have experience with named pipes, can you give me a direction on how to tell TSHARK.EXE to send all its output to a named pipe, and how to grab that one from AutoIt?

 

TIA, Rudi.
