Ever located an old capture file and weren't sure what was in it, or needed to grab some quick statistics about a capture file? What about needing to run statistics on multiple capture files and present them via a database or a spreadsheet? If you have ever run into any of these scenarios then capinfos is worth a look. The capinfos command is available via the Backtrack CLI and provides statistics about capture files. It is one of the gems located on Backtrack that nobody ever hears about.
Cap File Statistics Via capinfos On Backtrack Linux:
Located in the /usr/local/bin directory, the capinfos command provides statistics about capture files. By default capinfos outputs a long report, but with the -T switch it outputs the same statistics in what it calls Table Format, which is delimited text that can easily be imported into a spreadsheet or a database. The help output displayed below lists all of the different stats available when running capinfos against a capture file.
Backtrack Linux capinfos Help Output:
```
root@bt:~# capinfos -h
Capinfos 1.8.3 (SVN Rev Unknown from unknown)
Prints various information (infos) about capture files.
See http://www.wireshark.org for more information.

Usage: capinfos [options] <infile> ...

General infos:
  -t display the capture file type
  -E display the capture file encapsulation
  -H display the SHA1, RMD160, and MD5 hashes of the file

Size infos:
  -c display the number of packets
  -s display the size of the file (in bytes)
  -d display the total length of all packets (in bytes)
  -l display the packet size limit (snapshot length)

Time infos:
  -u display the capture duration (in seconds)
  -a display the capture start time
  -e display the capture end time
  -o display the capture file chronological status (True/False)
  -S display start and end times as seconds

Statistic infos:
  -y display average data rate (in bytes/sec)
  -i display average data rate (in bits/sec)
  -z display average packet size (in bytes)
  -x display average packet rate (in packets/sec)

Output format:
  -L generate long report (default)
  -T generate table report

Table report options:
  -R generate header record (default)
  -r do not generate header record
  -B separate infos with TAB character (default)
  -m separate infos with comma (,) character
  -b separate infos with SPACE character
  -N do not quote infos (default)
  -q quote infos with single quotes (')
  -Q quote infos with double quotes (")

Miscellaneous:
  -h display this help and exit
  -C cancel processing if file open fails (default is to continue)
  -A generate all infos (default)

Options are processed from left to right order with later options superceeding
or adding to earlier options.

If no options are given the default is to display all infos in long report
output format.
root@bt:~#
```
As you can see from the help output, capinfos provides a bunch of useful info, including the capture file's MD5, RMD160, and SHA1 hashes. Those hashes are handy for recording exactly which capture you analyzed and for spotting a file that has changed since. Using one of the pcap capture files already located on Backtrack, let's look at the default output of capinfos.
capinfos Default Output: Statistical Info Of Wireless Packet Capture File
```
root@bt:~# capinfos /pentest/wireless/aircrack-ng/test/Chinese-SSID-Name.pcap
File name:           /pentest/wireless/aircrack-ng/test/Chinese-SSID-Name.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  IEEE 802.11 Wireless LAN
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1
File size:           287 bytes
Data size:           247 bytes
Capture duration:    n/a
Start time:          Tue Mar 23 05:43:45 2010
End time:            Tue Mar 23 05:43:45 2010
Data byte rate:      n/a
Data bit rate:       n/a
Average packet size: 247.00 bytes
Average packet rate: n/a
SHA1:                08c4f0c8fcc89980f8ce6407c9ad467d324bd65a
RIPEMD160:           9bf5f967da9ce11f0fdc0260f5357f51fef9c9b4
MD5:                 07595c9731f5db7aa56a12be42a268ce
Strict time order:   True
root@bt:~#
```
The above pcap file is included in the Backtrack Linux 5r3 aircrack-ng installation. You can see that capinfos gets the file encapsulation correct and provides a bunch of other statistics about the file, including the number of packets, file size, capture start time, capture end time, the file hashes, the average packet size, and more. capinfos provides a great overview of a capture file, and while the above example only has a single packet you get the idea of the information it is capable of providing.
Now if you only need a single statistic, such as the number of packets in a capture file, you can obtain that or any of the other data provided by capinfos by using the switches noted in the help output above. Let's run capinfos against another pcap file that's installed on Backtrack Linux by default to see the number of packets in the file.
Use capinfos To Determine Number Of Packets In A Capture File:
```
root@bt:~# capinfos -c /pentest/voip/sipp/pcap/dtmf_2833_9.pcap
File name:           /pentest/voip/sipp/pcap/dtmf_2833_9.pcap
Number of packets:   10
root@bt:~#
```
Say you had some form of network logging going on where capture files were being generated automatically, and you needed a nightly report sent to you about those files, including the number of packets that had traversed a network segment during a specific time period. You could use capinfos to generate Table Format output, which imports directly into a spreadsheet or a database so the data can be easily viewed and queried.
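As an added example (not from the original post or the Wireshark project), here is how the Table Format output of `capinfos -T -m -Q` over a batch of capture files could be parsed and loaded into SQLite for the nightly report described above. The header column names in the embedded sample are assumed to mirror the long-report labels shown earlier, and the hash values are placeholders; check the header your capinfos build actually prints and adjust the keys if they differ.

```python
"""Collect capinfos -T output from many capture files into SQLite and total it up."""
import csv
import io
import shutil
import sqlite3
import subprocess

# Table report (-T), comma separated (-m), double quoted (-Q), default header record,
# selecting packet count (-c), file size (-s), start/end time (-a -e) and hashes (-H).
CAPINFOS_FLAGS = ["-T", "-m", "-Q", "-c", "-s", "-a", "-e", "-H"]

# Constructed sample of that output (header names assumed, hashes are placeholders).
# One file name contains a comma on purpose: that is why -Q quoting matters when parsing.
SAMPLE_TABLE = (
    '"File name","Number of packets","File size","Start time","End time","SHA1","RIPEMD160","MD5"\n'
    '"/captures/seg1,night.pcap","10","1520","Tue Mar 23 05:43:45 2010",'
    '"Tue Mar 23 05:44:10 2010","<sha1 placeholder>","<rmd160 placeholder>","<md5 placeholder>"\n'
    '"/captures/seg2.pcap","1","287","Tue Mar 23 05:43:45 2010",'
    '"Tue Mar 23 05:43:45 2010","<sha1 placeholder>","<rmd160 placeholder>","<md5 placeholder>"\n'
)

def run_capinfos(paths):
    """Return the table report for the given capture files; needs capinfos on PATH."""
    if shutil.which("capinfos") is None:
        raise FileNotFoundError("capinfos not found on PATH")
    return subprocess.run(["capinfos", *CAPINFOS_FLAGS, *paths],
                          check=True, capture_output=True, text=True).stdout

def parse_table(text):
    """Parse the report; the csv module honours the -Q quoting, so commas in names survive."""
    return list(csv.DictReader(io.StringIO(text)))

def build_db(rows, path=":memory:"):
    """Store one record per capture file so the nightly numbers become a single query."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS captures (file_name TEXT PRIMARY KEY, "
                 "packets INTEGER, file_size INTEGER, start_time TEXT, end_time TEXT, "
                 "sha1 TEXT, md5 TEXT)")
    conn.executemany("INSERT OR REPLACE INTO captures VALUES (?,?,?,?,?,?,?)",
                     [(r["File name"], int(r["Number of packets"]), int(r["File size"]),
                       r["Start time"], r["End time"], r["SHA1"], r["MD5"]) for r in rows])
    conn.commit()
    return conn

def nightly_totals(conn):
    """(capture files, total packets, total bytes on disk) across everything loaded."""
    return conn.execute("SELECT COUNT(*), SUM(packets), SUM(file_size) FROM captures").fetchone()

if __name__ == "__main__":
    # Offline run on the constructed sample; use run_capinfos(paths) for real capture files.
    print(nightly_totals(build_db(parse_table(SAMPLE_TABLE))))  # (2, 11, 1807)
```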