1

I am working with lots of PCAP files and trying to convert them into .tsv files for tabular analysis. So I'm using tshark in a Ubuntu 22 VirtualBox machine to dissect each packet. I have a bash command that I use within a for loop to process each PCAP file.

tshark -r "${pcapFile}" -2 \
        -T fields \
        -E separator=/t \
        -E header=y \
        -E quote=d \
        -e frame.time_epoch \
        -e _ws.col.Info \
        -e _ws.col.Protocol \
        -e ip.src \
        -e ip.dst \
        -e ip.proto \
        -e ip.version \
        -e ip.hdr_len \
        -e ip.src_host \
        -e ip.dst_host \
        -e ip.geoip.dst_city \
        -e ip.geoip.dst_country_iso \
        -e ip.geoip.dst_asnum \
        -e ip.geoip.src_city \
        -e ip.geoip.src_country_iso \
        -e ip.geoip.src_asnum \
        -e eth.src \
        -e eth.dst > "${OUTPUT_FOLDER}/${filename}.tsv"

I'm encountering some strange results.

  1. When I run this command as sudo the processing runs much faster than when I run without sudo.
  2. When I run this command as sudo, the geoip fields are empty, but when I run without sudo they are filled.

I'm hoping to get the best of both worlds here, since I have many pcap files to process and would like it to move quickly, but also, I very much want the geoip information. Why can't I get the geoip fields as sudo and/or why doesn't the processing run as quickly without sudo?

tshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
wireshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
System specs: 12 CPU, 24 GB RAM, Ubuntu 22.04

CopyOfA
  • 113
  • 4

1 Answers1

1

You likely have the GeoIP database installed as normal user and not as root. That's why it has nothing to lookup when running as root, which both explains why it is faster and why no geoip results are shown.

I'm hoping to get the best of both worlds here

Unfortunately you likely can't.

Steffen Ullrich
  • 2,500
  • 15
  • 16
  • Couple questions: 1) How can I get root to see the GeoIP databases? Can this be done with `-E` (e.g., `sudo -E process_all_pcap.sh`)? 2) Should I care about the difference between running as root vs. normal user? That is, if I get root to see GeoIP databases, will the speed difference remain or probably not? – CopyOfA Dec 23 '22 at 13:20
  • 1
    @CopyOfA: " How can I get root to see the GeoIP databases? "* - run wireshark as root an install it as described in the documentation. *"Can this be done with -E"* - maybe, just try it. *"That is, if I get root to see GeoIP databases, will the speed difference remain or probably not?"* - given that the speed difference is probably due to the missing GeoIP database and thus the inability to do lookups, it will be again slower once it can do GeoIP lookups. There is no actual reason that running as root should be faster except when it does less things as root. – Steffen Ullrich Dec 23 '22 at 13:28