Raspberry Pi – Tshark Rules AKA Filtering out the Noise

Running Tshark without any Filters or Rules will generate a lot of information to look at, some or most of which you would have any interesting in looking at. I have found that a device generating a lot of ARP requests can either mean a device that is having a problem and needs to be looked at

sudo tshark -R “arp” will show you just the ARP packets that Tshark is seeing on the network.
YouTube Preview Image
Once I have verified that there isn’t an ARP problem, I start weeding things out to reduce the amount of what I have to look at. Using sudo tshark -R “not arp” will do the exact opposite of what we did with the first rule where instead of looking at just arp packets, we dont want to see any arp packets in what tshark shows on the screen or capture file. Anything that you dont want to see need to have a not and a space in front of the protocol that you dont want to see.

One type of packet I have seen a lot of with the Raspberry Pi is the Ethernet-Configuration-Test-protocol packets. I did some research and found a reference that this type of packet is part of the original ethernet protocol spec but didn’t appear in the IEEE 802 implementation. I filter this out by doing sudo tshark -R “not loop”.

Now we can start filtering out part of the background “noise” by ignoring the loop packets we just talked about and adding arp to that ignore list – sudo tshark -R “not loop and not arp”.

One type of packet that is worthwhile knowing what it looks like is the spanning-tree packets. Seeing a lot of these with changing values indicates that STP is recalculating or that someone has plugged in a switch that you don’t know about. Either way, you need see what is normal for your network – sudo tshark -R “stp”.

Once you see what a “normal” amount, we can add STP to what we don’t want to see – sudo tshark -R “not loop and not arp and not stp”. You can exclude or include several protocols at the same by using the and keyword between the different things you are or arent looking for.

As we start to whittle things down a bit, I started seeing a packet named “rfe”. A little bit of digging gave a reference to something called radio free ethernet running on udp port 5002. RFE is a network audio broadcasting system. I tried doing sudo tshark -R “rfe” but tshark errored out. When I used udp.port == 5002 instead of the rfe keyword, I was able to exclude those packets. The command looks something like this sudo tshark -R “not loop and not arp and not stp and not udp.port == 5002”

You can now start to see that as we start to block what we don’t want to see, we start seeing what else is out on the wire. If you want to see the traffic going to/from a particular ip address, you can use a filter something like this – sudo tshark -R “ip.addr ==”.

See who is generating DNS requests or doing more surfing than they need to, you can use sudo tshark -R “udp.port == 53”. This will show you just the A record lookups. Using tcp.port will show you the zone transfers when one DNS server does a lookup of an entire domain. By using udp.port == 53 or tcp.port == 53, you will be able to watch for either type of DNS traffic.

The main thing that I am trying to show you is what can be called “baselining” the network or knowing what is normal for your network.

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/

Send to Kindle
This entry was posted in Blog Entries, Podcasts, Raspberry Pi, Video Podcast and tagged . Bookmark the permalink.