Display filter examples

1. Display tcp and dns packets: `tcp or dns`
2. Display traffic with source or destination port 443: `tcp.port == 443`
3. Display all protocols other than arp, icmp and dns: `!(arp or icmp or dns)`
4. Show traffic which contains the string google: `tcp contains google`
5. Display HTTP responses with status code 200: `http.response.code == 200`
6. Show only SMTP (port 25) and ICMP traffic: `tcp.port eq 25 or icmp`
7. Show only traffic inside the LAN (192.168.x.x), between workstations and servers, with no Internet traffic: `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
8. Filter on Windows: filter out the noise while watching Windows client to DC exchanges: `smb || nbns || dcerpc || nbss || dns`
9. TCP buffer full, the source is instructing the destination to stop sending data: `tcp.window_size == 0 && tcp.flags.reset != 1`
10. Some filter fields match against multiple protocol fields. For example, `ip.addr` matches against both the IP source and destination addresses in the IP header. The same is true for `tcp.port`, `udp.port`, `eth.addr`, and others. To filter out any traffic to or from 10.43.54.65, `ip.addr != 10.43.54.65` is the wrong filter: it translates to "pass all traffic except for traffic with a source IPv4 address of 10.43.54.65 and a destination IPv4 address of 10.43.54.65", which isn't what we wanted, because a packet whose other address differs from 10.43.54.65 still passes. Use `!(ip.addr == 10.43.54.65)` instead, which translates to "pass any traffic except with a source IPv4 address of 10.43.54.65 or a destination IPv4 address of 10.43.54.65".
11. The same form filters out any traffic to or from 192.168.65.129: `!(ip.addr == 192.168.65.129)`. This translates to "pass any traffic except with a source IPv4 address of 192.168.65.129 or a destination IPv4 address of 192.168.65.129".

Use these as the basis for starting to build extraction commands. The syntax for capturing and reading a pcap is very similar to tcpdump.

Capture Packets with Tshark

```
tshark -i wlan0 -w capture-output.pcap
```

Read a Pcap with Tshark

```
tshark -r capture-output.pcap
```

HTTP Analysis with Tshark

The following example extracts data from any HTTP requests that are seen. `-Y` applies a display filter (the same syntax as the Wireshark filters above), `-T fields` specifies that we want to extract fields, and each `-e` option names a field to extract.

```
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
```

Each output line holds the host followed by the user agent of one request, for example:

```
<http.host>	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
```

The default separator for the fields in the output above is TAB. We could also use the parameter `-E separator=,` to change the delimiter to a comma. A request that lacks a field simply gets an empty column, so split on the separator rather than on whitespace when post-processing.

Parse User Agents and Frequency with Standard Shell Commands

Using the previous command to extract `http.user_agent`, this time reading from a pcap rather than off the live interface. Combining it with standard shell commands allows us to sort and count the occurrences of each user agent:

```
tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n
```

Note that because `http.host` is part of each line, the counts here are per host and user agent pair; drop `-e http.host` (or cut the second column) to count user agents on their own.

Using this, we can quickly parse a pcap, even if it is very large, and get a summary of all the user agents seen. This can be used to detect malware, old browsers on your network and scripts.

Using additional HTTP filters in Analysis

We could perform a similar analysis with the request URL in place of the user agent (`-e http.request.uri`). Other fields we could include in the output are `-e ip.dst` and `-e http.request.uri`:

```
tshark -r example.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.uri
```

By combining different filters and output fields, it is possible to create very complex data extraction commands for tshark that can be used to find interesting things within a capture. Keep in mind that these `http.*` fields are only populated for cleartext HTTP; the host, user agent and URI of HTTPS requests are inside TLS and are not visible to the dissector.

DNS Analysis with Tshark

Here is an example that extracts both the DNS query name and the response address:

```
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
```

Example output (query name, then the address from the answer):

```
<query name>	71.64.144.142
<query name>	71.67.215.200
```

Note that `-f` sets a BPF capture filter rather than a display filter; `"src port 53"` keeps only responses, which carry both the question name and the answer records, and `-n` disables name resolution so tshark does not generate DNS traffic of its own. When a response holds several addresses they are joined with commas in the one column. Add time and source / destination IP addresses to your output with `-e frame.time -e ip.src -e ip.dst`.

For our Next Trick

One of the great advantages that tshark has over the Wireshark GUI is stdout, giving you many options to manipulate and clean the output. By not specifying the fields option as above we receive the full dissection of the HTTP POST rather than a few extracted fields. The default output prints only a one-line summary per packet, which does not include the request body, so add `-V` to get the verbose dissection. If we also add the filter `tcp contains "password"` and grep for password we will get just the line carrying the POST data:

```
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' -V | grep password
```

```
csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123
```

Anything submitted over plain HTTP crosses the wire like this, readable by whoever holds the capture.

Installing the latest Tshark

The latest version of Tshark 2.4 includes a number of useful new features. To install the latest version on Ubuntu 16.04 or 17.04, add the Wireshark package repository and install the tshark package from it rather than using the older version in the default Ubuntu repositories.
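The `ip.addr != X` versus `!(ip.addr == X)` point above is easy to misread, so here is an added example (not from the original page) that models how a filter is evaluated against a packet whose `ip.addr` field has two values, the source and the destination. The packets are constructed for this example; the two `awk` expressions mirror the two filter forms.

```shell
#!/bin/sh
# Added example: emulate Wireshark/tshark filter semantics for a
# multi-valued field. Each constructed sample line is "src dst".
SAMPLE_PACKETS='10.43.54.65 8.8.8.8
8.8.8.8 10.43.54.65
10.43.54.65 10.43.54.65
192.168.1.10 93.184.216.34'

# Emulate "ip.addr != X": the packet passes if ANY of its addresses
# differs from X, so a packet to or from X still passes when the other
# end is something else. Prints the packets that pass.
pass_ne() {
  printf '%s\n' "$SAMPLE_PACKETS" | awk -v x="$1" '($1 != x) || ($2 != x)'
}

# Emulate "!(ip.addr == X)": the packet passes only if NEITHER address
# equals X, which is what "filter out traffic to or from X" means.
pass_not_eq() {
  printf '%s\n' "$SAMPLE_PACKETS" | awk -v x="$1" '!(($1 == x) || ($2 == x))'
}

# Number of sample packets each form lets through.
count_ne()     { pass_ne "$1" | wc -l | tr -d ' '; }
count_not_eq() { pass_not_eq "$1" | wc -l | tr -d ' '; }

echo "ip.addr != 10.43.54.65 passes:"
pass_ne 10.43.54.65
echo "!(ip.addr == 10.43.54.65) passes:"
pass_not_eq 10.43.54.65
```

Only the packet where both ends are 10.43.54.65 is dropped by the `!=` form; the negated equality drops every packet that touches that address.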
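The user agent frequency section pipes `-T fields` output through `sort | uniq -c | sort -n`. The following added example (not part of the original page) runs that post-processing offline on constructed TAB-separated lines of the shape `tshark -Y http.request -T fields -e http.host -e http.user_agent` produces, counts user agents on their own rather than per host, and picks out requests made by scripting tools. The hostnames, user agents and the tool regex are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-process tshark "-T fields" output for HTTP requests.
# Constructed sample: host TAB user agent, one request per line. The
# fourth request has no Host header, so its first column is empty.
FIELDS_OUTPUT=$(printf '%s\t%s\n' \
  'www.example.com'    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' \
  'www.example.com'    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' \
  'update.example.net' 'python-requests/2.9.1' \
  ''                   'curl/7.47.0' \
  'cdn.example.org'    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0' \
  '10.0.0.5'           'Wget/1.17.1')

# User agent frequency table, as the tutorial's sort | uniq -c | sort -n
# pipeline does, but on the second column only so the host does not
# split one browser's requests into several counts.
ua_frequency() {
  printf '%s\n' "$FIELDS_OUTPUT" | awk -F'\t' '{ print $2 }' | sort | uniq -c | sort -n
}

# Count of the most common user agent (last line after sort -n).
top_ua_count() {
  ua_frequency | tail -n 1 | awk '{ print $1 }'
}

# Requests made by command-line tools rather than browsers. The tool
# list is an assumption for this example, not a rule from the page.
TOOL_UA_REGEX='^(curl|[Ww]get|python-requests|Go-http-client|libwww-perl)'
script_requests() {
  printf '%s\n' "$FIELDS_OUTPUT" | awk -F'\t' -v re="$TOOL_UA_REGEX" '
    $2 ~ re { host = ($1 == "") ? "<no Host header>" : $1; print host "\t" $2 }'
}

ua_frequency
script_requests
```

Splitting on TAB with `awk -F'\t'` is what keeps the empty host column from shifting the user agent into the wrong field.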
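For the DNS extraction command above, a response with several A records yields one line whose second column holds all the addresses joined by commas (tshark's default aggregator for repeated fields), and a response with no address answer leaves that column empty. This added example (not from the original page) takes constructed lines of the shape `-T fields -e dns.qry.name -e dns.resp.addr` produces and expands them into one name/address pair per line, so a name can be mapped to every address it resolved to and, for incident response, an address back to the names that led to it. The names and addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: expand aggregated dns.resp.addr values from tshark
# "-T fields" output. Constructed sample: query name TAB answer
# addresses (comma-joined, possibly empty).
DNS_OUTPUT=$(printf '%s\t%s\n' \
  'www.example.com'      '93.184.216.34' \
  'cdn.example.net'      '203.0.113.10,203.0.113.11,203.0.113.12' \
  'nxdomain.example.org' '' \
  'mail.example.com'     '93.184.216.34' \
  'www.example.com'      '93.184.216.34')

# One "name<TAB>address" pair per line; responses without an address
# answer (NXDOMAIN, CNAME-only) are skipped.
expand_answers() {
  printf '%s\n' "$DNS_OUTPUT" | awk -F'\t' '
    $2 != "" {
      n = split($2, addrs, ",")
      for (i = 1; i <= n; i++) print $1 "\t" addrs[i]
    }'
}

# Distinct addresses a name resolved to during the capture.
addresses_for_name() {
  expand_answers | awk -F'\t' -v name="$1" '$1 == name { print $2 }' | sort -u
}

# Reverse view: which queried names led to a given address.
names_for_address() {
  expand_answers | awk -F'\t' -v addr="$1" '$2 == addr { print $1 }' | sort -u
}

expand_answers
```

Use `-E aggregator=` on the tshark side if you would rather pick the separator yourself; the splitting logic stays the same.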