Difference between revisions of "Tshark"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
+ | SNI capture | ||
+ | ``` | ||
+ | tshark -l -i F5_External -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host | ||
+ | ``` | ||
+ | |||
Quick and dirty packet counting smtp syn packets for host | Quick and dirty packet counting smtp syn packets for host | ||
``` | ``` |
Revision as of 17:57, 13 January 2022
SNI capture
tshark -l -i F5_External -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
Quick and dirty packet counting smtp syn packets for host
tshark -i any -f "host 10.x.x.x and port 25 and tcp[13]==2" -T fields -e ip.src > dstip.10.x.x.x.tcp25.syn.txt cat dstip.10.x.x.x.tcp25.syn.txt | sort | uniq -c | sort -nr top -p `pidof tshark`
C:\Program Files\Wireshark\tshark.exe -i 1 -f "port 53" -Y "dns" tshark -i internal -f "host 192.168.24.13 and port 25" -Y "smtp.req" # https://www.wireshark.org/docs/dfref/s/smtp.html tshark -i eth0 -f "host 10.x.x.x and tcp port 80 or port 8080" -Y "http.request || http.response" sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -q -z sip,stat sudo tshark -l -i eth0 -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host tshark -i any -f "dst port 389" -O ldap -V # This probably won't work cuz double filter tshark -i any -2 -R ldap.filter -f "dst port 389" -O ldap -V
tshark -r ../rpcap/trace00 tcp.port==3000 tshark -r ../rpcap/trace00 ip.proto==47 tshark -V -i eth0 -f "host 10.x.x.x" -d tcp.port==162,snmp | grep -i msgAuthoritativeEngineID sudo tcpdump -nnpi ens160 proto 47 sudo tshark -i ens160 -f "proto 47" tshark -r ../rpcap/trace00 -T fields -e data tshark -V -r ../rpcap/trace00 -d tcp.port==3000,sip editcap -C 38 pcap.pcap pcap_edited.pcap tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre | grep -i sip tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre -d tcp.port==3000,sip | grep INVITE tshark -r ../rpcap/trace00 -d ip.proto==47,gre -q -z sip,stat
- https://www.linuxjournal.com/content/using-tshark-watch-and-inspect-network-traffic
- https://linux.die.net/man/1/tshark
- conv,ip
Using ncat ?
db shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122" In the second CMD window adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122 | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"