Difference between revisions of "Tshark Scripts"
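--- a/get-snis-via-tshark.sh
+++ b/get-snis-via-tshark.sh
@@ -5,7 +5,8 @@
 #!/bin/bash
 set -eu
-duration=
+duration=90
 interface=internal
 # pmatch=python
 pmatch=tshark
+snimatch=example.com
 get_sni() {
@@ -14,4 +15,5 @@
 echo "I: Running tshark instance to get sni info. ${ts}"
 sleep 1
-tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name 2>&1 >> sni.log &
+# tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name 2>&1 >> sni.log &
+tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name | grep $snimatch 2>&1 >> sni.log &
 }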
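Review bot: On the new tshark line in the second hunk, `| grep $snimatch 2>&1 >> sni.log &` puts the redirects in the wrong order and on the wrong command: `2>&1` is applied before `>> sni.log`, so grep's stderr goes to the terminal, and tshark's own stderr (capture or permission errors) is no longer logged at all because the redirect that used to follow tshark went away with the removed line. `$snimatch` is also unquoted and treated as a regex, so the dot in `example.com` matches any character and a value containing spaces or a leading dash breaks the command; `$interface` and `$duration` on the same line have the same quoting problem, though they predate this change. Suggested form: `| grep --line-buffered -F -- "$snimatch" >> sni.log 2>&1 &`, wrapping the whole pipeline in `{ …; }` before the redirects if tshark's errors should reach the log too, and `--line-buffered` because grep block-buffers when its stdout is a file, so matches would otherwise sit in memory until the capture ends. Separately, the `-f 'dst port ( 443 )'` capture filter keeps only port-443 traffic, so the `http.host` half of the `-Y` filter is unlikely ever to match unless plaintext HTTP is sent to 443. get_sni opens in the first hunk and its body and closing brace are in the second.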
Revision as of 23:45, 8 February 2022
Collect SNIs without using up a lot of memory
get-snis-via-tshark.sh
#!/bin/bash
# Periodically (re)launches a bounded tshark capture and appends the matching
# SNI / HTTP Host rows to sni.log; get_sni does the capture, main the looping.
set -eu
# Capture settings read by get_sni.
interface=internal    # interface handed to tshark -i
duration=90           # seconds each tshark instance runs (tshark -a duration:)
snimatch=example.com  # only rows matching this value are kept in sni.log
# Process name that main checks with pgrep before starting another capture.
# pmatch=python
pmatch=tshark
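get_sni() {
  #######################################
  # Start one bounded tshark capture in the background and append the rows
  # matching $snimatch to sni.log.
  # Globals:   interface, duration, snimatch (read)
  # Outputs:   one "I: ..." progress line on stdout; capture rows and any
  #            tshark/grep errors are appended to sni.log
  # Returns:   0 (the capture itself runs detached in the background)
  #######################################
  local ts
  ts=$(date +"%Y-%m-%dT%T.%3N%z")
  echo "I: Running tshark instance to get sni info. ${ts}"
  sleep 1
  # -l keeps tshark line-buffered and --line-buffered does the same for grep,
  # so matches reach the log as they happen instead of sitting in grep's
  # buffer until the capture ends. -F treats $snimatch as a literal string
  # (the dot in example.com is not a wildcard) and -- protects a value that
  # starts with '-'. The redirects are placed after the braced group so both
  # stdout and stderr of the whole pipeline land in the log; the earlier
  # "2>&1 >> sni.log" order sent stderr to the terminal instead.
  { tshark -l -i "$interface" -a "duration:${duration}" \
      -f 'dst port ( 443 )' \
      -Y 'ssl.handshake.extension.type == "server_name" || http.host' \
      -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host \
      -e ssl.handshake.extensions_server_name \
    | grep --line-buffered -F -- "$snimatch"; } >> sni.log 2>&1 &
}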
is_tshark_running() {
  # Placeholder: not called by main, which uses pgrep directly. Always
  # prints "foo" and returns 0.
  printf '%s\n' foo
}
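main() {
  #######################################
  # Keep exactly one capture alive: every 5 seconds, call get_sni unless a
  # process named $pmatch is already running. Loops until the script is
  # killed.
  # Globals:   pmatch (read)
  # Outputs:   progress lines on stdout
  # Returns:   never returns normally
  #######################################
  echo "Starting tshark looper"
  while true; do
    # -x demands an exact process-name match, so this script's own shell
    # does not count as a running capture.
    if ! pgrep -x "$pmatch" > /dev/null; then
      get_sni
    else
      echo "$pmatch command is already running."
    fi
    sleep 5
  done
}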
# Entry point: hand any arguments through (main currently ignores them).
main "$@"
# Run the looper detached from the terminal so it keeps going after logout.
# NOTE(review): the listing above is titled get-snis-via-tshark.sh while this
# line invokes get-snis.sh — use whichever name the script was saved under.
nohup get-snis.sh &
Watch memory usage of tshark command
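# Print a process snapshot every 5 seconds and keep only the tshark rows
# (on procps top, RES is the resident memory). top needs batch mode (-b) when
# its output is a pipe rather than a terminal, and --line-buffered keeps grep
# from holding matches back until its buffer fills.
top -b -d 5 | grep --line-buffered tshark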
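# Stop the collector (the page lost the line breaks here; these were separate
# commands). End the looper first: while it is alive, main relaunches tshark
# as soon as pgrep sees none running. -f matches against the full command
# line, so make sure nothing else with "snis" in its arguments is running.
pkill -f snis   # the looper script
pkill tshark    # the capture it started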