Difference between revisions of "Tshark"
(20 intermediate revisions by the same user not shown) | |||
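--- a/Tshark
+++ b/Tshark
@@ -1 +1 @@
-SNI capture
+PCAP
+```
+tshark -l -i any -f 'host 10.x.x.x' -w 10.x.x.x.pcap
+```
+
+HTTP 80
+```
+tshark -i any -f "port 80" -Y "http.request.method == GET || http.request.method == POST"
+```
+
+Decode tls/ssl
+```
+tshark -l -i any -f 'dst port ( 82 ) and host 10.x.x.x' -d tcp.port==82,ssl
+```
+
+syslog
+```
+tshark -l -i any -f 'dst port ( 514 ) and host 10.x.x.x' -d tcp.port==514,syslog -T fields -E separator=" " -e ip.src -e ip.dst -e syslog.msg
+tshark -l -i any -f 'dst port ( 9514 ) and host log.example.com' -d tcp.port==9514,syslog -T fields -E separator=" " -e ip.src -e syslog.msg
+```
+
+tshark syn packets
+```
+tcp[0xd]&18=2
+```
+tshark -G fields
+
+SNI capture on 3.x (note tls vs ssl)
+```
+sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.x.x.y' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
+
+sudo tshark -l -i any -f 'dst port ( 443 ) and src net 10' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
+
+# GRE
+sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
+```
+
+SNI capture 2.x
 ```
 tshark -l -i any -f 'dst port ( 443 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
 tshark -l -i any -f 'dst port ( 443 )' -f 'host 10.x.xy' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
 tshark -l -i any -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host | grep 204.1
+```
+curl
+```
+curl -vik --resolve example.com:443:66.x.x.y https://example.com/
 ```
@@ -52 +93 @@
 adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122 | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"
+```
+
+
+Oneliners
+- http://snippets1000.blogspot.com/2012/04/tshark-one-liners.html
+
+
+```
+Show uris
+tshark -T fields -e http.request.uri | grep -v “^$”
+
+Unique urls
+tshark -r sample.pcap -R http.request -T fields -e http.host -e http.request.uri | sort -u
+
+Top ten urls from (http://goo.gl/qd5aI)
+tshark -r sample1.cap -R http.request
+-T fields -e http.host -e http.request.uri |
+sed -e 's/?.*$//' |
+sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' |
+sort | uniq -c | sort -rn | head
+
+
+List user agents
+sudo tshark -nn -r capture_file.pcap -Tfields -e ip.src -e http.user_agent -R "http.user_agent"
+
+
+List conversations
+
+
+tshark -r sample.pcap -tad -R"tcp" -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'
+
+
+tshark -r samples.cap -q -z conv,tcp
+
+
+HTTP statistics
+tshark -q -z http,stat, -z http,tree -r sample.pcap
+
+DNS
+
+Show responses
+
+tshark -tad -r lupus.pcap -R dns.flags.response==1
+```
+
+
+https://gist.github.com/shahifaqeer/eff11a51bf8e8b77557564006f70c36c
+```
+#!/bin/bash
+# sh tshark_extract_fields.sh [-h] | [ -i /input_path/trace.pcap -o output_path/tshark_trace.log -k ]
+
+usage="sh $(basename "$0") [-h] | [-i input.pcap -o output.log][-k] -- program to extract packet fields from pcap for KPI calculations using tshark
+where:
+-h show this help text
+-i path to input pcap
+-o path to output csv log file
+-k output only specific KPI related fields"
+
+while getopts hkfi:o: option
+do
+case "${option}"
+in
+h|help) echo "$usage"
+exit 0
+;;
+i) INPUTPCAPPATH=${OPTARG};;
+o) OUTPUTLOGPATH=${OPTARG};;
+k) KPIONLY=1;;
+esac
+done
+
+if [[ $KPIONLY -eq 1 ]]; then
+
+tshark -r $INPUTPCAPPATH -Y "not(ip.addr == 127.0.0.1) && (ipv6 || ip)" -T fields -E header=y -E separator=\| \
+-e frame.number -e frame.time -e frame.time_relative -e frame.len -e ip.version -e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len -e ip.fragment.error \
+-e tcp.stream -e tcp.time_relative -e tcp.time_delta -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.hdr_len -e tcp.pdu.size -e tcp.window_size -e tcp.flags -e tcp.flags.fin -e tcp.flags.ack -e tcp.flags.syn \
+-e tcp.analysis.retransmission -e tcp.analysis.rto -e tcp.analysis.ack_rtt -e tcp.analysis.initial_rtt -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
+-e tcp.analysis.reused_ports -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
+-e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
+-e tcp.options.wscale.multiplier -e tcp.segment.error \
+-e tls.record.content_type -e tls.handshake.type -e tls.alert_message -e tls.handshake.cert_type.type -e tls.handshake.extensions_server_name -e tls.handshake.extensions_alpn_str -e tls.resumed -e tls.handshake.ciphersuite -e tls.segment.error -e tls.alert_message -e tls.alert_message.desc -e tls.alert_message.level \
+-e x509ce.dNSName \
+-e http.response.code -e http.location -e http.request.full_uri -e http.request.method -e http.request.uri -e http.time -e http.content_length -e http.referer \
+-e _ws.expert.severity \
+-e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute -e udp.checksum.bad \
+-e dns.flags -e dns.flags.rcode -e dns.flags.response -e dns.time -e dns.count.queries -e dns.qry.name -e dns.resp.ttl \
+> $OUTPUTLOGPATH
+
+# -e tcp.options.wscale -e tcp.options.wscale_val \
+
+else
+
+tshark -r $INPUTPCAPPATH -T fields -E header=y -E separator=, \
+-e frame.number -e frame.time_delta -e frame.len -e vlan.id -e eth.trailer -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type \
+-e ip.proto -e ip.src -e ip.dst -e ip.dsfield -e ip.dsfield.dscp -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len \
+-e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.len -e tcp.ack -e tcp.ack.nonzero -e tcp.window_size -e tcp.nxtseq -e tcp.time_delta -e tcp.time_relative \
+-e tcp.options -e tcp.options.mss -e tcp.options.mss_val -e tcp.options.qs -e tcp.options.sack -e tcp.options.snack -e tcp.options.tfo -e tcp.options.wscale.multiplier \
+-e tcp.connection.syn -e tcp.connection.sack -e tcp.connection.rst -e tcp.connection.fin -e tcp.flags -e tcp.segment -e tcp.segment.count -e tcp.segment.error -e tcp.segment.multipletails -e tcp.segment.overlap \
+-e tcp.analysis.ack_lost_segment -e tcp.analysis.ack_rtt -e tcp.analysis.acks_frame -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.duplicate_ack_frame -e tcp.analysis.duplicate_ack_num \
+-e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.initial_rtt -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
+-e tcp.analysis.retransmission -e tcp.analysis.reused_ports -e tcp.analysis.rto -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
+-e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
+-e ssl.handshake.type -e ssl.alert_message -e ssl.record -e ssl.record.content_type -e ssl.handshake -e ssl.handshake.cert_type.type -e ssl.handshake.extensions_alpn_str -e ssl.handshake.extensions_server_name \
+-e x509ce.dNSName \
+-e http.request.method -e http.request.uri -e http.location -e http.request.full_uri -e http.request.version -e http.user_agent -e http.host -e http.connection -e http.accept_encoding -e http.request_number -e http.response_in -e http.next_request_in -e http.response.code -e http.content_type -e http.content_length -e http.referer \
+-e _ws.expert.severity \
+-e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute \
+-e dns.time -e dns.flags -e dns.flags.rcode -e dns.count.queries -e dns.qry.name -e dns.count.labels -e dns.qry.type -e dns.qry.class -e dns.count.answers -e dns.count.add_rr -e dns.count.auth_rr -e dns.count.prerequisites -e dns.count.updates -e dns.count.zones -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.resp.ttl -e dns.a -e dns.aaaa -e dns.cname -e dns.dname \
+> $OUTPUTLOGPATH
+
+fi
+
+# -Y http.request -T fields -e http.host -e http.user_agent -e ip.dst -e http.request.full_uri
+
+# simple
+#-e frame.number -e frame.time_delta -e frame.len -e eth.src -e eth.dst -e frame.protocols \
+#-e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.len \
+#-e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.ack -e tcp.window_size -e -e tcp.flags
+#-e tcp.analysis.<STUFF HERE>
+
+# TCP Flags
+# tcp.flags.cwr
+# tcp.flags.ecn
+# tcp.flags.fin
+# tcp.flags.ns
+# tcp.flags.push
+# tcp.flags.res
+# tcp.flags.reset
+# tcp.flags.syn
+# tcp.flags.urg
+# -- tcp.urgent_pointer
+
+# TCP Options
+# MSS, QS, SACK, SNACK, TFO, TimeStamp, WindowScaling
+
+# TCP Checksum seems to be disabled
+
+# Use ssl instead of tls
+#-e tls.handshake -e tls.handshake.ciphersuite -e tls.alert_message -e tls.alert_message.level -e tls. \
+
+# SSL
+# extensions_alpn_str = next protocol usually HTTP1.1
+# extensions_server_name = only server name not the full resource URL
+
+# x509ce.dNSName = server name from certificate
+
+# HTTP
+# _ws.expert.severity = chat level
+# media.type = image/webp but prints all data
+
+# INVALID FIELDS
+# -e udp.time_delta -e udp.time_relative
+# -e tcp.analysis.push_bytes_sent -e tcp.options.qs.rate
+# -e tcp.options.time_stamp -e tcp.options.wscale
+```
+
+pdml for extracting detailed information
+```
+tshark -l -i any -f 'port 443' -Y "ssl.handshake.ciphersuites" -T pdml | grep ssl.handshake.ciphersuite
+```
+
+# Headers
+```
+tshark -i any -Y 'http.request.method == "GET" and http.host contains "uvoo.io" and http contains "X-Forwarded-For:"'
+```
+```
+tshark -i any -f 'host 10.1.x.x' -Y 'http.request.method == "GET" or http.request.method == "POST"' -T fields -e http.request.method -e http.host -e http.request.uri -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type
+```
+
+```
+tshark -i any -Y "http and http contains "X-Forwarded-For:"" -T fields -e http.x_forwarded_for
+```
+
+All
+```
+tshark -i <interface> -Y "http" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.uri -e http.host -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type -e http.range -e http.accept_charset -e http.if_modified_since -e http.if_none_match -e http.if_range -e http.if_unmodified_since -e http.host -e http.location -e http.max_forwards -e http.pragma -e http.proxy_authorization -e http.range -e http.referer -e http.server -e http.te -e http.upgrade -e http.via -e http.warning -e http.www_authenticate -e http.x_forwarded_for
+
+```
+
+Decode real time (a lot of info)
+```
+tshark -T pdml -i eth0
+```
+tshark converations
+```
+tshark -i any -f "host example.com" -q -n -z conv,tcp
+tshark -i any -f "host example.com" -Y tcp.analysis.retransmission
 ```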
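Review bot: The extraction script in the second hunk runs `tshark -r $INPUTPCAPPATH ... > $OUTPUTLOGPATH` with both paths unquoted and never checks that `-i` and `-o` were supplied, so a path containing a space splits into several arguments and a missing `-o` makes bash stop on an empty redirection target; add after the getopts loop `: "${INPUTPCAPPATH:?-i input.pcap is required}"` and `: "${OUTPUTLOGPATH:?-o output.log is required}"` and quote both expansions. In the same script the `h|help)` arm can only ever match `h`, because getopts yields single letters, and `f` is declared in `getopts hkfi:o:` but has no case arm, so `-f` is silently ignored. Further down, `-Y "http and http contains "X-Forwarded-For:""` closes the double-quoted string at the inner quote, so tshark receives `http and http contains X-Forwarded-For:` without the quotes the filter needs; `-Y 'http and http contains "X-Forwarded-For:"'` passes it intact. The field lists under "Headers" and "All" emit `http.cookie`, `http.authorization` and `http.proxy_authorization`, so those output files carry credentials and deserve the same access restrictions as the pcap itself.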
Latest revision as of 18:32, 29 June 2024
PCAP
# Save all traffic to/from one host to a pcap file (-w); -f is the capture (BPF) filter
# and -l flushes output after every packet so the file grows as traffic arrives.
tshark -l -i any -f 'host 10.x.x.x' -w 10.x.x.x.pcap
HTTP 80
# Capture filter (-f) restricts to port 80; display filter (-Y) keeps GET/POST requests.
# Recent tshark releases may warn about or reject unquoted literals such as GET; quoting
# them ("GET") is accepted by every version.
tshark -i any -f "port 80" -Y "http.request.method == GET || http.request.method == POST"
Decode tls/ssl
# Decode-as: dissect TCP port 82 as TLS.  The dissector is called ssl on tshark 2.x;
# on 3.x the fields are tls.* (see "SNI capture on 3.x" below), so the name may need
# to change there — check with `tshark -G fields`.
tshark -l -i any -f 'dst port ( 82 ) and host 10.x.x.x' -d tcp.port==82,ssl
syslog
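# Syslog to one host on TCP 514: force the TCP-port-514 dissector to syslog and print
# "src dst message", one line per packet (-l flushes after each line).
tshark -l -i any -f 'dst port ( 514 ) and host 10.x.x.x' -d tcp.port==514,syslog -T fields -E separator=" " -e ip.src -e ip.dst -e syslog.msg
# Same for a relay on 9514, addressed by DNS name in the capture filter; destination omitted.
tshark -l -i any -f 'dst port ( 9514 ) and host log.example.com' -d tcp.port==9514,syslog -T fields -E separator=" " -e ip.src -e syslog.msg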
tshark syn packets
tcp[0xd]&18=2
# Dump every field name the installed tshark knows — the way to check whether the
# ssl.* (2.x) or tls.* (3.x) names used elsewhere on this page apply to your build.
tshark -G fields
SNI capture on 3.x (note tls vs ssl)
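# TLS SNI and HTTP Host for connections to one host on ens160 (3.x field names: tls.*).
# Output is src, dst, dst port, Host header, SNI — one line per matching packet.
sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.x.x.y' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

# Same on every interface, for any source inside 10.0.0.0/8 ('src net 10').
sudo tshark -l -i any -f 'dst port ( 443 ) and src net 10' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

# GRE: capture IP protocol 47 and decode it as GRE so the tunnelled TLS/HTTP is dissected.
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name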
SNI capture 2.x
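# TLS SNI and HTTP Host for all traffic to port 443 (2.x field names: ssl.*).
tshark -l -i any -f 'dst port ( 443 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host

# Restricted to one host.  tshark keeps only the last -f given for an interface, so the
# original pair of -f options silently dropped the port restriction; one combined
# capture filter keeps both conditions.
tshark -l -i any -f 'dst port ( 443 ) and host 10.x.xy' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host

# Post-filter on an address prefix; -F matches the dot literally instead of as "any character".
tshark -l -i any -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host | grep -F '204.1'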
curl
# Talk to a specific IP while keeping SNI and Host as example.com (--resolve bypasses DNS
# for that name:port).  -v/-i show the handshake and response headers; -k disables
# certificate verification, so this is for diagnostics, not for anything that matters.
curl -vik --resolve example.com:443:66.x.x.y https://example.com/
Quick and dirty count of SMTP SYN packets for a host
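# Record the source address of every SMTP SYN involving the host.
# tcp[13] is the TCP flags byte; ==2 means SYN set and nothing else.
tshark -i any -f "host 10.x.x.x and port 25 and tcp[13]==2" -T fields -e ip.src > dstip.10.x.x.x.tcp25.syn.txt

# SYNs per source, busiest first (sort reads the file directly; no cat needed).
sort dstip.10.x.x.x.tcp25.syn.txt | uniq -c | sort -nr

# Watch tshark's own CPU/memory while it captures.  pidof prints space-separated pids
# when several instances run; top -p wants a comma-separated list.
top -p "$(pidof tshark | tr ' ' ',')"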
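# Windows build: DNS on interface index 1.  The path is quoted because it contains a space.
"C:\Program Files\Wireshark\tshark.exe" -i 1 -f "port 53" -Y "dns"

# SMTP requests from one client; field reference: https://www.wireshark.org/docs/dfref/s/smtp.html
tshark -i internal -f "host 192.168.24.13 and port 25" -Y "smtp.req"

# HTTP on 80 or 8080 for one host.  In pcap filter syntax 'and' and 'or' have equal
# precedence and associate left to right, so the original
# "host 10.x.x.x and tcp port 80 or port 8080" also matched port-8080 traffic of every
# other host; the parentheses tie both ports to the host.
tshark -i eth0 -f "host 10.x.x.x and (tcp port 80 or port 8080)" -Y "http.request || http.response"

# SIP statistics for calls tunnelled in GRE (IP protocol 47).
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -q -z sip,stat

# TLS SNI / HTTP Host across several destination ports (2.x field names: ssl.*).
sudo tshark -l -i eth0 -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host

# Full LDAP dissection (-O ldap -V) of traffic to port 389.
tshark -i any -f "dst port 389" -O ldap -V
# This probably won't work cuz double filter
tshark -i any -2 -R ldap.filter -f "dst port 389" -O ldap -V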
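# Offline analysis of ../rpcap/trace00 (with -r, a trailing expression is a display filter).
tshark -r ../rpcap/trace00 tcp.port==3000
tshark -r ../rpcap/trace00 ip.proto==47

# SNMP on a non-standard TCP port: decode TCP 162 as SNMP and pull the SNMPv3 engine ID field.
tshark -V -i eth0 -f "host 10.x.x.x" -d tcp.port==162,snmp | grep -i msgAuthoritativeEngineID

# GRE (IP protocol 47) on the wire — tcpdump (-nn no name resolution, -p not promiscuous) and tshark.
sudo tcpdump -nnpi ens160 proto 47
sudo tshark -i ens160 -f "proto 47"

# Undissected payload bytes only.
tshark -r ../rpcap/trace00 -T fields -e data

# Decode TCP 3000 as SIP, full detail.
tshark -V -r ../rpcap/trace00 -d tcp.port==3000,sip

# Chop 38 bytes from the start of every packet (editcap -C) into a new file.
editcap -C 38 pcap.pcap pcap_edited.pcap

# Inside GRE: decode protocol 47 as GRE, then the tunnelled TCP 3000 as SIP.
tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre | grep -i sip
tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre -d tcp.port==3000,sip | grep INVITE
tshark -r ../rpcap/trace00 -d ip.proto==47,gre -q -z sip,stat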
- https://www.linuxjournal.com/content/using-tshark-watch-and-inspect-network-traffic
- https://linux.die.net/man/1/tshark
- conv,ip
Using ncat ?
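# Stream a live capture off an Android device.  On the device, tcpdump writes pcap to
# stdout (-w -, -U packet-buffered) into a nc listener; "not port 1122" keeps the
# transfer's own traffic out of the capture.  The page text reads "db shell"; the adb
# subcommand is "adb shell".
adb shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122"

# In the second CMD window: forward the port and feed the stream to tshark on stdin (-i -),
# decoding the high ports as SIP and printing SIP/ESP in full.
adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122 | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"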
Oneliners - http://snippets1000.blogspot.com/2012/04/tshark-one-liners.html
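# tshark one-liners (after http://snippets1000.blogspot.com/2012/04/tshark-one-liners.html).
# The originals used -R as a single-pass filter; current tshark refuses -R without -2,
# so they are written with -Y, the single-pass display filter that replaced it.

# Show uris — drop empty lines.  The original used curly quotes (“^$”), which grep
# would have taken as literal characters.
tshark -T fields -e http.request.uri | grep -v '^$'

# Unique urls
tshark -r sample.pcap -Y http.request -T fields -e http.host -e http.request.uri | sort -u

# Top ten urls (from http://goo.gl/qd5aI): strip the query string, join host and path
# into a URL, count occurrences, busiest first.
tshark -r sample1.cap -Y http.request -T fields -e http.host -e http.request.uri \
  | sed -e 's/?.*$//' \
  | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' \
  | sort | uniq -c | sort -rn | head

# List user agents
sudo tshark -nn -r capture_file.pcap -Tfields -e ip.src -e http.user_agent -Y "http.user_agent"

# List conversations — custom columns (absolute date/time, source, destination), then
# the built-in TCP conversation table.
tshark -r sample.pcap -tad -Y tcp -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'
tshark -r samples.cap -q -z conv,tcp

# HTTP statistics
tshark -q -z http,stat, -z http,tree -r sample.pcap

# DNS: show responses
tshark -tad -r lupus.pcap -Y dns.flags.response==1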
https://gist.github.com/shahifaqeer/eff11a51bf8e8b77557564006f70c36c
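#!/bin/bash
# sh tshark_extract_fields.sh [-h] | [ -i /input_path/trace.pcap -o output_path/tshark_trace.log -k ]
#
# Extract per-packet fields from a pcap with tshark into a delimited text file for
# KPI calculations.  With -k only the KPI subset is written, '|'-separated and with
# loopback traffic excluded; otherwise the full field set is written, ','-separated.
# Both -i and -o are required: the script prints the usage text and exits 2 without
# them, or if the pcap is not readable.  Otherwise the exit status is tshark's.
#
# Note: the -k branch uses the 3.x field names (tls.*) while the default branch uses
# the 2.x names (ssl.*); tshark exits with "Some fields aren't valid" when a -e field
# is unknown to the installed build, so only one branch may work on a given system.

set -euo pipefail

usage="sh $(basename "$0") [-h] | [-i input.pcap -o output.log][-k] -- program to extract packet fields from pcap for KPI calculations using tshark
where:
-h show this help text
-i path to input pcap
-o path to output csv log file
-k output only specific KPI related fields"

INPUTPCAPPATH=""
OUTPUTLOGPATH=""
KPIONLY=0

# -f is still accepted so existing invocations keep working, but it has no effect
# (the original declared it in the getopts string without handling it).
while getopts hkfi:o: option; do
  case "${option}" in
    h) echo "$usage"; exit 0 ;;
    i) INPUTPCAPPATH=${OPTARG} ;;
    o) OUTPUTLOGPATH=${OPTARG} ;;
    k) KPIONLY=1 ;;
    f) ;;
    *) echo "$usage" >&2; exit 2 ;;
  esac
done

# Without these checks tshark would read a bogus file name and bash would stop on an
# empty redirection target.
if [[ -z "$INPUTPCAPPATH" || -z "$OUTPUTLOGPATH" ]]; then
  echo "$usage" >&2
  exit 2
fi
if [[ ! -r "$INPUTPCAPPATH" ]]; then
  printf 'cannot read pcap: %s\n' "$INPUTPCAPPATH" >&2
  exit 2
fi

if (( KPIONLY == 1 )); then

  # KPI subset.  tls.alert_message appears twice in the original list; it is kept so
  # the column layout of existing output files does not change.
  tshark -r "$INPUTPCAPPATH" -Y "not(ip.addr == 127.0.0.1) && (ipv6 || ip)" -T fields -E header=y -E separator=\| \
    -e frame.number -e frame.time -e frame.time_relative -e frame.len -e ip.version -e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len -e ip.fragment.error \
    -e tcp.stream -e tcp.time_relative -e tcp.time_delta -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.hdr_len -e tcp.pdu.size -e tcp.window_size -e tcp.flags -e tcp.flags.fin -e tcp.flags.ack -e tcp.flags.syn \
    -e tcp.analysis.retransmission -e tcp.analysis.rto -e tcp.analysis.ack_rtt -e tcp.analysis.initial_rtt -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
    -e tcp.analysis.reused_ports -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
    -e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
    -e tcp.options.wscale.multiplier -e tcp.segment.error \
    -e tls.record.content_type -e tls.handshake.type -e tls.alert_message -e tls.handshake.cert_type.type -e tls.handshake.extensions_server_name -e tls.handshake.extensions_alpn_str -e tls.resumed -e tls.handshake.ciphersuite -e tls.segment.error -e tls.alert_message -e tls.alert_message.desc -e tls.alert_message.level \
    -e x509ce.dNSName \
    -e http.response.code -e http.location -e http.request.full_uri -e http.request.method -e http.request.uri -e http.time -e http.content_length -e http.referer \
    -e _ws.expert.severity \
    -e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute -e udp.checksum.bad \
    -e dns.flags -e dns.flags.rcode -e dns.flags.response -e dns.time -e dns.count.queries -e dns.qry.name -e dns.resp.ttl \
    > "$OUTPUTLOGPATH"

  # -e tcp.options.wscale -e tcp.options.wscale_val \

else

  # Full field set (2.x ssl.* names).
  tshark -r "$INPUTPCAPPATH" -T fields -E header=y -E separator=, \
    -e frame.number -e frame.time_delta -e frame.len -e vlan.id -e eth.trailer -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type \
    -e ip.proto -e ip.src -e ip.dst -e ip.dsfield -e ip.dsfield.dscp -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len \
    -e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.len -e tcp.ack -e tcp.ack.nonzero -e tcp.window_size -e tcp.nxtseq -e tcp.time_delta -e tcp.time_relative \
    -e tcp.options -e tcp.options.mss -e tcp.options.mss_val -e tcp.options.qs -e tcp.options.sack -e tcp.options.snack -e tcp.options.tfo -e tcp.options.wscale.multiplier \
    -e tcp.connection.syn -e tcp.connection.sack -e tcp.connection.rst -e tcp.connection.fin -e tcp.flags -e tcp.segment -e tcp.segment.count -e tcp.segment.error -e tcp.segment.multipletails -e tcp.segment.overlap \
    -e tcp.analysis.ack_lost_segment -e tcp.analysis.ack_rtt -e tcp.analysis.acks_frame -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.duplicate_ack_frame -e tcp.analysis.duplicate_ack_num \
    -e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.initial_rtt -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
    -e tcp.analysis.retransmission -e tcp.analysis.reused_ports -e tcp.analysis.rto -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
    -e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
    -e ssl.handshake.type -e ssl.alert_message -e ssl.record -e ssl.record.content_type -e ssl.handshake -e ssl.handshake.cert_type.type -e ssl.handshake.extensions_alpn_str -e ssl.handshake.extensions_server_name \
    -e x509ce.dNSName \
    -e http.request.method -e http.request.uri -e http.location -e http.request.full_uri -e http.request.version -e http.user_agent -e http.host -e http.connection -e http.accept_encoding -e http.request_number -e http.response_in -e http.next_request_in -e http.response.code -e http.content_type -e http.content_length -e http.referer \
    -e _ws.expert.severity \
    -e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute \
    -e dns.time -e dns.flags -e dns.flags.rcode -e dns.count.queries -e dns.qry.name -e dns.count.labels -e dns.qry.type -e dns.qry.class -e dns.count.answers -e dns.count.add_rr -e dns.count.auth_rr -e dns.count.prerequisites -e dns.count.updates -e dns.count.zones -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.resp.ttl -e dns.a -e dns.aaaa -e dns.cname -e dns.dname \
    > "$OUTPUTLOGPATH"

fi

# -Y http.request -T fields -e http.host -e http.user_agent -e ip.dst -e http.request.full_uri

# simple
#-e frame.number -e frame.time_delta -e frame.len -e eth.src -e eth.dst -e frame.protocols \
#-e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.len \
#-e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.ack -e tcp.window_size -e -e tcp.flags
#-e tcp.analysis.<STUFF HERE>

# TCP Flags
# tcp.flags.cwr
# tcp.flags.ecn
# tcp.flags.fin
# tcp.flags.ns
# tcp.flags.push
# tcp.flags.res
# tcp.flags.reset
# tcp.flags.syn
# tcp.flags.urg
# -- tcp.urgent_pointer

# TCP Options
# MSS, QS, SACK, SNACK, TFO, TimeStamp, WindowScaling

# TCP Checksum seems to be disabled

# Use ssl instead of tls
#-e tls.handshake -e tls.handshake.ciphersuite -e tls.alert_message -e tls.alert_message.level -e tls. \

# SSL
# extensions_alpn_str = next protocol usually HTTP1.1
# extensions_server_name = only server name not the full resource URL

# x509ce.dNSName = server name from certificate

# HTTP
# _ws.expert.severity = chat level
# media.type = image/webp but prints all data

# INVALID FIELDS
# -e udp.time_delta -e udp.time_relative
# -e tcp.analysis.push_bytes_sent -e tcp.options.qs.rate
# -e tcp.options.time_stamp -e tcp.options.wscale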
pdml for extracting detailed information
# PDML is the complete dissection as XML; grep keeps only the cipher-suite elements
# (2.x ssl.* field names — on 3.x these are tls.*).
tshark -l -i any -f 'port 443' -Y "ssl.handshake.ciphersuites" -T pdml | grep ssl.handshake.ciphersuite
Headers
# GET requests for one vhost that carry an X-Forwarded-For header; "http contains"
# matches the raw header bytes, so the trailing colon keeps it to the header name.
tshark -i any -Y 'http.request.method == "GET" and http.host contains "uvoo.io" and http contains "X-Forwarded-For:"'
# Request headers as columns for one client.  The list includes http.cookie and
# http.authorization, so the output carries credentials — keep it out of shared logs
# and restrict read access wherever it is saved.
tshark -i any -f 'host 10.1.x.x' -Y 'http.request.method == "GET" or http.request.method == "POST"' -T fields -e http.request.method -e http.host -e http.request.uri -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type
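# Print the X-Forwarded-For value of every HTTP packet that carries the header.
# The filter is single-quoted so the inner "X-Forwarded-For:" quotes reach tshark;
# the original's nested double quotes closed the string early and stripped them.
tshark -i any -Y 'http and http contains "X-Forwarded-For:"' -T fields -e http.x_forwarded_for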
All
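# Every HTTP packet on the interface (<interface> is a placeholder) with the common
# request and response headers as columns.  The original listed http.host, http.range
# and http.referer twice; each is now emitted once so no column is duplicated.
# http.cookie, http.authorization and http.proxy_authorization are in the list, so the
# output contains credentials: restrict who can read it wherever it is written.
tshark -i <interface> -Y "http" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.uri -e http.host -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type -e http.range -e http.accept_charset -e http.if_modified_since -e http.if_none_match -e http.if_range -e http.if_unmodified_since -e http.location -e http.max_forwards -e http.pragma -e http.proxy_authorization -e http.server -e http.te -e http.upgrade -e http.via -e http.warning -e http.www_authenticate -e http.x_forwarded_for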
Decode real time (a lot of info)
# Live full dissection of eth0 as PDML (XML) — every field of every packet, very verbose.
tshark -T pdml -i eth0
tshark conversations
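# TCP conversation table for traffic with the host; -q suppresses per-packet output
# and -n disables name resolution.
tshark -i any -f "host example.com" -q -n -z conv,tcp
# Only the packets tshark's TCP analysis marks as retransmissions.
tshark -i any -f "host example.com" -Y tcp.analysis.retransmission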