Difference between revisions of "Tshark Scripts"
| (4 intermediate revisions by the same user not shown) | |||
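--- a/Tshark_Scripts
+++ b/Tshark_Scripts
@@ -4,13 +4,26 @@
 ```
 #!/bin/bash
+# nohup get-snis-via-tshark.sh &
+# cat sni.log | awk '{print $4}' | sort -u
+# cat sni.log | awk '{print $1, $2, $4}' | sort -u
 set -eu
-duration=
+sleep=5
+duration=90
 interface=internal
-
 pmatch=tshark
+snimatch=example.com
+sleep_secs=5
 get_sni() {
 ts=$(date +"%Y-%m-%dT%T.%3N%z")
-echo "I: Running tshark instance to get sni info. ${ts}"
-sleep 1
-tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name 2>&1 >> sni.log &
+# echo "I: Running tshark instance to get sni info. ${ts}"
+# sleep 1
+# tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name 2>&1 >> sni.log &
+tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name | grep $snimatch 2>&1 >> sni.log &
+}
+
+test_interface_exists() {
+if ! tshark -D | grep $interface; then
+echo E: Interface $interface does not exist!
+exit 1
+fi
 }
@@ -22,11 +35,14 @@
 main() {
-echo
+test_interface_exists
+start_ts=$(date +"%Y-%m-%dT%T.%3N%z")
+echo "I: Starting tshark looper for interfarce: $interface and SNImatch: $snimatch at $start_ts"
 while true; do
 if ! pgrep -x "$pmatch" > /dev/null; then
 get_sni
 else
-echo "$pmatch command is already running."
+# echo "$pmatch command is already running."
+true
 fi
-sleep
+sleep $sleep_secs
 done
 }
@@ -37,3 +53,4 @@
 ```
-nohup get-snis.sh &
+nohup ./get-snis.sh &
+cat sni.log | awk '{print $1, $2, $4}' | sort -u
 ```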
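Review bot: The new capture line in `get_sni` pipes tshark's line-buffered (`-l`) output through `grep $snimatch 2>&1 >> sni.log &`, where grep now block-buffers because its stdout is a file, so matches reach sni.log only every few KiB or when the 90-second run ends, and the unquoted pattern is a regex in which the `.` of example.com matches any character; `grep --line-buffered -F -- "$snimatch" >> sni.log &` fixes both (the `2>&1` placed before `>>` only points grep's stderr at the old stdout, not into the log, so it adds nothing). In `test_interface_exists`, `grep $interface` is an unanchored substring test that also echoes the matching `tshark -D` line; `grep -qw -- "$interface"` keeps it quiet and stops `internal` accepting a longer name, and the error should go to stderr, `echo "E: Interface $interface does not exist!" >&2`. Note also that the added `sleep=5` is never read (`main` uses `sleep_secs`), and the `ssl.*` field names are the pre-3.0 spelling of what newer Wireshark calls `tls.*` — presumably still accepted as aliases, but worth confirming with `tshark -G fields`.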
Latest revision as of 15:51, 9 February 2022
Collect SNIs without tshark using up a lot of memory: instead of one long-running capture, run tshark for a bounded `duration`, let it exit, and have a loop restart it.
get-snis-via-tshark.sh
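#!/bin/bash
# get-snis-via-tshark.sh — log TLS SNIs (and HTTP Host headers) seen going to
# port 443 on one interface, using short, repeatedly restarted tshark runs so
# tshark's memory use stays bounded.
#
# Usage:
#   nohup ./get-snis-via-tshark.sh &
#   awk '{print $4}' sni.log | sort -u
#   awk '{print $1, $2, $4}' sni.log | sort -u
set -eu

# Seconds each tshark capture runs before it exits and the loop restarts it.
duration=90
# Interface to capture on; must be listed by `tshark -D`.
interface=internal
# Process name the loop looks for (pgrep -x) before starting a new capture.
pmatch=tshark
# Only output lines containing this string are written to sni.log.
snimatch=example.com
# Pause between checks for a running capture. (A former `sleep=5` duplicate
# was dropped: nothing reads it — main() uses sleep_secs.)
sleep_secs=5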
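#######################################
# Start one bounded tshark capture in the background.
# Globals:  interface, duration, snimatch (read)
# Outputs:  matching "ip.src ip.dst tcp.dstport http.host sni" field lines
#           appended to sni.log; tshark/grep diagnostics are left on the
#           caller's stderr so the log stays parseable with awk
# Returns:  0 — the capture is detached with '&', its exit status is not
#           collected
#######################################
get_sni() {
  # The capture filter restricts everything to dst port 443, so the
  # http.host column only fills for plaintext HTTP sent to port 443.
  # NOTE(review): the ssl.* field names predate Wireshark's rename to tls.*;
  # presumably still accepted as aliases — confirm with `tshark -G fields`.
  #
  # --line-buffered: tshark's -l is pointless if grep then block-buffers into
  # the file; -F: snimatch is a literal host string, not a regex, so the dots
  # in example.com no longer match any character; stdout alone is redirected
  # (the old `2>&1 >> sni.log` sent stderr to the terminal anyway).
  tshark -l -i "$interface" -a "duration:$duration" -f 'dst port ( 443 )' \
    -Y 'ssl.handshake.extension.type == "server_name" || http.host' \
    -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host \
    -e ssl.handshake.extensions_server_name \
    | grep --line-buffered -F -- "$snimatch" >> sni.log &
}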
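#######################################
# Abort unless $interface is listed by `tshark -D`.
# Globals:  interface (read)
# Outputs:  an "E:" line on stderr when the interface is missing; the
#           `tshark -D` listing itself is no longer echoed (-q)
# Exits:    1 when the interface is not found
#######################################
test_interface_exists() {
  # -w so "internal" does not accept e.g. "internal2"; -F treats the name as
  # a literal (interface names may contain '.'); -q keeps the listing quiet.
  # NOTE(review): relies on the name appearing as a separate word in the
  # `tshark -D` line — confirm for unusual interface names.
  if ! tshark -D | grep -qwF -- "$interface"; then
    echo "E: Interface $interface does not exist!" >&2
    exit 1
  fi
}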
# Placeholder left over from development: nothing in this script calls it and
# it only prints a fixed marker. main() does its own `pgrep -x "$pmatch"` test.
is_tshark_running() {
  printf '%s\n' 'foo'
}
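#######################################
# Supervise the capture: keep (re)starting a bounded tshark run whenever no
# process named $pmatch is alive, polling every $sleep_secs seconds.
# Globals:  interface, snimatch, pmatch, sleep_secs (read)
# Outputs:  one "I:" start line on stdout (spelling of "interface" fixed)
# Returns:  never; exits 1 via test_interface_exists when the interface is
#           missing
#######################################
main() {
  local start_ts
  test_interface_exists
  start_ts=$(date +"%Y-%m-%dT%T.%3N%z")
  echo "I: Starting tshark looper for interface: $interface and SNImatch: $snimatch at $start_ts"
  while true; do
    # pgrep -x matches ANY process named $pmatch on the host, not only the
    # one get_sni started, so an unrelated tshark delays our capture.
    if ! pgrep -x "$pmatch" > /dev/null; then
      get_sni
    fi
    sleep "$sleep_secs"
  done
}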
# Entry point; main() takes no options, so the arguments are passed through
# and ignored.
main "$@"
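# Start the collector detached from the terminal. Use whatever name you saved
# the script under — the listing above is headed get-snis-via-tshark.sh.
nohup ./get-snis-via-tshark.sh &
# Unique (src, dst, name) triples. awk's default field splitting collapses the
# empty http.host column of TLS lines, so $4 is the SNI there (and the HTTP
# Host when that column is filled).
awk '{print $1, $2, $4}' sni.log | sort -u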
Watch memory usage of tshark command
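# Memory use of the capture; -b (batch) because interactive top needs a tty
# and cannot be piped.
top -b -n 1 | grep tshark
# Stop the looper BEFORE the capture: main() restarts tshark within
# sleep_secs whenever no tshark process is alive, so killing tshark alone
# just gets you a fresh one. (Replaces the `ps | grep snis` / `kill <pid>`
# / `pkill tshark` sequence.)
pkill -f get-snis   # the looper script
pkill -x tshark     # the capture it left running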