Latest revision as of 18:32, 29 June 2024

PCAP

tshark -l -i any -f 'host 10.x.x.x' -w 10.x.x.x.pcap

HTTP 80

 tshark -i any  -f "port 80" -Y "http.request.method == GET || http.request.method == POST"

Decode tls/ssl

tshark -l -i any -f 'dst port ( 82 ) and host 10.x.x.x' -d tcp.port==82,ssl

syslog

tshark -l -i any -f 'dst port ( 514 ) and host 10.x.x.x' -d tcp.port==514,syslog -T fields -E separator="  " -e ip.src -e ip.dst -e syslog.msg
tshark -l -i any -f 'dst port ( 9514 ) and host log.example.com' -d tcp.port==9514,syslog -T fields -E separator="  " -e ip.src -e syslog.msg

tshark syn packets

tcp[0xd]&18=2

tshark -G fields

SNI capture on 3.x (note tls vs ssl)

sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.x.x.y' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

sudo tshark -l -i any -f 'dst port ( 443 ) and src net 10' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

# GRE
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

SNI capture 2.x

tshark -l -i any -f 'dst port ( 443 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -l -i any -f 'dst port ( 443 )' -f 'host 10.x.xy' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -l -i any -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host | grep 204.1

curl

 curl -vik --resolve example.com:443:66.x.x.y https://example.com/

Quick and dirty packet counting smtp syn packets for host

tshark -i any -f "host 10.x.x.x and port 25 and tcp[13]==2" -T fields -e ip.src > dstip.10.x.x.x.tcp25.syn.txt
cat dstip.10.x.x.x.tcp25.syn.txt | sort | uniq -c | sort -nr
top -p `pidof tshark`

C:\Program Files\Wireshark\tshark.exe -i 1 -f "port 53" -Y "dns"
tshark -i internal -f "host 192.168.24.13 and port 25" -Y "smtp.req" # https://www.wireshark.org/docs/dfref/s/smtp.html
tshark -i eth0 -f "host 10.x.x.x and tcp port 80 or port 8080" -Y "http.request || http.response"
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -q -z sip,stat
sudo tshark -l -i eth0 -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -i any -f "dst port 389"  -O ldap  -V  # This probably won't work cuz double filter tshark -i any -2 -R ldap.filter -f "dst port 389"  -O ldap  -V

tshark -r ../rpcap/trace00 tcp.port==3000
tshark -r ../rpcap/trace00 ip.proto==47
tshark -V -i eth0 -f "host 10.x.x.x" -d tcp.port==162,snmp | grep -i msgAuthoritativeEngineID
sudo tcpdump -nnpi ens160 proto 47
sudo tshark -i ens160 -f "proto 47"


tshark -r ../rpcap/trace00 -T fields -e data
tshark -V -r ../rpcap/trace00 -d tcp.port==3000,sip

editcap -C 38 pcap.pcap pcap_edited.pcap

tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre | grep -i sip
tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre -d tcp.port==3000,sip | grep INVITE
tshark -r ../rpcap/trace00 -d ip.proto==47,gre -q -z sip,stat

Using ncat ?

db shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122"
In the second CMD window

adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122  | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"

Oneliners - http://snippets1000.blogspot.com/2012/04/tshark-one-liners.html

Show uris
tshark -T fields -e http.request.uri | grep -v “^$”

Unique urls
tshark -r sample.pcap -R http.request -T fields -e http.host -e http.request.uri | sort -u

Top ten urls from (http://goo.gl/qd5aI)
tshark -r sample1.cap -R http.request 
  -T fields -e http.host -e http.request.uri |
  sed -e 's/?.*$//' |
  sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' |
  sort | uniq -c | sort -rn | head


List user agents
sudo tshark -nn -r capture_file.pcap -Tfields -e ip.src -e http.user_agent -R "http.user_agent"


List conversations 


tshark -r sample.pcap  -tad -R"tcp" -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'


tshark -r samples.cap -q -z conv,tcp


HTTP statistics
tshark -q -z http,stat, -z http,tree -r sample.pcap

DNS

Show responses

tshark -tad -r lupus.pcap -R dns.flags.response==1

https://gist.github.com/shahifaqeer/eff11a51bf8e8b77557564006f70c36c

#!/bin/bash
# sh tshark_extract_fields.sh  [-h] | [ -i /input_path/trace.pcap -o output_path/tshark_trace.log -k ]

usage="sh $(basename "$0") [-h] | [-i input.pcap -o output.log][-k] -- program to extract packet fields from pcap for KPI calculations using tshark 
where:
    -h  show this help text
    -i  path to input pcap
    -o  path to output csv log file
    -k  output only specific KPI related fields"

while getopts hkfi:o: option
do
    case "${option}"
    in
    h|help) echo "$usage"
            exit 0
            ;;
    i) INPUTPCAPPATH=${OPTARG};;
    o) OUTPUTLOGPATH=${OPTARG};;
    k) KPIONLY=1;;
    esac
done

if [[ $KPIONLY -eq 1 ]]; then

    tshark -r $INPUTPCAPPATH -Y "not(ip.addr == 127.0.0.1) && (ipv6 || ip)" -T fields -E header=y -E separator=\| \
    -e frame.number -e frame.time -e frame.time_relative -e frame.len -e ip.version -e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len -e ip.fragment.error \
    -e tcp.stream -e tcp.time_relative -e tcp.time_delta -e tcp.srcport -e tcp.dstport -e tcp.len -e tcp.hdr_len -e tcp.pdu.size -e tcp.window_size -e tcp.flags -e tcp.flags.fin -e tcp.flags.ack -e tcp.flags.syn \
    -e tcp.analysis.retransmission -e tcp.analysis.rto  -e tcp.analysis.ack_rtt -e tcp.analysis.initial_rtt -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
    -e tcp.analysis.reused_ports -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
    -e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
    -e tcp.options.wscale.multiplier -e tcp.segment.error \
    -e tls.record.content_type -e tls.handshake.type -e tls.alert_message -e tls.handshake.cert_type.type -e tls.handshake.extensions_server_name -e tls.handshake.extensions_alpn_str -e tls.resumed -e tls.handshake.ciphersuite -e tls.segment.error -e tls.alert_message -e tls.alert_message.desc -e tls.alert_message.level \
    -e x509ce.dNSName \
    -e http.response.code -e http.location -e http.request.full_uri -e http.request.method -e http.request.uri -e http.time -e http.content_length -e http.referer \
    -e _ws.expert.severity \
    -e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute -e udp.checksum.bad \
    -e dns.flags -e dns.flags.rcode -e dns.flags.response -e dns.time -e dns.count.queries -e dns.qry.name -e dns.resp.ttl \
    > $OUTPUTLOGPATH

    # -e tcp.options.wscale -e tcp.options.wscale_val \

else

    tshark -r $INPUTPCAPPATH -T fields -E header=y -E separator=, \
    -e frame.number -e frame.time_delta -e frame.len -e vlan.id -e eth.trailer -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type \
    -e ip.proto -e ip.src -e ip.dst -e ip.dsfield -e ip.dsfield.dscp -e ip.flags -e ip.frag_offset -e ip.ttl -e ip.len \
    -e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.len -e tcp.ack -e tcp.ack.nonzero -e tcp.window_size -e tcp.nxtseq -e tcp.time_delta -e tcp.time_relative \
    -e tcp.options -e tcp.options.mss -e tcp.options.mss_val -e tcp.options.qs -e tcp.options.sack -e tcp.options.snack -e tcp.options.tfo -e tcp.options.wscale.multiplier \
    -e tcp.connection.syn -e tcp.connection.sack -e tcp.connection.rst -e tcp.connection.fin -e tcp.flags -e tcp.segment -e tcp.segment.count -e tcp.segment.error -e tcp.segment.multipletails -e tcp.segment.overlap \
    -e tcp.analysis.ack_lost_segment -e tcp.analysis.ack_rtt -e tcp.analysis.acks_frame -e tcp.analysis.bytes_in_flight -e tcp.analysis.duplicate_ack -e tcp.analysis.duplicate_ack_frame -e tcp.analysis.duplicate_ack_num \
    -e tcp.analysis.fast_retransmission -e tcp.analysis.flags -e tcp.analysis.initial_rtt -e tcp.analysis.keep_alive -e tcp.analysis.keep_alive_ack -e tcp.analysis.lost_segment -e tcp.analysis.out_of_order \
    -e tcp.analysis.retransmission -e tcp.analysis.reused_ports -e tcp.analysis.rto -e tcp.analysis.rto_frame -e tcp.analysis.spurious_retransmission -e tcp.analysis.tfo_syn \
    -e tcp.analysis.window_full -e tcp.analysis.window_update -e tcp.analysis.zero_window -e tcp.analysis.zero_window_probe -e tcp.analysis.zero_window_probe_ack \
    -e ssl.handshake.type -e ssl.alert_message -e ssl.record -e ssl.record.content_type -e ssl.handshake -e ssl.handshake.cert_type.type -e ssl.handshake.extensions_alpn_str -e ssl.handshake.extensions_server_name \
    -e x509ce.dNSName \
    -e http.request.method -e http.request.uri -e http.location -e http.request.full_uri -e http.request.version -e http.user_agent -e http.host -e http.connection -e http.accept_encoding -e http.request_number -e http.response_in -e http.next_request_in -e http.response.code -e http.content_type -e http.content_length -e http.referer \
    -e _ws.expert.severity \
    -e udp.stream -e udp.dstport -e udp.srcport -e udp.length.bad -e udp.length.bad_zero -e udp.possible_traceroute \
    -e dns.time -e dns.flags -e dns.flags.rcode -e dns.count.queries -e dns.qry.name -e dns.count.labels -e dns.qry.type -e dns.qry.class -e dns.count.answers -e dns.count.add_rr -e dns.count.auth_rr -e dns.count.prerequisites -e dns.count.updates -e dns.count.zones -e dns.resp.name -e dns.resp.type -e dns.resp.class -e dns.resp.ttl -e dns.a -e dns.aaaa -e dns.cname -e dns.dname \
    > $OUTPUTLOGPATH

fi

# -Y http.request -T fields -e http.host -e http.user_agent -e ip.dst -e http.request.full_uri

# simple
#-e frame.number -e frame.time_delta -e frame.len -e eth.src -e eth.dst -e frame.protocols \
#-e ip.proto -e ip.src -e ip.dst -e ip.flags -e ip.len \
#-e tcp.stream -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.hdr_len -e tcp.ack -e tcp.window_size -e -e tcp.flags
#-e tcp.analysis.<STUFF HERE>

# TCP Flags
# tcp.flags.cwr
# tcp.flags.ecn
# tcp.flags.fin
# tcp.flags.ns
# tcp.flags.push
# tcp.flags.res
# tcp.flags.reset
# tcp.flags.syn
# tcp.flags.urg
# -- tcp.urgent_pointer

# TCP Options
# MSS, QS, SACK, SNACK, TFO, TimeStamp, WindowScaling

# TCP Checksum seems to be disabled

# Use ssl instead of tls
#-e tls.handshake -e tls.handshake.ciphersuite -e tls.alert_message -e tls.alert_message.level -e tls. \

# SSL
# extensions_alpn_str = next protocol usually HTTP1.1
# extensions_server_name = only server name not the full resource URL

# x509ce.dNSName = server name from certificate

# HTTP
# _ws.expert.severity = chat level
# media.type = image/webp but prints all data

# INVALID FIELDS
# -e udp.time_delta -e udp.time_relative
# -e tcp.analysis.push_bytes_sent -e tcp.options.qs.rate
# -e tcp.options.time_stamp -e tcp.options.wscale

pdml for extracting detailed information

tshark -l -i any -f 'port 443' -Y "ssl.handshake.ciphersuites" -T pdml | grep ssl.handshake.ciphersuite

Headers

tshark -i any -Y 'http.request.method == "GET" and http.host contains "uvoo.io" and http contains "X-Forwarded-For:"'

 tshark -i any -f 'host 10.1.x.x' -Y 'http.request.method == "GET" or http.request.method == "POST"' -T fields -e http.request.method -e http.host -e http.request.uri -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type

tshark -i any -Y "http and http contains "X-Forwarded-For:"" -T fields -e http.x_forwarded_for

All

tshark -i <interface> -Y "http" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.uri -e http.host -e http.user_agent -e http.referer -e http.accept -e http.accept_language -e http.accept_encoding -e http.connection -e http.cookie -e http.cache_control -e http.authorization -e http.content_length -e http.content_type -e http.range -e http.accept_charset -e http.if_modified_since -e http.if_none_match -e http.if_range -e http.if_unmodified_since -e http.host -e http.location -e http.max_forwards -e http.pragma -e http.proxy_authorization -e http.range -e http.referer -e http.server -e http.te -e http.upgrade -e http.via -e http.warning -e http.www_authenticate -e http.x_forwarded_for

Decode real time (a lot of info)

tshark -T pdml -i eth0

tshark converations

tshark -i any -f "host example.com" -q -n -z conv,tcp
tshark -i any -f "host example.com" -Y tcp.analysis.retransmission

Difference between revisions of "Tshark"

Latest revision as of 18:32, 29 June 2024

Headers

Navigation menu

Search