Difference between revisions of "Tshark"

From UVOO Tech Wiki
Jump to navigation Jump to search
Line 2: Line 2:
 
```
 
```
 
sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.250.183.88' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
 
sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.250.183.88' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
 +
 +
# GRE
 +
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name
 
```
 
```
  

Revision as of 23:57, 7 February 2022

SNI capture on 3.x (note tls vs ssl) 

sudo tshark -l -i ens160 -f 'dst port ( 443 ) and host 10.250.183.88' -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

# GRE
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -Y 'tls.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e tls.handshake.extensions_server_name

SNI capture 2.x 

tshark -l -i any -f 'dst port ( 443 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -l -i any -f 'dst port ( 443 )' -f 'host 10.x.xy' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -l -i any -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host | grep 204.1

curl 

 curl -vik --resolve example.com:443:66.x.x.y https://example.com/

Quick and dirty packet counting smtp syn packets for host 

tshark -i any -f "host 10.x.x.x and port 25 and tcp[13]==2" -T fields -e ip.src > dstip.10.x.x.x.tcp25.syn.txt
cat dstip.10.x.x.x.tcp25.syn.txt | sort | uniq -c | sort -nr
top -p `pidof tshark`

C:\Program Files\Wireshark\tshark.exe -i 1 -f "port 53" -Y "dns"
tshark -i internal -f "host 192.168.24.13 and port 25" -Y "smtp.req" # https://www.wireshark.org/docs/dfref/s/smtp.html
tshark -i eth0 -f "host 10.x.x.x and tcp port 80 or port 8080" -Y "http.request || http.response"
sudo tshark -i ens160 -f "proto 47" -d ip.proto==47,gre -q -z sip,stat
sudo tshark -l -i eth0 -f 'dst port ( 80 or 8054 or 443 or 993 ) ' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name -e http.host
tshark -i any -f "dst port 389"  -O ldap  -V  # This probably won't work cuz double filter tshark -i any -2 -R ldap.filter -f "dst port 389"  -O ldap  -V

tshark -r ../rpcap/trace00 tcp.port==3000
tshark -r ../rpcap/trace00 ip.proto==47
tshark -V -i eth0 -f "host 10.x.x.x" -d tcp.port==162,snmp | grep -i msgAuthoritativeEngineID
sudo tcpdump -nnpi ens160 proto 47
sudo tshark -i ens160 -f "proto 47"


tshark -r ../rpcap/trace00 -T fields -e data
tshark -V -r ../rpcap/trace00 -d tcp.port==3000,sip

editcap -C 38 pcap.pcap pcap_edited.pcap

tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre | grep -i sip
tshark -V -r ../rpcap/trace00 -d ip.proto==47,gre -d tcp.port==3000,sip | grep INVITE
tshark -r ../rpcap/trace00 -d ip.proto==47,gre -q -z sip,stat

Using ncat ? 

db shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122"
In the second CMD window

adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122  | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"
Retrieved from "https://tech.uvoo.io/index.php?title=Tshark&oldid=2687"