Difference between revisions of "Tshark Scripts"
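--- a/get-snis-via-tshark.sh
+++ b/get-snis-via-tshark.sh
@@ -5,13 +5,13 @@
 #!/bin/bash
 set -eu
+sleep=5
 duration=90
-interface=
+interface=F5_internal
-
 pmatch=tshark
-snimatch=
+snimatch=exchange-solutions.tech
 get_sni() {
 ts=$(date +"%Y-%m-%dT%T.%3N%z")
-echo "I: Running tshark instance to get sni info. ${ts}"
+# echo "I: Running tshark instance to get sni info. ${ts}"
-sleep 1
+# sleep 1
 # tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name 2>&1 >> sni.log &
 tshark -l -i $interface -a duration:$duration -f 'dst port ( 443 )' -Y 'ssl.handshake.extension.type == "server_name" || http.host' -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host -e ssl.handshake.extensions_server_name | grep $snimatch 2>&1 >> sni.log &
@@ -24,4 +24,5 @@
 main() {
-echo
+start_ts=$(date +"%Y-%m-%dT%T.%3N%z")
+echo "I: Starting tshark looper for interfarce: $interface and SNImatch: $snimatch at $start_ts"
 while true; do
 if ! pgrep -x "$pmatch" > /dev/null; then
@@ -31,5 +32,5 @@
 echo "$pmatch command is already running."
 fi
-sleep
+sleep $sleep
 done
 }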
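Review bot: In the first hunk, the live tshark line still pipes into `grep $snimatch`, which is unquoted and treated as a regex, so now that snimatch is set to a hostname the dot matches any character, and a value containing a space or starting with `-` would be split or read as an option; `| grep -F -- "$snimatch"` keeps it a literal match. On the same line `2>&1 >> sni.log` redirects grep's stderr to the script's stdout before the log is opened, so nothing from stderr reaches sni.log; if that is the intent, write `>> sni.log 2>&1`. `$interface` and `$duration` on that line are unquoted as well. The body of get_sni continues past the end of the hunk.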
Revision as of 14:49, 9 February 2022
Collect SNIs without using up a lot of memory
get-snis-via-tshark.sh
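#!/bin/bash
# get-snis-via-tshark.sh
#
# Keep a short-lived tshark capture running in a loop and append the records
# whose output contains $snimatch to ./sni.log.  Each tshark instance stops
# on its own after $duration seconds (-a duration:), which keeps its memory
# use bounded; the loop starts a new one as soon as no tshark process is left.
#
# Usage:    nohup ./get-snis-via-tshark.sh > get-snis.out 2>&1 &
# Requires: tshark on PATH, capture rights on $interface, GNU date (%3N).
set -euo pipefail

sleep=5                            # seconds between liveness checks
duration=90                        # lifetime of one tshark instance, seconds
interface=F5_internal              # capture interface
pmatch=tshark                      # exact process name checked with pgrep -x
snimatch=exchange-solutions.tech   # literal substring a record must contain
logfile=sni.log                    # created with the caller's umask; holds observed hostnames

#######################################
# Start one background tshark capture and filter its records into $logfile.
# Globals:   interface, duration, snimatch, logfile (read)
# Outputs:   matching tshark field lines appended to $logfile; tshark and
#            grep diagnostics stay on the script's stderr
# Returns:   0 (the capture itself keeps running in the background)
#######################################
get_sni() {
  # -l line-buffers tshark so grep sees each record as it is captured.
  # grep -F treats $snimatch as a literal string (a hostname's dot is not a
  # regex wildcard) and -- protects against a value beginning with '-'.
  tshark -l -i "$interface" -a duration:"$duration" -f 'dst port ( 443 )' \
    -Y 'ssl.handshake.extension.type == "server_name" || http.host' \
    -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host \
    -e ssl.handshake.extensions_server_name \
    | grep -F -- "$snimatch" >> "$logfile" &
}

#######################################
# Report whether a process named exactly $pmatch exists on this host.
# NOTE: the check is host-wide, so an unrelated tshark started elsewhere
# makes the loop wait instead of capturing.
# Globals:   pmatch (read)
# Returns:   0 if such a process exists, non-zero otherwise
#######################################
is_tshark_running() {
  pgrep -x "$pmatch" > /dev/null
}

#######################################
# Supervisor loop: start a capture whenever none is running, else wait.
# Globals:   interface, snimatch, pmatch, sleep (read)
# Outputs:   progress messages on stdout
# Returns:   never returns; stop it with kill/Ctrl-C
#######################################
main() {
  local start_ts
  start_ts=$(date +"%Y-%m-%dT%T.%3N%z")
  printf 'I: Starting tshark looper for interface: %s and SNImatch: %s at %s\n' \
    "$interface" "$snimatch" "$start_ts"
  while true; do
    if is_tshark_running; then
      echo "$pmatch command is already running."
    else
      get_sni
    fi
    sleep "$sleep"
  done
}

main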
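# Detach the looper from the terminal.  Use an explicit path: a bare name is
# looked up on PATH, not in the current directory, and the listing above is
# named get-snis-via-tshark.sh.  Both streams go to a file so tshark/pgrep
# diagnostics are kept (get-snis.out is only a suggested name).
nohup ./get-snis-via-tshark.sh > get-snis.out 2>&1 &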
Watch memory usage of tshark command
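# top's default mode is interactive and may refuse to run or emit terminal
# control sequences when its output is a pipe; -b (batch) prints a plain
# snapshot every -d seconds (procps/Linux top).  -F and -- keep grep from
# treating the name as a pattern or an option.
top -b -d 5 | grep -F -- tshark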
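# Stop the looper first, then the capture it started; in the other order the
# loop simply spawns a new tshark after $sleep seconds.  A bare `ps` lists
# only processes on the current terminal, so use pgrep to find the looper.
pgrep -af snis     # prints PID and command line of the looper
kill -- PID        # replace PID with the number printed above
pkill -x tshark    # -x: exact process name, not a substring match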