Tshark Scripts
Collect SNIs without using up a lot of memory
get-snis-via-tshark.sh

The idea is to never let one tshark process run for long: each instance exits after `duration` seconds (so its dissection state is freed) and the loop starts a fresh one when none is running. Only lines containing `snimatch` are appended to sni.log.

```bash
#!/bin/bash
# Loop short-lived tshark captures so memory stays bounded: tshark exits after
# $duration seconds and is restarted by the loop whenever it is not running.
set -eu

duration=90           # seconds each tshark instance runs before exiting
interface=internal    # capture interface, as listed by `tshark -D`
pmatch=tshark         # process name checked with pgrep
snimatch=example.com  # only lines containing this string are logged
sleep_secs=5          # poll interval between restart checks

get_sni() {
    ts=$(date +"%Y-%m-%dT%T.%3N%z")
    echo "I: Running tshark instance to get SNI info. ${ts}"
    # -l flushes tshark output per packet and --line-buffered does the same for
    # grep, so matches reach sni.log as they happen instead of sitting in a pipe
    # buffer until the instance exits. -F treats $snimatch as a literal string,
    # so the dots in a hostname are not regex wildcards.
    tshark -l -i "$interface" -a duration:"$duration" -f 'dst port ( 443 )' \
        -Y 'ssl.handshake.extension.type == "server_name" || http.host' \
        -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.host \
        -e ssl.handshake.extensions_server_name \
        | grep -F --line-buffered "$snimatch" >> sni.log &
}

test_interface_exists() {
    if ! tshark -D | grep -q -- "$interface"; then
        echo "E: Interface $interface does not exist!"
        exit 1
    fi
}

is_tshark_running() {
    pgrep -x "$pmatch" > /dev/null
}

main() {
    test_interface_exists
    start_ts=$(date +"%Y-%m-%dT%T.%3N%z")
    echo "I: Starting tshark looper for interface: $interface and SNImatch: $snimatch at $start_ts"
    while true; do
        if ! is_tshark_running; then
            get_sni
        fi
        sleep "$sleep_secs"
    done
}

main
```
Run the looper in the background and summarise what has been logged so far:

```bash
nohup ./get-snis.sh &
awk '{print $1, $2, $4}' sni.log | sort -u
```

Note that `tshark -T fields` separates columns with tabs and leaves a missing field empty. awk's default field separator collapses runs of whitespace, so on a TLS line (where http.host is empty) `$4` is the SNI, while on a plain HTTP line it is the Host header; the columns shift rather than stay fixed.
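A tab-aware parser avoids that column shift. The following is an added example, not part of the original page or script: it reads lines in the exact field order the looper's `-e` options produce, splits on tabs so empty columns keep their position, falls back from SNI to the HTTP Host header, deduplicates (source, destination, name) triples the way the `sort -u` step does, and counts how many distinct client/server pairs each name was seen on. The log lines below are constructed for the example, not captured traffic.

```python
"""Summarise the tab-separated output that `tshark -T fields` writes to sni.log.

Column order matches the looper's -e options:
ip.src, ip.dst, tcp.dstport, http.host, ssl.handshake.extensions_server_name
A field the packet lacks is emitted empty, so lines are split on tabs (not on
runs of whitespace) to keep the columns aligned.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

FIELDS = ("ip.src", "ip.dst", "tcp.dstport", "http.host", "sni")

# Constructed sample of sni.log lines (not real traffic). The TLS ClientHello
# lines have an empty http.host column; the plain HTTP line has an empty SNI.
# The last line stands in for a truncated or foreign line in the log.
SAMPLE_LOG = (
    "10.0.0.5\t93.184.216.34\t443\t\twww.example.com\n"
    "10.0.0.5\t93.184.216.34\t443\t\twww.example.com\n"
    "10.0.0.7\t93.184.216.34\t443\t\tcdn.example.com\n"
    "10.0.0.7\t198.51.100.9\t80\tstatic.example.net\t\n"
    "malformed line without tabs\n"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one sni.log line into named fields; None if the column count is off."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Prefer the TLS SNI; fall back to the HTTP Host header for plain HTTP.
    rec["name"] = rec["sni"] or rec["http.host"]
    return rec


def summarize(text: str, match: str) -> Dict[str, object]:
    """Deduplicate (src, dst, name) triples and count distinct pairs per name."""
    unique: set = set()
    per_name: Counter = Counter()
    skipped = 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["name"]:
            skipped += 1  # unparsable line, or a packet with neither SNI nor Host
            continue
        key: Tuple[str, str, str] = (rec["ip.src"], rec["ip.dst"], rec["name"])
        if key not in unique:
            unique.add(key)
            per_name[rec["name"]] += 1  # one per distinct client/server pair
    # Same substring test as `grep -F "$snimatch"`, applied to the name only.
    matching: List[Tuple[str, str, str]] = sorted(
        (k for k in unique if match in k[2]), key=lambda k: (k[2], k)
    )
    return {
        "unique": sorted(unique),
        "per_name": dict(per_name),
        "matching": matching,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "example.com")
    for src, dst, name in result["unique"]:
        print(f"{src} -> {dst}  {name}")
    print("matching:", [k[2] for k in result["matching"]])
    print("skipped:", result["skipped"])
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents (`open("sni.log").read()`); the `skipped` count is worth watching, since a non-zero value usually means the `-e` field list and the parser's `FIELDS` no longer agree.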
Watch memory usage of tshark command
`top` needs batch mode when its output goes into a pipe:

```bash
top -b -n 1 | grep tshark
```

To stop everything, find the looper's PID, kill it, and then kill the tshark instance it left running:

```bash
ps aux | grep snis
kill <pid>
pkill tshark
```