

Ever since I discovered it, I've preferred tshark as a means of extracting information and stats from a packet capture, particularly when that information needs to be communicated onwards via email - it's far better to provide simple tabulated data than 40-odd screenshots trying to highlight what you mean.

TShark uses the same underlying libraries as Wireshark, so you get the benefit of its dissectors, allowing you to easily filter by traffic type (-Y "ssh") or to build more advanced filters.

There's no way any list of examples could ever be exhaustive, but this list is intended to provide various examples containing some nuts and bolts which you can piece together to create useful commands (most examples exclude basics like -e ip.src for brevity's sake).

If you want to build a new command based on some field you can see in Wireshark, the easiest way to find out the name to pass to tshark is to filter by it in Wireshark and then pinch the name out of the filter field.

Based On

Some of these examples are lifted, almost directly, from my PAS project, others from my own notes.

All of the examples below assume $PCAP holds the path to the capture file.

```bash
# NB: a few field names in this listing did not survive extraction intact; they have been
# restored to the standard Wireshark field names that the accompanying comments describe.

# Basics: tabulate a single field across the whole capture
tshark -r "$PCAP" -T fields -e ip.dst | sort | uniq -c
tshark -r "$PCAP" -T fields -e tcp.dstport | sort | uniq -c
tshark -r "$PCAP" -T fields -e udp.dstport | sort | uniq -c
# To add the time of the frame use -e frame.time_epoch
# For tcp packet type, use tcp.flags (output is hex)
# Just add an additional -e with the field:
tshark -r "$PCAP" -T fields -e ip.dst -e tcp.dstport | sort | uniq -c

# List out destinations observed for a given dest port
tshark -r "$PCAP" -Y "udp.dstport == 53" -T fields -e ip.dst | sort | uniq -c
# List out destinations observed for a given source port
tshark -r "$PCAP" -Y "tcp.srcport == 80" -T fields -e ip.dst | sort | uniq -c

# HTTP: count the host headers observed
tshark -q -r "$PCAP" -Y "http.host" -T fields -e http.host | sort | uniq -c
# Extract a list of HTTP requests made, with common headers
# (http.request.method and http.request.uri are assumed here; those two names were lost in extraction)
tshark -q -r "$PCAP" -Y "http.host" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst \
    -e http.host -e http.request.method -e http.request.uri -e http.referer -e http.user_agent -e http.cookie -e http.authorization
tshark -q -r "$PCAP" -Y "http.host" -T fields -e http.referer | sort | uniq -c
# Extract a list of User-agents (to help identify devices)
tshark -q -r "$PCAP" -Y "http.host" -T fields -e http.user_agent | sort | uniq -c
# Other HTTP headers can all be dumped too, http.x_forwarded_for etc.
# Output a list of observed HTTP status codes
tshark -q -r "$PCAP" -Y "http.response" -T fields -e http.response.code | sort | uniq -c
# Output a list of host headers observed in POST requests only
tshark -q -r "$PCAP" -Y "http.request.method == POST" -T fields -e http.host | sort | uniq -c

# SSL/TLS: server names (SNI) requested in handshakes
# (on Wireshark 3.0 and later the ssl.* fields are named tls.*, e.g. tls.handshake.extensions_server_name)
tshark -q -r "$PCAP" -Y "ssl.handshake" -T fields -e ssl.handshake.extensions_server_name | sort | uniq -c
# Extract supported ciphersuites from the handshake
# (a Client Hello carries many suites; -T fields joins the values of one frame with commas)
tshark -q -r "$PCAP" -Y "ssl.handshake" -T fields -e ssl.handshake.ciphersuite | sort | uniq -c
# Printable strings from certificate subject/issuer fields
tshark -q -r "$PCAP" -Y "ssl.handshake" -T fields -e x509sat.printableString | sort | uniq -c

# DNS: resolvers communicated with
tshark -q -r "$PCAP" -Y "dns" -T fields -e ip.dst | sort | uniq -c
# Tally the response codes seen (field name assumed; it was lost in extraction)
tshark -q -r "$PCAP" -Y "dns" -T fields -e dns.flags.rcode | sort | uniq -c
# Count responses per sec (change "1" for longer interval)
tshark -q -r "$PCAP" -z "io,stat,1,COUNT(dns.flags.rcode)"
tshark -q -r "$PCAP" -z "io,stat,1,COUNT(dns.flags.rcode)dns.flags.rcode == 2"
tshark -q -r "$PCAP" -z "io,stat,1,COUNT(dns.flags.rcode)dns.flags.rcode == 5"
# Get the value of RCODE for your desired response filter from RFC1035, RFC2136, RFC2845 etc
# Grab any EDNS Client Subnet (ECS) information
tshark -q -r "$PCAP" -Y "dns" -T fields -e dns.opt.client.addr4 | sort | uniq -c

# List out XMPP servers communicated with
tshark -q -r "$PCAP" -Y "tcp.dstport == 5222" -T fields -e ip.dst | sort | uniq -c
# List out OpenVPN servers communicated with
tshark -q -r "$PCAP" -Y "openvpn" -T fields -e ip.dst | sort | uniq -c
# List out SMTP servers communicated with
tshark -q -r "$PCAP" -Y "tcp.dstport == 25" -T fields -e ip.dst | sort | uniq -c
```
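Every one-liner above finishes with `sort | uniq -c`, which discards the relationship between fields. As an added example (not from the original page or the PAS project), the script below post-processes the tab-separated `-T fields` output of an HTTP request listing into per-host tables of the kind you would paste into an email; the tshark invocation in the header comment, the function names and the sample lines are all assumed or constructed.

```bash
#!/bin/sh
# Added example: post-process "tshark -T fields" output instead of stopping at
# "sort | uniq -c". Assumed producer (tab separated is tshark's default):
#   tshark -q -r "$PCAP" -Y "http.host" -T fields \
#     -e frame.time_epoch -e ip.dst -e tcp.dstport -e http.host -e http.user_agent

# Constructed sample of that command's output, one request per line.
sample_http_fields() {
  printf '1700000000.1\t203.0.113.10\t80\texample.com\tMozilla/5.0 (X11)\n'
  printf '1700000001.2\t203.0.113.10\t80\texample.com\tMozilla/5.0 (X11)\n'
  printf '1700000002.3\t203.0.113.10\t80\texample.com\tcurl/7.88\n'
  printf '1700000003.4\t198.51.100.7\t8080\tupdates.example.net\tMozilla/5.0 (X11)\n'
  printf '1700000004.5\t198.51.100.7\t8080\tupdates.example.net\tMozilla/5.0 (X11)\n'
}

# Per (host header, destination IP, port): request count and number of distinct
# User-Agents, so one host being hit by several client types stands out.
# Output columns: host ip port requests distinct_user_agents
summarise_http() {
  awk -F'\t' '
    NF >= 5 {
      key = $4 " " $2 " " $3
      reqs[key]++
      seen[key "\t" $5] = 1
    }
    END {
      for (k in seen) { split(k, p, "\t"); distinct[p[1]]++ }
      for (k in reqs) printf "%s %d %d\n", k, reqs[k], distinct[k]
    }' | sort
}

# Hosts reached on a destination port outside the sanctioned list, e.g. HTTP on
# 8080 when only 80 is expected. Usage: unexpected_ports 80 443
unexpected_ports() {
  allowed=" $* "
  awk -F'\t' -v ok="$allowed" 'NF >= 5 && index(ok, " " $3 " ") == 0 {
    print $4 " " $2 " " $3 }' | sort -u
}

# Stand-alone demo on the constructed sample
sample_http_fields | summarise_http
sample_http_fields | unexpected_ports 80 443
```

With a real capture, replace `sample_http_fields` with the tshark command from the header comment and pipe it into either function.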
