Packet Captures: Difference between revisions
Content added Content deleted
(→Misc: adv pcaps) |
(→Advanced Packet Filtering: added section) |
||
Line 426:
== Advanced Packet Filtering ==
{{UC}}
Wireshark Filter:
((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb
<pre style="width: 2000px; overflow-x: scroll;">
find . -type f | egrep "All.pcap"
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb' ; echo -e "\n"; done
Line 435 ⟶ 439:
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t a -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t ad -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done > smb-time.txt
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 192.168.80.80 or host 10.1.1.56) and host 192.168.30.20) and port 445' ; echo -e "\n"; done▼
for i in `find . -type f | egrep ".txt"`; do echo $i; cat $i ; echo -e "\n"; done | grep smb2.lock
</pre>
▲ for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 192.168.80.80 or host 10.1.1.56) and host 192.168.30.20) and port 445' ; echo -e "\n"; done
= Misc =
|
Revision as of 22:21, 2 July 2017
Various Pcap files for studies are as follows:
PCAP files
Common packet captures files used across the site and for studies are below:
VPN Captures
Packet Type | Description | Page Link |
---|---|---|
ScreenOS Site to Site VPN | Main Mode VPN negotiations (FW1 is Responder; FW2 is Initiator) | VPN Lab, Debug |
Dialup VPN | Aggressive mode Dailup VPN | VPN Lab, Debug |
Aggressive Mode VPN | ||
Dailup Xauth IP VPN | Aggressive mode Dailup VPN with XAuth IP Assignment | VPN Lab, Debug |
Dailup Xauth IP VPN | Aggressive mode Dailup VPN with XAuth User login | VPN Lab, Debug |
NAT Traversal | NAT Traversal on Cisco Routers | VPN Lab, Debug |
Manual Key VPN | Manual Key or Static VPN captures | Manual Key VPN |
FTP-TFTP
Packet Type | Description | Page Link |
---|---|---|
Active Mode FTP | FTP in Active Mode | Active FTP |
Passive Mode FTP | FTP in Passive Mode | Passive FTP |
TFTP RRQ | TFTP Read Request | TFTP |
TFTP WRQ | TFTP Write Request | TFTP |
Routing Protocols
Packet Type | Description | Page Link |
---|---|---|
BGP | BGP | |
eBGP | BGP | |
BGP Notification | BGP | |
BGP MD5 | BGP | |
OSPF | OSPF | |
OSPF MD5 | OSPF | |
OSPF LSAs | OSPF | |
OSPF over GRE Tunnel | OSPF | |
EIGRP Neighbors | EIGRP | |
EIGRP adjacency | EIGRP | |
EIGRP goodbye | EIGRP | |
EIGRPv2 adjacency | EIGRP | |
RIPv1 | ||
RIPv2 |
ARP
Packet Type | Description | Page Link |
---|---|---|
ARP | ARP | |
ARP Storm | ARP | |
Gratuitous ARP | ARP | |
Gratuitous ARP HSRP | ARP | |
RARP Request | ARP |
DNS-DHCP
Packet Type | Description | Page Link |
---|---|---|
DNS Capture | Contains TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries | DNS |
DHCP | All packets broadcast implementation | DHCP |
DHCP 2 | Unicast packets implementation | DHCP |
DHCP Inter VLAN | DHCP | |
Dhcp-auth | DHCP |
Misc Captures
Packet Type | Description | Page Link |
---|---|---|
TCP SACK | SACK(frame #31), Timestamp | TCP/IP |
Smtp | ||
Teardrop | ||
Telnet | ||
Port Scan | ||
Traceroute | Traceroute | |
Path MTU | Fragmentation Needed message in packet #6 | Path MTU Discovery |
HTTP | Sack Used | HTTP |
NAT | Ping Packet with & without NAT | |
IP Fragmentation | ||
SNMP | ||
SIP | ||
GRE Encapsulated Ping | ||
RADIUS | ||
DTP | ||
Slammer Worm | ||
GLBP election | ||
HDLC | ||
HSRP | ||
HSRP election | ||
HSRP failover | ||
Hsrp-and-ospf-in-LAN | ||
RADIUS2 | ||
SSHv2 | ||
TACACS+ | ||
Bittorrent | ||
IPv6 | ||
Vnc-sample | ||
Blaster Worm | ||
OS Fingerprinting | ||
STP | ||
MySQL |
Filtering Packets
Information related to Packet filtering is as follows:
Filtering a Cap File
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
Wireshark Common Filters
Description | Filter |
---|---|
Sets a filter for any packet with 10.0.0.1, as either the source or dest | ip.addr == 10.0.0.1 |
Sets a conversation filter between the two defined IP addresses | ip.addr==10.0.0.1 && ip.addr==10.0.0.2 |
Sets a filter to display all http and dns | http or dns |
Sets a filter for any TCP packet with 4000 as a source or dest port | tcp.port==4000 |
Displays all TCP resets | tcp.flags.reset==1 |
Display all SYN packets | tcp.flags.syn==1 |
Filter packets using Identification Field (across multiple traces) | ip.id==518 |
Displays all HTTP GET requests | http.request |
Displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID |
tcp contains traffic |
Masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest |
!(arp or icmp or dns) |
Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset | udp contains 33:27:58 |
Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss |
tcp.analysis.retransmission |
Fragmented Traffic | ip.flags.mf == 1 or ip.frag_offset > 0 |
ICMP Fragmentation needed packets | icmp.type==3 and icmp.code==4 |
Combination of above two | ip[0,9,20:2]==4501:0304||ip[6:2]&3fff |
Starting and Ending sessions | tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0) |
Wireshark Column Filters
Value to display | Filter |
---|---|
TTL | ip.ttl |
Flags | tcp.flags |
SEQ | tcp.seq |
ACK | tcp.ack |
MSS | tcp.options.mss_val |
In-Flight | tcp.analysis.bytes_in_flight |
Payload | tcp.len |
Window | tcp.window_size |
Content-Length | http.content_length_header |
TCPDump Filters
Source: [thegeekstuff.com]
- General TCPDump command:
tcpdump -s 0 -i eth0 host 10.1.1.1 -v -w /tmp/packet_capture.cap
Description | Command |
---|---|
Capture packets from a particular interface | tcpdump -i eth1 |
Capture only N number of packets | tcpdump -c 200 -i eth0 |
Display Captured Packets in ASCII | tcpdump -A -i eth0 |
Display Captured Packets in HEX and ASCII | tcpdump -XX -i eth0 |
Capture the packets and write into a file | tcpdump -w 08232010.pcap -i eth0 |
Capture packets with IP address without DNS resolution | tcpdump -n -i eth0 |
Capture packets with proper readable timestamp | tcpdump -n -tttt -i eth0 |
Read packets only longer or smaller than N bytes | tcpdump -w capture.pcap greater 1024 tcpdump -w capture.pcap less 1024 |
Receive only the packets of a specific protocol type | tcpdump -i eth0 arp |
Receive packets flows on a particular port | tcpdump -i eth0 port 22 |
Capture packets for particular destination IP and Port | tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22 |
Capture TCP communication packets between two hosts | tcpdump -w comm.pcap -i eth0 udp and \(host 172.20.68.176 and host 172.24.173.9\) |
Capture all the packets other than arp and rarp 'and' 'or' and 'not' condition are used to filter the packets |
tcpdump -i eth0 not arp and not rarp |
Reading PCAPs
Header text | Header text |
---|---|
Reading pcap file | tcpdump -r data.pcap |
Viewing all headers | tcpdump -e -nn -vv -r data.pcap |
Viewing hexadecimal data | tcpdump -XX -r data.pcap |
TCPDump Parameters
Modifiers
Symbol | Words |
---|---|
! | not |
&& | and |
|| | or |
Examples
Filter | Description |
---|---|
udp dst port not 53 | UDP not bound for port 53 |
host 10.0.0.1 && host 10.0.0.2 | Traffic between these hosts |
tcp dst port 80 or 8080 | Packets to either TCP port |
Protocol keywords
Keywords | ||
---|---|---|
arp | ether | icmp |
ip | ip6 | ppp |
rarp | tcp | udp |
wlan |
TCP Flags
Flag Keywords | ||
---|---|---|
tcp-urg | tcp-rst | |
tcp-ack | tcp-syn | |
tcp-psh | tcp-fin |
Capture Filter Primitives
Filter | Description |
---|---|
[src|dst] host <host> | Matches a host as the IP source, destination, or either |
ether [src|dst] host <ehost> | Matches a host as the Ethernet source, destination, or either |
gateway host <host> | Matches packets which used host as a gateway |
[src|dst] net <network>/<len> | Matches packets to or from an endpoint residing in network |
[tcp|udp] [src|dst] port <port> | Matches TCP or UDP packets sent to/from port |
[tcp|udp] [src|dst] portrange <p1>-<p2> | Matches TCP or UDP packets to/from a port in the given range |
less <length> | Matches packets less than or equal to length |
greater <length> | Matches packets greater than or equal to length |
(ether|ip|ip6) proto <protocol> | Matches an Ethernet, IPv4, or IPv6 protocol |
(ether|ip) broadcast | Matches Ethernet or IPv4 broadcasts |
(ether|ip|ip6) multicast | Matches Ethernet, IPv4, or IPv6 multicasts |
type (mgt|ctl|data) [subtype <subtype>] | Matches 802.11 frames based on type and optional subtype |
vlan [<vlan>] | Matches 802.1Q frames, optionally with a VLAN ID of vlan |
mpls [<label>] | Matches MPLS packets, optionally with a label of label |
<expr> <relop> <expr> | Matches packets by an arbitrary expression |
Command Line Options
-A Print frame payload in ASCII -c <count> Exit after capturing count packets -D List available interfaces -e Print link-level headers -F <file> Use file as the filter expression -G <n> Rotate the dump file every n seconds -i <iface> Specifies the capture interface -K Don't verify TCP checksums -L List data link types for the interface -n Don't convert addresses to names -p Don't capture in promiscuous mode -q Quick output -r <file> Read packets from file -s <len> Capture up to len bytes per packet -S Print absolute TCP sequence numbers -t Don't print timestamps -v[v[v]] Print more verbose output -w <file> Write captured packets to file -x Print frame payload in hex -X Print frame payload in hex and ASCII -y <type> Specify the data link type
Advanced Packet Filtering
This section is under construction. |
Wireshark Filter:
((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb
find . -type f | egrep "All.pcap" for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb' ; echo -e "\n"; done for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done | grep 'error|unknown|denied' for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt & for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t a -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t ad -r $i '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2' ; echo -e "\n"; done > smb-time.txt for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 192.168.80.80 or host 10.1.1.56) and host 192.168.30.20) and port 445' ; echo -e "\n"; done for i in `find . -type f | egrep ".txt"`; do echo $i; cat $i ; echo -e "\n"; done | grep smb2.lock
Misc
- In IE, disable HTTP1.1 in Advanced options to see the traffic being sent in HTTP1.0 version. Now you will be able to see traffic in Clear text in wireshark captures. HTTP1.1 uses gzip to compress html, so it is not read in clear text. You will find multiple connections for a single webpage.
- In Wireshark, anyting you see in square brackets - [bla bla] is the wireshar analysis of the information & is not the part of the packet captured.
Non-Root Capture in Ubuntu
sudo apt-get install libcap2-bin sudo groupadd wireshark sudo usermod -a -G wireshark kirat newgrp wireshark sudo chgrp wireshark /usr/bin/dumpcap sudo chmod 750 /usr/bin/dumpcap sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Verification:
getcap /usr/bin/dumpcap => /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
If still unable to capture:
sudo dpkg-reconfigure wireshark-common sudo chmod +x /usr/bin/dumpcap
Tshark
apt-get install tshark tshark -r lotsapackets.cap -R dns -w dns.cap tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w web.cap capinfos web.cap editcap -c 50000 lotsapackets.cap fewerpackets.cap
{{#widget:DISQUS
|id=networkm
|uniqid=Packet Captures
|url=https://aman.awiki.org/wiki/Packet_Captures
}}