Packet Captures: Difference between revisions

== Advanced Packet Filtering ==
 
Use Case:
{{UC}}
 
I am analyzing an SMB issue. I have 50 PCAP files of 100 MB each, generated by the intermediate devices.
I am not sure which of the files contain the interesting traffic, and searching each file manually in Wireshark is tedious.
Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (port 445).
We can use Tshark or TCPDump for this exercise. Tshark is slow on Linux; TCPDump is very fast.
Wireshark filter (the display filter smb2 matches SMB2; smb alone only matches SMB1):
((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2
 
 
List all PCAP files using any of the below commands:
<pre style="width: 2000px; overflow-x: scroll;">
find . -type f | egrep "All.pcap"
find . -type f | egrep "\.pcap$"
find . -type f | grep "pcap"
</pre>
List interesting traffic from all the PCAP files:
<pre style="width: 2000px; overflow-x: scroll;">
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done
</pre>
 
Filter out errors:
<pre style="width: 2000px; overflow-x: scroll;">
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)'
</pre>
 
Filter out errors and save the output to a text file in the background:
<pre style="width: 2000px; overflow-x: scroll;">
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt &
</pre>
 
Show timestamps in the output (still filtered for errors) and save it to a text file in the background:
<pre style="width: 2000px; overflow-x: scroll;">
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -t ad -r "$i" '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errorstime.txt &

Timestamp formats for tshark -t:
-t a    absolute time (local time in your time zone, the actual time the packet was captured)
-t ad   absolute time with date
-t u    absolute UTC time
-t ud   absolute UTC time with date
</pre>
 
Search for keywords in the text files created alongside the traces:
for i in $(find . -type f | egrep "\.txt$"); do echo "$i"; cat "$i" ; echo -e "\n"; done | grep smb2.lock
 
 
Using TCPDump instead of Tshark
<pre style="width: 2000px; overflow-x: scroll;">
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tcpdump -r "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done
</pre>
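As an added example that is not part of the wiki page, the one-liners above folded into a single bash script: the tshark display filter and its tcpdump BPF equivalent are built from one server address and any number of client addresses (the page shows the two-client case), PCAP paths containing spaces survive thanks to find -print0, and the error match is case-insensitive. The function names are my own; 1.1.1.1, 2.2.2.2 and 3.3.3.3 are the page's placeholder addresses.

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page. Batch-filter a tree of PCAPs for SMB2
# traffic between N clients and one server, as the page's one-liners do.
# Function names are my own; 1.1.1.1 / 2.2.2.2 / 3.3.3.3 are the page's placeholders.

# Wireshark/tshark display filter: ((ip.addr==c1 or ip.addr==c2 ...) and ip.addr==server) and smb2
# (smb2 is the SMB2/3 dissector; the filter "smb" would only match SMB1)
build_display_filter() {
  local server=$1 clients="" c
  shift
  for c in "$@"; do
    clients="${clients:+$clients or }ip.addr==$c"
  done
  printf '((%s) and ip.addr==%s) and smb2' "$clients" "$server"
}

# tcpdump BPF equivalent: no dissector, so "port 445" stands in for smb2
build_bpf_filter() {
  local server=$1 clients="" c
  shift
  for c in "$@"; do
    clients="${clients:+$clients or }host $c"
  done
  printf '((%s) and host %s) and port 445' "$clients" "$server"
}

# Same keywords as the page, but case-insensitive: tshark summaries capitalise
# them (e.g. "Error: STATUS_ACCESS_DENIED"), so a plain 'error' would miss them.
only_errors() {
  grep -iE '(error|unknown|denied)'
}

# Print each *.pcap path under DIR followed by its matching packets with
# absolute date/time (tshark -t ad). -print0 / read -d '' keeps paths with spaces intact.
scan_pcaps() {
  local dir=$1 filter=$2 f
  command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 127; }
  find "$dir" -type f -name '*.pcap' -print0 |
    while IFS= read -r -d '' f; do
      printf '%s\n' "$f"
      tshark -t ad -r "$f" "$filter"
      printf '\n'
    done
}

# Usage: ./smb-scan.sh /path/to/captures   (writes errorstime.txt, as the page does)
if command -v tshark >/dev/null 2>&1 && [ $# -gt 0 ]; then
  scan_pcaps "$1" "$(build_display_filter 3.3.3.3 1.1.1.1 2.2.2.2)" | only_errors > errorstime.txt
fi
```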