Wireshark: Difference between revisions
== Wireshark Common Filters ==
=== Operators ===
{| class="wikitable"
|-
! Description !! English !! Alias !! C-like !! Example
|-
| Equal (any if more than one) || eq || any_eq || == || ip.src == 10.0.0.5
|-
| Not equal (all if more than one) || ne || all_ne || != || ip.src != 10.0.0.5
|-
| Equal (all if more than one) || || all_eq || === || ip.src === 10.0.0.5
|-
| Not equal (any if more than one) || || any_ne || !== || ip.src !== 10.0.0.5
|-
| Greater than || gt || || > || frame.len > 10
|-
| Less than || lt || || < || frame.len < 128
|-
| Greater than or equal to || ge || || >= || frame.len ge 0x100
|-
| Less than or equal to || le || || <= || frame.len <= 0x20
|-
| Protocol, field or slice contains a value || contains || || || sip.To contains "a1762"
|-
| Protocol or text field matches a Perl-compatible regular expression || matches || || ~ || <nowiki>http.host matches "acme\\.(org|com|net)"</nowiki>
|}
=== Combining Expressions ===
{| class="wikitable"
!Description !! English !! C-like !! Example
|-
|Logical AND || and || && || ip.src==10.0.0.5 and tcp.flags.fin
|-
| Logical OR || or || <nowiki>||</nowiki> || ip.src==10.0.0.5 or ip.src==192.1.1.1
|-
| Logical XOR || xor || ^^ || tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
|-
| Logical NOT || not || ! || not llc
|}
=== Membership Operator ===
* The set membership operator ''in'' replaces a chain of equality tests joined by ''or''; the two filters below are equivalent:
tcp.port in {80, 443, 8080}
tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
* Set members may be numbers, strings or inclusive ranges written with ''..'' (mixing single values and ranges is allowed):
http.request.method in {"HEAD", "GET"}
ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1 .. 192.168.1.9}
tcp.port in {443, 4430..4434}
* More details: [https://www.wireshark.org/docs/dfref/ Display Filter Reference]
* TLS Traffic Filters
The dissector was renamed from ssl to tls in Wireshark 3.0; the old ssl.* field names are kept only as deprecated aliases, so use tls.* in new filters.
Client Hello:
tls.handshake.type == 1
Server Hello:
tls.handshake.type == 2
NewSessionTicket:
tls.handshake.type == 4
Certificate:
tls.handshake.type == 11
CertificateRequest:
tls.handshake.type == 13
ServerHelloDone:
tls.handshake.type == 14
Note: ServerHelloDone is only sent in a full (non-resumed) handshake of TLS 1.2 and earlier; an abbreviated session-resumption handshake skips it, and TLS 1.3 has no ServerHelloDone message at all.
Cipher Suites (the offered list in a ClientHello, the selected suite in a ServerHello):
tls.handshake.ciphersuite
TLS handshake message types:
0 HelloRequest
1 ClientHello
2 ServerHello
4 NewSessionTicket
8 EncryptedExtensions (TLS 1.3 only)
11 Certificate
12 ServerKeyExchange
13 CertificateRequest
14 ServerHelloDone
15 CertificateVerify
16 ClientKeyExchange
20 Finished
Note: in TLS 1.3 every handshake message after ServerHello is encrypted, so in a capture only types 1 and 2 will match unless the session keys (e.g. an SSLKEYLOGFILE) have been given to Wireshark.
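The filters above match on the type byte of each handshake message carried inside a TLS record. As an added example that is not part of the original page, the following Python parses that structure directly from bytes: it builds constructed sample records (a ClientHello and a server flight), splits them into records and handshake messages, and reports what tls.handshake.type and tls.handshake.ciphersuite would see. The function names (build_handshake_record, parse_records, parse_handshake_messages, client_hello_cipher_suites, visible_handshake_messages, is_full_handshake) and the sample bytes are this example's own.

```python
import struct

# Handshake message types (RFC 5246 / RFC 8446); these are the values tls.handshake.type matches on.
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket",
    8: "EncryptedExtensions", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}
CONTENT_HANDSHAKE = 22  # TLS record content type that carries handshake messages


def build_handshake_record(msg_type, body, record_version=0x0301):
    """Wrap one handshake message (4-byte header + body) in a TLS record (5-byte header)."""
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", CONTENT_HANDSHAKE, record_version, len(handshake)) + handshake


def build_client_hello(cipher_suites, client_random=b"\x11" * 32):
    """Constructed minimal TLS 1.2 ClientHello: no session id, null compression, no extensions."""
    body = b"\x03\x03" + client_random + b"\x00"          # legacy_version, random, session_id length 0
    body += struct.pack(">H", 2 * len(cipher_suites))     # cipher_suites length in bytes
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00" + b"\x00\x00"                     # compression_methods {null}, extensions length 0
    return build_handshake_record(1, body)


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack(">BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def parse_handshake_messages(payload):
    """Split a handshake record payload into (type, body) messages; several may share one record."""
    messages, off = [], 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        messages.append((msg_type, body))
        off += 4 + length
    return messages


def client_hello_cipher_suites(body):
    """Offered cipher suites from a ClientHello body (what tls.handshake.ciphersuite lists)."""
    off = 2 + 32                                   # skip legacy_version and random
    off += 1 + body[off]                           # skip session_id
    suites_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    return [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + suites_len, 2)]


def visible_handshake_messages(data):
    """Names of handshake messages in plaintext handshake records. In TLS 1.3 everything after
    ServerHello travels in application_data records (type 23) and is skipped here, just as the
    display filter cannot see those messages without session keys."""
    names = []
    for ctype, _version, payload in parse_records(data):
        if ctype != CONTENT_HANDSHAKE:
            continue
        for msg_type, _body in parse_handshake_messages(payload):
            names.append(HANDSHAKE_TYPES.get(msg_type, "unknown(%d)" % msg_type))
    return names


def is_full_handshake(data):
    """True when a ServerHelloDone (type 14) is present: a full, non-resumed TLS <= 1.2 handshake."""
    return "ServerHelloDone" in visible_handshake_messages(data)


if __name__ == "__main__":
    # Constructed server flight: ServerHello, (empty) Certificate and ServerHelloDone in one stream.
    server_flight = (build_handshake_record(2, b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
                     + build_handshake_record(11, b"\x00\x00\x00")
                     + build_handshake_record(14, b""))
    print(visible_handshake_messages(build_client_hello([0x1301, 0xC02F, 0x002F])))
    print(visible_handshake_messages(server_flight), is_full_handshake(server_flight))
```

The same type byte is what `tshark -Y "tls.handshake.type == 14"` tests, so a stream for which is_full_handshake returns False corresponds to either a resumed session or a TLS 1.3 connection.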
== Wireshark Column Filters ==
sudo apt-get install libcap2-bin
sudo groupadd wireshark
sudo usermod -a -G wireshark "$USER"
newgrp wireshark
sudo chgrp wireshark /usr/bin/dumpcap
sudo dpkg-reconfigure wireshark-common
sudo chmod 750 /usr/bin/dumpcap
Answer "Yes" when dpkg-reconfigure asks whether non-superusers should be able to capture packets: that grants dumpcap the cap_net_raw and cap_net_admin capabilities, and the 750 mode with group wireshark limits capture to that group instead of every local user. Verify with getcap /usr/bin/dumpcap (from libcap2-bin).
==Tshark==
*Installation:
sudo apt-get install tshark
*Filter traffic from a capture file into a new file (use the display filter -Y; -R is the two-pass read filter and in current releases is only valid together with -2):
tshark -r lotsapackets.cap -Y dns -w trace.cap
tshark -r lotsapackets.cap -Y "dns or tcp.port==80" -w trace.cap
*Extract fields from HTTP requests (-T fields selects field output; each -e names one field to print):
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
''google.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0''
*Extracts both the DNS query and the response address
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a
''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10''
Even more details:
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a
''Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127''
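The -T fields output shown above is tab-separated, and a field that occurs more than once in a packet (several dns.a answers) is joined with "," by tshark's default aggregator, while an absent field prints as an empty column. As an added example, not from the original page, the following Python parses such output into records and answers the question an analyst usually has next (which names resolved into a given netblock). The sample lines are constructed, and parse_fields_output, answers_by_name and names_resolving_to are names chosen for this example.

```python
import ipaddress

# Constructed sample of the output of
#   tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a
# Columns are tab-separated; multiple dns.a answers in one packet are joined by "," (tshark's
# default -E aggregator); an absent field prints as an empty column.
FIELDS = ["frame.time", "ip.src", "ip.dst", "dns.qry.name", "dns.a"]
SAMPLE_OUTPUT = (
    "Apr 22, 2015 23:20:16.922103000\t8.8.8.8\t192.168.1.7\twprecon.com\t198.74.56.127\n"
    "Apr 22, 2015 23:20:17.104511000\t8.8.8.8\t192.168.1.7\tgoogle.com\t216.58.197.46,216.239.32.10\n"
    "Apr 22, 2015 23:20:17.250000000\t8.8.8.8\t192.168.1.7\tnxdomain.example\t\n"
)


def parse_fields_output(text, fields=FIELDS, multi_fields=("dns.a",), separator="\t", aggregator=","):
    """Turn `tshark -T fields` lines into dicts keyed by field name.

    Only the fields listed in multi_fields are split on the aggregator: frame.time itself
    contains a comma, so splitting every column would corrupt it. If you run tshark with
    -E aggregator=";" pass aggregator=";" here instead."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        columns = line.split(separator)
        if len(columns) != len(fields):
            raise ValueError("line %d: expected %d columns, got %d" % (lineno, len(fields), len(columns)))
        record = dict(zip(fields, columns))
        for name in multi_fields:
            record[name] = [v for v in record[name].split(aggregator) if v]
        records.append(record)
    return records


def answers_by_name(records):
    """Map each queried name to the set of A records seen for it across all responses."""
    seen = {}
    for record in records:
        seen.setdefault(record["dns.qry.name"], set()).update(record["dns.a"])
    return seen


def names_resolving_to(records, network):
    """Queried names with at least one answer inside the given CIDR (e.g. a known bad netblock)."""
    net = ipaddress.ip_network(network)
    return sorted({r["dns.qry.name"] for r in records
                   if any(ipaddress.ip_address(a) in net for a in r["dns.a"])})


if __name__ == "__main__":
    records = parse_fields_output(SAMPLE_OUTPUT)
    for name, addrs in answers_by_name(records).items():
        print(name, sorted(addrs) or "(no answer)")
    print(names_resolving_to(records, "216.239.32.0/24"))
```

To feed real output into it, pipe tshark through the script (for example `tshark ... -T fields ... | python3 parse.py`) and call parse_fields_output on sys.stdin.read(); keep the -e list and FIELDS in the same order, since the column order is all that ties them together.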
*Tshark can use stdout to manipulate/clean output:
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123''
*tshark 2.4 or newer is required for --export-objects; on older Ubuntu releases install it from the PPA:
sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark
*Extract files transferred over SMB (written into tmpfolder):
tshark -nr test.pcap --export-objects smb,tmpfolder
*Extract files from HTTP stream:
tshark -nr test.pcap --export-objects http,tmpfolder
*Detailed output:
Find the frame number (here: DHCP Discover, message type 1; the field was bootp.option.dhcp before Wireshark 3.0 renamed the BOOTP dissector to DHCP):
tshark -r ~/dhcp.pcap -Y "dhcp.option.dhcp == 1"
Print the full dissection of that frame:
tshark -r ~/dhcp.pcap -Y "frame.number == 12" -V