Wireshark: Difference between revisions

← Older edit

Wireshark (view source)

Revision as of 21:45, 5 June 2023

2,089 bytes added , 11 months ago

→‎Membership Operator

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 23:37, 1 September 2017 (view source) Amanjosan2008 (talk \| contribs) (→‎Tshark) ← Older edit		Latest revision as of 21:45, 5 June 2023 (view source) Amanjosan2008 (talk \| contribs) (→‎Membership Operator)
(10 intermediate revisions by the same user not shown)
Line 11: <br /> == Wireshark Common Filters == === Operators === {\| class="wikitable" \|- ! Description !! English !! Alias !! C-like !! Example \|- \| Equal (any if more than one) \|\| eq \|\| any_eq \|\| == \|\| ip.src == 10.0.0.5 \|- \| Not equal (all if more than one) \|\| ne \|\| all_ne \|\| != \|\| ip.src != 10.0.0.5 \|- \| Equal (all if more than one) \|\| \|\| all_eq \|\| === \|\| ip.src === 10.0.0.5 \|- \| Not equal (any if more than one) \|\| \|\| any_ne \|\| !== \|\| ip.src !== 10.0.0.5 \|- \| Greater than \|\| gt \|\| \|\| > \|\| frame.len > 10 \|- \| Less than \|\| lt \|\| \|\| < \|\| frame.len < 128 \|- \| Greater than or equal to \|\| ge \|\| \|\| >= \|\| frame.len ge 0x100 \|- \| Less than or equal to \|\| le \|\| \|\| <= \|\| frame.len <= 0x20 \|- \| Protocol, field or slice contains a value \|\| contains \|\| \|\| \|\| sip.To contains "a1762" \|- \| Protocol or text field matches a Perl-compatible regular expression \|\| matches \|\| \|\| ~ \|\| <nowiki>http.host matches "acme\\.(org\|com\|net)"</nowiki> \|} === Combining Expressions === {\| class="wikitable" !Description !! English !! C-like !! Example \|- \|Logical AND \|\| and \|\| && \|\| ip.src==10.0.0.5 and tcp.flags.fin \|- \| Logical OR \|\| or \|\| <nowiki>\|\|</nowiki> \|\| ip.src==10.0.0.5 or ip.src==192.1.1.1 \|- \| Logical XOR \|\| xor \|\| ^^ \|\| tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29 \|- \| Logical NOT \|\| not \|\| ! \|\| not llc \|} === Membership Operator === * Below are equivalent: tcp.port in {80, 443, 8080} --> tcp.port == 80 \|\| tcp.port == 443 \|\| tcp.port == 8080 http.request.method in {"HEAD", "GET"} ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9} tcp.port in {443,4430..4434} * More Details: [https://www.wireshark.org/docs/dfref/ Reference] {\| class="wikitable" \|- Line 49 ⟶ 101: \|} <br /> * SSL Traffic Filters Client Hello: ssl.handshake.type == 1 Server Hello: ssl.handshake.type == 2 NewSessionTicket: ssl.handshake.type == 4 Certificate: ssl.handshake.type == 11 CertificateRequest ssl.handshake.type == 13 ServerHelloDone: ssl.handshake.type == 14 Note: “ServerHellpDone” means full-handshake TLS session. Cipher Suites: ssl.handshake.ciphersuite SSL handshake message types: 0 HelloRequest 1 ClientHello 2 ServerHello 4 NewSessionTicket 8 EncryptedExtensions (TLS 1.3 only) 11 Certificate 12 ServerKeyExchange 13 CertificateRequest 14 ServerHelloDone 15 CertificateVerify 16 ClientKeyExchange 20 Finished == Wireshark Column Filters == Line 153 ⟶ 245: sudo apt-get install libcap2-bin sudo groupadd wireshark sudo usermod -a -G wireshark ~~kirat~~user newgrp wireshark sudo chgrp wireshark /usr/bin/dumpcap Line 165 ⟶ 257: sudo dpkg-reconfigure wireshark-common sudo chmod +x /usr/bin/dumpcap ==Tshark== Installation: sudo apt-get install tshark Filter Traffic from capture file: tshark -r lotsapackets.cap -R dns -w trace.cap tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap Line 183 ⟶ 274: Extract data from any HTTP requests: ~~Using the~~ -T we ~~specify~~ ~~that~~ we ~~want~~ Specify to extract ~~fields~~Fields -e Mention which fields to Extract ~~with the -e options we identify which fields we want to extract.~~ ~~tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent~~ ~~searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0~~ tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent ''google.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0'' Extracts both the DNS query and the response address.: tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a ''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10'' Even more details: ~~tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr~~ tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a ~~campus-map.stanford.edu 171.64.144.142~~ ''Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127'' Tshark can use stdout to manipulate/clean output: ~~tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr~~ ~~Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127~~ One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output. ~~If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line.~~ tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' \| grep password ''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123'' Tshark 2.4 is required for some features, Install it in Ubuntu: For the Next option you will need to install Tshark 2.4 ~~To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository.~~ sudo add-apt-repository ppa:dreibh/ppa sudo apt-get update && sudo apt-get install wireshark tshark ~~This command will extract~~Extract files from an SMB stream ~~and extract them to the location tmpfolder.~~: tshark -nr test.pcap --export-objects smb,tmpfolder Extract files from HTTP stream: And this command will do the same except from HTTP, extracting all the files seen in the pcap. tshark -nr test.pcap --export-objects http,tmpfolder Detailed output: Figure out the Frame number: tshark -r ~/dhcp.pcap bootp.option.dhcp == 1 View Full details: tshark -r ~/dhcp.pcap -V frame.number == 12 <br /> ;References