Wireshark: Difference between revisions

Line 170: Line 170:


*Installation:
*Installation:
apt-get install tshark
sudo apt-get install tshark


*Filter Traffic:
*Filter Traffic from capture file:
tshark -r lotsapackets.cap -R dns -w trace.cap
tshark -r lotsapackets.cap -R dns -w trace.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap
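Review bot: the capture-file filters on both sides of this hunk use `-R dns` and `-R "dns or tcp.port==80"`, which current tshark (1.10 and later) refuses unless two-pass analysis is also enabled: `-R` is the first-pass read filter and is only accepted together with `-2`, and tshark rejects `-R` on its own with a message pointing at `-Y`. Since the page's own later examples already use the display filter `-Y`, suggest `tshark -r lotsapackets.cap -Y dns -w trace.cap` and `tshark -r lotsapackets.cap -Y "dns or tcp.port==80" -w trace.cap`; `tshark -2 -R dns ...` also works and is the form to use when the filter needs reassembled data from a second pass.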
Line 183: Line 183:


*Extract data from any HTTP requests:
*Extract data from any HTTP requests:
Using the -T we specify that we want to extract fields
-T Specify to extract Fields
-e Mention which fields to Extract
with the -e options we identify which fields we want to extract.
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0


tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
''google.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0''


*Extracts both the DNS query and the response address.
*Extracts both the DNS query and the response address:
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.a
''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10''


Even more Details:
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.a
campus-map.stanford.edu 171.64.144.142
''Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127''
*Tshark can use stdout to manipulate/clean output:
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127
*One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output.
If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line.


tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123
''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123''
*Tshark 2.4 is required for some features, Install it in Ubuntu:
*For the Next option you will need to install Tshark 2.4
To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository.

sudo add-apt-repository ppa:dreibh/ppa
sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark
sudo apt-get update && sudo apt-get install wireshark tshark


*This command will extract files from an SMB stream and extract them to the location tmpfolder.
*Extract files from an SMB stream:
tshark -nr test.pcap --export-objects smb,tmpfolder
tshark -nr test.pcap --export-objects smb,tmpfolder


*Extract files from HTTP stream:
*And this command will do the same except from HTTP, extracting all the files seen in the pcap.
tshark -nr test.pcap --export-objects http,tmpfolder
tshark -nr test.pcap --export-objects http,tmpfolder
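Review bot: the two DNS examples disagree on the answer field, one side using `-e dns.a` and the other `-e dns.resp.addr`; `dns.a` is the A-record answer field in current tshark, `dns.resp.addr` is the name from older releases, and a field name tshark does not know aborts the whole `-T fields` run with "Some fields aren't valid", so both examples should settle on `dns.a` (the `dns.qry.name` field is fine on both sides). Two smaller points for the same hunk: `-f "src port 53"` is a capture (BPF) filter, which is why those examples only work with `-i wlan0` and not with `-r`, and a sentence saying so would help since the page mixes `-f`, `-R` and `-Y`; and the italic output samples (`''...''`) sit directly under the commands with no separator, so wrapping the commands in a leading-space preformatted block or `<pre>` would keep the sample output from reading as part of the command line.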