Wireshark: Difference between revisions
Content added Content deleted
(→Tshark) |
(→Tshark) |
Line 170: | Line 170: | ||
*Installation: |
*Installation: |
||
apt-get install tshark |
sudo apt-get install tshark |
||
*Filter Traffic: |
*Filter Traffic from capture file: |
||
tshark -r lotsapackets.cap -R dns -w trace.cap |
tshark -r lotsapackets.cap -R dns -w trace.cap |
||
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap |
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap |
||
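Review bot: the `-R` in `tshark -r lotsapackets.cap -R dns -w trace.cap` (and the `"dns or tcp.port==80"` variant) is inconsistent with the `-Y` display filter used later in this same section. On tshark 1.10 and later `-R` is the two-pass read filter and `-R` without `-2` is refused with a message pointing to `-Y`, so the single-pass form `tshark -r lotsapackets.cap -Y dns -w trace.cap` is the one that should be documented for filtering a capture file into a new file, or `-2` should be added if the two-pass read filter is really intended. The `sudo` added to the `apt-get install tshark` line is correct, since package installation requires root; the same applies to live capture with `-i` further down the page, which needs capture privileges (or membership in the wireshark group) rather than a plain user account.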
Line 183: | Line 183: | ||
*Extract data from any HTTP requests: |
*Extract data from any HTTP requests: |
||
-T Specify to extract Fields |
|||
-e Mention which fields to Extract |
|||
with the -e options we identify which fields we want to extract. |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
*Extracts both the DNS query and the response address |
*Extracts both the DNS query and the response address: |
||
⚫ | |||
''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10'' |
|||
Even more Details: |
|||
⚫ | |||
⚫ | |||
campus-map.stanford.edu 171.64.144.142 |
|||
⚫ | |||
*Tshark can use stdout to manipulate/clean output: |
|||
⚫ | |||
⚫ | |||
*One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output. |
|||
If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line. |
|||
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password |
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password |
||
csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123 |
''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123'' |
||
*Tshark 2.4 is required for some features, Install it in Ubuntu: |
|||
*For the Next option you will need to install Tshark 2.4 |
|||
To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository. |
|||
sudo add-apt-repository ppa:dreibh/ppa |
sudo add-apt-repository ppa:dreibh/ppa |
||
sudo apt-get update && sudo apt-get install wireshark tshark |
sudo apt-get update && sudo apt-get install wireshark tshark |
||
* |
*Extract files from an SMB stream: |
||
tshark -nr test.pcap --export-objects smb,tmpfolder |
tshark -nr test.pcap --export-objects smb,tmpfolder |
||
*Extract files from HTTP stream: |
|||
*And this command will do the same except from HTTP, extracting all the files seen in the pcap. |
|||
tshark -nr test.pcap --export-objects http,tmpfolder |
tshark -nr test.pcap --export-objects http,tmpfolder |
||
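Review bot: the new "Extract data from any HTTP requests" entry is incomplete as written: `-T Specify to extract Fields` should name the actual option value, `-T fields`, and the command that the `-T`/`-e` explanation refers to is missing from the revision (only moved-paragraph markers remain), so the reader has no working line to copy. Suggest restoring a full example such as `tshark -r test.pcap -Y http.request -T fields -e http.host -e http.request.uri`, and likewise showing the field-extraction command that produces the `google.com 216.58.197.46,...` DNS output, since the result is shown without the command that generates it. Two smaller points: the `ppa:dreibh/ppa` instruction adds a third-party repository whose packages are installed as root, so the Wireshark project's own PPA (`ppa:wireshark-dev/stable`) is the safer source to recommend when a distribution package older than 2.4 is the only problem; and the `--export-objects smb,tmpfolder` / `--export-objects http,tmpfolder` lines should state that the target is a directory name and that every object seen in the capture, including potentially malicious files from an incident pcap, is written there unmodified, so it belongs on an analysis host rather than a production machine.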