Wireshark: Difference between revisions
==Tshark==

*Installation:

 apt-get install tshark

*Filter Traffic:

*Information about the capture file:

 capinfos web.cap

*Split capture file:

 editcap -c 50000 lotsapackets.cap fewerpackets.cap
*Extract data from any HTTP request:

With -T fields we specify that we want to extract fields, and with the -e options we identify which fields to extract.

 tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

 searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
*Extract both the DNS query name and the response address:

 tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr

 campus-map.stanford.edu 171.64.144.142

Adding the frame time and the IP source and destination shows which resolver answered which client, and when:

 tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr

 Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127
*One of the great advantages that tshark has over the Wireshark GUI is that its output goes to stdout, giving you many options to manipulate and clean it up with standard tools.

If we add the filter tcp contains "password" and grep for password, we get just the actual POST data line:

 tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password

 csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123
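As an added example (not from the wiki page), the following POSIX shell script shows the kind of stdout post-processing just described, applied to the tab-separated output of the five-field DNS command above: it counts replies per resolver and lists replies coming from a resolver that is not on an approved list, which is a cheap way to spot a rogue or misconfigured DNS source on the segment. The sample lines are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Post-processes the stdout of:
#   tshark -i wlan0 -f "src port 53" -n -T fields \
#     -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
# -T fields separates columns with a tab by default, and joins repeated
# values of one field (several A records) with ",", which is handled below.

# Constructed sample output, not a real capture (hypothetical addresses).
sample_dns_fields() {
  printf 'Apr 22, 2015 23:20:16.922103000\t8.8.8.8\t192.168.1.7\twprecon.com\t198.74.56.127\n'
  printf 'Apr 22, 2015 23:20:17.103000000\t8.8.8.8\t192.168.1.7\tcampus-map.stanford.edu\t171.64.144.142\n'
  printf 'Apr 22, 2015 23:20:18.550000000\t192.168.1.99\t192.168.1.7\tlogin.example.com\t10.0.0.5,10.0.0.6\n'
  printf 'Apr 22, 2015 23:20:19.001000000\t8.8.4.4\t192.168.1.12\twprecon.com\t198.74.56.127\n'
}

# Count replies per resolver; column 2 is ip.src of the reply (src port 53).
answers_per_resolver() {
  awk -F'\t' '{ n[$2]++ } END { for (r in n) printf "%s %d\n", r, n[r] }' | LC_ALL=C sort
}

# Print "client query resolver answer_count" for every reply whose source is
# not one of the approved resolvers passed as arguments.
unapproved_resolvers() {
  approved="$*"
  awk -F'\t' -v ok="$approved" '
    BEGIN { split(ok, a, " "); for (i in a) allow[a[i]] = 1 }
    !($2 in allow) {
      n = split($5, addrs, ",")   # multi-valued dns.resp.addr
      printf "%s %s %s %d\n", $3, $4, $2, n
    }'
}

# Stand-alone run over the constructed sample.
sample_dns_fields | answers_per_resolver
sample_dns_fields | unapproved_resolvers 8.8.8.8 8.8.4.4
```

Feed it a live run with `tshark ... | unapproved_resolvers 8.8.8.8 8.8.4.4` to get one line per reply from a non-approved source as it arrives.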
*For the next options you will need to install Tshark 2.4.

To install the latest version on Ubuntu 16.04 or 17.04, use the following commands to add the package repository and install it:

 sudo add-apt-repository ppa:dreibh/ppa
 sudo apt-get update && sudo apt-get install wireshark tshark
*This command extracts the files carried in the SMB streams of the capture and writes them to the directory tmpfolder:

 tshark -nr test.pcap --export-objects smb,tmpfolder

*This command does the same for HTTP, extracting all the files seen in the pcap:

 tshark -nr test.pcap --export-objects http,tmpfolder
;References