Wireshark

 
==Tshark==
 
*Installation:
apt-get install tshark
 
*Filter Traffic (read filter -R, write only the matching packets to a new file; newer tshark releases require -2 together with -R, or -Y for single-pass filtering):
tshark -r lotsapackets.cap -R dns -w dnstrace.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w webtrace.cap
 
*Information about the capture file:
capinfos web.cap
 
*Split capture file:
editcap -c 50000 lotsapackets.cap fewerpackets.cap
 
*Extract data from HTTP requests:
With -T fields we tell tshark to print selected fields instead of packet summaries;
each -e option names one field to extract (one line per packet, fields separated by tabs).
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
 
 
*Extract both the DNS query name and the response address (-f is a capture filter, -n disables name resolution):
 
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
campus-map.stanford.edu 171.64.144.142
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127
*One of the great advantages tshark has over the Wireshark GUI is that it writes to stdout, so the output can be piped through standard tools to manipulate and clean it.
If we add the filter tcp contains "password" and grep for that word, only the actual POST data line is printed.
 
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123
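The DNS field extraction and the stdout post-processing described above, as an added example that is not part of the original wiki page: a small awk pipeline over tshark -T fields output that flags DNS answers sent by a host that is not one of the network's expected resolvers. The allow-list, the sample lines and their names and addresses are all constructed for the example, so it runs without tshark installed.

```shell
# Added example (not from the wiki page): post-process tshark "-T fields"
# output with awk. tshark prints one line per packet, one column per -e
# field, tab-separated by default, so the text can be filtered directly.
#
# The live command this is meant to consume (same fields as above, plus
# ip.src so we know which host answered):
#   tshark -i wlan0 -f "src port 53" -n -T fields \
#       -e ip.src -e dns.qry.name -e dns.resp.addr
#
# So that the example runs without tshark, a constructed sample of that
# output is embedded here (hypothetical names and addresses).
SAMPLE=$(printf '8.8.8.8\tcampus-map.stanford.edu\t171.64.144.142\n8.8.8.8\twprecon.com\t198.74.56.127\n10.0.0.66\tcampus-map.stanford.edu\t10.0.0.66\n8.8.8.8\tupdate.example.net\t203.0.113.9\n10.0.0.66\twprecon.com\t10.0.0.66')

# Resolvers this network is expected to use (constructed allow-list).
EXPECTED_RESOLVERS='8.8.8.8 8.8.4.4'

# unexpected_resolvers: read tshark field lines on stdin and print
# "source<TAB>count" for every address that answered DNS queries but is
# not a known resolver. A LAN host answering DNS is worth investigating
# (mis-configured device, or a spoofed/rogue responder).
unexpected_resolvers() {
    awk -F'\t' -v allow="$EXPECTED_RESOLVERS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 3 && !($1 in ok) { seen[$1]++ }
        END { for (r in seen) printf "%s\t%d\n", r, seen[r] }'
}

# answers_from: print "name -> address" for every answer sent by one source,
# so an analyst can see exactly which names the suspicious host answered.
answers_from() {
    awk -F'\t' -v src="$1" '$1 == src { printf "%s -> %s\n", $2, $3 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE" | unexpected_resolvers
printf '%s\n' "$SAMPLE" | answers_from 10.0.0.66
```

In a live capture the same functions are fed by piping the tshark command from the comment into them instead of printing the sample.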
*For the next option you will need tshark 2.4.
To install the latest version on Ubuntu 16.04 or 17.04, use the following commands to add the package repository:
 
sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark
 
*This command extracts the files carried in SMB streams in the pcap and writes them to the directory tmpfolder:
tshark -nr test.pcap --export-objects smb,tmpfolder
 
*And this command does the same for HTTP, extracting all the files seen in the pcap:
tshark -nr test.pcap --export-objects http,tmpfolder
<br />
;References