Wireshark
== Tshark ==
*Installation:
sudo apt-get install tshark
*Filter traffic from a capture file and write the matching packets to a new file (on tshark 1.12 and later use -Y for a single-pass display filter, or -2 -R for a two-pass read filter; a bare -R is no longer accepted):
tshark -r lotsapackets.cap -R dns -w trace.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap
*Extract data from any HTTP requests:
-e names each field to extract
tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent
''searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0''
*Extract both the DNS query name and the response address:
tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr
''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10''
Even more details (timestamp, the resolver that answered and the client that asked):
tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr
''Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127''
*Tshark writes to stdout, so its output can be piped to other tools to manipulate/clean it:
tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password
''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123''
*Tshark 2.4 is required for some features; install it on Ubuntu from the PPA:
sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark
*Extract files from an SMB stream:
tshark -nr test.pcap --export-objects smb,tmpfolder
*Extract files from HTTP stream:
tshark -nr test.pcap --export-objects http,tmpfolder
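As an added example (not part of the wiki page), a Python script that parses the tab-separated output of the five-field DNS command above, splits the comma-joined dns.resp.addr values, and lists answers that came from a resolver other than the ones clients are expected to use; the sample lines and the allowed-resolver set are constructed.

```python
"""Parse this page's DNS `tshark -T fields` output (frame.time, ip.src, ip.dst,
dns.qry.name, dns.resp.addr). tshark puts a tab between fields and a comma between
repeated values of one field (its default -E separator and -E aggregator), so
several A records arrive as "a,b,c" and a name with no answer as an empty column."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

FIELDS = ("frame.time", "ip.src", "ip.dst", "dns.qry.name", "dns.resp.addr")

class DnsAnswer(NamedTuple):
    time: str
    resolver: str      # ip.src: the server that sent the response
    client: str        # ip.dst: the host that asked
    qname: str
    addrs: List[str]   # one entry per dns.resp.addr occurrence

def parse_fields_output(text: str) -> List[DnsAnswer]:
    """Turn tshark's lines into records; a blank dns.resp.addr column becomes []."""
    answers = []
    for line in filter(None, text.splitlines()):  # skip blank lines, keep trailing tabs
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(cols)}: {line!r}")
        time, src, dst, qname, resp = cols
        answers.append(DnsAnswer(time, src, dst, qname, [a for a in resp.split(",") if a]))
    return answers

def addresses_by_name(answers: List[DnsAnswer]) -> Dict[str, Set[str]]:
    """Every address seen for each query name across the whole capture."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for a in answers:
        seen[a.qname].update(a.addrs)
    return dict(seen)

def unexpected_resolvers(answers: List[DnsAnswer], allowed: Set[str]) -> List[DnsAnswer]:
    """Responses that did not come from a resolver clients are supposed to use."""
    return [a for a in answers if a.resolver not in allowed]

# Constructed sample lines in the format the command above prints (tabs between fields).
SAMPLE = "\n".join([
    "Apr 22, 2015 23:20:16.922103000\t8.8.8.8\t192.168.1.7\twprecon.com\t198.74.56.127",
    "Apr 22, 2015 23:20:17.104221000\t8.8.8.8\t192.168.1.7\tgoogle.com\t216.58.197.46,216.239.32.10",
    "Apr 22, 2015 23:20:18.311908000\t10.0.0.99\t192.168.1.7\texample.net\t203.0.113.5",
    "Apr 22, 2015 23:20:19.000517000\t8.8.8.8\t192.168.1.7\tnoanswer.example\t",
])

if __name__ == "__main__":
    recs = parse_fields_output(SAMPLE)
    print(addresses_by_name(recs))
    print([(a.qname, a.resolver) for a in unexpected_resolvers(recs, {"8.8.8.8"})])
```

Feed real output in with `tshark ... -T fields ... | python3 script.py` by reading `sys.stdin` instead of `SAMPLE`; the allowed-resolver set should be the addresses your DHCP or configuration hands out.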