Revision as of 23:37, 1 September 2017 (view source) Amanjosan2008 (talk \| contribs) (→‎Tshark) ← Older edit		Revision as of 23:54, 1 September 2017 (view source) Amanjosan2008 (talk \| contribs) (→‎Tshark) Newer edit →
Line 170: Installation: sudo apt-get install tshark Filter Traffic from capture file: tshark -r lotsapackets.cap -R dns -w trace.cap tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w trace.cap Line 183: Extract data from any HTTP requests: ~~Using the~~ -T we ~~specify~~ ~~that~~ we ~~want~~ Specify to extract ~~fields~~Fields -e Mention which fields to Extract ~~with the -e options we identify which fields we want to extract.~~ tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent ▼ searchdns.netcraft.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 ▼ ▲ tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent ▲ ~~searchdns.netcraft~~''google.com Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 '' Extracts both the DNS query and the response address.: tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.~~resp.addr~~a▼ ''google.com 216.58.197.46,216.239.32.10,216.239.34.10,216.239.36.10'' Even more Details: ▲ tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.~~resp.addr~~ a▼ ~~campus-map.stanford.edu 171.64.144.142~~ ''Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127''▼ Tshark can use stdout to manipulate/clean output: ▲ tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr ▲ Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com 198.74.56.127 One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output. ~~If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line.~~ tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' \| grep password ''csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123'' Tshark 2.4 is required for some features, Install it in Ubuntu: For the Next option you will need to install Tshark 2.4 ~~To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository.~~ sudo add-apt-repository ppa:dreibh/ppa sudo apt-get update && sudo apt-get install wireshark tshark ~~This command will extract~~Extract files from an SMB stream ~~and extract them to the location tmpfolder.~~: tshark -nr test.pcap --export-objects smb,tmpfolder Extract files from HTTP stream: *And this command will do the same except from HTTP, extracting all the files seen in the pcap. tshark -nr test.pcap --export-objects http,tmpfolder

Wireshark: Difference between revisions

Wireshark (view source)

Revision as of 23:54, 1 September 2017