...

  • $ tshark -r "filename"
    • To write raw packet data to file
      • $ tshark -i "eth0" -w "filename"
  • NOTE: -w writes raw packet data (pcap), not text. For text output, redirect stdout instead (e.g. with '>'); do not use -w for that.

DNS Protocol

How to filter DNS packets

a.     $ tshark -i "eth0" -Y "dns"

How to filter DNS query packets

a.     $ tshark -i "eth0" -Y "dns.flags.response==0"

How to filter DNS response packets

a.     $ tshark -i "eth0" -Y "dns.flags.response==1"

How to filter reverse-lookup (PTR) query packets

a.     $ tshark -i "eth0" -Y "dns.qry.type==0x000c"

How to find DNS query packets for a specific domain name

a.     $ tshark -i "eth0" -Y 'dns.qry.name=="www.example.com"'

How to find DNS packets that contain a specific string

a.     $ tshark -i "eth0" -Y 'dns contains "example"'

How to find DNS packets that contain a canonical name

a.     $ tshark -i "eth0" -Y "dns.resp.type==0x0005"

How to filter DNS traffic that has error conditions

a.     $ tshark -i "eth0" -Y "dns.flags.rcode!=0"

How to identify possible IP-flux (fast-flux) response traffic

a.     $ tshark -i "eth0" -Y "(dns.flags.response==1) && (dns.count.answers>=5) && (dns.resp.ttl<3600 || dns.resp.ttl<86400 || dns.resp.ttl<259200)"

How to identify possible domain-flux (DGA) query traffic

a.     $ tshark -i "eth0" -Y "dns.flags.rcode==3"

DHCP Protocol

How to filter DHCP packets

a.     $ tshark -i "eth0" -Y "dhcp"

b.     $ tshark -i "eth0" -Y "dhcpv6"

  • NOTE: "dhcp" matches DHCPv4 only (in Wireshark releases before 3.0 the same filter was named "bootp"); "dhcpv6" matches DHCPv6 only.

How to filter TCP packets

a.     $ tshark -i "eth0" -Y "tcp"

How to filter IP packets

a.     $ tshark -i "eth0" -Y "ip"

b.     $ tshark -i "eth0" -Y "ipv6"

How to find fragmented IP packets

a.     $ tshark -i "eth0" -Y "ip.flags.mf == 1 || ip.frag_offset > 0"

How to filter on a specific IP address

a.     $ tshark -i "eth0" -Y "ip.src==8.8.8.8"

b.     $ tshark -i "eth0" -Y "ip.dst==8.8.8.8"

c.     $ tshark -i "eth0" -Y "ip.addr==8.8.8.8"

How to detect ARP poisoning

a.     $ tshark -i "eth0" -Y "arp.duplicate-address-detected"

How to filter ARP packets

a.     $ tshark -i "eth0" -Y "arp"

How to find ARP reply packets

a.     $ tshark -i "eth0" -Y "arp.opcode==0x0002"

How to find ARP request packets

a.     $ tshark -i "eth0" -Y "arp.opcode==0x0001"

How to filter http packets

a.     $ tshark -i "eth0" -Y "http"

b.     $ tshark -i "eth0" -f "tcp port 80"

  • NOTE: -f takes a capture filter in BPF syntax ("tcp port 80"), not display-filter syntax ("tcp.port==80"); the latter only works with -Y.

How to filter http get or post requests

a.     $ tshark -i "eth0" -Y 'http.request.method=="GET" || http.request.method=="POST"'

How to find http client or server errors

a.     $ tshark -i "eth0" -Y "http.response.code > 399"

How to find http requests to a specific target

a.     $ tshark -i "eth0" -Y 'http.host=="www.example.com"'

How to find http requests which contain a specific string in user-agent

a.     $ tshark -i "eth0" -Y 'http.user_agent contains "Mozilla"'

Analyze HTTP Traffic

How to filter FTP packets

a.     $ tshark -i "eth0" -Y "ftp || ftp-data"

How to find successful FTP logins

a.     $ tshark -i "eth0" -Y "ftp.response.code==230"

How to list all hosts attempting to log in to an FTP server

a.     $ tshark -i "eth0" -Y 'ftp.request.command=="USER" || ftp.request.command=="PASS"'

How to filter ICMP packets

a.     $ tshark -i "eth0" -Y "icmp"

How to detect OS fingerprinting

a.     $ tshark -i "eth0" -Y "icmp.type==13 || icmp.type==15 || icmp.type==17"

How to find icmp fragmentation needed packets from a router

a.     $ tshark -i "eth0" -Y "icmp.type==3 && icmp.code==4"

How to find icmp ping request (ping sweep detection) or response

a.     $ tshark -i "eth0" -Y "icmp.type==8 || icmp.type==0"

How to discover icmp destination unreachable response due to a possible firewall reject

a.     $ tshark -i "eth0" -Y "icmp.type==3 && (icmp.code==0 || icmp.code==1 || icmp.code==2 || icmp.code==3 || icmp.code==9 || icmp.code==10 || icmp.code==13)"

How to filter SSL packets

a.     $ tshark -i "eth0" -Y "ssl"

b.     $ tshark -i "eth0" -f "tcp port 443"

How to find TLS/SSL change cipher spec messages

a.     $ tshark -i "eth0" -Y "ssl.record.content_type==20"

How to find tls/ssl handshake traffic

a.     $ tshark -i "eth0" -Y "ssl.record.content_type==22"

How to find tls/ssl client hello message

a.     $ tshark -i "eth0" -Y "ssl.handshake.type==1"

How to find tls/ssl Server hello message

a.     $ tshark -i "eth0" -Y "ssl.handshake.type==2"

How to find tls/ssl client key exchange message

a.     $ tshark -i "eth0" -Y "ssl.handshake.type==16"

Show Hosts

a.     $ tshark -r $FILE -q -z hosts,ipv4

Show Hierarchy

a.     $ tshark -r $FILE -q -z io,phs

Show all sessions and destination ports

a.     $ tshark -o column.format:'"Source", "%s", "Destination", "%d", "dstport", "%uD"' -r $FILE |sort|uniq

Show all conversations

a.     $ tshark -o column.format:'"Source", "%s", "Destination", "%d", "dstport", "%uD"' -r $FILE |sort|uniq

Show all TCP Streams

a.     $ tshark -r $FILE -q -z conv,tcp

35. Show top talkers for all packets using tcpdump

TCP Protocol

IP Protocol

Arp Protocol

HTTP Protocol

a.     $ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
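The BPF expression above reads the TCP data offset out of header byte 12 so it finds the start of the payload even when TCP options are present, then compares the first four payload bytes with 0x47455420 ("GET "). The following shell script, added here and not part of the original cheat sheet, re-implements that arithmetic on constructed hex-encoded TCP segments (all addresses, ports and option values are made up) so the offset trick can be seen working, including the case a fixed 20-byte offset would miss:

```shell
#!/bin/sh
# Added example (not from the original page). Re-implements the check behind
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
# on hex-encoded TCP segments: byte 12 of the TCP header holds the data offset
# (header length in 32-bit words) in its high nibble, so (b12 & 0xf0) >> 2 is
# the payload offset in bytes, and 0x47455420 is ASCII "GET ".

# Constructed segments (hex, TCP header starts at byte 0; ports, sequence
# numbers and options are made up). Payload is "GET / HTTP/1.1" unless noted.
SEG_GET_PLAIN='c35000500000000100000000501800ff00000000474554202f20485454502f312e31'
# same request, but with 12 bytes of TCP options (data offset 8 -> 32 bytes)
SEG_GET_OPTS='c35000500000000100000000801800ff000000000101080a0000000100000002474554202f20485454502f312e31'
# "POST / HTTP/1.1" with a plain 20-byte header
SEG_POST='c35000500000000100000000501800ff00000000504f5354202f20485454502f312e31'
# bare SYN, no payload at all
SEG_SYN='c35000500000000100000000500200ff00000000'

# tcp_payload_offset HEXSEG: (tcp[12] & 0xf0) >> 2, i.e. the payload offset in
# bytes. Byte 12 is hex characters 25-26 (1-based) of the segment.
tcp_payload_offset() {
    b12=$(printf '%s' "$1" | cut -c 25-26)
    echo $(( (0x$b12 & 0xf0) >> 2 ))
}

# is_http_get HEXSEG: 1 if the first four payload bytes are "GET ", else 0
# (also 0 when fewer than four payload bytes exist, as for a bare SYN).
is_http_get() {
    off=$(tcp_payload_offset "$1")
    start=$(( off * 2 + 1 ))
    first4=$(printf '%s' "$1" | cut -c "${start}-$(( start + 7 ))")
    [ "$first4" = "47455420" ] && echo 1 || echo 0
}

# naive_fixed_offset_get HEXSEG: what a filter hard-wired to a 20-byte header
# (tcp[20:4]) would see; it misses requests that carry TCP options.
naive_fixed_offset_get() {
    first4=$(printf '%s' "$1" | cut -c 41-48)
    [ "$first4" = "47455420" ] && echo 1 || echo 0
}

for seg in "$SEG_GET_PLAIN" "$SEG_GET_OPTS" "$SEG_POST" "$SEG_SYN"; do
    printf 'offset=%2s  dynamic_get=%s  fixed20_get=%s\n' \
        "$(tcp_payload_offset "$seg")" "$(is_http_get "$seg")" \
        "$(naive_fixed_offset_get "$seg")"
done
```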

FTP Protocol

ICMP Protocol

SSL Protocol

TSHARK Statistical Data

Filters for Extracting useful information from pcaps

Note: This is useful to see who are the noisiest hosts on the network. A noisy
host is a busy host and therefore requires further investigation.

a.     $ tcpdump -tnr $FILE | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
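To see what the top-talkers pipeline does without a capture file or tcpdump installed, here is an added example (not from the original cheat sheet) that runs the same count-and-rank idea over a constructed sample of `tcpdump -tn` output; the function names and the sample lines are this example's own:

```shell
#!/bin/sh
# Added example (not from the original page). The "top talkers" pipeline
# from this section, wrapped in functions and run against constructed
# `tcpdump -tn` output so it works without a capture file or tcpdump itself.

# Constructed sample of `tcpdump -tnr $FILE` output (-t: no timestamps,
# -n: no name resolution). Addresses and ports are made up.
SAMPLE_TCPDUMP_OUTPUT='IP 10.0.0.5.51234 > 8.8.8.8.53: 12345+ A? www.example.com. (33)
IP 8.8.8.8.53 > 10.0.0.5.51234: 12345 1/0/0 A 93.184.216.34 (49)
IP 10.0.0.5.51235 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.7.40000 > 10.0.0.1.22: Flags [P.], seq 1:37, ack 1, win 501, length 36
IP 10.0.0.5.51236 > 8.8.8.8.53: 12346+ AAAA? www.example.com. (33)
ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 28
IP 10.0.0.9.56000 > 10.0.0.5.443: Flags [S], seq 7, win 65535, length 0'

# top_talkers: read tcpdump -tn lines on stdin and print "count ip" per
# source address, busiest last (same `sort -n | tail` idea as the one-liner).
# Differences from the page's `awk -F '.'` version: non-IP lines (ARP, ...)
# are skipped and the trailing ".port" is stripped instead of relying on
# the address having exactly four dotted fields before the port.
top_talkers() {
    awk '$1 == "IP" { src = $2; sub(/\.[0-9]+$/, "", src); print src }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# busiest_host: the single noisiest source address in the sample.
busiest_host() {
    printf '%s\n' "$SAMPLE_TCPDUMP_OUTPUT" | top_talkers | tail -n 1 | cut -d ' ' -f 2
}

# packets_from IP: number of packets the given source address sent
# (empty output if the address never appears as a source).
packets_from() {
    printf '%s\n' "$SAMPLE_TCPDUMP_OUTPUT" | top_talkers \
        | awk -v ip="$1" '$2 == ip { print $1 }'
}

printf '%s\n' "$SAMPLE_TCPDUMP_OUTPUT" | top_talkers
```

Feed real data with `tcpdump -tnr capture.pcap | top_talkers`; the noisiest source address ends up on the last line, as with the one-liner.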

 45. Show uris

...

46. Unique urls

...

47. Top ten urls from (http://goo.gl/qd5aI)

...

a.     $ tshark -r sample.pcap -tad -Y "tcp" -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'

...

49. HTTP statistics

...

50. Counting the total number of packets in trace files

$ tshark -r traffic_sample.pcap | wc -l

449802