tshark show payload as text - pcap

I am trying to get tshark to show the payload of packages in clear text and I am failing in that. Which makes me really sad.
tshark -r pcap -T fiels -e data (or data.text) gives blank results.
tshark -r pcap -T fiels -e tcp.payload gives hex results.
So the question is how do I get tshark to show the tcp.payload als text (ascii).

Related

How to find out tshark boolean filter is empty?

I have a tshark with the following usage:
tshark -r my_pcap_file.pcap -Y 'my and boolean statement'
Now, I want to write a capture file with -w , But before any writing file, I have to find out my tshark is empty or not.
How to can I do it?

Determining throughput from pcap containing flow records

I have a single packet capture (acquired via tcpdump) that contains flow records between an exporter and a collector.
I want to determine throughput across a given interface using the bytes (octets) field in the v9 record. I have filtered down to the network that I want like so:
tshark -r input.pcap -Y "ip.src == X.X.X.X" -F pcap -w filtered.pcap
I further filtered to the interface that I needed like so:
tshark -r filtered.pcap -Y "cflow.inputint == Y" -F pcap -w filtered2.pcap
I'm lost after that. Is there a better tool to aggregate across the flows to get throughput?
Any help would be greatly appreciated!
You may try to print netflow fields and then process the results.
For example:
tshark -T fields -e cflow.version -e cflow.srcaddr -e cflow.dstaddr -e cflow.octets -e cflow.timedelta -e cflow.abstimestart
Field names are visible in wireshark status bar when you select packet details.
Better option:
install or compile https://github.com/phaag/nfdump with --enable-readpcap flag.
process your pcap nfcapd -f <path to your pcap file> -l <path to output directory> -T all
count statistics nfdump -o extended -r <path to output directory>

Searching through many pcap files with tcpdump

I have a bunch of pcap files that I got with tcpdump. I need to search through all of them for specific keywords and record which files contain these strings. Is there a way to automate the search for these keywords using a tcpdump command perhaps?
Probably the most generic solution using tshark would be to run something like:
tshark -r file.pcap -Y "frame contains foo"
... where foo is the string you're searching for. Refer to the wireshark-filter man page for more information on filtering using the contains and other operators, such as the matches operator which supports Perl compatible regular expressions.
Using that command, the output you'll see will be a 1-line summary of each packet matching the filter. You could tailor the output using a number of methods, but for example, suppose you only wanted to know the frame number of the matching packet, you could run:
tshark -r file.pcap -Y "frame contains foo" -T fields -e frame.number
Refer to the tshark man page for more information on the -T and -e options, as well as other options which may be of use to you.
There is more powerful version of tcpdump, tshark (it is the command line tool from wireshark package). You could use tshark -T fields|pdml|ps|psml|text to dump packets in format you like, and just grep it. tshark could read tcpdump dumps.

mitmproxy record to outfile utf8 encoding error

I am using mitmproxy and want to record every request and reponse to file,so I use "-w" option just as following:
mitmproxy -b 192.168.1.107 -p 9527 -w ~/Desktop/aaa.txt
but when I open the 'aaa.txt',it display unreadable content which is just as following:
[x§‡:ÖáHi4GÐL¿¤Ìé4Îæyùͧq¼<µYÂ&É‹¶Mñ+GÒ‡i8
avÅÆdT£<_‰»ÚÀ—æÏÂÓSòo“çˆ$B6KƒßÛVÚ¼rq{”2w.®NÉRhÔ…x)¥qÕ¾0‡8éÙOøóŸüÍ—òÛ_þãnñ—‡"Ä‚NqiŠ¬#JÔî"œE§"CJ&0‡Í*NCBé r:G£O1yùè“æRQB4
I also try the script:https://github.com/mitmproxy/mitmproxy/blob/master/examples/flowwriter.py
it still doesn't work, so is there some encoding error?
mitmproxy -w writes a serialized (not primarily human-readable) dump file that can be read again using -r. If the content of a message are e.g. gzip-encoded, you'll see gzip-encoded data in the dumpfile. If you want human-readable output to a text file, I'd suggest running
mitmdump -r ~/Desktop/aaa.txt -n -dd
Explanation:
-r: Read an existing dump file
-n: Do not start a proxy server
-d: increase output details/verbosity (-ddd if you don't want contents to be cut off)

Filtering VoIP calls with tshark

I'm analyzing VoIP calls on my network
For now i'm using a generated .pcap file, but later i'll be listening for this at real time.
I'm using tshark, and i can filter some important data pretty easily from the .pcap (like "source ip address and port", "destination ip addr and Port", payload pckt lost, Max Delta(ms),Max Jitter(ms),Mean Jitter(ms)) with
tshark -r myfile -q -z rtp,streams
What i want to know is: how can i get the sip addrs of a call? (client and server)
I can retrieve some sip addrs (only client) by filtering all sip INVITE like this:
tshark -r myFile -R "sip.Request-Line contains INVITE"
But i can't get the address of the server.
To clarify a bit, my idea was to get this "statistic" in tshark, like wireshark gives me when i access "Telephony>VoIP Calls" (the same way that tshark -r myfile -q -z rtp,streamsreturns me statistics just like wireshark's Telephony>RTP>Show All Streams), is there a way to do this? If not with "statistics" (-z) how can i create a filter (-R) to do something similar of the "VoIPCall" function of wireshark
I'm using tshark as i want to work with this data, and not just analyze it on my screen
Thanks
try:
tshark -r myFile -R "sip.CSeq.method eq INVITE"
That will filter for the request sent from the client and the corresponding reply from the server.
I was in a similar situation and ended up going through tshark man pages.
Command: tshark -r input_file.pcap -q -z sip,stat
Explanation:
-r <infile> : Read packet data from infile
-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.
-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.
You can additionally add filters to the filtering as well, so for example you want to summarize all packets which had only SIP 480 Status Code, you can do so by:
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480
-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code
In case you want multiple filters, you can add them one by one
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500
If you want to summarize by sip address, you can filter by that:
tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com
Refer:
TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html