In my office firewall I use a command like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S'
to monitor LAN clients sending mail (I need to early detect any possible spammer bot from some client, we have very looooose security policies, here... :-().
So far, so good: I have a continuous output as soon any client sends an email.
But, if I add some filter to get a cleaner output, something like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S' | perl -pe 's/(.*?\)) (.*?)\.\d+ \>(.*)/$2/'
(here I intend to get only source ip/name), I do not get any output until tcpdump output is more than (bash?) buffer size... (or at least I suppose so...).
Nothing changes using 'sed' instead of 'perl'...
Any hint to get a continuous output of filtered data?
Put stdbuf before the first command:
sudo stdbuf -o0 tcpdump ...
But, if I add some filter to get a cleaner output, something like
this:
Use the --line-buffered option for grep:
--line-buffered
Use line buffering on output. This can cause a performance
penalty.
try maybe a sed --unbuffered (or -u sometimes like on AIX) to have a stram version (not waiting the EOF)
Related
i need to see only HTTP GET requests HOST once (only the webpage), only from defined source ip, not other information/data.
The first request to that url.
For example:
The first packet what goes from client to server.
GET / HTTP/1.1\r\n
What filters should i add? I have tried few, but still get too much information/data...
Is there any possibilities to look HTTPS first request packet too? To see where the client is sending the request?
If you're on a Un*x platform, you could try something like:
tshark -r file.pcap -Y 'ip.src == 1.2.3.4 and http.request.method == "GET"' -T fields -e http.request.method -e http.request.version -e http.request.uri | head -n 1
... or maybe you want to use http.request.full_uri instead of http.request.uri?
If you're on Windows, you may need to install Cygwin coreutils in order to use head, and you may have to quote things a bit differently, e.g.:
tshark -r file.pcap -Y "ip.src == 1.2.3.4 and http.request.method == \"GET\"" -T fields -e http.request.method -e http.request.version -e http.request.uri | head -n 1
For https, you'll need to decrypt the SSL. You can read how to do that on the Wireshark SSL wiki page.
I would like to know that is there any option in Wireshark to capture packets in the streaming network dynamically. Since I need to capture packets with out doing the export each time and packets capture automatically in a CSV file without exporting it periodically. Thanks.
You should be able to use tshark to achieve this. For example, suppose you want to capture the frame number and source and destination IP addresses of each packet (to keep the example simple), you could use:
tshark -i foo -T fields -E separator=, -E quote=d -E header=y -Y ip -e frame.number -e ip.src -i ip.dst > output.csv
You can specify as many fields as you want using the -e option
I have a bunch of pcap files that I got with tcpdump. I need to search through all of them for specific keywords and record which files contain these strings. Is there a way to automate the search for these keywords using a tcpdump command perhaps?
Probably the most generic solution using tshark would be to run something like:
tshark -r file.pcap -Y "frame contains foo"
... where foo is the string you're searching for. Refer to the wireshark-filter man page for more information on filtering using the contains and other operators, such as the matches operator which supports Perl compatible regular expressions.
Using that command, the output you'll see will be a 1-line summary of each packet matching the filter. You could tailor the output using a number of methods, but for example, suppose you only wanted to know the frame number of the matching packet, you could run:
tshark -r file.pcap -Y "frame contains foo" -T fields -e frame.number
Refer to the tshark man page for more information on the -T and -e options, as well as other options which may be of use to you.
There is more powerful version of tcpdump, tshark (it is the command line tool from wireshark package). You could use tshark -T fields|pdml|ps|psml|text to dump packets in format you like, and just grep it. tshark could read tcpdump dumps.
I want to capture messages of Diameter protocol (over SCTP) by tshark on the screen, expanded.
First, I couldn't find what to write after switch '-f' to filter only diameter messages, but then I found the switch '-R' which accepted 'diameter'.
So, currently my command seems like:
tshark -i el0 -R diameter -V
This is all fine, at least, until the packets are small enough..
However, for bigger packets, I get the error [Unreassembled Packet: DIAMETER]
[Expert Info (Warn/Reassemble): Unreassembled Packet (Exception occurred)]
[Message: Unreassembled Packet (Exception occurred)],
and the packets are indeed not reassembled in the output.
I was googling for solution, and found that the below modification might do the defragmentation:
tshark -i el0 -R diameter -V -o ip.defragment:TRUE
But it just doesn't help.
Any simple solution for this problem? (It is also ok to process the defragmentation afterwards somehow..)
Finally I have found it!
In wireshark there is a checkbox for several protocol related options, in particular, for diameter defragmentation you need to mark the checkbox
Reassemble fragmented SCTP user messages
to get the long diameter messages properly displayed.
Each of these protocol options has its own tshark correspondent parameter, here you have to use -o sctp.reassembly:TRUE.
(For general, look for the file preferences belonging to wireshark.)
So, what method finally worked is
First capture all (sctp) messages regularly:
tshark -i EL0 -f sctp -w raw_capture.pcap
Then, if it is done, process the file by a further tshark command:
tshark -r raw_capture.pcap -R diameter -o sctp.reassembly:TRUE -V
I'm analyzing VoIP calls on my network
For now i'm using a generated .pcap file, but later i'll be listening for this at real time.
I'm using tshark, and i can filter some important data pretty easily from the .pcap (like "source ip address and port", "destination ip addr and Port", payload pckt lost, Max Delta(ms),Max Jitter(ms),Mean Jitter(ms)) with
tshark -r myfile -q -z rtp,streams
What i want to know is: how can i get the sip addrs of a call? (client and server)
I can retrieve some sip addrs (only client) by filtering all sip INVITE like this:
tshark -r myFile -R "sip.Request-Line contains INVITE"
But i can't get the address of the server.
To clarify a bit, my idea was to get this "statistic" in tshark, like wireshark gives me when i access "Telephony>VoIP Calls" (the same way that tshark -r myfile -q -z rtp,streamsreturns me statistics just like wireshark's Telephony>RTP>Show All Streams), is there a way to do this? If not with "statistics" (-z) how can i create a filter (-R) to do something similar of the "VoIPCall" function of wireshark
I'm using tshark as i want to work with this data, and not just analyze it on my screen
Thanks
try:
tshark -r myFile -R "sip.CSeq.method eq INVITE"
That will filter for the request sent from the client and the corresponding reply from the server.
I was in a similar situation and ended up going through tshark man pages.
Command: tshark -r input_file.pcap -q -z sip,stat
Explanation:
-r <infile> : Read packet data from infile
-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.
-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.
You can additionally add filters to the filtering as well, so for example you want to summarize all packets which had only SIP 480 Status Code, you can do so by:
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480
-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code
In case you want multiple filters, you can add them one by one
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500
If you want to summarize by sip address, you can filter by that:
tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com
Refer:
TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html