I have been trying to filter tcpdump output based on packets lengths. But I had no luck.
This is the simple output for a command;
tcpdump -n -i eth0 dst port 443 -A
17:03:30.866890 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [S], seq 2685064927, win 14600, options [mss 1460,sackOK,TS val 7028787 ecr 0,nop,wscale 4], length 0
E..<..#.#.......>K.<.0...
........9............
.k#3........
17:03:30.867658 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 2285019097, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 0
E..4..#.#.......>K.<.0...
...2.............
.k#3:..U
17:03:30.867928 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 0:171, ack 1, win 913, options [nop,nop,TS val 7028787 ecr 974439509], length 171
E.....#.#..f....>K.<.0...
...2.............
.k#3:..U...........Opw2.....l..".T.7.q.]h..8W..%.....H...
.......9.8.......5... .....E.D.3.2...........A...../.........
...1.........alice.sni.velox.ch.
.................#..
17:03:30.869712 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [.], ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 0
E..4..#.#.......>K.<.0...
...2.....6.......
.k#4:..W
17:03:30.870724 IP 192.168.0.149.45104 > 62.75.148.60.443: Flags [P.], seq 171:178, ack 1319, win 1078, options [nop,nop,TS val 7028788 ecr 974439511], length 7
E..;..#.#.......>K.<.0...
...2.....6.......
.k#4:..W......0
I want to see packages only if they have more then 100bytes length. for this case, only the 3rd packet.
options [nop,nop,TS val 7028787 ecr 974439509], length 171
I have looked at man pages for tcpdump, but couldn't find any useful parameter. there is an expression 'greater length' mentioned here; http://www.ethereal.com/docs/man-pages/tcpdump.8.html but i couldn't use that expression too.
$ tcpdump -n -i eth0 dst port 443 -A -x greater 100
tcpdump: syntax error
Thank's for any help.
greater length works, but you have to use it as part of a complete filter expression, and the filter expression has to come after all the command-line flag arguments.
Working example:
tcpdump -n -i eth0 -A -x dst port 443 and greater 100
Should work - dst port 443 and greater 100 is a complete filter expression, which checks for packets that are being sent to TCP or UDP port 443 and that have a total length (including link-layer, IP, and TCP headers!) greater than 100.
NOT working example:
tcpdump -n -i eth0 dst port 443 -A -x greater 100
Will not work - the dst in dst port 443 is treated as the beginning of a filter expression, meaning that it and everything after it, including -A and -x, are treated as part of the filter expression, but -A and -x are not valid components of a filter expression. They are presumably intended to be command-line options, so they must go before all non-flag arguments, including the components of the filter expression.
Related
Attempting to capture traffic but I don't know the write syntax to filter the output to a readable pcap file.
I need to use the syntax
tcpdump -r file.pcap
and to filter eth0 icmp traffic
tcpdump -i eth0 icmp -c 10 > file.pcap
is there a way to do this in one line of command?
Yes, but, if you're writing a pcap file rather than a text file, it doesn't involve the > character.
By default, tcpdump captures traffic from an interface, or reads a capture file, and writes out a human-readable dissection of the packets to the standard output.
You need the -w flag to write out a pcap file, so, in your case, the command is
tcpdump -r file.pcap -w file.pcap ICMP
Your command
tcpdump -i eth0 icmp -c 10 > file.pcap
wouldn't write out a pcap file, it writes out text such as
16:30:59.808885 IP 192.168.1.5 > example.com: ICMP echo request, id 40541, seq 0, length 64
16:30:59.841404 IP example.com > 192.168.1.5: ICMP echo reply, id 40541, seq 0, length 64
If you wanted to write the ICMP traffic to a pcap file, you would do
tcpdump -i eth0 icmp -c 10 -w file.pcap
I am capturing TCP packets using a Wireshark tool, TShark.exe. See below code example:
cd 'c:\program files\WireShark\'
.\tshark.exe -c 10
Capturing on 'Ethernet0'
1 0.000000 192.168.1.0 -> 192.168.2.0 TCP 60 49188 -> 445 [ACK]
1 0.000198 192.168.1.0 -> 22.14.2.0 TCP 60 53144 -> 3389 [ACK]
All ok so far, but now if storing in a variable:
$packets = .\tshark.exe -c 10
$packets
1 0.000000 192.168.1.0 ÅÖ% 192.168.2.0 TCP 60 49188 ÅÖ% 445 [ACK]
The directional arrows are lost and replaced with rogue characters. How can I preserve the formatting when storing in a variable?
I want filter first 100 packets inside a pcap file and show the result on stdout. for filtering first 100 packet I used below command:
editcap -r test.pcap output.pcap 1-100
for showing result and filtering packet for the further purpose I want to used tcpdump.
tcpdump -tttt tcp and host ip 192.168.1.1 -r inputfile.pcap
i want to redirect output of editcap to tcpdump, like this:
editcap -r test.pcap - | tcpdump -tttt tcp and host ip 192.168.1.1 -r -
but in this command I couldnt filter first 100 packets. Is it possible to do so??
If not is it possible to rediredt output of editcap to RAM and then the tcpdump read from RAM ??
thanks in advanced.
P.S by the way, I don't want to use the below command, because this command read the all Packet inside the file. I need the command read some packets inside he pcap file and shows then was finished the job.
tshark -r ~/test1.pcap -R "frame.number<20 and frame.number>10"
but in this command I couldnt filter first 100 packets
I.e., you don't see any packets?
Try doing
editcap -F pcap -r test.pcap - 1-100 | tcpdump -tttt tcp and host ip 192.168.1.1 -r -
as editcap might be writing out a pcap-ng file and there is a bug in some versions of libpcap when reading pcap-ng files that causes filtering in tcpdump not to work.
I have the following trace :
:
In the wireshark preferences I have the following option set to Off :
In TCP Prefs : Allow subdissector to reassemble TCP streams
In SIP prefs : Reassemble sIP headers spanning multiple TCP segments
In SIP prefs : Reassemble sIP bodies spanning multiple TCP segments
I am trying to analyze this trace with the tshark command given below. But in the output I am not shown any packets even though the packets are there in the trace :
[rishabh#pc Test]$tshark -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -R "sip.Status-Code eq 500" -r "4.cap"
ip.src tcp.srcport ip.dst tcp.dstport
[rishabh#pc Test]$
How do i modify the filter to capture the highlighted packet?
I found out that if I switch on all of the above wireshark options the TCP packets are shown as :
Maybe tshark allows reassembly by default and thus it is not able to filter the packet as a SIP message. Also I am able to capture the data with the tshark filter : "tcp contains '500 Responder'"
But I need to filter it as a sip status code only. How do I achieve this?
Note that the SIP status code is indeed 500, so the initial filter should work.
Found the solution:
tshark allows you to set the settings for the reassembly preferences. The preferences are :
Whether subdissector can request TCP streams to be reassembled
TRUE or FALSE (case-insensitive)
tcp.desegment_tcp_streams: TRUE
Whether the SIP dissector should reassemble headers of a request spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings.
TRUE or FALSE (case-insensitive)
sip.desegment_headers: TRUE
Whether the SIP dissector should use the "Content-length:" value, if present, to reassemble the body of a request spanning multiple TCP segments, and reassemble chunked data spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings.
TRUE or FALSE (case-insensitive)
sip.desegment_body: TRUE
Using these flags with -o option in tshark, preferences can be custiomized. I used the following tshark command for my problem :
/home/atsuser/Tools/wireshark/tshark -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.number -r 4.cap -o sip.desegment_headers:FALSE -o sip.desegment_body:FALSE -o tcp.desegment_tcp_streams:FALSE -R "sip.Status-Code eq 500"
I found the preference names at the location "%USERPROFILE%\Application Data\Wireshark" on my windows machine.
Okay, I want to have Nmap scan an IP range for computers with a certain port open (port 80 in this case) and have it output all the IP's it finds into a text file, stored in this format:
192.168.0.1
192.168.0.185
192.168.0.192
192.168.0.195
So to output the file, I tried using this command:
nmap -sT -p 80 -ttl 40 192.168.0.0-255 -oG - | grep "80/open" > output.txt
Where "output.txt" is the output file that contains the results. So a line of output.txt looks
like this:
Host: 192.168.0.1 () Ports: 80/open/tcp//http///
So I basically want it only to output the IP address with port 80 open, and nothing else.
I want it to not output the "Host: " or the "()" and "Ports: 80/open/tcp//http///" lines. So is there anyway I can have Nmap not put that stuff into the output file? Or make it only
output the IP addresses? I tried looking at the map page, it was of little help. And I looked all over the Internet and that wasn't very useful either. So does anyone know how I can do this? Thanks
Awk is your friend!
$ nmap -sT -p 80 192.168.0.0/24 -oG - | awk '/ 80\/open/{print $2}' > output.txt
This will find lines with port 80 open (notice the space before 80, if you plan to scan more than the one port!), and print field 2, splitting on whitespace. Another way to do it would be:
$ nmap -sT -p 80 --open 192.168.0.0/24 -oG - | awk '$4=="Ports:"{print $2}' > output.txt
This one uses the --open argument to Nmap to only produce output for hosts with open ports. The awk command checks that this is a "Ports" line, not a "Status" line (which may only show up when using -v, but I'm not positive) before printing the IP address.
Note that it is usually in your best interests to save the scan results to a file, to avoid needing to repeat the scan if you decide to extract some different information. If you choose to do this, I would recommend using the XML output (-oX), since there are lots of analysis tools that have parsers built for it already.
Having nmap produce exactly what you want would indeed be nice. But as a more general solution:
$ nmap ... | grep ... | tr '/' ' ' | awk '{ print $2,$5; }
192.168.0.1 80
Or maybe:
nmap ... | grep ... | tr '/' ' ' | cut -d' ' -f2,8
I found a script called scanreport.sh very useful. Although its not necessary, you could just use awk as suggested, but thought it might be of interest.
It gives the ability to output the nmap results nicely by service or port (with highlighting). It uses the grep-able output from nmap (-oG) after a quick tidy from grep -v ^# nmapoutput.txt > report.txt
Example
nmap -sS 192.168.1.22 -oG /directory/of/choice/results.txt
grep -v ^# results.txt > report.txt
./scanreport.sh -f report.txt
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -p 80
Host: 192.168.1.22 ()
80 open tcp http Apache httpd 2.2.14 ((Ubuntu))
./scanreport.sh -f report.txt -s ssh
Host: 192.168.1.22 ()
22 open tcp ssh OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
Plenty of stuff on google about it but here a link to one ref.
./scanreport.sh