Category Archives: internet

tshark examples

Packet display rules

tshark -R "ip.addr ==" -r /tmp/capture.cap

Caveat: since tshark 1.8 "-R" is a first-pass read filter and has to be combined with "-2" (tshark prints "-R without -2 is deprecated" otherwise); the plain display filter is "-Y". The examples below keep the "-R" form of the original, so substitute "-Y" on a current version.

"Ethernet address 00:08:15:00:08:15" eth.addr == 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)" eth.type == 0x0806
"Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff
"No ARP" not arp
"IP only" ip
"IP address" ip.addr ==
"IP address isn't, don't use != for this!" !(ip.addr ==
"IPX only" ipx
"TCP only" tcp
"UDP only" udp
"UDP port isn't 53 (not DNS), don't use != for this!" !(udp.port == 53)
"TCP or UDP port is 80 (HTTP)" tcp.port == 80 || udp.port == 80
"HTTP" http
"No ARP and no DNS" not arp and not (udp.port == 53)
"Non-HTTP and non-SMTP to/from" not (tcp.port == 80) and not (tcp.port == 25) and ip.addr ==

Why "!=" is the wrong tool: a packet carries two ip.addr values (source and destination) and two udp.port values, and "ip.addr != X" is true as soon as either of them differs from X, which is nearly every packet. Negating the equality with "!( ... )" gives the intended "neither side is X".

tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp

To create a ";"-separated file with source IP, source port, destination IP and destination port of every SYN-initiated connection attempt, use the following sample.
It relies on the options -T, -E and -e (see the man page for details):

tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'
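As an added example (not from the original post) of what to do with those ";"-separated lines once you have them: the script below reads the four tshark fields on stdin and reports every source/destination pair whose SYNs reached at least a threshold of distinct destination ports, which is the usual first indicator of a port scan. SAMPLE_SYNS is constructed sample data, not output of a real capture, and the threshold argument and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize the ';'-separated
# "src;srcport;dst;dstport" lines produced by the tshark command above and
# flag sources that sent SYNs to many distinct ports of one destination.
# SAMPLE_SYNS is constructed sample data, not output from a real capture.

SAMPLE_SYNS='10.0.0.5;51234;192.168.1.10;22
10.0.0.5;51235;192.168.1.10;80
10.0.0.5;51236;192.168.1.10;443
10.0.0.5;51237;192.168.1.10;3306
10.0.0.5;51238;192.168.1.10;8080
10.0.0.9;40000;192.168.1.10;80
10.0.0.9;40001;192.168.1.10;80
garbage line that is not four fields'

# syn_scan_report THRESHOLD
# reads tshark field lines on stdin; prints "src dst distinct_ports" for every
# src/dst pair that touched at least THRESHOLD distinct destination ports.
syn_scan_report() {
    awk -F';' -v thr="$1" '
        NF == 4 {
            pair = $1 " " $3                      # source IP, destination IP
            if (!seen[pair SUBSEP $4]++)         # count each dst port once
                ports[pair]++
        }
        END {
            for (p in ports)
                if (ports[p] >= thr) print p, ports[p]
        }' | sort
}

# run the report over the constructed sample (threshold defaults to 5)
sample_report() {
    printf '%s\n' "$SAMPLE_SYNS" | syn_scan_report "${1:-5}"
}

sample_report 5
```

On a real capture, pipe the tshark command above into the function instead of the sample, e.g. `tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport 'tcp.flags.syn == 1 and tcp.flags.ack == 0' | syn_scan_report 20`. A repeated SYN to the same port (10.0.0.9 above) counts once, so retries of one legitimate connection do not inflate the number.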

Display HTTP response codes:

tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code

Display top 10 URLs

tshark -r sample1.cap -R http.request -T fields -e -e http.request.uri |
sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head

The first sed strips the query string, the second joins the two tab-separated fields into one URL (the backslashes in the expression are required), and sort | uniq -c | sort -rn | head ranks them by frequency.

Display source IP and MAC address (comma separated):

tshark -i eth0 -nn -e ip.src -e eth.src -Tfields -E separator=, -R ip

Display target IP and MAC address (comma separated):

tshark -i eth0 -nn -e ip.dst -e eth.dst -Tfields -E separator=, -R ip

Source and target IP

tshark -i eth0 -nn -e ip.src -e ip.dst -Tfields -E separator=, -R ip

Source and target IPv6 (IPv6 addresses live in the ipv6.* fields, not ip.*)

tshark -i eth0 -nn -e ipv6.src -e ipv6.dst -Tfields -E separator=, -R ipv6

Source IP and DNS query

tshark -i eth0 -nn -e ip.src -e -E separator=";" -T fields port 53

Answer sequence numbers
For a test of whether the device uses random initial sequence numbers, I need the sequence number of the SYN-ACK packet.
The -o option is required to override the Wireshark preference so that we get the absolute sequence number, not the relative one.

tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host and tcp[13]=0x12

The trailing expression is a capture (BPF) filter: tcp[13] is the TCP flags byte, and 0x12 is exactly SYN+ACK set.

You can define the output columns of tshark. Some samples:
Display only the source and the destination IP

tshark -o 'column.format:"Source", "%s", "Destination", "%d"' -Ttext


tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e -e frame.time -e ip.src -e ip.dst -e -e nbns.flags.opcode -e nbns.flags.rcode

tshark -r samples.cap -o 'column.format:"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'

tshark -r samples.cap -Ttext > outfile.txt

tshark -r samples.cap -o 'column.format:"Source", "%s", "Destination", "%d"' -Ttext

tshark -r samples.cap -R http.response.code==200 -T fields -e http.content_type

tshark -r samples.cap -R dns.flags.response==0

Statistics from a capture file
And here are some samples. "io,stat" takes an interval in seconds followed by one or more filters; each filter may be prefixed with COUNT(), SUM(), MIN(), MAX(), AVG() or LOAD() over a field to aggregate that field per interval instead of just counting packets:

tshark -r samples.cap -qz io,stat,1,0,"sum(tcp.analysis.retransmission)ip.addr==" > stat.txt

tshark -r samples.cap -qz io,stat,120,"ip.addr== && tcp","COUNT(tcp.analysis.retransmission)ip.addr== && tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,

tshark -r samples.cap -q -z io,stat,5,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack", \
"COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment", \
"COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"

tshark -r samples.cap -q -z io,stat,5,"MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt",

tshark -r samples.cap -q -z ip_hosts,tree

tshark -r samples.cap -q -z conv,tcp

tshark -r samples.cap -q -z ptype,tree

MySQL snooping

tshark -i eth0 -a duration:60 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'

Logging all the queries with MySQL

1. Capturing the MySQL traffic
tcpdump -i eth0 port 3306 -s 1500 -w tcpdump.out
2. Extracting the queries
tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query > query_log.out
3. Removing the blank lines and the redundant SQL:
grep -v -e '^$' -e '^commit' -e '^SET autocommit' -e '^rollback' query_log.out > query_log_no_blank.out

Two caveats: the snaplen of 1500 truncates statements that span more than one packet, so capture with -s 0 if you need long queries intact, and mysql.query is only populated for cleartext sessions; connections negotiated with TLS show nothing here.

tcpdump cheatsheet
Show traffic on an interface:

tcpdump -i fxp1

Show traffic of a single host:

tcpdump host

Show traffic from source port 80:

tcpdump src port 80

Show IP traffic to a host:

tcpdump ip host

Show ARP traffic to a host:

tcpdump arp host

Show RARP traffic to a host:

tcpdump rarp host

Show traffic except for host unixserver:

tcpdump not host unixserver

Show traffic to server1 and server2:

tcpdump host server1 or host server2

Show packet contents on interface tun0 to a host:

tcpdump -X -i tun0 host

Sniff ICQ numbers and passwords (the "aol" service port):

tcpdump -X -i fxp1 port aol

Show packet contents on interface tun0 to a host, reading 1500 bytes of each packet and not resolving IPs to host names:

tcpdump -X -s 1500 -n -i tun0 host



Postfix antispam
A good article: "Cutting spam: additional methods" by Denis Nazarov,
Sistemny Administrator (System Administrator) magazine, No. 2(27), 2005

Public DNS Servers

Level 3 Communications (Broomfield, CO, US)

Verizon (Reston, VA, US)

GTE (Irving, TX, US)

One Connect IP (Albuquerque, NM, US)

OpenDNS (San Francisco, CA, US)

Exetel (Sydney, AU)

VRx Network Services (New York, NY, US)

SpeakEasy (Seattle, WA, US)

Sprintlink (Overland Park, KS, US)

Cisco (San Jose, CA, US)

todo: evaluate the Horde Project
It's just an amazing web-mail solution, at first glance at least.
I wonder if it could be some kind of alternative to Microsoft Outlook, as it also contains a calendar, a contact manager and some other stuff as well.
I really should try to install it.

Migrate BlogSpot to WordPress

I tried to use the Import Blogger function in the WordPress Manage menu but failed.

Lots of people face the same problem when migrating from BlogSpot (or to WordPress.

I found a workaround to migrate a BlogSpot blog.

  1. Register a free blog at
  2. Import the BlogSpot ( posts and comments using the Import Blogger feature.
  3. Export the blog posts and comments from (as .xml in WXR format)
  4. On your own WordPress web host, import "WordPress" in WXR format (the exported .xml file)
  5. Done!

Subnet mask table (cheat-sheet :) )

IV. Subnet mask table. Bit Boundary Chart
Historically, IP addresses have been assigned in the form of network numbers of class A, B, or C. With the introduction of CIDR (Classless Inter-Domain Routing) classful restrictions are no longer valid. Address space is now allocated and assigned on bit boundaries. The following table illustrates this (addrs = number of addresses in the block, bits = host bits, pref = prefix length, mask = netmask in dotted-quad form):

addrs   bits   pref   mask
1       0      /32    255.255.255.255
2       1      /31    255.255.255.254
4       2      /30    255.255.255.252
8       3      /29    255.255.255.248
16      4      /28    255.255.255.240
32      5      /27    255.255.255.224
64      6      /26    255.255.255.192
128     7      /25    255.255.255.128
256     8      /24    255.255.255.0
512     9      /23    255.255.254.0
1K      10     /22    255.255.252.0
2K      11     /21    255.255.248.0
4K      12     /20    255.255.240.0
8K      13     /19    255.255.224.0
16K     14     /18    255.255.192.0
32K     15     /17    255.255.128.0
64K     16     /16    255.255.0.0
128K    17     /15    255.254.0.0
256K    18     /14    255.252.0.0
512K    19     /13    255.248.0.0
1M      20     /12    255.240.0.0
2M      21     /11    255.224.0.0
4M      22     /10    255.192.0.0
8M      23     /9     255.128.0.0
16M     24     /8     255.0.0.0
32M     25     /7     254.0.0.0
64M     26     /6     252.0.0.0
128M    27     /5     248.0.0.0
256M    28     /4     240.0.0.0
512M    29     /3     224.0.0.0
1024M   30     /2     192.0.0.0
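As an added example (not part of the original chart), the POSIX shell functions below derive any row of the table from the prefix length alone: the host-bit count, the number of addresses and the dotted-quad mask. They assume 64-bit shell integers (dash, bash and ksh all provide them), so the shift by 32 needed for a /0 is well defined; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original table: derive the rows of the
# bit-boundary chart above for any IPv4 prefix length with plain POSIX shell
# arithmetic.  Assumes 64-bit shell integers (dash, bash, ksh), so shifting
# by 32 for a /0 is well defined.

# check_prefix LEN -> fails unless LEN is an integer 0..32
check_prefix() {
    case "$1" in
        ''|*[!0-9]*) echo "prefix length must be a number 0..32" >&2; return 1 ;;
    esac
    [ "$1" -le 32 ] || { echo "prefix length must be 0..32" >&2; return 1; }
}

# prefix_to_addrs LEN -> number of addresses in the block, 2^(32-LEN)
prefix_to_addrs() {
    check_prefix "$1" || return 1
    echo $(( 1 << (32 - $1) ))
}

# prefix_to_mask LEN -> dotted-quad netmask: the top LEN bits of 32 set
prefix_to_mask() {
    check_prefix "$1" || return 1
    m=$(( ((1 << $1) - 1) << (32 - $1) ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# prefix_to_row LEN -> "addrs host-bits /LEN mask", the layout of the table above
prefix_to_row() {
    check_prefix "$1" || return 1
    echo "$(prefix_to_addrs "$1") $(( 32 - $1 )) /$1 $(prefix_to_mask "$1")"
}

# print the whole chart, /32 down to /0
len=32
while [ "$len" -ge 0 ]; do
    prefix_to_row "$len"
    len=$(( len - 1 ))
done
```

The mask is built as ((1 << LEN) - 1) << (32 - LEN): LEN ones, then shifted up to the top of the 32-bit word, which is exactly what each row of the table spells out in octets. Malformed or out-of-range prefix lengths are rejected before any arithmetic runs.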