Category Archives: tcp/ip

tshark examples

Packet display rules (display filters)

tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

Note: in tshark 1.10 and later, -Y is the single-pass display filter; -R has become a read filter that needs the two-pass option -2, so the -R examples below need -Y (or -2) on a current build.

"Ethernet address 00:08:15:00:08:15"    eth.addr == 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)"    eth.type == 0x0806
"Ethernet broadcast"    eth.addr == ff:ff:ff:ff:ff:ff
"No ARP"    not arp
"IP only"    ip
"IP address 192.168.0.1"    ip.addr == 192.168.0.1
"IP address isn't 192.168.0.1 (don't use != for this!)"    !(ip.addr == 192.168.0.1)
"IPX only"    ipx
"TCP only"    tcp
"UDP only"    udp
"UDP port isn't 53, i.e. not DNS (don't use != for this!)"    !(udp.port == 53)
"TCP or UDP port is 80 (HTTP)"    tcp.port == 80 || udp.port == 80
"HTTP"    http
"No ARP and no DNS"    not arp and not (udp.port == 53)
"Non-HTTP and non-SMTP to/from 192.168.0.1"    not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1

(The "don't use !=" warnings exist because a packet carries two addresses and two ports; "ip.addr != x" matches as soon as either of them differs from x, so it does not exclude traffic involving x.)

tshark -R 'http.response and http.content_type contains "image"' \
  -z "proto,colinfo,http.content_length,http.content_length" \
  -z "proto,colinfo,http.content_type,http.content_type" \
  -r /tmp/capture.tmp

http://www.packetlevel.ch/

To create a ";"-separated file with source IP, destination IP and destination port for all SYN-initiated connections, you can use the following sample.
Use the options -T, -E and -e (see the man page for details):

tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)'
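The command above prints one line per SYN packet in the order ip.src;tcp.srcport;ip.dst;tcp.dstport. The following script is an added example (not from the original post) that consumes such output and summarises, per source address, how many distinct destination host:port pairs it sent SYNs to; one source hitting many ports in a capture is the usual first indicator of a port scan that a defender would look for. The sample lines are constructed, including the empty ";;;" lines tshark emits for frames without those fields.

```python
"""Summarise tshark '-T fields -E separator=;' SYN output per source address.

Added example, not part of the original post. Input format (one line per
packet): ip.src;tcp.srcport;ip.dst;tcp.dstport
"""
import sys
from collections import defaultdict

# Constructed sample output; not from a real capture.
SAMPLE = """\
10.0.0.5;51234;192.168.0.1;80
10.0.0.5;51235;192.168.0.1;443
;;;
10.0.0.9;40000;192.168.0.1;22
10.0.0.9;40001;192.168.0.1;23
10.0.0.9;40002;192.168.0.1;25
10.0.0.9;40003;192.168.0.1;80
10.0.0.9;40004;192.168.0.1;443
this line is not well formed
"""


def parse_syn_lines(text):
    """Yield (src, sport, dst, dport) tuples; malformed or empty lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) != 4 or not all(parts):
            continue
        src, sport, dst, dport = parts
        try:
            yield src, int(sport), dst, int(dport)
        except ValueError:
            continue


def targets_per_source(text):
    """Map each source IP to the set of distinct (dst, dport) pairs it sent SYNs to."""
    seen = defaultdict(set)
    for src, _sport, dst, dport in parse_syn_lines(text):
        seen[src].add((dst, dport))
    return dict(seen)


def sources_over_threshold(text, threshold=5):
    """Sources that opened connections to at least `threshold` distinct dst:port pairs,
    most active first. The threshold is a constructed example value, not a standard."""
    counts = {src: len(t) for src, t in targets_per_source(text).items()}
    flagged = [src for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda s: -counts[s])


if __name__ == "__main__":
    # Pipe the tshark command's output in, or run without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for src, targets in sorted(targets_per_source(data).items()):
        print("%-16s %d distinct dst:port pairs" % (src, len(targets)))
    print("flagged:", sources_over_threshold(data))
```

Usage: `tshark -nn -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport '(tcp.flags.syn == 1 and tcp.flags.ack == 0)' | python3 syn_summary.py`. Counting distinct destination pairs rather than raw SYNs avoids flagging a busy client that retransmits to one service.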

Display HTTP response codes:

tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code

Display Top 10 URLs

tshark -r sample1.cap -R http.request -T fields -e http.host -e http.request.uri \
  | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head

Display source IP and MAC address (comma separated)

tshark -i eth0 -nn -e ip.src -e eth.src -T fields -E separator=, -R ip

Display destination IP and MAC address (comma separated)

tshark -i eth0 -nn -e ip.dst -e eth.dst -T fields -E separator=, -R ip

Source and destination IP

tshark -i eth0 -nn -e ip.src -e ip.dst -T fields -E separator=, -R ip

Source and destination IPv6

tshark -i eth0 -nn -e ipv6.src -e ipv6.dst -T fields -E separator=, -R ipv6

Source IP and DNS query name

tshark -i eth0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53

Answer sequence numbers
For a test of whether a device uses random sequence numbers in its answers, I need the sequence number of the SYN-ACK packet.
The -o option is required to override the Wireshark configuration and make sure we get the absolute sequence number, not the relative one:

tshark -nn -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE host 192.168.1.1 and tcp[13]=0x12

You can define the output columns of tshark. Here are some samples:
display only the source and the destination IP

tshark -o column.format:'"Source", "%s", "Destination", "%d"' -T text

Samples:

tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e frame.date -e frame.time -e ip.src -e ip.dst -e nbns.id -e nbns.flags.opcode -e nbns.flags.rcode

tshark -r samples.cap -o column.format:'"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'

tshark -r samples.cap -Ttext > outfile.txt

tshark -r samples.cap -o column.format:'"Source", "%s", "Destination", "%d"' -T text

tshark -r samples.cap -R "http.response.code == 200" -T fields -e http.content_type

tshark -r samples.cap -R "dns.flags.response == 0"

Statistics from a capture file
Some samples:

tshark -r samples.cap -qz 'io,stat,1,SUM(tcp.analysis.retransmission)ip.addr==10.10.10.10' > stat.txt

tshark -r samples.cap -qz io,stat,120,"ip.addr==194.134.109.48 && tcp","COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,\
"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission",\
"AVG(tcp.window_size)tcp.window_size","MAX(tcp.window_size)tcp.window_size",\
"MIN(tcp.window_size)tcp.window_size"

tshark -r samples.cap -q -z io,stat,5,"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission",\
"COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack",\
"COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment",\
"COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"

tshark -r samples.cap -q -z io,stat,5,"MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt",\
"MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt","AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt"

tshark -r samples.cap -q -z ip_hosts,tree

tshark -r samples.cap -q -z conv,tcp

tshark -r samples.cap -q -z ptype,tree

MySQL snooping

tshark -i eth0 -a duration:60 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'

Logging all the queries with MySQL

1. Capture the MySQL traffic:

tcpdump -i eth0 port 3306 -s 1500 -w tcpdump.out

2. Extract the queries:

tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query > query_log.out

3. Remove the blank lines and the redundant transaction statements (commit, rollback, SET autocommit):

grep -v -e '^$' -e '^commit' -e '^SET autocommit' -e '^rollback' query_log.out > query_log_no_blank.out

tcpdump cheatsheet

http://openwiki.ru/wiki/Tcpdump
view the traffic on an interface:

tcpdump -i fxp1

view the traffic of a single host:

tcpdump host 1.2.3.4

view the traffic on a port:

tcpdump src port 80

view IP traffic to a host:

tcpdump ip host 1.2.3.4

view ARP traffic to a host:

tcpdump arp host 1.2.3.4

view RARP traffic to a host:

tcpdump rarp host 1.2.3.4

view all traffic except for the host unixserver:

tcpdump not host unixserver

view traffic to server1 and server2:

tcpdump host server1 or host server2

view the packet contents on interface tun0 to host ya.ru:

tcpdump -X -i tun0 host ya.ru

peek at ICQ numbers and passwords:

tcpdump -X -i fxp1 port aol

view the packet contents on interface tun0 to host ya.ru, reading 1500 bytes of each packet and not resolving IP addresses to host names:

tcpdump -X -s 1500 -n -i tun0 host ya.ru

Netmask table (cheat sheet :) )

IV. Netmask table. Bit Boundary Chart
Historically, IP addresses have been assigned in the form of network numbers of class A, B, or C. With the introduction of CIDR (Classless Inter-Domain Routing) classful restrictions are no longer valid. Address space is now allocated and assigned on bit boundaries. The following table illustrates this:

+-------+------+------+-----------------+
| addrs | bits | pref | mask            |
+-------+------+------+-----------------+
|     1 |    0 | /32  | 255.255.255.255 |
|     2 |    1 | /31  | 255.255.255.254 |
|     4 |    2 | /30  | 255.255.255.252 |
|     8 |    3 | /29  | 255.255.255.248 |
|    16 |    4 | /28  | 255.255.255.240 |
|    32 |    5 | /27  | 255.255.255.224 |
|    64 |    6 | /26  | 255.255.255.192 |
|   128 |    7 | /25  | 255.255.255.128 |
|   256 |    8 | /24  | 255.255.255     |
|   512 |    9 | /23  | 255.255.254     |
|    1K |   10 | /22  | 255.255.252     |
|    2K |   11 | /21  | 255.255.248     |
|    4K |   12 | /20  | 255.255.240     |
|    8K |   13 | /19  | 255.255.224     |
|   16K |   14 | /18  | 255.255.192     |
|   32K |   15 | /17  | 255.255.128     |
|   64K |   16 | /16  | 255.255         |
|  128K |   17 | /15  | 255.254         |
|  256K |   18 | /14  | 255.252         |
|  512K |   19 | /13  | 255.248         |
|    1M |   20 | /12  | 255.240         |
|    2M |   21 | /11  | 255.224         |
|    4M |   22 | /10  | 255.192         |
|    8M |   23 | /9   | 255.128         |
|   16M |   24 | /8   | 255             |
|   32M |   25 | /7   | 254             |
|   64M |   26 | /6   | 252             |
|  128M |   27 | /5   | 248             |
|  256M |   28 | /4   | 240             |
|  512M |   29 | /3   | 224             |
| 1024M |   30 | /2   | 192             |

addrs is the number of addresses in the block, bits the number of host bits, pref the prefix length; in the mask column trailing .0 octets are omitted (255.255.255 means 255.255.255.0).
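Every row of the chart follows from a single rule: the prefix length is the number of leading one bits in the mask, and a block holds 2^(32 - prefix) addresses. The script below is an added example (not from the original page) that derives any row from the prefix, cross-checks the mask against Python's standard ipaddress module, and goes the other way as well: it validates that a dotted mask is contiguous before accepting it, since a mask such as 255.0.255.0 corresponds to no prefix length and is a classic mistake in ACL and route definitions that silently matches the wrong addresses. The chart's notation helpers (1K/1M counts, dropped trailing .0 octets) are reproduced so the output can be compared with the table line by line.

```python
"""Derive the bit-boundary chart from the prefix length, and validate dotted masks.

Added example, not part of the original page.
"""
import ipaddress


def mask_for_prefix(prefix):
    """Dotted-quad netmask for a prefix length 0..32 (leading `prefix` one bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_for_mask(mask):
    """Prefix length of a dotted mask; raises ValueError for a non-contiguous mask."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted quad: %s" % mask)
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    ones = bin(value).count("1")
    # A valid mask must be exactly `ones` one bits followed by zero bits.
    if mask_for_prefix(ones) != mask:
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def address_count(prefix):
    """Number of addresses in a block with this prefix length."""
    return 2 ** (32 - prefix)


def format_count(n):
    """Render counts the way the chart does: 1K for 1024, 1M for 2^20, 1024M for 2^30."""
    if n < 1024:
        return str(n)
    if n < 2 ** 20:
        return "%dK" % (n // 1024)
    return "%dM" % (n // 2 ** 20)


def short_mask(mask):
    """Chart notation: trailing zero octets are dropped (255.255.255.0 -> 255.255.255)."""
    octets = mask.split(".")
    while len(octets) > 1 and octets[-1] == "0":
        octets.pop()
    return ".".join(octets)


def chart_row(prefix):
    """(addrs, bits, pref, mask) as printed in the chart, cross-checked with ipaddress."""
    mask = mask_for_prefix(prefix)
    expected = str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask)
    if mask != expected:
        raise AssertionError("mask mismatch for /%d: %s vs %s" % (prefix, mask, expected))
    return (format_count(address_count(prefix)), 32 - prefix, "/%d" % prefix, short_mask(mask))


if __name__ == "__main__":
    print("%6s %5s %5s  %s" % ("addrs", "bits", "pref", "mask"))
    for p in range(32, 1, -1):          # same rows as the chart, /32 down to /2
        print("%6s %5d %5s  %s" % chart_row(p))
```

The contiguity check in prefix_for_mask is the part worth keeping around: counting one bits alone would happily report 255.0.255.0 as a /16, whereas regenerating the mask from that count and comparing exposes the gap.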