packet capture – HackerTarget.com

tshark tutorial and filter examples

the admin — Wed, 22 Apr 2015 13:56:25 +0000

tshark is a packet capture tool that also has powerful reading and parsing features for pcap analysis.

Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, this tutorial will provide practical examples to get started using tshark and begin carving valuable information from the wire.

Tshark examples

Use these as the basis for starting to build extraction commands.The syntax for capturing and reading a pcap is very similar to tcpdump.

Capture Packets with Tshark

tshark -i wlan0 -w capture-output.pcap

Read a Pcap with Tshark

tshark -r capture-output.pcap

HTTP Analysis with Tshark

The following example extracts data from any HTTP requests that are seen. Using the -T specifies we want to extract fields. The -e option identifies which fields to extract.

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
ads.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

The default separator for the fields in the output above is TAB. We could also use the parameter -E seperator=, to change the delimiter to a comma.

Parse User Agents and Frequency with Standard Shell Commands

Using the previous command to extract http.user_agent, this time extracting from a pcap rather than off the live interface. Note in this example, combining with standard shell commands allows us to sort and count the occurrences of the http.user_agent.

tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n

Using this, we can quickly parse a pcap, even if it is very large and get a summary of all the user agents seen. This can be used to detect malware, old browsers on your network and scripts.

Using additional HTTP filters in Analysis

We could perform a similar analysis with the request URL in place of the user agent -e http.request.full_uri. Other fields we could include in the output are -e ip.dst and -e http.request.method. By combing different filters and output fields, it is possible to create very complex data extraction commands for tshark that can be used to find interesting things within a capture.

tshark -r example.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri

DNS Analysis with Tshark

Here is an example that extracts both the DNS query and the response address.

tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr

68 campus-map.stanford.edu	171.64.144.142
www.google.com	
itunes.apple.com	104.74.40.29
71 itunes.apple.com	
campus-map.stanford.edu	
admission.stanford.edu	171.67.215.200
74 financialaid.stanford.edu	171.67.215.200
admission.stanford.edu

Add time and source / destination IP addresses -e frame.time -e ip.src -e ip.dst to your output.

tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr

Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com	198.74.56.127
1 Apr 22, 2015 23:20:17.314244000 8.8.8.8 192.168.1.7 wprecon.com	
2 Apr 22, 2015 23:20:18.090110000 8.8.8.8 192.168.1.7 code.jquery.com

One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output.

Let's get passwords.... in a HTTP post. By not specifying the fields option as above we receive the full TCP stream of the HTTP Post. If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line.

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password

csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123

For our Next Trick

The latest version of Tshark 2.4 includes a number of useful new features. To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository.

sudo add-apt-repository ppa:dreibh/ppa
sudo apt-get update && sudo apt-get install wireshark tshark

Extract Files from PCAP using Tshark

An excellent feature of tshark is the ability to export objects (files) from pcaps using the command line.

The export objects feature has been available in wireshark for a long time now. Having this ability available on the command line is an excellent addition to tshark.

You will need version 2.3.0 or higher for the export objects parameter to be available to tshark.

This command will extract files from an SMB stream and extract them to the location tmpfolder.

tshark -nr test.pcap --export-objects smb,tmpfolder

This command will do the same except from HTTP, extracting all the files seen in the pcap.

tshark -nr test.pcap --export-objects http,tmpfolder

It is a quick and easy way to get all the images, html, js and other HTTP objects from a pcap containing HTTP traffic.

Hopefully this tutorial has given you a quick taste of the useful features that are available to you when using tshark for extracting data from the wire or from pcaps.

Grab packets off the wire and master network analysis.

Wireshark Tutorial and Cheat Sheet.

Wireshark Tutorial

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.

Use cases & more info

The post tshark tutorial and filter examples appeared first on HackerTarget.com.

ngrep and tcpflow – packet capture on a shoestring

the admin — Wed, 08 May 2013 14:38:55 +0000

Ngrep and TCPflow packet capture tools are useful for fast access to packets on the wire. As you will see in the examples they make grabbing text out of the network stream a piece of cake.

You may have heard of Wireshark (formerly Ethereal), a powerful network packet capture tool that enables a user to grab packets off the wire, load pcaps and analyse the data all in one GUI. While Wireshark is a must-have tool for many IT pro's there are times when a simple command line tool can get the job done faster.

Ngrep - or Network Grep Installation

On your Ubuntu (or Debian based) system install with apt-get. Under Fedora, Centos or RHEL if the package is not available in the repos, grab a copy of the rpm and install with a simple rpm -ivh (no dependencies required).

testbox:~#apt-get install ngrep
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ngrep
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.1 kB of archives.
After this operation, 92.2 kB of additional disk space will be used.

Wow, take a look at that - 29.1kB had to be downloaded and 92.2 kB of disk space has been used by this tool. Maybe I should get a bigger hard drive!!

Ngrep Examples

A couple of basic examples to get you started.

testbox:~#ngrep -d wlan0 '^POST'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: ^POST

The syntax is -d wlan0 for the device you wish to capture from, followed by the expression to match. This example will match packets with POST at the start of the line, or HTTP POST requests in a simple text output format. The '#' marks indicate packets that did not match the expression. Further filtering can be done on ports and ip addresses.

Here is a more telling example to give you an idea of the possibilities.

testbox:~#ngrep -t -d wlan0 'pwd'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: pwd
#############
T 2013/05/08 23:30:46.559360 192.168.1.100:48187 -> 173.255.232.18:80 [AP]
  POST /wp-login.php HTTP/1.1..Host: hackertarget.com..User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language: en-US,en;q=0.5..Accept-Encoding: gzip, deflate..Referer: http://hackertarget.com/wp-login.php..Connection: keep-alive..Content-Type: application/x-www-form-urlencoded..Content-Length: 106....log=admin&pwd=testpassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fhackertarget.com%2Fwp-adminF&testcookie=1                                                                                                          
###############################################################################################################^Cexit
124 received, 0 dropped

The addition of the -t will put a timestamp on the matching results. Notice what I have done here, a simple grep for the string 'pwd' has shown the HTTP POST request with my login and password for the https://hackertarget.com/ login page. A quick example that demonstrates the importance of using the SSL version of the site (https://hackertarget.com/).

tcpflow - logging all the data

With tcpflow the installation is similar to that of ngrep, at least under Ubuntu.

apt-get install tcpflow

tcpflow will log all the tcpflows - or TCP sessions into text files in the current directory where it runs. Use tcpdump command line switches for determining what to capture.

tcpflow -i wlan0 'port 80'

This example will capture all HTTP flows over port 80 and store them as text files. A great way to troubleshoot web applications, or network protocols.

Tshark - another worthy command line packet capture tool

tshark is part of the Wireshark package, and is basically a text or console based version of Wireshark. It has many options and can be used to perform much of what ngrep and tcpflow do. However, the advantage of ngrep and tcpflow is their simplicity and ease of use. It will often come down to what tools you have available on the system.

These examples just touch the surface whether troubleshooting or performing security analysis; any plain text protocol can be inspected, POP3, SMTP, IRC, DNS and HTTP are just a few possibilities. On a related note the excellent bro (now known as Zeek Network Security Monitor) performs excellent flow analysis and is a tool worth investigating if you are performing security related packet captures.

Keep in mind that as with any packet capture tool, when using ngrep, tcpflow, tshark or wireshark ensure you have permission from management or legal that you are allowed to be looking closely at those packets, especially if there are other peoples traffic traversing the system you are on.

Practical examples for carving valuable information from the wire.

tshark tutorial and cheat sheet.

tshark Tutorial

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.

Use cases & more info

The post ngrep and tcpflow – packet capture on a shoestring appeared first on HackerTarget.com.