Packet filtering and analysis examples: tshark and tcpdump

Posted by proctk on Fri, 07 Jun 2019 03:23:45 +0200

Blog Links: http://codeshold.me/2017/08/tcpdump_tshark_notes.html

We often need to analyze and count packets. Python's scapy library is convenient for writing analysis code, but if you are familiar with tshark (the Wireshark command-line tool), tcpdump and the companion tools such as editcap and mergecap, a short shell script is often even faster for the same job.

Brief introduction

  1. tcpdump

    • man tcpdump
  2. tshark

    • tshark keeps protocol state (conversations, reassembly, TCP analysis) in memory while it reads a capture, and the -z statistics are printed only after the whole file has been read, so memory use grows with the file and very large captures need care. It can still handle much larger files than the Wireshark GUI; the limit depends on the machine's memory.
    • tshark ships with companion tools: editcap, mergecap and capinfos.
    • man tshark, man wireshark-filter, man editcap, man mergecap
    • A great webpage that I keep bookmarked; it describes itself as:
      • This is a place for scripts and tools related to Wireshark / TShark that users may like to share, and for links to related NetworkTroubleshooting tools.

Common examples

tshark (editcap, capinfos)

  • Keep only the packets from a specific time window
# Keep the packets captured between 2017-06-17 10:40:00 and 2017-06-17 10:50:00 from src.pcap.
# -A and -B are the start and end times; -F chooses the output file format (use -F pcap when you need classic pcap rather than pcapng).

editcap -A "2017-06-17 10:40:00" -B "2017-06-17 10:50:00" -F pcap src.pcap dst.pcap
  • Count retransmitted packets
# -n disables name resolution; see man tshark for the other options
count=$(tshark -n -r src.pcap -Y "tcp.analysis.retransmission" -T fields -e tcp.stream | wc -l)
echo "Number of retransmitted packets: $count"

# The same count via the -z statistics option (interval 0 = the whole capture)
tshark -z io,stat,0,"tcp.analysis.retransmission" -n -q -r src.pcap
  • Show information about the capture file
# -c prints the number of packets; -M prints machine-readable numbers (no k/M suffixes)
capinfos -c -M src.pcap

# Extract the packet count into a shell variable
total=$(capinfos -c -M src.pcap | awk -F: '/Number of packets/ { gsub(/ /, "", $2); print $2 }')
  • Per 5-second interval, count the packets in each direction (to or from the host, and both together)
# Note: -z io,stat prints a fixed-width text table, not real CSV, even when redirected to a .csv file
tshark -z io,stat,5,"ip.addr==180.153.15.118","ip.src==180.153.15.118","ip.dst==180.153.15.118" -n -q -r 1030_1038_8300.pcap > five_second.csv
  • Per 5-second interval, count retransmitted packets in each direction; io,stat reports both frames and bytes for every filter (note: no spaces after the commas that separate the filters, the whole -z argument must remain a single shell word, which is why the line continuations sit directly after the commas)
tshark -z io,stat,5,"ip.addr==180.153.15.118 && tcp.analysis.retransmission",\
"ip.src==180.153.15.118 && tcp.analysis.retransmission",\
"ip.dst==180.153.15.118 && tcp.analysis.retransmission" \
-n -q -r src.pcap > dst.csv
  • Per 5-second interval, count packets carrying the SYN, FIN and RST flags in each direction, with and without retransmissions (same note: no spaces after the commas; ${SERVERIP} is a shell variable holding the server address, and FRAMES() reports only the frame count instead of the default frames-and-bytes pair)
tshark -z io,stat,5,\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.syn==1 && !(tcp.flags.ack==1)",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.syn==1 && !(tcp.flags.ack==1)",\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.fin==1",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.fin==1",\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.reset==1",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.reset==1",\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.syn==1 && !(tcp.flags.ack==1) && (!tcp.analysis.retransmission)",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.syn==1 && !(tcp.flags.ack==1) && (!tcp.analysis.retransmission)",\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.fin==1 && (!tcp.analysis.retransmission)",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.fin==1 && (!tcp.analysis.retransmission)",\
"FRAMES()ip.src==${SERVERIP} && tcp.flags.reset==1 && (!tcp.analysis.retransmission)",\
"FRAMES()ip.dst==${SERVERIP} && tcp.flags.reset==1 && (!tcp.analysis.retransmission)" \
-n -q -r src.pcap > dst.csv
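The io,stat tables produced by the three commands above are fixed-width text, so the `> dst.csv` redirection does not give you a file a spreadsheet or a second script can consume. The following is an added example (not code from the original post) that converts such a table into real CSV and sums a column; SAMPLE_IOSTAT is a constructed table in the layout tshark prints for `-z io,stat,5,"ip.src==X","ip.dst==X"`, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the fixed-width table that
# `tshark -z io,stat,...` prints into CSV, then sum a column over all intervals.
# SAMPLE_IOSTAT is a constructed table in the layout tshark prints; real runs
# differ in column widths and the last interval may read "10 <> Dur", which is
# why the parser keys only on the "<>" separator of the data rows.

SAMPLE_IOSTAT='
=================================================
| IO Statistics                                 |
|                                               |
| Duration: 10.0 secs                           |
| Interval:  5 secs                             |
|                                               |
| Col 1: ip.src==180.153.15.118                 |
|     2: ip.dst==180.153.15.118                 |
|-----------------------------------------------|
|          |1                |2                |
| Interval | Frames | Bytes  | Frames | Bytes  |
|-----------------------------------------------|
|  0 <>  5 |    600 | 200000 |    634 | 367890 |
|  5 <> 10 |    500 | 180000 |    500 | 220000 |
================================================='

# iostat_to_csv: stdin = tshark io,stat table, stdout = one CSV row per interval:
#   start,end,<frames,bytes for filter 1>,<frames,bytes for filter 2>,...
iostat_to_csv() {
    awk -F'|' '
        /<>/ {
            split($2, iv, "<>")                  # "  0 <>  5 " -> start, end
            gsub(/ /, "", iv[1]); gsub(/ /, "", iv[2])
            line = iv[1] "," iv[2]
            for (i = 3; i < NF; i++) {           # $NF is the empty field after the last "|"
                v = $i; gsub(/ /, "", v)
                line = line "," v
            }
            print line
        }'
}

# csv_sum COLUMN: sum one 1-based CSV column read from stdin (totals over all intervals)
csv_sum() {
    awk -F',' -v c="$1" '{ s += $c } END { printf "%d\n", s }'
}

# Usage: CSV rows, then the total frames sent by the server (CSV column 3 = filter 1 frames)
printf '%s\n' "$SAMPLE_IOSTAT" | iostat_to_csv
printf '%s\n' "$SAMPLE_IOSTAT" | iostat_to_csv | csv_sum 3
```

With a real capture, replace the `printf` of the sample with the tshark command itself, e.g. `tshark -z io,stat,5,"ip.src==${SERVERIP}","ip.dst==${SERVERIP}" -n -q -r src.pcap | iostat_to_csv > dst.csv`; the column positions follow the order of the filters on the command line.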

tcpdump

tcpdump's BPF filtering is the fastest of the three, and its output is streamed in real time.

  • Simplest case: keep only the packets on port 22 from src.pcap
# -Z root keeps tcpdump running as root instead of dropping to the unprivileged tcpdump user
# (the default on distributions built that way), so -w can write dst.pcap anywhere. It is safer
# to omit it and write to a directory that user can write to: the capture is untrusted input, and
# then tcpdump parses it without root privileges.
tcpdump -Z root -r src.pcap "tcp port 22" -w dst.pcap
  • Packets on port 22 that have the FIN flag set
tcpdump -Z root -r src.pcap "tcp port 22 and (tcp[tcpflags] & tcp-fin != 0)" -w dst.pcap
  • Filter on application-layer data, such as the path of an HTTP GET request. BPF can load only 1, 2 or 4 bytes at a time, so the size in tcp[offset:size] is at most 4 and longer strings are matched as consecutive 4-byte words.
## Example: GET /bidimg/hello
# The offsets below assume a 20-byte TCP header (no options), so payload byte 0 is tcp[20]:
# "GET " is tcp[20:4]==0x47455420, "/bid" is tcp[24:4]==0x2f626964 and "img/" is tcp[28:4]==0x696d672f.
# With TCP options the payload shifts; read the header length from the data offset instead:
# tcp[((tcp[12]&0xf0)>>2)+4:4]==0x2f626964
tcpdump -Z root -r src.pcap "((tcp[24:4]==0x2f626964 and tcp[28:4]==0x696d672f) and dst port 80)" -w dst.pcap

Ref

  1. Some simple scripts
  2. Great reference

Topics: Python shell