How To Extract The Name of the Level 7 HTTP2 Application in Tshark - wireshark

So by default when you open a pcap in wireshark it looks something like this.
But I want to view the names of the websites, so I have to find the host (HTTP) or :authority (HTTP2) header and apply it as a column so that I have the name of the website in my display. Once that is done I can export the pcap as a CSV with the names of the websites included.
My question is: how do I do this in tshark, especially for HTTP2? There's lots of information on how to do this for HTTP.

From the tshark man page:
-T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
...
fields The values of fields specified with the -e option, in a form
specified by the -E option. For example,
tshark -T fields -E separator=, -E quote=d
So in your case, you might use something like:
tshark -r Wednesday.pcap -Y http2 -T fields -E separator=, -E quote=d -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e http2.headers.authority -e _ws.col.Info > Wednesday.csv
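One way to script that export and then summarise which hostnames appear, as an added example that is not part of the original answer. Because HTTP/2 is normally carried over TLS, http2.headers.authority is only populated when tshark can decrypt the session (here via a key log file), so the script also exports the TLS SNI as a fallback name; the capture and key-log paths are placeholders supplied through the PCAP and KEYLOG environment variables.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Exports the HTTP/1 Host header, the HTTP/2 :authority header and the TLS SNI
# for every frame that carries one of them, then counts hostnames from the CSV.
# PCAP and KEYLOG are placeholders supplied by the caller (constructed, not from the page).

export_hosts() {
  # $1 = capture file, $2 = optional TLS key log (SSLKEYLOGFILE) so h2 can be decrypted
  pcap=$1; keylog=${2:-}
  set -- -r "$pcap"
  if [ -n "$keylog" ] && [ -r "$keylog" ]; then
    set -- "$@" -o "tls.keylog_file:$keylog"
  fi
  # occurrence=f keeps one value per field, so a frame carrying several HEADERS
  # frames does not emit "a,b" inside one quoted cell and break the comma separator.
  tshark "$@" \
    -Y 'http.host || http2.headers.authority || tls.handshake.extensions_server_name' \
    -T fields -E header=y -E separator=, -E quote=d -E occurrence=f \
    -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
    -e http.host -e http2.headers.authority -e tls.handshake.extensions_server_name
}

summarise_hosts() {
  # Column 5 = Host, 6 = :authority, 7 = SNI; take the first non-empty one per row.
  # The header line (NR == 1) is skipped and the quote=d quotes are stripped.
  awk -F, 'NR > 1 {
      gsub(/"/, "")
      h = ($5 != "") ? $5 : ($6 != "") ? $6 : $7
      if (h != "") count[h]++
    }
    END { for (h in count) print count[h], h }' "$1" | sort -rn
}

# Only runs when a capture is actually present, e.g.:
#   PCAP=Wednesday.pcap KEYLOG=sslkeys.log sh hosts.sh
if [ -r "${PCAP:-}" ]; then
  export_hosts "$PCAP" "${KEYLOG:-}" > hosts.csv
  summarise_hosts hosts.csv
fi
```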

Related

Github action deploying to lightsail has suddenly started failing with dial tcp i/o timeout

I have a github action set up to deploy to an Amazon Lightsail server via ssh. It was working fine until it suddenly started failing with an i/o error. It has consistently failed now for 24 hours (I have tried it many times). I commented out everything in the script part and still get the error, so I know it isn't anything in the script. I think it's pretty clear that it is failing to reach the server and not even getting as far as attempting to run the script.
Here is the output:
Run appleboy/ssh-action#master
/usr/bin/docker run --name ea425b117d14f49c9448e1ae86bb8e0dfd290d_f25ed1 --label ea425b --workdir /github/workspace --rm -e "INPUT_HOST" -e "INPUT_USERNAME" -e "INPUT_KEY" -e "INPUT_PORT" -e "INPUT_SCRIPT" -e "INPUT_PASSPHRASE" -e "INPUT_PASSWORD" -e "INPUT_SYNC" -e "INPUT_USE_INSECURE_CIPHER" -e "INPUT_CIPHER" -e "INPUT_TIMEOUT" -e "INPUT_COMMAND_TIMEOUT" -e "INPUT_KEY_PATH" -e "INPUT_FINGERPRINT" -e "INPUT_PROXY_HOST" -e "INPUT_PROXY_PORT" -e "INPUT_PROXY_USERNAME" -e "INPUT_PROXY_PASSWORD" -e "INPUT_PROXY_PASSPHRASE" -e "INPUT_PROXY_TIMEOUT" -e "INPUT_PROXY_KEY" -e "INPUT_PROXY_KEY_PATH" -e "INPUT_PROXY_FINGERPRINT" -e "INPUT_PROXY_CIPHER" -e "INPUT_PROXY_USE_INSECURE_CIPHER" -e "INPUT_SCRIPT_STOP" -e "INPUT_ENVS" -e "INPUT_DEBUG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v 
"/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/carboncalc/carboncalc":"/github/workspace" ea425b:117d14f49c9448e1ae86bb8e0dfd290d
======CMD======
# cd /opt/bitnami/drupal
# git pull origin main
# composer -n install
# if [ $? -ne 0 ]; then
# exit 1
# fi
# drush updb
# drush cr
======END======
372023/01/18 11:24:51 dial tcp 104.21.26.173:22: i/o timeout
Someone has reported a similar issue here for macOS runners but I am using ubuntu-latest. I've also tried with ubuntu-20.04 and had the same issue.
I can't see any way to increase the timeout so if you know of a way please let me know.
Various people have raised issues on https://github.com/appleboy/ssh-action with the same issue but the answers are things like the SSH key being incorrect, the port being closed or the IP changing. But I have no problem ssh'ing from my machine, and the key that is stored in secrets is the same one that was working a few days ago.
There is plenty of disk space on the target machine.
OP here. Turns out the problem was that I was using the hostname in the ssh command, rather than the IP. For some AWS-magicky reason, the hostname was resolving to an internal IP. It was different from the IP which I use when successfully SSH'ing from my local machine. So I replaced the hostname with this IP, and it started working again.

Filter a PCAP file using tshark : show ip source>ip destination:info in a txt file

I need a tshark command so I can create a txt file containing Ipsource>Ipdestination:Info in this order! I tried this command
tshark -T fields -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -E separator=, -e ip.src -e ip.dst > "C:\Users\dell\Desktop\walima22.txt"
but I can't change the separator and show the info.
There are generally 2 solutions for printing specific column data, one using column-specifiers and the other using fields, similar to what you have.
Using column-specifiers:
Standard specifiers as described by tshark.exe -G column-formats:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -o "gui.column.format:\"Source\",\"%s\",\"Destination\",\"%d\",\"Info\",\"%i\""
... or using custom columns for those fields that are supported:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -o "gui.column.format:\"Source\",\"%Cus:ip.src\",\"Destination\",\"%Cus:ip.dst\",\"Info\",\"%i\""
Using Fields:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -T fields -E separator=, -e ip.src -e ip.dst -e _ws.col.Info
but I can't change the separator
You should be able to change it using the -E option. Refer to the tshark man page for more help with this option.

Problem with Influxdb2/grafana on docker, can't access influx bash commands nor can't connect to the database from grafana

I'm currently trying to set up a grafana/influxdb2 interaction for IoT purposes.
Both are running inside Docker and both are reachable from the host machine's browser on their respective ports.
docker run -d -p 3000:3000 `
--name=grafana `
-v ${PWD}:/var/lib/grafana `
-e "GF_SECURITY_ADMIN_PASSWORD=test" `
-e "GF_INSTALL_PLUGINS=grafana-clock-panel,grafana-simple-json-datasource" `
-e "GF_SECURITY_ALLOW_EMBEDDING=true" `
-e "GF_USERS_ALLOW_SIGN_UP=false" `
-e "GF_AUTH_ANONYMOUS_ENABLED=true" `
-e "GF_AUTH_BASIC_ENABLED=false" `
-e "GF_SERVER_PROTOCOL=https" `
-e "GF_SERVER_CERT_FILE=/var/lib/grafana/ssl/grafana.crt" `
-e "GF_SERVER_CERT_KEY=/var/lib/grafana/ssl/grafana.key" `
grafana/grafana
docker run -d -p 8086:8086 `
--name=influxdb2 `
-v ${PWD}/influxdb2:/var/lib/influxdb2 `
-e DOCKER_INFLUXDB_INIT_MODE=setup `
-e DOCKER_INFLUXDB_INIT_USERNAME=admin `
-e DOCKER_INFLUXDB_INIT_PASSWORD=test `
-e DOCKER_INFLUXDB_INIT_ORG=my `
-e DOCKER_INFLUXDB_INIT_BUCKET=PVdb `
-e INFLUXDB_HTTP_HTTPS_ENABLED=true `
-e INFLUXDB_HTTP_HTTPS_CERTIFICATE=/var/lib/ssl/influxdb2.crt `
-e INFLUXDB_HTTP_HTTPS_PRIVATE_KEY=/var/lib/ssl/influxdb2.key `
influxdb:2.0
I'll start listing the issues I'm facing:
Influxdb is not running under HTTPS even though I'm passing those -e options; I guess I'm missing something for sure since the docker log isn't reporting anything. --> Solved, see below
I browsed through a lot of videos and all the tutorials are showing how you can do
docker exec -it influxdb2 sh
and then
influx
show database
to see the current status, but in my case when I type "influx" I'm instead receiving
Influx Client
Usage:
influx [command]
Available Commands:
...
and "show" is not recognized as command.
--> See below
What I'm currently missing is a "basic" way to write/read to get confident with the tool.
I've also tried using POST commands
curl --request POST "http://localhost:8086/api/v2/write?org=my&bucket=PVdb&precision=s" --header "Authorization: Token myTOKEN" --data-raw "mem,host=host1 used_percent=23.43234543 1556896326"
but curl is not returning anything and I have no way yet to check if the data is present.
As a last issue, in grafana when I add the influxdb (Query Language Flux, URL: http://localhost:8086 (Server)) with Organization, Token and Bucket and press Save & Test I receive
Error reading InfluxDB
--> Solved, see below
Answer:
Add this (even though http is still available)
-e INFLUXD_TLS_CERT=/var/lib/influxdb2/ssl/influxdb2.crt `
-e INFLUXD_TLS_KEY=/var/lib/influxdb2/ssl/influxdb2.key `
I guess all the tutorials are about influxdb 1.8, now the client uses
influx query
although you can try and use
influx v1 dbrp
I had to change "localhost" with the "machine local ip" in the URL (e.g. https://192.x.x.x:8086)
Regards

Multiple filter in tshark

The filters -Y, -2 and -R in tshark are confusing in Wireshark version 2.XX.
In version 1.8, we were able to apply multiple filters and save the filtered packets in csv file using command below:
tshark.exe -r src.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) > filtered.csv
But this command does not work in versions 2.x. Please help if someone applied multi-filter in new Wireshark versions.
You should be able to achieve what you want by replacing -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) with -Y "(ip.src==x.x.x.x)&&(ip.dst==y.y.y.y)".
On Windows 7, I had this working with Wireshark 2.2.1, adding -2 and quoting the string that follows the -R option, like this:
tshark.exe -r mypcap.pcapng -T fields -2 -e frame.number -e frame.time -e frame.len -E header=y -E separator=, -E quote=d -E occurrence=f -R "(ip.src==192.168.1.20)&&(ip.dst==20.1.168.192)"
Not quoting the expression after "-R" results in printing the fields and evaluating the expression. If the expression evaluates to TRUE, the filter is recognized and the result is given. Otherwise the filter (e.g. ip.src) will be evaluated as a command by the system, resulting in "command not recognized".

How to add an extra column to Tshark's output (while keeping the default ones)?

I would like to add a Tshark column that tells me which type of ICMP packet has been captured. This would be the following: icmp.type
While I still need the default columns, how can I make Tshark also show this one?
I've already seen the option to work with -T fields and -e but then all the default columns are left out.
You can add the default columns and use for instance:
tshark -i 1 -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type -E header=y > output.csv
See tshark -h or the man-page for more information.
If you want to add something to the default summary output, you can also use:
-z proto,colinfo,filter,field
For example something like:
-z proto,colinfo,tcp.seq,tcp.seq
Will show this:
1 2018-10-10 10:39:54 192.168.0.10 -> 192.168.0.1 SSH 198 Encrypted response packet len=132 tcp.seq == 1
