Unload protocols from pcap - wireshark

How can I use the tshark utility to download a list of protocols from a .pcap file? Only the protocols are needed.

I am not sure if this is the fastest way, but it should output what you need.
The following line will output a CSV file:
tshark -r file.pcap -E header=y -E separator=, -T fields -e frame.protocols > file.csv
And then you can use the following Python code:
import pandas as pd

df = pd.read_csv('file.csv')
# one column per protocol layer: "eth:ethertype:ip:tcp" -> eth | ethertype | ip | tcp
new = df["frame.protocols"].str.split(":", expand=True)
# flatten every cell into one series and count each protocol name (empty cells are dropped)
print(pd.Series(new.values.ravel()).value_counts())
You can see the number of occurrences of each protocol.
P.S. Ignore eth and ethertype
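The same counting can be done without pandas, and it is useful to separate "frames that contain a protocol at any layer" from "frames whose innermost protocol is X", since the latter is usually what a traffic summary should show. The following is an added example, not code from the answer above; the tshark output it parses is a constructed sample, and the `NOISE` set simply encodes the "ignore eth and ethertype" advice.

```python
from collections import Counter
import csv
import io

# Constructed sample of what
#   tshark -r file.pcap -E header=y -E separator=, -T fields -e frame.protocols
# prints. These rows are made up for the example, not taken from a real capture.
SAMPLE_TSHARK_OUTPUT = """frame.protocols
eth:ethertype:ip:tcp:http
eth:ethertype:ip:tcp
eth:ethertype:ip:udp:dns
eth:ethertype:ipv6:udp:dns
eth:ethertype:arp
eth:ethertype:ip:tcp:tls
"""

# Link-layer entries that tshark lists for every frame; dropped from the summaries.
NOISE = {"eth", "ethertype"}


def parse_protocol_stacks(text):
    """Yield the list of protocol names (outermost first) for each frame in the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        stack = row["frame.protocols"]
        if stack:
            yield stack.split(":")


def count_layers(text, ignore=NOISE):
    """Number of frames in which each protocol appears at any layer.

    A frame is counted once per protocol even if the protocol repeats in the
    stack (tunnels such as ip:gre:ip would otherwise be counted twice).
    """
    counts = Counter()
    for stack in parse_protocol_stacks(text):
        counts.update(p for p in set(stack) if p not in ignore)
    return counts


def count_top_protocols(text, ignore=NOISE):
    """Number of frames per innermost (highest-layer) protocol."""
    counts = Counter()
    for stack in parse_protocol_stacks(text):
        inner = [p for p in stack if p not in ignore]
        if inner:
            counts[inner[-1]] += 1
    return counts


def protocol_set(text, ignore=NOISE):
    """Sorted list of distinct protocols seen in the capture."""
    return sorted(count_layers(text, ignore))


if __name__ == "__main__":
    print("protocols:", protocol_set(SAMPLE_TSHARK_OUTPUT))
    for name, n in count_layers(SAMPLE_TSHARK_OUTPUT).most_common():
        print(f"{name:8s} present in {n} frame(s)")
    for name, n in count_top_protocols(SAMPLE_TSHARK_OUTPUT).most_common():
        print(f"{name:8s} innermost in {n} frame(s)")
```

To run it on a real file, replace `SAMPLE_TSHARK_OUTPUT` with the contents of the CSV produced by the tshark command in the answer.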

Tool for edit lvm.conf file

Is there any lvm.conf editor?
I'm trying to set global_filter, use_lvmetad and some other options, currently using sed:
sed -i /etc/lvm/lvm.conf \
-e "s/use_lvmetad = 1/use_lvmetad = 0/" \
-e "/^ *[^#] *global_filter/d" \
-e "/^devices {/a\ global_filter = [ \"r|/dev/drbd.*|\", \"r|/dev/dm-.*|\", \"r|/dev/zd.*|\" ]"
but I don't like this too much. Is there any better way?
I found only lvmconfig tool, but it can only display certain configuration sections, and can't edit them.
If you are using an Ubuntu variant, you can use the LVM GUI to configure and manage LVM. Refer to this link.
It seems that augtool is exactly what I was looking for.
These two packages should be enough to properly process the lvm.conf file:
apt install augeas-tools augeas-lenses
Example usage:
augtool print /files/etc/lvm/lvm.conf
And you should get the whole parse tree on stdout.
If the parser fails you won't get any output; print the error message using:
augtool print /files/etc/lvm/lvm.conf/error
The augtool equivalent for the sed command from the original question:
augtool -s <<EOT
set /files/etc/lvm/lvm.conf/global/dict/use_lvmetad/int "0"
rm /files/etc/lvm/lvm.conf/devices/dict/global_filter
set /files/etc/lvm/lvm.conf/devices/dict/global_filter/list/0/str "r|^/dev/drbd.*|"
set /files/etc/lvm/lvm.conf/devices/dict/global_filter/list/1/str "r|/dev/dm-.*|"
set /files/etc/lvm/lvm.conf/devices/dict/global_filter/list/2/str "r|/dev/zd.*|"
EOT
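Whichever tool performs the edit, it is worth checking the resulting file rather than trusting the exit status, because a typo in a reject pattern silently leaves the device visible to LVM. The following is an added example, not part of the answer above and not an augeas or LVM project tool: a small parser for the `section { key = value }` syntax of lvm.conf, plus a check that the two settings the question changes are in place. The `SAMPLE_LVM_CONF` text is a constructed excerpt shaped like the file the augtool session would leave behind.

```python
import re

# Constructed lvm.conf excerpt (made up for this example, not copied from a real system).
SAMPLE_LVM_CONF = """
# Configuration section devices.
devices {
    dir = "/dev"
    scan = [ "/dev" ]
    # A rejected device is never opened by LVM, so DRBD backing devices and
    # device-mapper/zvol nodes are not scanned or activated on the host.
    global_filter = [ "r|^/dev/drbd.*|", "r|/dev/dm-.*|", "r|/dev/zd.*|" ]
    # filter = [ "a|.*/|" ]
}
global {
    use_lvmetad = 0
    locking_type = 1
}
"""

# The reject patterns the question wants in place (same values as the augtool session).
REQUIRED_REJECTS = ["r|^/dev/drbd.*|", "r|/dev/dm-.*|", "r|/dev/zd.*|"]

# Tokens, in priority order: comment, quoted string, punctuation, bare word.
TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|[\[\]{}=,]|[^\s"\[\]{}=,#]+')


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def parse_value(tokens, i):
    """Parse a scalar or a [ ... ] list starting at tokens[i]; return (value, next index)."""
    tok = tokens[i]
    if tok == "[":
        items, i = [], i + 1
        while tokens[i] != "]":
            if tokens[i] == ",":
                i += 1
                continue
            item, i = parse_value(tokens, i)
            items.append(item)
        return items, i + 1
    if tok.startswith('"'):
        return tok[1:-1], i + 1
    try:
        return int(tok), i + 1
    except ValueError:
        return tok, i + 1


def parse_section(tokens, i):
    """Parse `name = value` and `name { ... }` entries until a closing brace or end of input."""
    section = {}
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"unexpected end of input after {name!r}")
        if tokens[i + 1] == "{":
            section[name], i = parse_section(tokens, i + 2)
            i += 1  # step over the closing brace of the subsection
        elif tokens[i + 1] == "=":
            section[name], i = parse_value(tokens, i + 2)
        else:
            raise ValueError(f"unexpected token {tokens[i + 1]!r} after {name!r}")
    return section, i


def parse_lvm_conf(text):
    """Return the configuration as nested dicts: {"devices": {...}, "global": {...}, ...}."""
    tree, _ = parse_section(tokenize(text), 0)
    return tree


def check_lvm_conf(text):
    """Return a list of findings; an empty list means the expected settings are in place."""
    conf = parse_lvm_conf(text)
    findings = []
    if conf.get("global", {}).get("use_lvmetad") != 0:
        findings.append("global/use_lvmetad is not 0")
    global_filter = conf.get("devices", {}).get("global_filter")
    if not isinstance(global_filter, list):
        findings.append("devices/global_filter is missing")
    else:
        for pattern in REQUIRED_REJECTS:
            if pattern not in global_filter:
                findings.append("global_filter lacks " + pattern)
    return findings


if __name__ == "__main__":
    print(check_lvm_conf(SAMPLE_LVM_CONF) or "lvm.conf looks as expected")
```

To check a live system, read `/etc/lvm/lvm.conf` and pass its contents to `check_lvm_conf`; a non-empty result lists exactly which setting the edit missed.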

Wireshark log file conversion to text file through CLI (in Windows 7)

For some automation purposes I have the following requirements for the Wireshark log file (.pcap):
1-Conversion of Wireshark logs (.pcap file) to a text file with the details of the packets.
2-Conversion of Wireshark logs (.pcap file) to a text file with some filter (e.g. bssgp.pdu_type == 0x00) with the details of the packets.
I know how to convert the Wireshark files to a text file through the GUI,
but I need the CLI commands for the same to automate the procedure.
Thanks in advance.
To convert a .pcap file to text output, you can run:
tshark -V -r file.pcap > file.txt
If you only want to convert certain packets that match a Wireshark display filter, then using your filter, you can run:
tshark -Y "bssgp.pdu_type == 0x00" -V -r file.pcap > file.txt
If the -V option provides too much detail, you can limit the detail to specific protocol(s) by using the -O option instead. For example, to provide details for bssgp only and a summary for all other protocols, try:
tshark -Y "bssgp.pdu_type == 0x00" -O bssgp -r file.pcap > file.txt
Refer to the tshark man page for more details about these options.

How to extract full set of features from an existing pcap file using tshark or any other tool?

I am new to network traffic analysis.
I have used the following Tshark command, but no luck.
C:\Program Files\Wireshark>tshark -r C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\small_00057_20100613213752.pcap separator=, -R "tcp.data" -T fields frame.number -e appName -e totalSourceBytes > C:\Users\Ravi\Desktop\IDS-augustdocuments\iscxdataset\testbed13jun.pcapCopy\split\18oct.csv
tshark: "=" was unexpected in this context.
Any suggestions to extract features like Direction (for the flows), totalSourceBytes, totalDestinationBytes, totalDestinationPackets, totalSourcePackets, sourceTCPFlagsDescription, etc.?
Yes. Bro IDS or Argus (Auditing Network Activity).
Argus example:
racluster -L0 -m proto -r filepcap.arg -s proto saddr daddr spkts dpkts sbytes dbytes
Proto SrcAddr DstAddr SrcPkts DstPkts SrcBytes DstBytes
udp 84.125.xxx.xxx 0.0.0.0 2634 2580 205131 317889
tcp 84.125.xxx.xxx 0.0.0.0 34143 42585 6078099 48276978
arp 84.125.xxx.xxx 84.xxx.xxx.x 3 3 126 180
Best Regards,
You have to use quotes:
separator=","
I used Bro IDS to get the required fields from the conn.log file.
1) Configure the Bro IDS
(Follow this link to install Bro IDS)
https://www.digitalocean.com/community/tutorials/how-to-install-bro-ids-2-2-on-ubuntu-12-04
2) Start the Bro IDS
3) Use the command "bro -r your pcap file.pcap"; this will generate .log files in the current directory.
4) Inspect the logs like conn.log, dns.log, http.log, etc. for the different pieces of information from the pcap file.
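Bro's conn.log already carries, per flow, most of the counters the question lists (originator and responder bytes and packets, the service, a connection state and a history string), so the remaining work is a TSV parser and a renaming. The following is an added example, not code from the answer above or from the Bro/Zeek project: it parses a constructed conn.log excerpt (a subset of the real column set, rows made up for the example), derives an ISCX-style direction relative to an assumed local network `10.0.0.0/8`, and approximates `sourceTCPFlagsDescription` from the originator (uppercase) letters of Bro's history string, which is a simplification of what the ISCX column contains.

```python
import ipaddress

# Constructed Bro/Zeek-style conn.log excerpt: tab-separated, with the usual "#fields"
# header line. Rows are made up for this example; the column set is a subset of a real log.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\thistory\torig_pkts\tresp_pkts",
    "1276457872.000000\tCa1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp"
    "\t0.250000\t420\t15800\tSF\tShADadFf\t6\t14",
    "1276457873.000000\tCa2\t10.0.0.5\t51001\t192.0.2.20\t443\ttcp\tssl"
    "\t1.100000\t1200\t9000\tSF\tShADadFf\t9\t11",
    "1276457874.000000\tCa3\t10.0.0.7\t40000\t192.0.2.53\t53\tudp\tdns"
    "\t0.010000\t60\t120\tSF\tDd\t1\t1",
    "1276457875.000000\tCa4\t198.51.100.9\t44444\t10.0.0.5\t22\ttcp\t-"
    "\t-\t-\t-\tS0\tS\t1\t0",
    "#close\t2010-06-13-21-40-00",
])

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" network (constructed)

# Uppercase letters in Bro's history string describe the originator side. Only the
# TCP-flag letters are mapped; D (payload data) and the rest are not flags and are skipped.
HISTORY_FLAGS = {"S": "S", "A": "A", "F": "F", "R": "R"}


def parse_bro_log(text):
    """Parse a Bro/Zeek TSV log into a list of dicts; the unset marker '-' becomes None."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue  # other metadata lines: #separator, #path, #types, #close, ...
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count mismatch: " + line)
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def as_int(value):
    return int(value) if value is not None else 0


def direction(orig_h, resp_h):
    """ISCX-style flow direction (L2R, R2L, L2L, R2R) relative to LOCAL_NET."""
    o = ipaddress.ip_address(orig_h) in LOCAL_NET
    r = ipaddress.ip_address(resp_h) in LOCAL_NET
    return {(True, True): "L2L", (True, False): "L2R",
            (False, True): "R2L", (False, False): "R2R"}[(o, r)]


def source_tcp_flags(row):
    """Comma-separated originator TCP flags derived from the history string (tcp only)."""
    if row["proto"] != "tcp" or not row["history"]:
        return ""
    return ",".join(HISTORY_FLAGS[c] for c in row["history"] if c in HISTORY_FLAGS)


def flow_features(rows):
    """One feature record per conn.log row, named after the columns in the question."""
    features = []
    for r in rows:
        features.append({
            "uid": r["uid"],
            "appName": r["service"] or "unknown",
            "direction": direction(r["id.orig_h"], r["id.resp_h"]),
            "totalSourceBytes": as_int(r["orig_bytes"]),
            "totalDestinationBytes": as_int(r["resp_bytes"]),
            "totalSourcePackets": as_int(r["orig_pkts"]),
            "totalDestinationPackets": as_int(r["resp_pkts"]),
            "sourceTCPFlagsDescription": source_tcp_flags(r),
            "halfOpen": r["conn_state"] == "S0",  # SYN seen, never answered
        })
    return features


if __name__ == "__main__":
    for feature in flow_features(parse_bro_log(SAMPLE_CONN_LOG)):
        print(feature)
```

The `halfOpen` field is not one of the ISCX columns; it is included because S0 flows (a SYN with no reply) are cheap to flag from conn.log and are worth keeping when the features feed an intrusion-detection dataset.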

Read all HTTP URLs from PCAP file

I am trying to read all HTTP URLs from a PCAP file using this command:
tshark -R -e http.request.uri -r C:file.pcap
And got the message
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
What's wrong with my filter?
Using the filter as a single pass, as suggested, does it for me:
tshark -Y http.request.uri -r capturefile

tshark - help finding tshark 1.6.7 field names

Trying to convert pcap to txt and showing specific fields.
On tshark 1.12.4 this works:
tshark -nr "input_file.pcap" -E header=y -e frame.number -e frame.time -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info -e data -T fields -V "tcp or udp" > "output_file.txt"
Sadly, on tshark 1.6.7 (which is kind of mandatory) the protocol and info columns don't show.
I've tried all the combinations I could find online: _ws.col.Info, _ws.col.info, col.Info, col.info, Info, info.
Couldn't find anything else.
Any suggestions how to make those columns show in the output txt file?
Best.
Any suggestions how to make those columns show in the output txt file?
Talk to whoever is in charge of making 1.6.7 mandatory, convince them not to make it mandatory, and then upgrade to a newer version of Wireshark. That feature - the ability to show columns with -T fields - didn't exist in 1.6.x; it was added later, in the 1.10 release, as the Bugzilla entry for the enhancement request for it indicates.