Filter specific API using Tshark - wireshark

I run
tshark -i eth0 -f "port 80" -w example.pcap
to capture the HTTP traffic. And then I run tshark -r example.pcap -Y xml.tag to filter the xml. Is this the correct way of filtering the API (SOAP/REST)? Are there any other ways of doing it?

Related

how to only print Lua output with tshark

I am using a Lua script with tshark and when I run it with -V I get the protocol decode output. When I try anything else to limit output to just the Lua decoded data I am not having any luck. i.e.
tshark -X lua_script:my.lua -r input.pcap.gz -w output.pcap -O "my lua protocol" or tshark -X lua_script:my.lua -r input.pcap.gz -w output.pcap -O "my lua protocol" -V
even when I try -O udp -V I do not get the protocol output.
Any ideas?

How to capture MQTT data locally in SSH remote server using Wireshark?

I want to capture MQTT packets on the SSH Linux-based remote server using Wireshark from my home. I can capture data go out through the Internet, such as when I use this command line mosquitto_pub -h test.mosquitto.org -t topic -m "Hello", I can see the packets in Wireshark. But, When I publish data in localhost, such as using this command mosquitto_pub -d -h localhost -t hello/world -m "75" I can't see any packets in Wireshark. I want to make a client/server in the same remote server.
I use this command to open Wireshark:
sudo ssh user#x.x.x.x tcpdump -U -s0 -w - | wireshark -k -i -
I know only a basic thing in Wireshark, so please how I solve this?
You didn't specify the interface that tcpdump should capture on. Try adding the -i lo option, as in:
sudo ssh user#x.x.x.x tcpdump -i lo -U -s0 -w - | wireshark -k -i -

How to hide data displayed on the terminal while executing tshark?

I need to hide data that is displayed while executing tshark command line for wireshark:
tshark -i tun0 -T ek -w /home/PCAP_Folder/Sim_Run1st.pcap
I am running two program simultaneously
The following will send the output to /dev/null:
tshark -i tun0 -T ek -w /home/PCAP_Folder/Sim_Run1st.pcap > /dev/null
If you also want to hide any error message:
tshark -i tun0 -T ek -w /home/PCAP_Folder/Sim_Run1st.pcap &> /dev/null
Note that if you also hide the error messages, the -T ek option becomes pointless.

Docker : sharing /dev/snd on multiple containers leads to "device or resource busy"

When adding host device (--device /dev/snd) to a Docker container, I sometimes encounter Device or resource busy errors.
Example
I have reproduced the issue with a minimal example involving audio (alsa). Here's my Dockerfile (producing an image docker-device-example) :
FROM debian:buster
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
alsa-utils \
&& rm -rf /var/lib/apt/lists/*
I am running the following command (speaker-test is a tool to generate a tone that can be used to test the speakers), with /dev/snd shared :
docker run --rm \
-i -t \
--device /dev/snd \
docker-device-example \
speaker-test
Issue
When running the previous command, a pink noise is played, but only under some conditions :
if I am not playing any sound on my host : for example, if I'm playing a video, and that even if the video is paused, the command fails
if I am not running another container accessing the /dev/snd device
It looks like the /dev/snd is "locked" when used, and if that is the case, I got the following output (the error is represented by the last 2 lines) :
speaker-test 1.1.6
Playback device is default
Stream parameters are 48000Hz, S16_LE, 1 channels
Using 16 octaves of pink noise
ALSA lib pcm_dmix.c:1099:(snd_pcm_dmix_open) unable to open slave
Playback open error: -16,Device or resource busy
And, vice versa, if the pink noise is played (on the container), then I cannot play any sound on my host (Ubuntu). But commands on my host does not fail with the same message. Instead, the command on the host (like aplay test.wav to play a simple sound) is blocked indefinitely (even when the container is shutdown afterwards).
I tried to debug by running strace aplay test.way, and the command seems to be blocked on the poll system call :
poll([{fd=3, events=POLLIN|POLLERR|POLLNVAL}], 1, 4294967295
Question
How can I play sounds from 2 (or more) different containers, or from my host and a container, at the same time?
Additional info
I've reproduced the issue with /dev/snd, but I don't know if similar things happen when using other devices, or if it's just related to sound devices or to alsa.
Note also that when running multiple speaker-test or aplay commands simultaneously and all on my host (no containers involved), then all sounds are played.
I can't tell how to solve this with ALSA, but can provide 2 possible ways with pulseaudio. If these setups fail, install pulseaudio in image to make sure dependencies are fullfilled.
ALSA directly accesses sound hardware and blocks access to it for other clients. But it is possible to set up ALSA to serve multiple clients. That has to be answered by someone else. Probably some ALSA dmix plugin setup is the way to go.
Pulseaudio with shared socket:
Create pulseaudio socket:
pactl load-module module-native-protocol-unix socket=/tmp/pulseaudio.socket
Create /tmp/pulseaudio.client.conf for pulseaudio clients:
default-server = unix:/tmp/pulseaudio.socket
# Prevent a server running in the container
autospawn = no
daemon-binary = /bin/true
# Prevent the use of shared memory
enable-shm = false
Share socket and config file with docker and set environment variables PULSE_SERVER and PULSE_COOKIE. Container user must be same as on host:
docker run --rm \
--env PULSE_SERVER=unix:/tmp/pulseaudio.socket \
--env PULSE_COOKIE=/tmp/pulseaudio.cookie \
--volume /tmp/pulseaudio.socket:/tmp/pulseaudio.socket \
--volume /tmp/pulseaudio.client.conf:/etc/pulse/client.conf \
--user $(id -u):$(id -g) \
imagename
The cookie will be created by pulseaudio itself.
Pulseaudio over TCP:
Get IP address from host:
# either an arbitrary IPv4 address
Hostip="$(ip -4 -o a | awk '{print $4}' | cut -d/ -f1 | grep -v 127.0.0.1 | head -n1)"
# or especially IP from docker daemon
Hostip="$(ip -4 -o a| grep docker0 | awk '{print $4}' | cut -d/ -f1)"
Run docker image. You need a free TCP port, here 34567 is used.
(TCP port number must be in range of cat /proc/sys/net/ipv4/ip_local_port_range and must not be in use. Check with ss -nlp | grep 34567.)
docker run --rm \
--name pulsecontainer \
--env PULSE_SERVER=tcp:$Hostip:34567 \
imagename
After docker run get IP of container with:
Containerip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' pulsecontainer)"
Load pulseaudio TCP module authenticated with container IP:
pactl load-module module-native-protocol-tcp port=34567 auth-ip-acl=$Containerip
Be aware that the TCP module is loaded after container is up and running. It takes a moment until pulseaudio server is available for container applications.
If TCP connection fails, check iptables and ufw settings.
A How-To summarizing these setups: https://github.com/mviereck/x11docker/wiki/Container-sound:-ALSA-or-Pulseaudio

tshark follow TCP stream upon condition

I want to dump in a one-liner all TCP traffic of a stream after a specific condition. In other words, I want to do something like:
tshark -i wlan0 -s 0 -z follow,tcp,raw,x
x=`tshark -i wlan0 -s 0 -Y 'http.request.full_uri contains "blah-blah" and http.request.method == GET' -n -Tfields -e tcp.stream`
How can I do that?
A solution with further information is given at: https://ask.wireshark.org/questions/49283/tshark-follow-tcp-stream-upon-condition

Resources