Multiple filter in tshark - wireshark

The filters -Y, -2 and -R in tshark are confusing in Wireshark version 2.XX.
In version 1.8, we were able to apply multiple filters and save the filtered packets in csv file using command below:
tshark.exe -r src.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) > filtered.csv
But this command does not work in versions 2.x. Please help if someone has applied a multi-filter in the new Wireshark versions.

You should be able to achieve what you want by replacing -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) with -Y "(ip.src==x.x.x.x)&&(ip.dst==y.y.y.y)".

On Windows 7, I had this working with Wireshark 2.2.1, adding -2 and quoting the string that follows the -R option, like this:
tshark.exe -r mypcap.pcapng -T fields -2 -e frame.number -e frame.time -e frame.len -E header=y -E separator=, -E quote=d -E occurrence=f -R "(ip.src==192.168.1.20)&&(ip.dst==20.1.168.192)"
Not quoting the expression after "-R" results in printing the fields and evaluating the expression. If the expression evaluates to TRUE, the filter is recognized and the result is given. Otherwise the filter (e.g. ip.src) will be evaluated as a command by the system, resulting in "command not recognized".

Related

Github action deploying to lightsail has suddenly started failing with dial tcp i/o timeout

I have a github action set up to deploy to an Amazon Lightsail server via ssh. It was working fine until it suddenly started failing with an i/o error. It has consistently failed now for 24 hours (I have tried it many times). I commented out everything in the script part and still get the error, so I know it isn't anything in the script. I think it's pretty clear that it is failing to reach the server and not even getting as far as attempting to run the script.
Here is the output:
Run appleboy/ssh-action#master
/usr/bin/docker run --name ea425b117d14f49c9448e1ae86bb8e0dfd290d_f25ed1 --label ea425b --workdir /github/workspace --rm -e "INPUT_HOST" -e "INPUT_USERNAME" -e "INPUT_KEY" -e "INPUT_PORT" -e "INPUT_SCRIPT" -e "INPUT_PASSPHRASE" -e "INPUT_PASSWORD" -e "INPUT_SYNC" -e "INPUT_USE_INSECURE_CIPHER" -e "INPUT_CIPHER" -e "INPUT_TIMEOUT" -e "INPUT_COMMAND_TIMEOUT" -e "INPUT_KEY_PATH" -e "INPUT_FINGERPRINT" -e "INPUT_PROXY_HOST" -e "INPUT_PROXY_PORT" -e "INPUT_PROXY_USERNAME" -e "INPUT_PROXY_PASSWORD" -e "INPUT_PROXY_PASSPHRASE" -e "INPUT_PROXY_TIMEOUT" -e "INPUT_PROXY_KEY" -e "INPUT_PROXY_KEY_PATH" -e "INPUT_PROXY_FINGERPRINT" -e "INPUT_PROXY_CIPHER" -e "INPUT_PROXY_USE_INSECURE_CIPHER" -e "INPUT_SCRIPT_STOP" -e "INPUT_ENVS" -e "INPUT_DEBUG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v 
"/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/carboncalc/carboncalc":"/github/workspace" ea425b:117d14f49c9448e1ae86bb8e0dfd290d
======CMD======
# cd /opt/bitnami/drupal
# git pull origin main
# composer -n install
# if [ $? -ne 0 ]; then
# exit 1
# fi
# drush updb
# drush cr
======END======
2023/01/18 11:24:51 dial tcp 104.21.26.173:22: i/o timeout
Someone has reported a similar issue here for MacOS runners but I am using ubuntu-latest. I've also tried with ubuntu-20.04 and had same issue.
I can't see any way to increase the timeout so if you know of a way please let me know.
Various people have raised issues on https://github.com/appleboy/ssh-action with the same issue but the answers are things like the SSH key being incorrect, the port being closed or the IP changing. But I have no problem ssh'ing from my machine, and the key that is stored in secrets is the same one that was working a few days ago.
There is plenty of disk space on the target machine.
OP here. Turns out the problem was that I was using the hostname in the ssh command, rather than the IP. For some AWS-magicky reason, the hostname was resolving to an internal IP. It was different from the IP which I use when successfully SSH'ing from my local machine. So I replaced the hostname with this IP, and it started working again.

How To Extract The Name of the Level 7 HTTP2 Application in Tshark

So by default when you open a pcap in wireshark it looks something like this.
But I want to view the name of the websites, so I have to find the host (HTTP) or :authority (HTTP2) header then apply it as a column so that I have the name of the website in my display. Once that is done I can export the pcap as a CSV with the name of the websites include CSV.
My question is how do I do this in tshark? Especially for HTTP2. There's lots of information on how to do this for HTTP.
From the tshark man page:
-T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
...
fields The values of fields specified with the -e option, in a form
specified by the -E option. For example,
tshark -T fields -E separator=, -E quote=d
So in your case, you might use something like:
tshark -r Wednesday.pcap -Y http2 -T fields -E separator=, -E quote=d -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e http2.headers.authority -e _ws.col.Info > Wednesday.csv
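To turn the CSV written by the command above into the list of sites that were contacted, here is an added example (not from the thread) that counts the http2.headers.authority values per host; the sample rows are constructed, and the column layout assumes the exact -e order and -E options of that command.

```shell
#!/bin/sh
# Added example (not from the original thread): count which HTTP/2 :authority
# values appear in the CSV written by "tshark -T fields ... > Wednesday.csv".
# Reads the CSV on stdin; expects -E header=y, -E separator=, and -E quote=d.
count_authorities() {
    awk -v col="http2.headers.authority" '
        {
            # Strip the outer quotes added by -E quote=d, then split on the
            # "," boundary between quoted fields. Empty fields stay empty.
            sub(/^"/, ""); sub(/"$/, "")
            n = split($0, f, /","/)
        }
        NR == 1 {
            # Header row: locate the requested column by name.
            for (i = 1; i <= n; i++) if (f[i] == col) idx = i
            if (!idx) { print "column " col " not found" > "/dev/stderr"; exit 2 }
            next
        }
        # Only HEADERS frames carry :authority; DATA frames leave it empty.
        idx <= n && f[idx] != "" { count[f[idx]]++ }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# Constructed sample rows (documentation addresses) in the same column order
# as the command above.
SAMPLE_CSV='"frame.number","frame.time_relative","ip.src","ip.dst","_ws.col.Protocol","frame.len","http2.headers.authority","_ws.col.Info"
"1","0.000000","192.0.2.5","198.51.100.10","HTTP2","120","example.com","HEADERS[1]: GET /"
"2","0.001200","198.51.100.10","192.0.2.5","HTTP2","1400","","DATA[1]"
"3","0.250000","192.0.2.5","198.51.100.10","HTTP2","118","example.com","HEADERS[3]: GET /a"
"4","0.300000","192.0.2.5","198.51.100.20","HTTP2","130","www.example.net","HEADERS[1]: GET /"'

# Usage: printf '%s\n' "$SAMPLE_CSV" | count_authorities
```

tshark joins repeated values of one field with a comma unless -E occurrence=f or -E aggregator=<char> is given, so with separator=, a frame carrying several :authority values shifts the column count on that row. Locating the column by header name does not protect against that shift, so add one of those options to the command when the capture contains such frames.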

Filter a PCAP file using tshark : show ip source>ip destination:info in a txt file

I need a tshark command so I can create a txt file containing Ipsource>Ipdestination:Info in this order! I tried this command
tshark -T fields -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -E separator=, -e ip.src -e ip.dst > "C:\Users\dell\Desktop\walima22.txt"
but I can't change the separator and show the infos.
There are generally 2 solutions for printing specific column data, one using column-specifiers and the other using fields, similar to what you have.
Using column-specifiers:
Standard specifiers as described by tshark.exe -G column-formats:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -o "gui.column.format:\"Source\",\"%s\",\"Destination\",\"%d\",\"Info\",\"%i\""
... or using custom columns for those fields that are supported:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -o "gui.column.format:\"Source\",\"%Cus:ip.src\",\"Destination\",\"%Cus:ip.dst\",\"Info\",\"%i\""
Using Fields:
tshark.exe -n -r "C:\Users\dell\Desktop\tracecomplete.pcap" -T fields -E separator=, -e ip.src -e ip.dst -e _ws.col.Info
but I can't change the separator
You should be able to change it using the -E option. Refer to the tshark man page for more help with this option.

How to add an extra column to Tshark's output (while keeping the default ones)?

I would like to add a Tshark column that tells me which type of ICMP packet has been captured. This would be the following: icmp.type
While I still need the default columns, how can I make Tshark also show this one?
I've already seen the option to work with -T fields and -e but then all the default columns are left out.
You can add the default columns and use for instance:
tshark -i 1 -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type -E header=y > output.csv
See tshark -h or the man-page for more information.
If you want to add something to the default summary output, you can also use:
-z proto,colinfo,filter,field
For example something like:
-z proto,colinfo,tcp.seq,tcp.seq
Will show this:
1 2018-10-10 10:39:54 192.168.0.10 -> 192.168.0.1 SSH 198 Encrypted response packet len=132 tcp.seq == 1

Grep with color and multiple excludes

I would like to do a grep to dig through my code hierarchy and look for the term "x", but color the results and exclude annoying terms. Right now I do:
grep -Rn --color x * | grep -v -e html -e svn -e test -e doc -e y
The problem is that this loses the matching color because of the pipe. Is there anyway to make this one statement so that the coloring isn't lost?
Specify --color=always to preserve color formatting through pipes:
grep --color=always x * | grep -v -e html -e svn -e test -e doc -e y
And later on if you happen to need to pipe the result into a file and need to remove the escape characters that format color, here's a nifty sed script you can pipe your results through to remove the escape characters:
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mK]//g"
(Note that you need -E option instead of -r for OS X)
You can try repeating the color search:
grep -Rn --color x * | grep -v -e html -e svn -e test -e doc -e y | grep --color x
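As an added example (not from either answer), the two things asked for above in one runnable script: a single grep invocation that keeps its colour and drops the unwanted paths with --exclude-dir/--exclude instead of a second grep -v, and a strip_ansi filter for the escape sequences that works with both GNU sed and macOS sed; the sample tree it searches is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread).
#  1) grep_code: one grep invocation that keeps --color and skips the unwanted
#     paths with --exclude-dir/--exclude, so no second grep -v is needed.
#  2) strip_ansi: remove the SGR colour escapes (ESC [ ... m / K) before the
#     output is written to a file. A literal ESC is used so the same command
#     works with GNU sed and with macOS sed (which has -E but not -r or \x1B).
ESC=$(printf '\033')

strip_ansi() {
    sed -E "s/${ESC}\[[0-9;]*[mK]//g"
}

grep_code() {
    # $1 = search term, $2 = tree root. --color=always keeps the escapes even
    # when stdout is a pipe; --exclude-dir and --exclude replace the grep -v chain.
    grep -Rn --color=always \
        --exclude-dir=.svn --exclude-dir=test --exclude-dir=doc \
        --exclude='*.html' -- "$1" "$2"
}

# Constructed sample tree so the functions can be exercised offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/test" "$d/doc" "$d/.svn"
    printf 'int x = 1;\n' > "$d/src/main.c"
    printf 'x in test\n'  > "$d/test/t.c"
    printf 'x in docs\n'  > "$d/doc/x.txt"
    printf '<b>x</b>\n'   > "$d/src/page.html"
    printf 'x meta\n'     > "$d/.svn/entries"
    echo "$d"
}

# Usage: T=$(make_sample_tree); grep_code x "$T"; grep_code x "$T" | strip_ansi > hits.txt
```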
