I am trying to do this: set Wireshark filter to "http contains site.do" in tshark. I'm not sure how to do this using just the command line version. How do I do that?
Try
tshark -Y "http contains site.do"
This is because display filters are different from capture filters. For example, you can use a capture filter to save the http traffic of one host.
tshark -f "host www.site.do and (port 80 or port 443)" -w example.pcap
You can get more info about the capture filters here
After googling for hours and trying not to get lost in the different tshark versions, I still can't figure out which command line options to tshark I should use to get the full (reassembled) JSON requests and responses (the JSON data structures).
tshark 2.2.2 used on a live eth0 interface, not to parse pcap files.
The requests and responses are gzipped and need to be decoded.
All the related wireshark issues that seemed related are marked as "fixed" so I think in the 2.2.2 it should be possible.
I found a working solution. It doesn't work on a live interface and requires first saving a pcap file, but it is the best I managed to do with tshark.
Step 1 (capture network traffic):
tshark -i eth0 -f "port 9088" -w capture.pcap
Step 2 (list captured tcp streams):
tshark -r capture.pcap -T fields -e tcp.stream | sort -u
Step 3 (dump the content of one particular tcp stream):
tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number
Notice the "-d tcp.port==9088,http" option to force http decoding on this port, as in my case it is a socks5 proxy running on that port.
Most importantly, "-z follow,http,ascii,_your_stream_number", where the "follow,http" feature decodes gzipped http body content; it is undocumented and only available from version 2.2.0 of wireshark/tshark.
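The answer above relies on tshark's "follow,http" feature to gunzip response bodies. As an added example (not code from the original answer or from the Wireshark project), the following Python script does the same decoding by hand on a raw HTTP response, which is what you get from an ASCII or raw TCP stream dump on builds that lack "follow,http". It handles chunked transfer encoding and gzip/deflate content encoding, and refuses encodings it does not understand rather than returning garbage. The sample response is constructed inline (it is not a captured packet), and the function names are my own.

```python
import gzip
import json
import zlib

# Constructed sample (not captured from any real host): an HTTP/1.1 response whose
# JSON body is gzip-compressed and sent with chunked transfer encoding.
_SAMPLE_JSON = b'{"status": "ok", "items": [1, 2, 3]}'


def _chunked(payload: bytes, size: int = 16) -> bytes:
    """Encode payload as HTTP/1.1 chunked transfer encoding (used only to build the sample)."""
    out = b""
    for i in range(0, len(payload), size):
        chunk = payload[i:i + size]
        out += b"%x\r\n%s\r\n" % (len(chunk), chunk)
    return out + b"0\r\n\r\n"


SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + _chunked(gzip.compress(_SAMPLE_JSON))
)


def parse_headers(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; stops at the zero-length terminating chunk."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunked body")
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extensions
        pos = eol + 2
        if size == 0:
            return out
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates this chunk


def decode_body(raw: bytes) -> bytes:
    """Return the decoded entity body of a raw HTTP response."""
    _status, headers, body = parse_headers(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        body = zlib.decompress(body)
    elif encoding != "identity":
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    return body


if __name__ == "__main__":
    # Decode the constructed sample and parse the JSON it carries.
    print(json.loads(decode_body(SAMPLE_RESPONSE)))
```

To use it on real data, pipe the server-to-client half of a stream dump into decode_body; a multi-response stream would need splitting on each status line first, which this example does not do.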
http://pktgen.readthedocs.org/en/latest/running.html
This is the pktgen DPDK application. The screenshot in that link shows how ports are configured. But for me it doesn't configure at all. I am looking for help as a beginner.
First, as you may know, pktgen is an application that uses the DPDK framework; thus, you should have bound at least one NIC to DPDK. Check the documentation about DPDK: DPDK building instructions. You should see your NIC correctly bound with this command:
# path/to/DPDK/tools/dpdk_nic_bind.py --status
Then, you can run pktgen. The ports you want to use are specified with the -p option (It's a specific pktgen option so it's after the --). It's a port mask, so for instance, if you want only the first port (port 0) you can use -p 0x1.
Then, the -m option permits you to choose which core will handle which DPDK port. The syntax is not really obvious; I suggest you read the doc of pktgen about this option: pktgen command line options.
For example, to be short, the option -m "[1:3].0" says you want CPU core 1 to handle "RX port 0", and CPU core 3 to handle "TX port 0".
A simple command line for pktgen, if you use only one port running on two cores could be:
./app/pktgen -c 0x7 -n 3 -- -p 0x1 -P -m "[1:2].0"
In that case, CPU cores 1 and 2 (possible because of the "-c 0x7" option) will be used to handle respectively RX and TX of port 0 (configured with "-p 0x1"). Note that -P is for promiscuous mode.
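The -c core mask, -p port mask and -m mapping have to agree with each other, and pktgen's error messages when they do not are terse. As an added example (my own code, not part of pktgen), the Python below decodes the masks and the -m string and reports mismatches before you launch. It assumes the -m grammar described in the answer, generalised slightly: a comma-separated list of "[rx:tx].port" entries, where rx, tx and port may be a single number, a range like 1-2, or a "/"-separated list, and a bare "core.port" puts RX and TX on one core. The check that the lowest core in -c is kept free (pktgen uses its main lcore for the display and timers) is also an assumption of this example.

```python
def bits(mask: int) -> list:
    """Bit positions set in a mask: 0x5 -> [0, 2]."""
    return [i for i in range(mask.bit_length()) if mask >> i & 1]


def expand_range(spec: str) -> list:
    """'3' -> [3]; '1-3' -> [1, 2, 3]; '1-2/5' -> [1, 2, 5] ('/' separates list items)."""
    out = set()
    for part in spec.split("/"):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return sorted(out)


def parse_core_map(mapping: str) -> list:
    """Parse a pktgen -m string into (port, rx_cores, tx_cores) tuples (assumed grammar)."""
    result = []
    for entry in mapping.replace(" ", "").split(","):
        if not entry:
            continue
        cores, dot, ports = entry.rpartition(".")
        if not dot:
            raise ValueError(f"entry {entry!r} has no '.port' part")
        if cores.startswith("[") and cores.endswith("]"):
            rx_spec, _, tx_spec = cores[1:-1].partition(":")
            rx = expand_range(rx_spec)
            tx = expand_range(tx_spec) if tx_spec else rx
        else:
            rx = tx = expand_range(cores)  # bare core: handles both directions
        for port in expand_range(ports):
            result.append((port, rx, tx))
    return result


def check_config(coremask: int, portmask: int, mapping: str) -> list:
    """Return a list of problems found in the -c / -p / -m combination (empty if consistent)."""
    problems = []
    enabled_cores = set(bits(coremask))
    main_core = min(enabled_cores) if enabled_cores else None  # assumed reserved for pktgen
    enabled_ports = set(bits(portmask))
    for port, rx, tx in parse_core_map(mapping):
        if port not in enabled_ports:
            problems.append(f"port {port} is in -m but bit {port} is not set in -p 0x{portmask:x}")
        for core in sorted(set(rx) | set(tx)):
            if core not in enabled_cores:
                problems.append(f"core {core} (port {port}) is not enabled in -c 0x{coremask:x}")
            elif core == main_core:
                problems.append(f"core {core} (port {port}) is the lowest core in -c, which pktgen keeps for itself")
    return problems


if __name__ == "__main__":
    # The command line from the answer: ./app/pktgen -c 0x7 -n 3 -- -p 0x1 -P -m "[1:2].0"
    for args in [(0x7, 0x1, "[1:2].0"), (0x7, 0x1, "[1:3].0"), (0x3, 0x1, "[0:1].0")]:
        print(args, check_config(*args) or "ok")
```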
I am using the below code to get tcpdump output of a URL in iOS, but it is printing in the console. How can I get the response into an NSString object?
system("tcpdump -i en1 -A -vvv host www.facebook.com");
I think tcpdump has an output file param, or you can use output redirection and then read everything from the saved file.
tcpdump -l -i en0 -A -vvv host www.facebook.com > /tmp/facebook_packets.txt
The tmp path is just an example; use any you like.
edit:
An alternative way: redirect the output to an NSPipe; see the answer here: How to get the log from system();?
Using tshark, how would I get it to just decode and display the application layer?
For example, I can capture and decode snmp traffic using:
sudo tshark -V -i lo -d udp.port==161,snmp
This will decode all layers, from the physical layer up to the application layer (output snipped):
Frame 120: 134 bytes on wire (1072 bits), ...
Interface id: 0
....
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00...
Destination: 00:00:00_00:00:00 ...
....
Internet Protocol Version 4, Src: 127.0.0.1...
Version: 4
....
User Datagram Protocol, Src Port: snmp (161), ....
Source port: snmp (161)
....
Simple Network Management Protocol
version: v2c (1)
community: public
....
(I just want the decode from "Simple Network Management Protocol" onwards).
Other things I've considered
I'm aware of using fields output (e.g. -e snmp.community). Specifying all the fields for snmp would take forever...
I could use pdml output, and transform the results using XSLT. But pdml output is slow and using XSLT seems like overkill:
sudo tshark -V -T pdml -i lo -d udp.port==161,snmp
<proto name="udp" showname="User Datagram Protocol...
<field name="udp.srcport"...
<proto name="snmp" showname="Simple...
<field name="snmp.version" showname="version: v2c...
You can use the -O option, as indicated by the help output:
-O <protocols> Only show packet details of these protocols, comma separated
$ tshark -i 4 -O snmp -q -V > snmp.txt
See also the TShark man-page:
-O Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.
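The -O option in the answer is the right tool when your tshark has it. As an added example (my own code, not from the question, the answer or the Wireshark project), the Python below does the same trimming as a post-processing step on plain -V output, for builds where -O is missing or when you already have a saved -V dump: it splits the text into packets (tshark separates them with a blank line), groups each packet's lines into top-level protocol sections (unindented header line plus its indented fields), and keeps everything from the first section whose header starts with the name you give, which is exactly "from Simple Network Management Protocol onwards". The sample dump is constructed and abridged from the listing in the question; the function names are my own.

```python
import sys

# Constructed, abridged sample of `tshark -V` output (modelled on the question's
# listing, not real capture data). Protocol headers are unindented, their fields
# are indented beneath them, and packets are separated by a blank line.
SAMPLE_V_OUTPUT = """\
Frame 120: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
    Interface id: 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
    Version: 4
User Datagram Protocol, Src Port: snmp (161), Dst Port: 41262 (41262)
    Source port: snmp (161)
Simple Network Management Protocol
    version: v2c (1)
    community: public
    data: get-request (0)

Frame 121: 110 bytes on wire (880 bits), 110 bytes captured (880 bits)
    Interface id: 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 41262 (41262), Dst Port: snmp (161)
Simple Network Management Protocol
    version: v2c (1)
    community: public
    data: get-response (2)
"""


def split_packets(text: str) -> list:
    """Split -V output into per-packet lists of lines, using blank lines as separators."""
    packets, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            packets.append(current)
            current = []
    if current:
        packets.append(current)
    return packets


def protocol_sections(packet_lines: list) -> list:
    """Group one packet's lines into (header, lines) per top-level protocol."""
    sections = []
    for line in packet_lines:
        if line[:1].isspace() and sections:
            sections[-1][1].append(line)  # indented: a field of the current protocol
        else:
            sections.append((line, [line]))  # unindented: a new protocol header
    return sections


def keep_from(text: str, header_prefix: str, only: bool = False) -> str:
    """Keep each packet from the protocol whose header starts with header_prefix onwards
    (or only that protocol when only=True, which mirrors -O). Packets without it are dropped."""
    out = []
    for packet in split_packets(text):
        sections = protocol_sections(packet)
        start = next((i for i, (hdr, _) in enumerate(sections) if hdr.startswith(header_prefix)), None)
        if start is None:
            continue
        chosen = sections[start:start + 1] if only else sections[start:]
        out.append("\n".join(line for _, lines in chosen for line in lines))
    return "\n\n".join(out)


if __name__ == "__main__":
    # Usage: tshark -V ... | python3 trim_v.py "Simple Network Management Protocol"
    wanted = sys.argv[1] if len(sys.argv) > 1 else "Simple Network Management Protocol"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_V_OUTPUT
    print(keep_from(text, wanted))
```

Because it matches on the header line, the script works for any dissector name that -V prints, not just SNMP; pass only=True to mimic what -O shows for that protocol.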
I have installed wireshark on Ubuntu, When I run it:
/usr/bin/wireshark
I get an error:
(wireshark:27945): Gtk-WARNING **: cannot open display:
I want to run wireshark on the command prompt.
I don't want to use the UI. I'm not sure why it is complaining about a display, I want to run it on a port.
You can try tshark - which is a "console based wireshark" which is part of wireshark project.
You should read man tshark.
For example, to capture http packets on port 80, run:
tshark -f 'tcp port 80 and http'
P.S. Example was fixed to use capture filter instead of display filter.
On Ubuntu, running wireshark complains about display:
el#apollo:~$ wireshark
(wireshark:20619): Gtk-WARNING **: cannot open display:
Set the DISPLAY environment variable:
export DISPLAY=:0.0
/usr/bin/wireshark
Then it works:
el#apollo:~$ wireshark -Y
wireshark: option requires an argument -- 'Y'
Usage: wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
wireshark is an X application, so it needs to know where to send the X11 display output.