Edit TCP packets in pcap file - Wireshark

I need to make a tcpdump using Wireshark or tcpdump.
For some TCP streams in the log I need the full packet info.
But for the other TCP streams in the log I need to remove all info except the full URI info.
For this I'm going to use regular expressions.
If the URI, http.request or http.response matches some of the regular expressions,
then I need to store the full TCP stream info.
If it doesn't match, then I need to remove all TCP stream info except the full URI info.
I need this to reduce the log size.
What tool do you advise for this?
Or maybe some PHP/Python library would be helpful to create a script that will filter the log?

tcpick and tcpxtract are two tools available to filter and extract information from a tcpdump file. They are both open-source and available at sourceforge.net. You will have to write your own routine for how and what information you would like to extract. tcpick is fairly flexible regarding what parts of a packet you can view/extract.

I use TraceWrangler in my projects, which, despite being beta, works very well. It allows, in addition to editing the L2/L3 headers, to sanitize the packets.
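The filter the question asks for, as an added Python example (it is not code from the question or the answers, and not tcpick or TraceWrangler): a dependency-free pass over a classic pcap that keeps every packet of a TCP stream whose HTTP request URI matches a regex and, in every other stream, shortens each packet to its TCP header plus the request line, so only the URI survives for uninteresting streams. It assumes an uncompressed little-endian pcap of Ethernet/IPv4 frames and matches on the request URI only (the question's http.response case is not covered); tcp_frame is a constructed fixture for trying it offline.

```python
import re
import struct

# Classic little-endian pcap, link type 1 (Ethernet), IPv4 frames only (assumed input).
PCAP_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
REQ_LINE = re.compile(rb"[A-Z]+ (\S+) HTTP/1\.[01]\r\n")

def read_pcap(data):
    """Yield ((ts_sec, ts_usec, orig_len), captured_bytes) for each record."""
    off = PCAP_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        yield (ts_sec, ts_usec, orig), data[off:off + incl]
        off += incl

def write_pcap(records):
    """Serialise records; a cut-down packet keeps orig_len, so Wireshark shows it as truncated."""
    out = bytearray(PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for (ts_sec, ts_usec, orig), pkt in records:
        out += REC_HDR.pack(ts_sec, ts_usec, len(pkt), orig) + pkt
    return bytes(out)

def strip_unmatched_http(data, uri_pattern):
    """Keep whole TCP streams whose request URI matches uri_pattern (a bytes regex);
    in every other stream keep only the request line and cut all other TCP payload."""
    uri_re, keep, out = re.compile(uri_pattern), {}, []
    for hdr, pkt in read_pcap(data):
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            out.append((hdr, pkt))                  # not Ethernet/IPv4/TCP: pass through
            continue
        l4 = 14 + (pkt[14] & 0x0F) * 4              # TCP header offset (honours IP options)
        end = l4 + (pkt[l4 + 12] >> 4) * 4          # end of TCP header (honours TCP options)
        payload = pkt[end:]
        key = frozenset([pkt[26:30] + pkt[l4:l4 + 2], pkt[30:34] + pkt[l4 + 2:l4 + 4]])  # {src, dst}
        m = REQ_LINE.match(payload)
        if m:                                       # the request line decides the whole stream
            keep[key] = bool(uri_re.search(m.group(1)))
        if keep.get(key) or not payload:
            out.append((hdr, pkt))
        else:
            out.append((hdr, pkt[:end] + (payload[:m.end()] if m else b"")))
    return write_pcap(out)

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for demos (IP/TCP checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
```

Feed the result of strip_unmatched_http(open("in.pcap", "rb").read(), rb"^/api/") to a file and open it in Wireshark; the shortened packets are flagged as truncated, which is the intended effect.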

Related

Unable to decode COAP packets in Wireshark after successful DTLS decryption

I am trying to debug an LWM2M protocol issue. I need to know what messages are transferred between the COAP server and the COAP client. As the traffic is encrypted using DTLS, I need to give the pre-shared key to Wireshark to see the payload. Wireshark is successfully decrypting the payload, but I am not able to see the underlying COAP protocol messages. I am seeing just the raw data ("Application data").
But when I try sniffing unencrypted COAP traffic on a dummy setup, I can see the COAP messages properly.
How can I view the COAP protocol traffic using Wireshark when it is encrypted?
The problem is that you're using a non-standard port number for COAPS instead of the IANA-registered port of 5684, and the Wireshark COAP dissector's proto_reg_handoff_coap() function only registers to the DTLS dissector with that fixed, non-configurable port (DEFAULT_COAPS_PORT). There are some possible ways to fix this and/or work-around it.
1) If possible, change your application to use the standard port, 5684.
2) Modify the Wireshark COAP dissector to also register to the DTLS dissector with your desired port, or better yet to allow the port to be configurable, perhaps even with a port range preference to allow multiple ports to be registered. You can reference the Wireshark Developer's Guide for information about compiling and developing for Wireshark on your particular platform.
3) Submit a Wireshark Issue, asking for an enhancement to the COAP dissector to allow the DTLS-registered port to be configurable. Again, a range preference would probably be even better, as it would allow more than just 1 port to be registered.
Assuming the first option isn't possible and the other options would take longer and not solve the immediate problem of dissecting the payload as COAP for your existing capture file, you could use a program such as TraceWrangler (or other such capture file editor and/or anonymizer tools) to rewrite the UDP port value of 57845 to 5684 for all packets. That should allow the payload to be passed to the COAP dissector without requiring any other changes. If you do use TraceWrangler, then the basic steps would be:
1) Add Files: Choose your file, i.e., file.pcapng.
2) Taskname: Anonymize Files.
3) Payload: Deselect "Remove all unknown layers..." as you want to keep everything.
4) PCAPng: Action=Passthrough, as there's no need to replace original comments here.
5) Layer 4, UDP: Action=Replace. Select "Replace UDP ports by list", then choose Add. Enter 57845 for the Original port number and 5684 for the Replacement port number, then click Add.
6) Select Okay.
7) Select Run.
When the Status indicates, "Task complete", you should be able to open the newly created packet capture file, named file_anon.pcapng, in Wireshark and Wireshark should now recognize the payload as COAP.
DISCLAIMER: I have not tested this myself, but it should work.
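The port rewrite that the TraceWrangler steps above perform, as an added Python example that is not part of the answer and not TraceWrangler's code: it rewrites 57845 to 5684 in a single Ethernet/IPv4/UDP frame and, rather than leaving a stale value that Wireshark's UDP checksum validation would flag, recomputes the UDP checksum over the IPv4 pseudo-header. The port numbers are the ones from the answer; udp_frame is a constructed fixture and the IP header checksum is ignored throughout.

```python
import struct

def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_pseudo_header(src, dst, udp_len):
    """IPv4 pseudo-header the UDP checksum covers: src, dst, zero byte, protocol 17, length."""
    return src + dst + b"\x00\x11" + struct.pack("!H", udp_len)

def rewrite_udp_port(frame, old, new):
    """Return a copy of an Ethernet/IPv4/UDP frame in which any port equal to old is set
    to new and the UDP checksum is recomputed; other frames come back unchanged."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return frame
    pkt = bytearray(frame)
    l4 = 14 + (pkt[14] & 0x0F) * 4               # UDP header offset (honours IP options)
    for off in (l4, l4 + 2):                     # source port, destination port
        if struct.unpack_from("!H", pkt, off)[0] == old:
            struct.pack_into("!H", pkt, off, new)
    udp_len = struct.unpack_from("!H", pkt, l4 + 4)[0]
    udp = pkt[l4:l4 + udp_len]
    struct.pack_into("!H", udp, 6, 0)            # checksum field counts as zero while summing
    pseudo = udp_pseudo_header(bytes(pkt[26:30]), bytes(pkt[30:34]), udp_len)
    csum = inet_checksum(pseudo + bytes(udp)) or 0xFFFF   # 0 would mean "no checksum"
    struct.pack_into("!H", pkt, l4 + 6, csum)
    return bytes(pkt)

def udp_checksum_ok(frame):
    """True when pseudo-header + datagram, checksum included, sums to all ones."""
    l4 = 14 + (frame[14] & 0x0F) * 4
    udp_len = struct.unpack_from("!H", frame, l4 + 4)[0]
    pseudo = udp_pseudo_header(frame[26:30], frame[30:34], udp_len)
    return inet_checksum(pseudo + frame[l4:l4 + udp_len]) == 0

def udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame with a valid UDP checksum (IP checksum left zero)."""
    udp_len = 8 + len(payload)
    udp = bytearray(struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    csum = inet_checksum(udp_pseudo_header(src, dst, udp_len) + bytes(udp)) or 0xFFFF
    struct.pack_into("!H", udp, 6, csum)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + bytes(udp)
```

Applied to every record of a capture, rewrite_udp_port(frame, 57845, 5684) produces what the TraceWrangler task above does, and the COAP dissector then sees traffic on its registered DTLS port.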

See events from my application together with dissected communication in Wireshark

I sometimes need to use Wireshark to analyze communication issues with a particular protocol that my application uses. Wireshark already comes with a dissector for the protocol, and displays the communication in the best possible way I can imagine.
But I also need to view the actual communication together with events happening inside my application. The application is capable of generating various logs and traces. The information in them is actually more structured, but for the simplicity, let's say it is just a sequence of entries where each entry has a timestamp and a textual message.
Currently, I have to place the Wireshark and the logs alongside on the screen, and painfully correlate the timestamps in order to figure out how they belong together. In order to make my analysis much easier, I would like to view the information from my logs merged together with the communication protocol messages in Wireshark, properly sorted by their timestamps.
I found that Wireshark has a Merge capability, so this is where I am directing my investigation. I think that with some effort, I might be able to do the following:
1) Design my own "protocol", and generate a PCAPNG file from my application, with the event timestamps and messages, and
2) Develop a Wireshark dissector for the above, so that I can view the events in Wireshark.
The first part of my question is whether my approach is the right one.
But I also wonder whether I could achieve what I want in some simpler way. Ideally, I would like to reuse something that already exists, and specifically, avoid developing a specialized dissector. Isn't there a protocol with identical features (just timestamps and textual messages), with a dissector that Wireshark already has, that I can use?
Maybe you could make use of syslog along with syslogd or rsyslogd?
One way to inject arbitrary messages into trace files without even having a syslog server is to make use of nc (netcat). For example:
echo -n "Hello World" | nc -w 0 -u 1.1.1.1 514
Wireshark will also dissect this message as syslog traffic. This can be useful when trying to insert "markers" into capture files near where an event of interest occurs.
In any case, making use of syslog facilities would save you from having to write your protocol.

How do I find what program initiated a download using Wireshark?

I have a packet capture and I'm trying to find out which program a download was made with. Where would I go in the packet to find this information?
Thanks all!
Instead of looking for answers within the packet, you may want to look at which port the download was done through. That could give you more information, and faster.
I assume you know the destination IP address from where the file is downloaded. If it's something that you can catch while it's happening or you can trigger it, then you could use netstat to determine the PID of the program that is handling that socket after filtering the netstat output based on the destination IP address.
Then you could use ps on Linux or Task Manager on Windows to know which program has that PID.
On Windows: How to determine which program uses or blocks specific transmission control protocol ports in Windows
Alternatively, if the packet capture is all you've got and it's not a recurring event, then if the download was done via HTTP you could check the headers of the HTTP request for info about the client in the User-Agent header.
Hope it helps.

Detect unreachable ports for UDP in Erlang

I am looking for a way to detect "port unreachable" errors for outgoing UDP packets in Erlang, so I can eagerly report transport layer errors to the application. I.e., I want to capture ICMP type 3 packets to report to the higher layers that a packet has not reached the destination.
Currently I know about two approaches:
Use the undocumented gen_udp:connect/3. However, it seems like this requires opening a new socket for every new destination address:port pair. The advantage is that this does not require any privileges.
Use gen_icmp, which requires either a setuid helper or capabilities to open raw sockets.
Are there any other variants I am missing?
procket might be what you're looking for, but I've never used it myself. It's a binding to the low-level socket API, therefore it allows you to use all the protocols the underlying API supports. I'm just quoting its README, so please take it with a pinch of salt.
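The mechanism gen_udp:connect/3 relies on, shown in Python as an added illustration (not Erlang code and not from the question or answer): the kernel maps an incoming ICMP port unreachable back to a UDP socket only when that socket is connected to the destination, which is why the unprivileged approach costs one socket per address:port pair. It assumes a loopback port with no listener, which closed_loopback_udp_port constructs.

```python
import socket

def closed_loopback_udp_port():
    """Constructed test condition: a loopback UDP port nobody listens on (bind to 0, note it, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe_udp(port, connected, timeout=2.0):
    """Send one datagram to 127.0.0.1:port and report how the kernel answered:
    'refused' (ICMP type 3 code 3 surfaced as ECONNREFUSED), 'timeout' or 'data'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if connected:
            # connect() ties the socket to one destination; only then does the kernel
            # attribute the ICMP error to this socket and report it on the next call.
            s.connect(("127.0.0.1", port))
            s.send(b"ping")
            s.recv(64)
        else:
            # An unconnected socket is not told about the ICMP error (on Linux it is
            # only queued when IP_RECVERR is enabled), so the caller just times out.
            s.sendto(b"ping", ("127.0.0.1", port))
            s.recvfrom(64)
        return "data"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
```

Running probe_udp(port, True) against a closed port returns "refused" immediately, while probe_udp(port, False) waits out the timeout; gen_udp:connect/3 gives the Erlang socket the first behaviour.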

Wireshark related: option to take a packet and modify its contents

Is there any option to capture a packet, e.g. (HTTP), modify certain aspects of it (checksum-validate False to True) and resend it using Wireshark?
Ettercap NG filters can do such a job properly; here is an example on the link
I don't think that is possible using wireshark. Wireshark is a packet analyzer.
Perhaps iptables could help you there.
No, Wireshark doesn't do this. What you are looking for is Fiddler, which allows you to monitor HTTP traffic and "fiddle" with incoming or outgoing traffic. So you can capture HTTP traffic, modify it and resend.
Find it here: http://fiddler2.com/fiddler2/
Check out the demonstration videos for more info, especially:
Using the Fiddler AutoResponder
Replaying Modified Responses with AutoResponder
Try the free version of Colasoft ( http://www.colasoft.com/download/products/download_packet_builder.php ). The only hitch is you'll have to save the capture stream into a "xxx.cap" format, but no worries, Wireshark can handle it...
