I have installed wireshark on Ubuntu, When I run it:
/usr/bin/wireshark
I get an error:
(wireshark:27945): Gtk-WARNING **: cannot open display:
I want to run wireshark on the command prompt.
I don't want to use the UI. I'm not sure why it is complaining about a display, I want to run it on a port.
You can try tshark - which is a "console based wireshark" which is part of wireshark project.
You should read Read man tshark.
For example to capture http packet on 80 port run:
tshark -f 'tcp port 80 and http'
P.S. Example was fixed to use capture filter instead of display filter.
On Ubuntu, running wireshark complains about display:
el#apollo:~$ wireshark
(wireshark:20619): Gtk-WARNING **: cannot open display:
Set the DISPLAY environment variable:
export DISPLAY=:0.0
/usr/bin/wireshark
Then it works:
el#apollo:~$ wireshark -Y
wireshark: option requires an argument -- 'Y'
Usage: wireshark [options] ... [ <infile> ]
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-k start capturing immediately (def: do nothing)
-S update packet display when new packets are captured
-l turn on automatic scrolling while -S is in use
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 2MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
wireshark is an X application, so it needs to know where to send the X11 display output.
Related
After googling for hours and trying not to get lost in the different tshark versions I still can't figure out what command line options to tshark I should use to get the full (reassembled) JSON requests and responses (the JSON data structrues).
tshark 2.2.2 used on a live eth0 interface, not to parse pcap.files.
The requests and responses are gziped and need to be decoded.
All the related wireshark issues that seemed related are marked as "fixed" so I think in the 2.2.2 it should be possible.
I found a working solution. It doesn't work on a live interface and requires to first save a pcap file but it is the best I managed to do with tshark.
Step1 (capture network trafic):
tshark -i eth0 -f "port 9088" -w capture.pcap
Step2 (list captured tcp streams):
tshark -r capture.pcap -T fields -e tcp.stream | sort -u
Step3 (dump the content of one particular tcp stream):
tshark -nr capture.pcap -q -d tcp.port==9088,http -z follow,http,ascii,_your_stream_number
Noice the "-d tcp.port==9088,http" option to force http decoding on this port as in my case it is a socks5 proxy running on that port.
Most importantly "-z follow,http,ascii,_your_stream_number" where the "follow,http" feature decodes gziped http body content and is undocumented and only available from version 2.2.0 of wireshark/tshark.
I am trying to do this: set Wireshark filter to "http contains site.do" in tshark. I'm not sure how to do this using just the command line version. How do I do that?
Try
tshark -Y "http contains site.do"
This is because the display filters are different of capture filters. For example you can do it to save http traffic of one host.
tshark -f "host www.site.do and (port 80 or port 443)" -w example.pcap
You can get more info about the capture filters here
I'm using iperf3 that is supposedly a rewritten version of iperf. Reason why Im using this is because I love iperf when it comes to TCP and UDP throughput and I now want to test SCTP throughput between my end-points.
However when I'm trying to use the --sctp command that I've seen people been using it says command not recognizable. Is it the implementation I'm using that have not implemented this command?
https://github.com/esnet/iperf
This is the implementation I'm using, can't find any obvious documentation of the SCTP commands related to this. Most SCTP iperf implementations are added manually in the tests and the source code is often not provided.
Any help would be appreciated!
Get a copy of iperf which supports lksctp module of linux kernel. Install it using the standard process. (If it fails, please inform with the error message and the operating system and kernel details). Now to use SCTP in iperf these are the proper syntaxes.
For creating an SCTP server,
iperf -z -s
(-z is for selecting the SCTP protocol and -s is for server.)
For creating an SCTP client,
iperf -z -c <host address> -t <time duration for the connection in second>s -i <interval of the time to print the bandwidth in terminal in second>s
(-z for SCTP, -c is for client. Host address should be the ip address of the server where iperf -z -s is already running. -t is to specify the communication time duration. -i is to specify the interval to show the bandwidth.)
Example:
iperf -z -c 0.0.0.0 -t 10s -i 2s
Here the communication time is 10 seconds and it'll report the bandwidth for each 2 seconds interval.
P.S.
(1) To use iperf for SCTP, you must enable the SCTP module in the kernel and recompile it. The kernel version must be 2.6 or above. Check it using uname -a or uname -r. If you have a lower one, then download a new kernel from The Linux Kernel Archives. And compile it by enabling SCTP.
First check if it is already enabled or not by running these two commands in the terminal.
modprobe sctp
lsmod | grep sctp If you get any output then SCTP is already enabled.
(2) If still iperf with -z fails. Try the following solution. If the two machines are 'A' and 'B'.
First make 'A' the server and 'B' the client. It won't succeed. So
exit by using `ctrl + z` and kill iperf
using `pkill -9 iperf`.
Then make 'B' the server and 'A' the client. It may succeed. If it fails again, kill iperf using the above command and repeat step 1 again. it might get succeeded.
(The 2nd solution works for me with fedora 20 and kernel 2.6 and above.)
Couldn't find any recent answers through googling so I though I would leave an answer here for those looking to installing Iperf3 to use SCTP on RHEL / CentOS.
You'll need to install lksctp-tools-devel first and build from source to enable the SCTP support. Yum Install Iperf3 3.17 with lksctp-tools-devel did not enable SCTP for me.
Using tshark, how would I get it to just decode and display the application layer?
For example, I can capture and decode snmp traffic using:
sudo tshark -V -i lo -d udp.port==161,snmp
This will decode all layers, from the physical layer up to the application layer (output snipped):
Frame 120: 134 bytes on wire (1072 bits), ...
Interface id: 0
....
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00...
Destination: 00:00:00_00:00:00 ...
....
Internet Protocol Version 4, Src: 127.0.0.1...
Version: 4
....
User Datagram Protocol, Src Port: snmp (161), ....
Source port: snmp (161)
....
Simple Network Management Protocol
version: v2c (1)
community: public
....
(I just want the decode from "Simple Network Management Protocol" onwards).
Other things I've considered
I'm aware of using fields output (eg -e snmp.community). Specifying all the fields for snmp would take forever...
I could use pdml output, and transform the results using XSLT. But pdml output is slow and using XSLT seems like overkill:
sudo tshark -V -T pdml -i lo -d udp.port==161,snmp
<proto name="udp" showname="User Datagram Protocol...
<field name="udp.srcport"...
<proto name="snmp" showname="Simple...
<field name="snmp.version" showname="version: v2c...
You can use the -O option, as indicated by the help output:
-O <protocols> Only show packet details of these protocols, comma separated
$ tshark -i 4 -O snmp -q -V > snmp.txt
See also the TShark man-page:
-O Similar to the -V option, but causes TShark to only show a detailed view of the comma-separated list of protocols specified, rather than a detailed view of all protocols. Use the output of "tshark -G protocols" to find the abbreviations of the protocols you can specify.
When I ping one site it returns "Request timed out". I want to make little program that will inform me (sound beep or something like that) when this server is online again. No matter in which language. I think it should be very simple script with a several lines of code. So how to write it?
Some implementations of ping allow you to specify conditions for exiting after receipt of packets:
On Mac OS X, use ping -a -o $the_host
ping will keep trying (by default)
-a means beep when a packet is received
-o means exit when a packet is received
On Linux (Ubuntu at least), use ping -a -c 1 -w inf $the_host
-a means beep when a packet is received
-c 1 specifies the number of packets to send before exit (in this case 1)
-w inf specifies the deadline for when ping exits no matter what (in this case Infinite)
when -c and -w are used together, -c becomes number of packets received before exit
Either can be chained to perform your next command, e.g. to ssh into the server as soon as it comes up (with a gap between to allow sshd to actually start up):
# ping -a -o $the_host && sleep 3 && ssh $the_host
Don't forget the notify sound like echo"^G"! Just to be different - here's Windows batch:
C:\> more pingnotify.bat
:AGAIN
ping -n 1 %1%
IF ERRORLEVEL 1 GOTO AGAIN
sndrec32 /play /close "C:\Windows\Media\Notify.wav"
C:\> pingnotify.bat localhost
:)
One way is to run ping is a loop, e.g.
while ! ping -c 1 host; do sleep 1; done
(You can redirect the output to /dev/null if you want to keep it quiet.)
On some systems, such as Mac OS X, ping may also have the options -a -o (as per another answer) available which will cause it to keep pinging until a response is received. However, the ping on many (most?) Linux systems does not have the -o option and the kind of equivalent -c 1 -w 0 still exits if the network returns an error.
Edit: If the host does not respond to ping or you need to check the availability of service on a certain port, you can use netcat in the zero I/O mode:
while ! nc -w 5 -z host port; do sleep 1; done
The -w 5 specifies a 5 second timeout for each individual attempt. Note that with netcat you can even list multiple ports (or port ranges) to scan when some of them becomes available.
Edit 2: The loops shown above keep trying until the host (or port) is reached. Add your alert command after them, e.g. beep or pop-up a window.