TShark: Difference between revisions

From Lolly's Wiki
Latest revision as of 13:55, 20 February 2024


=TShark=

TShark is the terminal-based Wireshark.

The ultimate tool to sniff network traffic when you have no X server at hand. It dissects the traffic just as Wireshark does. Great tool!

==DNS Traffic==
Print one line per DNS packet (-n disables name resolution, so the sniffer does not generate DNS queries of its own):
<syntaxhighlight lang=bash>
# tshark -n -T fields -e frame.time -e dns.id -e ip.src -e ip.dst -e dns.qry.name -f 'port 53'
</syntaxhighlight>

==MySQL traffic==
To look on an application server for MySQL traffic you can use this line:
<syntaxhighlight lang=bash>
# IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306'
</syntaxhighlight>
Newer tshark versions use -Y for the display filter instead of -R, and the MySQL dissector exposes more fields, e.g. the authentication exchange and error messages:
<syntaxhighlight lang=bash>
# IFACE=ens192 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -Y "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.auth_plugin -e mysql.client_auth_plugin -e mysql.error_code -e mysql.error.message -e mysql.message -e mysql.user -e mysql.passwd -e mysql.command 'port 3306'
</syntaxhighlight>
The little awk magic extracts the MAC address of interface ''IFACE'' from ''ip link show'', so the ''eth.addr'' filter keeps only packets that carry our own Ethernet address (as source or destination). The trailing ''port 3306'' is the capture filter, and ''-d tcp.port==3306,mysql'' makes sure the traffic on that port is decoded as MySQL.

==Radius traffic==
Find the client with MAC address fc-18-3c-4a-c1-fa (the RADIUS Calling-Station-Id) and the TLS version it offers inside its EAP handshake:
<syntaxhighlight lang=bash>
# tshark -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id  -Y 'radius.Calling_Station_Id=="fc-18-3c-4a-c1-fa"' -f "udp port 1812" -V
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens192'
785     10.155.1.23             fc-18-3c-4a-c1-fa
788     10.155.1.23     0x00000303      fc-18-3c-4a-c1-fa     <-- 0x00000303 is TLS handshake version 1.2 , see table below
790     10.155.1.23             fc-18-3c-4a-c1-fa
792     10.155.1.23             fc-18-3c-4a-c1-fa
794     10.155.1.23             fc-18-3c-4a-c1-fa
</syntaxhighlight>
Note that tshark only keeps the last -Y given on the command line, so the Calling_Station_Id filter replaces the tls.handshake.type filter; that is why frames without a ClientHello (785, 790, ...) are listed too, with an empty version column.

With older tshark versions (before Wireshark 3.0 renamed the ssl.* fields to tls.*) try:
<syntaxhighlight lang=bash>
# tshark -Y "ssl.handshake.type == 1" -T fields -e frame.number -e ip.src -e ssl.handshake.version -e radius.Calling_Station_Id  -Y 'radius.Calling_Station_Id=="8c-85-90-1f-03-ff"' -f "udp port 1812"
</syntaxhighlight>

==Duplicate ACKs==
<syntaxhighlight lang=bash>
# tshark -i eth1 -Y tcp.analysis.duplicate_ack
</syntaxhighlight>

==Finding TCP problems==
<syntaxhighlight lang=bash>
# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'
</syntaxhighlight>

==Decode SSL Connections==
For example, show connections that use a TLS version lower than 1.2. The handshake version is printed as a hex value; the mapping can be read off the Supported Version list of a ClientHello:
<pre>
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
</pre>
<syntaxhighlight lang=bash>
$ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport  -e ssl.handshake.version
192.168.1.87	192.168.1.140	2083				0x00000301
10.155.4.97	192.168.1.141		1812			0x00000301
192.168.1.85	192.168.1.140	2083				0x00000301
...
</syntaxhighlight>
Port 1812 is RADIUS over UDP and 2083 is RadSec (RADIUS over TLS); on current tshark versions use ''tls.handshake.version'' instead of ''ssl.handshake.version''.

Or for https:
<syntaxhighlight lang=bash>
$ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport  -e ssl.handshake.version
</syntaxhighlight>
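As an added example (my own POSIX shell/awk script, not code from this wiki page), the following post-processes the tab-separated -T fields output of the RADIUS and HTTPS commands above (columns ip.src_host, ip.dst_host, tcp.dstport, udp.dstport, ssl/tls.handshake.version) and reports every client that offered a version below TLS 1.2, using the hex table from this section. The sample lines are constructed to mirror the page's output layout, including a frame without a handshake version like those in the Radius section; tshark itself is not needed to run it, and on a real box you pipe the tshark output into weak_tls_lines instead of sample_fields.

```shell
#!/bin/sh
# Added example, not part of the wiki page: post-process tshark "-T fields" output
# (ip.src_host, ip.dst_host, tcp.dstport, udp.dstport, tls.handshake.version, tab-separated)
# and flag clients that offered a TLS version below 1.2.

# Constructed sample in the exact column layout tshark prints; the third line mimics
# a RADIUS frame without a ClientHello (empty version column).
sample_fields() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        192.168.1.87 192.168.1.140 2083 '' 0x00000301 \
        10.155.4.97 192.168.1.141 '' 1812 0x00000301 \
        10.155.1.23 192.168.1.141 '' 1812 '' \
        192.168.1.85 192.168.1.140 443 '' 0x00000303 \
        172.16.0.5 192.168.1.140 2083 '' 0x00000302
}

# Read field lines on stdin and print "src dst port version-name" for every
# handshake version below 0x0303 (TLS 1.2). Frames without a version are skipped.
weak_tls_lines() {
    awk -F'\t' '
        # Parse 0x00000301 etc. into a number; portable, no gawk-only strtonum().
        function hexval(s,    i, c, n) {
            s = tolower(s); sub(/^0x/, "", s); n = 0
            for (i = 1; i <= length(s); i++) {
                c = index("0123456789abcdef", substr(s, i, 1)) - 1
                if (c < 0) return -1
                n = n * 16 + c
            }
            return n
        }
        # Same mapping as the Supported Version table above.
        function vname(n) {
            if (n == 768) return "SSL3.0"
            if (n == 769) return "TLS1.0"
            if (n == 770) return "TLS1.1"
            if (n == 771) return "TLS1.2"
            if (n == 772) return "TLS1.3"
            return sprintf("0x%04x", n)
        }
        {
            if ($5 == "") next                 # no handshake version in this frame
            v = hexval($5)
            if (v < 0 || v >= 771) next        # unparsable, or already TLS 1.2 or newer
            port = ($3 != "") ? $3 : $4        # tcp.dstport or udp.dstport, whichever is set
            printf "%s %s %s %s\n", $1, $2, port, vname(v)
        }
    '
}

# Count distinct source hosts that still offer legacy TLS versions.
weak_tls_clients() {
    weak_tls_lines | awk '{ seen[$1] = 1 } END { n = 0; for (h in seen) n++; print n }'
}

sample_fields | weak_tls_lines
sample_fields | weak_tls_clients
```

The awk parser deliberately avoids gawk extensions so the script runs with mawk or busybox awk on a minimal server; the per-host count is the number a defender wants to track over time when phasing out TLS 1.0/1.1 on RADIUS and HTTPS services.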