TShark: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
No edit summary
No edit summary
Line 24: Line 24:
<source lang=bash>
<source lang=bash>
# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'
# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'
</source>
==Decode SSL Connections==
For example show thje used TLS-Versions.
<pre>
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
</pre>
<source lang=bash>
# tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<=0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.quic.negotiated_version -e ssl.pct.client_version -e ssl.handshake.version
192.168.1.87 192.168.1.140 2083 0x00000303
10.155.4.97 192.168.1.141 1812 0x00000303
192.168.1.85 192.168.1.140 2083 0x00000303
...
</source>
</source>

Revision as of 15:56, 10 May 2019

Kategorie:MySQL Kategorie:Security

TShark

TShark is the terminal based wireshark.

The ultimate tool to sniff network traffic when you have no X. It analyzes the traffic as wireshark does. Great tool!

MySQL traffic

To look on an application server for MySQL traffic you can use this line:

# IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306'

The little awk magic selects only pakets which are from our ethernet address on interface IFACE.

Duplicate ACKs

# tshark -i eth1 -Y tcp.analysis.duplicate_ack

Finding TCP problems

# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'

Decode SSL Connections

For example show thje used TLS-Versions.

                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
# tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<=0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.quic.negotiated_version -e ssl.pct.client_version -e ssl.handshake.version
192.168.1.87	192.168.1.140	2083				0x00000303
10.155.4.97	192.168.1.141		1812			0x00000303
192.168.1.85	192.168.1.140	2083				0x00000303
...