TShark: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
Line 35: | Line 35: | ||
</pre> | </pre> | ||
<source lang=bash> | <source lang=bash> | ||
$ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version | |||
192.168.1.87 192.168.1.140 2083 0x00000301 | 192.168.1.87 192.168.1.140 2083 0x00000301 | ||
10.155.4.97 192.168.1.141 1812 0x00000301 | 10.155.4.97 192.168.1.141 1812 0x00000301 | ||
192.168.1.85 192.168.1.140 2083 0x00000301 | 192.168.1.85 192.168.1.140 2083 0x00000301 | ||
... | ... | ||
</source> | |||
or for https: | |||
<source lang=bash> | |||
$ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e ssl.handshake.version | |||
</source> | </source> |
Revision as of 16:06, 10 May 2019
Kategorie:MySQL Kategorie:Security
TShark
TShark is the terminal based wireshark.
The ultimate tool to sniff network traffic when you have no X. It analyzes the traffic as wireshark does. Great tool!
MySQL traffic
To look on an application server for MySQL traffic you can use this line:
# IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306'
The little awk magic selects only pakets which are from our ethernet address on interface IFACE.
Duplicate ACKs
# tshark -i eth1 -Y tcp.analysis.duplicate_ack
Finding TCP problems
# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'
Decode SSL Connections
For example show the used TLS-Versions lower than 1.2.
Supported Version: TLS 1.3 (0x0304) Supported Version: TLS 1.2 (0x0303) Supported Version: TLS 1.1 (0x0302) Supported Version: TLS 1.0 (0x0301)
$ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version
192.168.1.87 192.168.1.140 2083 0x00000301
10.155.4.97 192.168.1.141 1812 0x00000301
192.168.1.85 192.168.1.140 2083 0x00000301
...
or for https:
$ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e ssl.handshake.version