TShark: Difference between revisions
m (Text replacement - "<source" to "<syntaxhighlight") |
|||
| Line 9: | Line 9: | ||
==MySQL traffic== | ==MySQL traffic== | ||
To look on an application server for MySQL traffic you can use this line: | To look on an application server for MySQL traffic you can use this line: | ||
< | <syntaxhighlight lang=bash> | ||
# IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306' | # IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306' | ||
</source> | </source> | ||
< | <syntaxhighlight lang=bash> | ||
# IFACE=ens192 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -Y "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.auth_plugin -e mysql.client_auth_plugin -e mysql.error_code -e mysql.error.message -e mysql.message -e mysql.user -e mysql.passwd -e mysql.command 'port 3306' | # IFACE=ens192 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -Y "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.auth_plugin -e mysql.client_auth_plugin -e mysql.error_code -e mysql.error.message -e mysql.message -e mysql.user -e mysql.passwd -e mysql.command 'port 3306' | ||
</source> | </source> | ||
| Line 22: | Line 22: | ||
Find client with macaddress fc-18-3c-4a-c1-fa : | Find client with macaddress fc-18-3c-4a-c1-fa : | ||
< | <syntaxhighlight lang=bash> | ||
# tshark -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="fc-18-3c-4a-c1-fa"' -f "udp port 1812" -V | # tshark -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="fc-18-3c-4a-c1-fa"' -f "udp port 1812" -V | ||
Running as user "root" and group "root". This could be dangerous. | Running as user "root" and group "root". This could be dangerous. | ||
| Line 33: | Line 33: | ||
</source> | </source> | ||
With older tshark versions try: | With older tshark versions try: | ||
< | <syntaxhighlight lang=bash> | ||
# tshark -Y "ssl.handshake.type == 1" -T fields -e frame.number -e ip.src -e ssl.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="8c-85-90-1f-03-ff"' -f "udp port 1812" | # tshark -Y "ssl.handshake.type == 1" -T fields -e frame.number -e ip.src -e ssl.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="8c-85-90-1f-03-ff"' -f "udp port 1812" | ||
</source> | </source> | ||
| Line 39: | Line 39: | ||
==Duplicate ACKs== | ==Duplicate ACKs== | ||
< | <syntaxhighlight lang=bash> | ||
# tshark -i eth1 -Y tcp.analysis.duplicate_ack | # tshark -i eth1 -Y tcp.analysis.duplicate_ack | ||
</source> | </source> | ||
| Line 45: | Line 45: | ||
==Finding TCP problems== | ==Finding TCP problems== | ||
< | <syntaxhighlight lang=bash> | ||
# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"' | # tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"' | ||
</source> | </source> | ||
| Line 57: | Line 57: | ||
Supported Version: TLS 1.0 (0x0301) | Supported Version: TLS 1.0 (0x0301) | ||
</pre> | </pre> | ||
< | <syntaxhighlight lang=bash> | ||
$ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version | $ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version | ||
192.168.1.87 192.168.1.140 2083 0x00000301 | 192.168.1.87 192.168.1.140 2083 0x00000301 | ||
| Line 65: | Line 65: | ||
</source> | </source> | ||
or for https: | or for https: | ||
< | <syntaxhighlight lang=bash> | ||
$ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e ssl.handshake.version | $ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e ssl.handshake.version | ||
</source> | </source> | ||
Revision as of 17:44, 25 November 2021
Kategorie:MySQL Kategorie:Security
TShark
TShark is the terminal based wireshark.
The ultimate tool to sniff network traffic when you have no X. It analyzes the traffic as wireshark does. Great tool!
MySQL traffic
To look on an application server for MySQL traffic you can use this line: <syntaxhighlight lang=bash>
- IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306'
</source>
<syntaxhighlight lang=bash>
- IFACE=ens192 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -Y "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.auth_plugin -e mysql.client_auth_plugin -e mysql.error_code -e mysql.error.message -e mysql.message -e mysql.user -e mysql.passwd -e mysql.command 'port 3306'
</source>
The little awk magic selects only pakets which are from our ethernet address on interface IFACE.
Radius traffic
Find client with macaddress fc-18-3c-4a-c1-fa : <syntaxhighlight lang=bash>
- tshark -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="fc-18-3c-4a-c1-fa"' -f "udp port 1812" -V
Running as user "root" and group "root". This could be dangerous. Capturing on 'ens192' 785 10.155.1.23 fc-18-3c-4a-c1-fa 788 10.155.1.23 0x00000303 fc-18-3c-4a-c1-fa <-- 0x00000303 is TLS handshake version 1.2 , see table below 790 10.155.1.23 fc-18-3c-4a-c1-fa 792 10.155.1.23 fc-18-3c-4a-c1-fa 794 10.155.1.23 fc-18-3c-4a-c1-fa </source> With older tshark versions try: <syntaxhighlight lang=bash>
- tshark -Y "ssl.handshake.type == 1" -T fields -e frame.number -e ip.src -e ssl.handshake.version -e radius.Calling_Station_Id -Y 'radius.Calling_Station_Id=="8c-85-90-1f-03-ff"' -f "udp port 1812"
</source>
Duplicate ACKs
<syntaxhighlight lang=bash>
- tshark -i eth1 -Y tcp.analysis.duplicate_ack
</source>
Finding TCP problems
<syntaxhighlight lang=bash>
- tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'
</source>
Decode SSL Connections
For example show the used TLS-Versions lower than 1.2.
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Supported Version: TLS 1.1 (0x0302)
Supported Version: TLS 1.0 (0x0301)
<syntaxhighlight lang=bash> $ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version 192.168.1.87 192.168.1.140 2083 0x00000301 10.155.4.97 192.168.1.141 1812 0x00000301 192.168.1.85 192.168.1.140 2083 0x00000301 ... </source> or for https: <syntaxhighlight lang=bash> $ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e ssl.handshake.version </source>
