From Lolly's Wiki
Revision as of 14:55, 20 February 2024 by Lollypop (talk | contribs) (→‎MySQL traffic)


TShark is the terminal-based Wireshark.

It is the tool of choice to sniff network traffic on a machine without X: it dissects packets with the same protocol dissectors Wireshark uses, takes the same capture filters (-f, BPF syntax, applied while capturing) and the same display filters (-Y, or -R on older versions, applied after dissection), and with -T fields -e it prints exactly the protocol fields you ask for. Great tool!

DNS Traffic

# tshark -n -T fields -e frame.time -e dns.id -e ip.src -e ip.dst -e dns.qry.name  -f 'port 53'

MySQL traffic

To see the MySQL queries an application server sends, use this line (older tshark versions, which take the display filter with -R):

# IFACE=eth0 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -R "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.query 'port 3306'

newer versions of tshark:

# IFACE=ens192 ; tshark -i ${IFACE} -d tcp.port==3306,mysql -Y "eth.addr eq $(ip link show ${IFACE} | awk '$1 ~ /link\/ether/{print $2}')" -T fields -e mysql.auth_plugin -e mysql.client_auth_plugin -e mysql.error_code -e mysql.error.message -e mysql.message -e mysql.user -e mysql.passwd -e mysql.command 'port 3306'

The little awk magic extracts the MAC address of interface IFACE, so the display filter keeps only packets sent from or to our own Ethernet address (eth.addr matches source and destination). The -d option tells tshark to dissect port 3306 as MySQL even if the server runs somewhere non-standard. Two caveats: mysql.query, mysql.user and friends are only decoded on unencrypted sessions, so if client and server negotiated TLS you will see nothing past the handshake; and the capture contains application data and login attempts (mysql.passwd holds the client's authentication response, for mysql_native_password a challenge hash rather than the clear-text password), so treat the pcap and the terminal output as sensitive.

Radius traffic

Find the client with MAC address fc-18-3c-4a-c1-fa (RADIUS carries it in the Calling-Station-Id attribute) and show the TLS version of its EAP-TLS ClientHello:

# tshark -Y "tls.handshake.type == 1" -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id  -Y 'radius.Calling_Station_Id=="fc-18-3c-4a-c1-fa"' -f "udp port 1812" -V
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens192'
785             fc-18-3c-4a-c1-fa
788     0x00000303      fc-18-3c-4a-c1-fa
790             fc-18-3c-4a-c1-fa
792             fc-18-3c-4a-c1-fa
794             fc-18-3c-4a-c1-fa

Frame 788 is the ClientHello; its handshake version 0x00000303 is TLS 1.2 (see the version table in the TLS section below). The other frames are RADIUS packets of the same client that carry no TLS handshake version, which is why their version column is empty. They show up because tshark only honours the last -Y given on the command line, so the tls.handshake.type == 1 filter is silently replaced by the Calling-Station-Id one. To apply both conditions, combine them in a single display filter:

# tshark -Y 'tls.handshake.type == 1 && radius.Calling_Station_Id == "fc-18-3c-4a-c1-fa"' -T fields -e frame.number -e ip.src -e tls.handshake.version -e radius.Calling_Station_Id -f "udp port 1812"

With older tshark versions (where the TLS fields are still prefixed ssl. instead of tls.) try:

# tshark -Y "ssl.handshake.type == 1" -T fields -e frame.number -e ip.src -e ssl.handshake.version -e radius.Calling_Station_Id  -Y 'radius.Calling_Station_Id=="8c-85-90-1f-03-ff"' -f "udp port 1812"

Duplicate ACKs

# tshark -i eth1 -Y tcp.analysis.duplicate_ack

Finding TCP problems

# tshark -i eth1 -Y 'expert.message == "Retransmission (suspected)" || expert.message == "Duplicate ACK (#1)" || expert.message == "Out-Of-Order segment"'

Decode SSL Connections

For example, show the TLS versions below 1.2 that are still in use. tshark prints the version as a 16-bit number; the values (as listed by a ClientHello's supported_versions extension) are:

                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
$ tshark -n -f 'dst port 1812 or dst port 2083' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport  -e ssl.handshake.version
		2083		0x00000301
			1812	0x00000301
		2083		0x00000301

The columns are source host, destination host, tcp.dstport, udp.dstport and the handshake version, so the first and third rows are RadSec (TCP 2083) and the second one plain RADIUS (UDP 1812), all offering TLS 1.0.

or for https:

$ tshark -i eth0 -n -f 'dst port 443' -Y "ssl.handshake.version<0x00000303" -T fields -e ip.src_host -e ip.dst_host -e tcp.dstport  -e ssl.handshake.version

ssl.handshake.version (tls.handshake.version in current releases) matches the version field of both ClientHello and ServerHello. In a ClientHello it is only the highest version the client offers, and a TLS 1.3 client puts 0x0303 there and lists its real versions in the supported_versions extension (tls.handshake.extensions.supported_version), which is where the table above comes from. The version actually negotiated is the one in the ServerHello, so add tls.handshake.type == 2 to the display filter to count negotiated versions instead of offers.
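Once the one-liner above runs on a busy network it produces many lines per client. The following script is an added example, not part of the original wiki page: it post-processes the -T fields output (source host, destination host, tcp.dstport, udp.dstport, version) and prints one line per distinct client, server, port and version that is older than TLS 1.2. The sample lines in sample_output are constructed for the example and are not from a real capture; the hostnames and addresses in them are invented.

```shell
#!/bin/sh
# Added example, not from the original wiki page: summarise the output of
#   tshark -n -f '...' -Y "ssl.handshake.version<0x00000303" -T fields \
#       -e ip.src_host -e ip.dst_host -e tcp.dstport -e udp.dstport -e ssl.handshake.version
# into one line per client/server/port that still uses a version below TLS 1.2.

# sample_output: constructed stand-in for the tshark pipeline (not real capture data).
# Fields are tab separated; either tcp.dstport or udp.dstport is empty. A frame that
# carries several handshake messages gets the versions joined with a comma, which is
# how "tshark -T fields" prints repeated field occurrences.
sample_output() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        10.0.0.5  radius.example 2083 ''   0x00000301 \
        10.0.0.5  radius.example ''   1812 0x00000301 \
        10.0.0.7  www.example    443  ''   0x00000302 \
        10.0.0.9  www.example    443  ''   0x00000303 \
        10.0.0.9  www.example    443  ''   0x00000304 \
        10.0.0.9  www.example    443  ''   '' \
        10.0.0.11 legacy.example 443  ''   0x00000301,0x00000301
}

# legacy_tls_report: read tshark fields output on stdin, print
# "src dst port/proto version-name" for every version below TLS 1.2, deduplicated.
legacy_tls_report() {
    awk -F'\t' '
        # hexval(s): parse the "0x..." string tshark prints. Done by hand so the
        # script also works on mawk/BusyBox awk, which lack gawk strtonum().
        function hexval(s,    i, v) {
            s = tolower(s); sub(/^0x/, "", s); v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        # name(v): protocol name for the numeric handshake version.
        function name(v) {
            if (v == 768) return "SSL 3.0"
            if (v == 769) return "TLS 1.0"
            if (v == 770) return "TLS 1.1"
            if (v == 771) return "TLS 1.2"
            if (v == 772) return "TLS 1.3"
            return "unknown(" v ")"
        }
        # Lines without a version are frames that carry no handshake; skip them.
        $5 != "" {
            port = ($3 != "") ? ($3 "/tcp") : ($4 "/udp")
            n = split($5, vs, ",")          # several handshake messages in one frame
            for (i = 1; i <= n; i++) {
                v = hexval(vs[i])
                if (v < 771)                # 771 == 0x0303 == TLS 1.2
                    print $1, $2, port, name(v)
            }
        }
    ' | LC_ALL=C sort -u
}

# On a live system replace sample_output with the tshark pipeline quoted above.
sample_output | legacy_tls_report
```

Run on the sample this prints four lines: the legacy client on 443/tcp once (the duplicate versions collapse), the RADIUS client on both 1812/udp and 2083/tcp, and the TLS 1.1 client; the hosts that offered 1.2 and 1.3 and the frame without a version are dropped.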