How to read pcap file using tshark with filter expressions - tshark

I am trying to read a network capture file using tshark in the command prompt (using the itest tool).
I want to filter the file so that SIP contains both "INVITE" and "REGISTER" messages. I have tried the following commands:
tshark -r filename.pcap -R "sip.Cseq.method contains INVITE || sip.Cseq.method contains REGISTER" -V
tshark -r filename.pcap -Y "sip.Cseq.method contains INVITE || sip.cSeq.method contains REGISTER" -V
Maybe they are wrong; would you give me any other ways to solve this problem? Thank you.

Related

Determining throughput from pcap containing flow records

I have a single packet capture (acquired via tcpdump) that contains flow records between an exporter and a collector.
I want to determine throughput across a given interface using the bytes (octets) field in the v9 record. I have filtered down to the network that I want like so:
tshark -r input.pcap -Y "ip.src == X.X.X.X" -F pcap -w filtered.pcap
I further filtered to the interface that I needed like so:
tshark -r filtered.pcap -Y "cflow.inputint == Y" -F pcap -w filtered2.pcap
I'm lost after that. Is there a better tool to aggregate across the flows to get throughput?
Any help would be greatly appreciated!
You may try to print netflow fields and then process the results.
For example:
tshark -T fields -e cflow.version -e cflow.srcaddr -e cflow.dstaddr -e cflow.octets -e cflow.timedelta -e cflow.abstimestart
Field names are visible in wireshark status bar when you select packet details.
Better option:
Install or compile https://github.com/phaag/nfdump with the --enable-readpcap flag.
Process your pcap: nfcapd -f <path to your pcap file> -l <path to output directory> -T all
Count statistics: nfdump -o extended -r <path to output directory>
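To show what "process the results" can look like for the throughput question, here is an added example (not from the answerer) that aggregates per-interface throughput from the field output. It assumes the TSV was produced by a hypothetical invocation such as `tshark -r filtered2.pcap -T fields -E separator=/t -e frame.time_epoch -e cflow.inputint -e cflow.octets -e cflow.timedelta`, uses the export packet's timestamp as the flow's end time, and works on a constructed sample rather than a real capture.

```python
from collections import defaultdict

# Constructed sample of the assumed tshark output (not from a real capture); the
# second line is one export packet carrying two flow records, which tshark
# prints as comma-joined values in each multi-valued column.
SAMPLE_TSV = (
    "1700000000.250000000\t3\t150000\t0.500000000\n"
    "1700000001.900000000\t3,7\t300000,90000\t2.000000000,0.100000000\n"
)

def parse_records(tsv):
    """Yield (end_time, ifindex, octets, duration) for every flow record."""
    for line in tsv.splitlines():
        if not line.strip():
            continue
        epoch, ifs, octs, durs = line.split("\t")
        cols = (ifs.split(","), octs.split(","), durs.split(","))
        if len({len(c) for c in cols}) != 1:
            raise ValueError(f"uneven record count in line: {line!r}")
        for ifindex, octets, duration in zip(*cols):
            # The export packet's timestamp is the best upper bound for the flow's end.
            yield float(epoch), int(ifindex), int(octets), float(duration)

def throughput_bps(tsv, bin_size=1.0):
    """Return {ifindex: {bin_start: bits_per_second}} per input interface.

    A flow's octets are spread evenly over [end - duration, end], so a flow
    longer than one bin is credited to every bin it overlaps rather than
    dumped into the bin in which it happened to be exported.
    """
    bits = defaultdict(lambda: defaultdict(float))
    for end, ifindex, octets, duration in parse_records(tsv):
        start = end - duration
        b = int(start // bin_size) * bin_size
        if duration <= 0:  # zero-length flow: all bits land in one bin
            bits[ifindex][b] += octets * 8
            continue
        rate = octets * 8 / duration  # bits per second while the flow was active
        while b < end:
            overlap = min(end, b + bin_size) - max(start, b)
            bits[ifindex][b] += rate * overlap
            b += bin_size
    return {i: {b: v / bin_size for b, v in bins.items()} for i, bins in bits.items()}

if __name__ == "__main__":
    for ifindex, bins in sorted(throughput_bps(SAMPLE_TSV).items()):
        for b, bps in sorted(bins.items()):
            print(f"ifindex {ifindex}  t={b:.0f}  {bps / 1e6:.2f} Mbit/s")
```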

tshark packet capture filter by request url

I am trying to only capture packets that contain requests to a certain API endpoint so tried to filter using the following:
tshark -i 2 -f 'port 80' -T pdml http.request.uri contains "/google/"
However I keep getting the following error:
tshark: A capture filter was specified both with "-f" and with additional
command-line arguments.
Tried removing the -f, but that did not help either. Any suggestions?
e.g. URL: https://testAPI.com/termsearch/google/application
Your tshark command is incorrect. To specify a Wireshark display filter, you need to use the -Y option.
Windows:
tshark -i 2 -T pdml -Y "http.request.uri contains \"/google/\""
*nix:
tshark -i 2 -T pdml -Y 'http.request.uri contains "/google/"'

Searching through many pcap files with tcpdump

I have a bunch of pcap files that I got with tcpdump. I need to search through all of them for specific keywords and record which files contain these strings. Is there a way to automate the search for these keywords using a tcpdump command perhaps?
Probably the most generic solution using tshark would be to run something like:
tshark -r file.pcap -Y "frame contains foo"
... where foo is the string you're searching for. Refer to the wireshark-filter man page for more information on filtering using the contains and other operators, such as the matches operator which supports Perl compatible regular expressions.
Using that command, the output you'll see will be a 1-line summary of each packet matching the filter. You could tailor the output using a number of methods, but for example, suppose you only wanted to know the frame number of the matching packet, you could run:
tshark -r file.pcap -Y "frame contains foo" -T fields -e frame.number
Refer to the tshark man page for more information on the -T and -e options, as well as other options which may be of use to you.
There is a more powerful version of tcpdump, tshark (it is the command-line tool from the wireshark package). You could use tshark -T fields|pdml|ps|psml|text to dump packets in the format you like, and just grep it. tshark can read tcpdump dumps.

Extract file using sftp based from a masterlist

Is it possible to extract certain files based on a master list via sftp?
Example:
The directory contains the following files:
aa.txt
bb.txt
cc.txt
masterlist.txt contains:
aa.txt
bb.txt
Files that should be extracted:
aa.txt
bb.txt
Edit:
Thanks @shellter for your feedback.
I did try to write my own code but wasn't able to find samples that I could work from (I'm not a unix person, btw).
Anyhow, as for your suggestion regarding using while-read-line, I've tried it but I am getting an "Invalid command" error.
#!/bin/ksh
file=MasterList.txt
while IFS= read -r line
do
echo "fetching $line"
sftp user@192.168.1.101
cd /data/EP_files/balex
get "$line"
bye
done <"$file"
Lastly, if my master file contains a 10k list of files, is this kind of approach OK performance-wise?
Thank you
You need to create the entire sequence of SFTP commands - including the individual get commands for all files in the input list up front, and then invoke sftp only once, passing the command list via stdin (standard input):
#!/usr/bin/env ksh
file=MasterList.txt
sftp -b - user@192.168.1.101 <<EOF
cd /data/EP_files/balex
$(sed -n 's/^file_.*/get "&"/p' "$file")
bye
EOF
The <<EOF ... EOF block is a so-called here-document, which allows passing multiline strings (optionally with embedded variable references and commands) via stdin.
sed -n 's/^file_.*/get "&"/p' "$file" embeds a get command for each filename in $file that starts with file_, ignoring any other lines (as requested by the OP in a comment).
The above assumes that your sftp utility accepts a list of commands in "batch" mode via the -b option via stdin (-).

Filtering VoIP calls with tshark

I'm analyzing VoIP calls on my network.
For now I'm using a generated .pcap file, but later I'll be listening for this in real time.
I'm using tshark, and I can filter some important data pretty easily from the .pcap (like "source IP address and port", "destination IP address and port", payload packets lost, Max Delta (ms), Max Jitter (ms), Mean Jitter (ms)) with
tshark -r myfile -q -z rtp,streams
What I want to know is: how can I get the SIP addresses of a call (client and server)?
I can retrieve some SIP addresses (only client) by filtering all SIP INVITEs like this:
tshark -r myFile -R "sip.Request-Line contains INVITE"
But I can't get the address of the server.
To clarify a bit, my idea was to get this "statistic" in tshark, like wireshark gives me when I access "Telephony > VoIP Calls" (the same way that tshark -r myfile -q -z rtp,streams returns statistics just like wireshark's "Telephony > RTP > Show All Streams"). Is there a way to do this? If not with "statistics" (-z), how can I create a filter (-R) to do something similar to the "VoIP Calls" function of wireshark?
I'm using tshark as I want to work with this data, and not just analyze it on my screen.
Thanks
Try:
tshark -r myFile -R "sip.CSeq.method eq INVITE"
That will filter for the request sent from the client and the corresponding reply from the server.
I was in a similar situation and ended up going through tshark man pages.
Command: tshark -r input_file.pcap -q -z sip,stat
Explanation:
-r <infile> : Read packet data from infile
-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.
-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.
You can additionally add filters to the statistics as well, so for example if you want to summarize all packets which had only the SIP 480 Status Code, you can do so by:
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480
-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code
In case you want multiple filters, you can add them one by one
tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500
If you want to summarize by sip address, you can filter by that:
tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com
Refer to:
TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html
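The question asks for the client and server addresses of each call, which neither answer produces directly. As an added example (not code from either answerer), the script below pairs INVITE requests with their responses per Call-ID. It assumes the input was produced by a hypothetical invocation such as `tshark -r myFile -Y "sip.CSeq.method == INVITE" -T fields -E separator=/t -e sip.Call-ID -e ip.src -e ip.dst -e sip.From -e sip.To -e sip.Request-Line -e sip.Status-Code` (empty fields stay blank), and runs on a constructed sample rather than a real capture.

```python
from dataclasses import dataclass, field

# Constructed sample of the assumed tshark output (not from a real capture): call
# a1b2 is answered, c3d4 is rejected with 486, and for e5f6 only a 180 was captured.
SAMPLE_TSV = (
    "a1b2@10.0.0.5\t10.0.0.5\t10.0.0.10\t<sip:alice@example.test>\t<sip:bob@example.test>\tINVITE sip:bob@example.test SIP/2.0\t\n"
    "a1b2@10.0.0.5\t10.0.0.10\t10.0.0.5\t<sip:alice@example.test>\t<sip:bob@example.test>\t\t100\n"
    "a1b2@10.0.0.5\t10.0.0.10\t10.0.0.5\t<sip:alice@example.test>\t<sip:bob@example.test>\t\t200\n"
    "c3d4@10.0.0.7\t10.0.0.7\t10.0.0.10\t<sip:carol@example.test>\t<sip:dave@example.test>\tINVITE sip:dave@example.test SIP/2.0\t\n"
    "c3d4@10.0.0.7\t10.0.0.10\t10.0.0.7\t<sip:carol@example.test>\t<sip:dave@example.test>\t\t486\n"
    "e5f6@10.0.0.10\t10.0.0.10\t10.0.0.5\t<sip:bob@example.test>\t<sip:alice@example.test>\t\t180\n"
)

@dataclass
class Call:
    call_id: str
    caller: str = ""
    callee: str = ""
    client: str = ""   # IP that sent the INVITE
    server: str = ""   # IP that answered it
    responses: list = field(default_factory=list)

    @property
    def state(self):
        """Classify the call from the last INVITE response seen."""
        if not self.responses:
            return "no response"
        last = self.responses[-1]
        if 200 <= last < 300:
            return "answered"
        if last >= 300:
            return f"failed ({last})"
        return "ringing"  # 1xx provisional response

def parse_calls(tsv):
    """Return {Call-ID: Call} by pairing INVITE requests with their responses."""
    calls = {}
    for line in tsv.splitlines():
        if not line.strip():
            continue
        call_id, src, dst, frm, to, request_line, status = line.split("\t")
        call = calls.setdefault(call_id, Call(call_id, caller=frm, callee=to))
        if request_line.startswith("INVITE"):
            call.client, call.server = src, dst
        elif status:
            # Responses travel server -> client, so a lone response still fixes
            # both roles even when the INVITE itself was not captured.
            call.client, call.server = dst, src
            call.responses.append(int(status))
    return calls
```

Iterating over `parse_calls(SAMPLE_TSV).values()` and printing `caller`, `client`, `callee`, `server` and `state` gives the per-call table the question describes.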
