{"id":15544,"date":"2014-03-10T12:51:03","date_gmt":"2014-03-10T12:51:03","guid":{"rendered":"http:\/\/www.beautifulwork.org\/?p=15544"},"modified":"2014-03-10T12:51:03","modified_gmt":"2014-03-10T12:51:03","slug":"tshark-dump-and-analyze-network-traffic","status":"publish","type":"post","link":"https:\/\/www.trueangle.org\/index.php\/2014\/03\/10\/tshark-dump-and-analyze-network-traffic\/","title":{"rendered":"tshark – Dump and analyze network traffic"},"content":{"rendered":"

ABOUT tshark<\/u><\/p>\n

\nTShark is a command-line network traffic analyzer that enables you to capture packet data from a live network or read packets from a previously saved capture file by either printing a decoded form of those packets to the standard output or by writing the packets to a file. Without any options, TShark works similarly to the tcpdump command and also uses the same live capture file format, libpcap. In addition, TShark is capable of detecting, reading, and writing the same capture files as those that are supported by Wireshark.\n\n<\/pre>\n
RELATED SHELL EXPOSURE<\/u>
\nsmall part of content formatted
\n[bash light=”true”]
\n$sudo tshark -c 2  -O tcp
\nsudo: \/var\/lib\/sudo writable by non-owner (040777), should be mode 0700<\/p>\n
We trust you have received the usual lecture from the local System
\nAdministrator. It usually boils down to these three things:<\/p>\n
    #1) Respect the privacy of others.
\n    #2) Think before you type.
\n    #3) With great power comes great responsibility.<\/p>\n
[sudo] password for jeffrin:
\ntshark: Lua: Error during loading:
\n [string "\/usr\/share\/wireshark\/init.lua"]:46: dofile has been disabled due to running Wireshark as
\nsuperuser. See http:\/\/wiki.wireshark.org\/CaptureSetup\/CapturePrivileges for help in running Wireshark as
\nan unprivileged user.
\nRunning as user "root" and group "root". This could be dangerous.
\nCapturing on ‘eth0’
\nFrame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
\nEthernet II, Src: AsustekC_59:c2:7d (60:a4:4c:59:c2:7d), Dst: D-Link_5c:01:1a (5c:d9:98:5c:01:1a)
\nInternet Protocol Version 4, Src: 192.168.0.102 (192.168.0.102), Dst: 74.125.236.160 (74.125.236.160)
\nTransmission Control Protocol, Src Port: 46926 (46926), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0
\n    Source port: 46926 (46926)
\n    Destination port: https (443)
\n    [Stream index: 0]
\n    Sequence number: 1    (relative sequence number)
\n    Acknowledgment number: 1    (relative ack number)
\n    Header length: 32 bytes
\n    Flags: 0x010 (ACK)
\n        000. …. …. = Reserved: Not set
\n        …0 …. …. = Nonce: Not set
\n        …. 0… …. = Congestion Window Reduced (CWR): Not set
\n        …. .0.. …. = ECN-Echo: Not set
\n        …. ..0. …. = Urgent: Not set
\n        …. …1 …. = Acknowledgment: Set
\n        …. …. 0… = Push: Not set
\n        …. …. .0.. = Reset: Not set
\n        …. …. ..0. = Syn: Not set
\n        …. …. …0 = Fin: Not set
\n    Window size value: 353
\n    [Calculated window size: 353]
\n    [Window size scaling factor: -1 (unknown)]
\n    Checksum: 0xa100a [validation disabled]
\n        [Good Checksum: False]
\n        [Bad Checksum: False]
\n    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
\n        No-Operation (NOP)
\n            Type: 1
\n                0… …. = Copy on fragmentation: No
\n                .00. …. = Class: Control (0)
\n                …0 0001 = Number: No-Operation (NOP) (1)
\n        No-Operation (NOP)
\n            Type: 1
\n                0… …. = Copy on fragmentation: No
\n                .00. …. = Class: Control (0)
\n                …0 0001 = Number: No-Operation (NOP) (1)
\n        Timestamps: TSval 300928, TSecr 2174612263
\n            Kind: Timestamp (8)
\n            Length: 10
\n            Timestamp value: 300928
\n            Timestamp echo reply: 2174612263<\/p>\n
Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
\nEthernet II, Src: D-Link_5c:01:1a (5c:d9:98:5c:01:1a), Dst: AsustekC_59:c2:7d (60:a4:4c:59:c2:7d)
\nInternet Protocol Version 4, Src: 74.125.236.160 (74.125.236.160), Dst: 192.168.0.102 (192.168.0.102)
\nTransmission Control Protocol, Src Port: https (443), Dst Port: 46926 (46926), Seq: 1, Ack: 2, Len: 0
\n    Source port: https (443)
\n    Destination port: 46926 (46926)
\n    [Stream index: 0]
\n    Sequence number: 1    (relative sequence number)
\n    Acknowledgment number: 2    (relative ack number)
\n    Header length: 32 bytes
\n    Flags: 0x010 (ACK)
\n        000. …. …. = Reserved: Not set
\n        …0 …. …. = Nonce: Not set
\n        …. 0… …. = Congestion Window Reduced (CWR): Not set
\n        …. .0.. …. = ECN-Echo: Not set
\n        …. ..0. …. = Urgent: Not set
\n        …. …1 …. = Acknowledgment: Set
\n        …. …. 0… = Push: Not set
\n        …. …. .0.. = Reset: Not set
\n        …. …. ..0. = Syn: Not set
\n        …. …. …0 = Fin: Not set
\n    Window size value: 661
\n    [Calculated window size: 661]
\n    [Window size scaling factor: -1 (unknown)]
\n    Checksum: 0xa521 [validation disabled]
\n        [Good Checksum: False]
\n        [Bad Checksum: False]
\n    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
\n        No-Operation (NOP)
\n            Type: 1
\n                0… …. = Copy on fragmentation: No
\n                .00. …. = Class: Control (0)
\n                …0 0001 = Number: No-Operation (NOP) (1)
\n        No-Operation (NOP)
\n            Type: 1
\n                0… …. = Copy on fragmentation: No
\n                .00. …. = Class: Control (0)
\n                …0 0001 = Number: No-Operation (NOP) (1)
\n        Timestamps: TSval 21741007319, TSecr 255876
\n            Kind: Timestamp (8)
\n            Length: 10
\n            Timestamp value: 21741007319
\n            Timestamp echo reply: 255876
\n    [SEQ\/ACK analysis]
\n        [TCP Analysis Flags]
\n            [This frame ACKs a segment we have not seen]
\n                [Expert Info (Warn\/Sequence): ACKed segment that wasn’t captured (common at capture start)]
\n                    [Message: ACKed segment that wasn’t captured (common at capture start)]
\n                    [Severity level: Warn]
\n                    [Group: Sequence]<\/p>\n
2
\n$<\/p>\n
[\/bash]<\/p>\n
RELATED SOURCE CODE EXPOSURE<\/u>
\n[c light=”true”]
\n\/*
\n * Default one-shot callback; overridden for capture types where the
\n * packet data cannot be guaranteed to be available after the callback
\n * returns, so that a copy must be made.
\n *\/
\nvoid
\npcap_oneshot(u_char *user, const struct pcap_pkthdr *h, const u_char *pkt)
\n{
\n\tstruct oneshot_userdata *sp = (struct oneshot_userdata *)user;<\/p>\n
\t*sp->hdr = *h;
\n\t*sp->pkt = pkt;
\n}<\/p>\n
const u_char *
\npcap_next(pcap_t *p, struct pcap_pkthdr *h)
\n{
\n\tstruct oneshot_userdata s;
\n\tconst u_char *pkt;<\/p>\n
\ts.hdr = h;
\n\ts.pkt = &pkt;
\n\ts.pd = p;
\n\tif (pcap_dispatch(p, 1, p->oneshot_callback, (u_char *)&s) <= 0)
\n\t\treturn (0);
\n\treturn (pkt);
\n}<\/p>\n
int
\npcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
\n    const u_char **pkt_data)
\n{
\n\tstruct oneshot_userdata s;<\/p>\n
\ts.hdr = &p->pcap_header;
\n\ts.pkt = pkt_data;
\n\ts.pd = p;<\/p>\n
\t\/* Saves a pointer to the packet headers *\/
\n\t*pkt_header= &p->pcap_header;<\/p>\n
\tif (p->rfile != NULL) {
\n\t\tint status;<\/p>\n
\t\t\/* We are on an offline capture *\/
\n\t\tstatus = pcap_offline_read(p, 1, p->oneshot_callback,
\n\t\t    (u_char *)&s);<\/p>\n
\t\t\/*
\n\t\t * Return codes for pcap_offline_read() are:
\n\t\t *   –  0: EOF
\n\t\t *   – -1: error
\n\t\t *   – >1: OK
\n\t\t * The first one (‘0’) conflicts with the return code of
\n\t\t * 0 from pcap_read() meaning "no packets arrived before
\n\t\t * the timeout expired", so we map it to -2 so you can
\n\t\t * distinguish between an EOF from a savefile and a
\n\t\t * "no packets arrived before the timeout expired, try
\n\t\t * again" from a live capture.
\n\t\t *\/
\n\t\tif (status == 0)
\n\t\t\treturn (-2);
\n\t\telse
\n\t\t\treturn (status);
\n\t}<\/p>\n
\t\/*
\n\t * Return codes for pcap_read() are:
\n\t *   –  0: timeout
\n\t *   – -1: error
\n\t *   – -2: loop was broken out of with pcap_breakloop()
\n\t *   – >1: OK
\n\t * The first one (‘0’) conflicts with the return code of 0 from
\n\t * pcap_offline_read() meaning "end of file".
\n\t*\/
\n\treturn (p->read_op(p, 1, p->oneshot_callback, (u_char *)&s));
\n}
\n[\/c]
\nSOURCE CODE TAKEN FROM DEBIAN SOURCE PACKAGE libpcap<\/p>\n
SOURCE AND OTHER LINK(S)
\nhttps:\/\/docs.oracle.com\/cd\/E53394_01\/html\/E54741\/gncns.html<\/a>
\nhttps:\/\/hackertarget.com\/tshark-tutorial-and-filter-examples\/<\/a>
\nhttps:\/\/www.linuxjournal.com\/content\/using-tshark-watch-and-inspect-network-traffic<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
ABOUT tshark TShark is a command-line network traffic analyzer that enables you to capture packet data from a live network or read packets from a previously saved capture file by either printing a decoded form of those packets to the standard output or by writing the packets to a file. Without any options, TShark works … <\/p>\n
Continue reading “tshark – Dump and analyze network traffic”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[692,1166,1551,1694],"_links":{"self":[{"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/posts\/15544"}],"collection":[{"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/comments?post=15544"}],"version-history":[{"count":0,"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/posts\/15544\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/media?parent=15544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/categories?post=15544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.trueangle.org\/index.php\/wp-json\/wp\/v2\/tags?post=15544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}