Packets and Protocols Chapter Nine Other Programs Packaged with Wireshark
TShark, editcap, mergecap, text2pcap, capinfos, Dumpcap
• All are useful “niche” utilities packaged with Wireshark

TShark
• TShark is the command-line version of Wireshark
• Virtually all the functionality of the GUI version
Capture Start Options
• -i interface  Specifies the interface you want to use to capture data. The -D option can be used to find out the names of your network interfaces. You can use the number or the name as a parameter to the -i option. If you run TShark without the -i option, it will search the list of interfaces and choose the first non-loopback interface it finds. If it doesn’t find any non-loopback interfaces, it will use the first loopback interface. If this doesn’t exist, TShark will exit with an error.
• -f capture filter expression  Allows you to set the filter expression to use when capturing data. For example, tshark -f "tcp port 80" will only capture incoming and outgoing HTTP packets.
• -s snaplen  Allows you to set the default snapshot length to use when capturing data. The parameter snaplen specifies the length, in bytes, of each network packet that will be read or saved to disk. The default snaplen is 65535 bytes, which should be large enough to capture the entire frame contents for all data link types.
• -p  Tells TShark to not put the interface in promiscuous mode. This will cause TShark to only read traffic sent to and from the system on which TShark is running, broadcast traffic, and multicast traffic.
• -y type  Allows you to set the data link type to use while capturing packets. You can use the -L option to list the data link types that are supported by an interface.
• -D  Instructs TShark to print a list of available interfaces on the system. It will print the interface number, name, and description and then return to the command prompt. You can then supply the number or the name to the -i flag to specify an interface on which to capture data. Specifying this option causes TShark to open and attempt to capture on each interface it finds. It will only display the interfaces on which this was successful. Also, if you need to be logged in as root to run TShark but are not, this option will not display any available interfaces.
• -L  Lists the data link types that are supported by an interface and then exits. You can specify an interface to use, or TShark will choose the first one it finds as stated in the -i option information.
Capture Stop Options
• -c count  Sets the default number of packets to read when capturing data. For example, if you only want to capture 100 packets you would specify -c 100.
• -a test:value  Used when capturing to a file. It specifies to TShark when to stop writing to the file. The criterion is in the form test:value, where test is either duration or filesize. duration stops writing to a file when the specified number of seconds have elapsed, and filesize stops writing to a file after a size of value kilobytes has been reached.

Capture Output Option
• -b number of ring buffer files[:duration]  Used with the -a option, and causes TShark to continue capturing data to successive files. This is known as ring buffer mode and will keep saving files up to the number specified within the option. When the first file reaches the maximum size, as specified with the -a option, TShark will begin writing to the next file. When all files are full, it will continue to write new files as it removes the older ones. However, if the number of files is specified as 0, the number of files TShark writes to will be unlimited, and will only be restricted by the size of the hard disk. An optional duration parameter can also be specified so TShark will switch to the next file when the instructed number of seconds has elapsed. This will happen even if the current file is not yet full. The filenames created are based on the number of the file and the creation date and time. You can only save files in the libpcap format when this option is used.

Capture Input Option
• -r file  Reads and processes a saved capture file.
TShark output

C:\Program Files\Wireshark>tshark -V -x
Capturing on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F}
Frame 1 (114 bytes on wire, 114 bytes captured)
    Arrival Time: Nov 28, 2003 22:14:16.221349000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 114 bytes
    Capture Length: 114 bytes
IEEE 802.3 Ethernet
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:05:5d:ee:7e:53 (D-Link_ee:7e:53)
    Length: 100
Logical-Link Control
    DSAP: NetWare (0xe0)
    IG Bit: Individual
    SSAP: NetWare (0xe0)
    CR Bit: Command
    Control field: U, func = UI (0x03)
        000. 00.. = Unnumbered Information
        .... ..11 = Unnumbered frame
…cont
    Socket: Unknown (0x4000)
    Intermediate Networks: 1

0000  ff ff ff ff ff ff 00 05 5d ee 7e 53 00 64 e0 e0   ........].~S.d..
0010  03 ff ff 00 60 00 04 00 00 00 00 ff ff ff ff ff   ....`...........
0020  ff 04 52 00 00 00 00 00 05 5d ee 7e 53 40 08 00   ..R......].~S@..
0030  02 06 4e 54 41 52 47 45 54 31 21 21 21 21 21 21   ..NTARGET1!!!!!!
0040  21 21 41 35 35 36 39 42 32 30 41 42 45 35 31 31   !!A5569B20ABE511
0050  43 45 39 43 41 34 30 30 30 30 34 43 37 36 32 38   CE9CA400004C7628
0060  33 32 00 00 00 00 00 00 05 5d ee 7e 53 40 00 00   32.......].~S@..
0070  01 01
TShark will also summarize statistics

Protocol Hierarchy Statistics
Syntax: -z major name, minor name, option(s), filter

C:\Program Files\Wireshark>tshark -nqz io,phs
<ctrl-c>
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:560 bytes:115233
  eth                                    frames:560 bytes:115233
    ip                                   frames:558 bytes:115005
      udp                                frames:53 bytes:10383
        dns                              frames:21 bytes:3215
        data                             frames:8 bytes:496
        isakmp                           frames:24 bytes:6672
      tcp                                frames:505 bytes:104622
        http                             frames:107 bytes:81798
    llc                                  frames:2 bytes:228
      ipx                                frames:2 bytes:228
        ipxsap                           frames:2 bytes:228
===================================================================
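The hierarchy above is the kind of output a defender baselines: which protocols a segment carries, and how much traffic the dissectors could not classify further. The Python below is an added example, not from the slides, the book, or Wireshark's own code. It parses the `-z io,phs` text into a tree, using the two-spaces-per-level indentation tshark prints (an assumption about the layout; the slide itself lost the indentation), and reports, per protocol, the frames no child dissector claimed. The input is the slide's own figures re-typed with that indentation restored.

```python
import re

# Constructed input: the `tshark -nqz io,phs` output shown on the slide, re-typed
# with the two-space-per-level indentation tshark prints (the slide lost it).
PHS_OUTPUT = """\
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:560 bytes:115233
  eth                                    frames:560 bytes:115233
    ip                                   frames:558 bytes:115005
      udp                                frames:53 bytes:10383
        dns                              frames:21 bytes:3215
        data                             frames:8 bytes:496
        isakmp                           frames:24 bytes:6672
      tcp                                frames:505 bytes:104622
        http                             frames:107 bytes:81798
    llc                                  frames:2 bytes:228
      ipx                                frames:2 bytes:228
        ipxsap                           frames:2 bytes:228
===================================================================
"""

STAT_LINE = re.compile(r"^(?P<indent> *)(?P<proto>\S+)\s+frames:(?P<frames>\d+) bytes:(?P<bytes>\d+)\s*$")


def parse_phs(text, indent_width=2):
    """Parse protocol-hierarchy output into a tree of nested dicts.

    Every node is {"frames": int, "bytes": int, "children": {name: node}}; the
    returned root has only "children". Depth is taken from the leading spaces.
    """
    root = {"children": {}}
    stack = [root]  # stack[d + 1] is the most recent node seen at depth d
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if not m:
            continue  # banner, filter line, blank line
        depth = len(m.group("indent")) // indent_width
        if depth + 1 > len(stack):
            raise ValueError(f"indentation jumps more than one level: {line!r}")
        node = {"frames": int(m.group("frames")), "bytes": int(m.group("bytes")), "children": {}}
        del stack[depth + 1:]  # pop back to the parent at this depth
        stack[depth]["children"][m.group("proto")] = node
        stack.append(node)
    return root


def lookup(tree, path):
    """Fetch a node by slash-separated path such as 'frame/eth/ip/udp'."""
    node = tree
    for name in path.split("/"):
        node = node["children"][name]
    return node


def walk(node, path=()):
    """Yield (path tuple, node) for every protocol node, depth first."""
    for name, child in node["children"].items():
        yield path + (name,), child
        yield from walk(child, path + (name,))


def unclassified(tree):
    """Frames per protocol that no child dissector claimed.

    PHS counts a frame under every protocol it carries, so for a parent with
    a single child the difference is exactly the frames with no further decode
    (here: TCP segments that are not HTTP). A negative value means siblings
    overlap (e.g. tunnelled traffic) rather than a parse error.
    """
    result = {}
    for path, node in walk(tree):
        if node["children"]:
            claimed = sum(c["frames"] for c in node["children"].values())
            result["/".join(path)] = node["frames"] - claimed
    return result


def byte_share(tree, path):
    """Fraction of the parent's bytes carried by the protocol at `path`."""
    parent_path, _, _ = path.rpartition("/")
    node = lookup(tree, path)
    parent = lookup(tree, parent_path) if parent_path else None
    return node["bytes"] / parent["bytes"] if parent else 1.0


if __name__ == "__main__":
    tree = parse_phs(PHS_OUTPUT)
    for proto, left in sorted(unclassified(tree).items(), key=lambda kv: -kv[1]):
        if left:
            print(f"{proto}: {left} frames not claimed by a child dissector")
    print(f"http share of tcp bytes: {byte_share(tree, 'frame/eth/ip/tcp/http'):.1%}")
```

On the slide's data the only non-zero result is frame/eth/ip/tcp with 398 frames: TCP traffic that is not HTTP (handshakes, bare ACKs, or a protocol the dissector did not recognise), which is the number worth looking at when triaging a capture.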
Protocol Statistics by Interval
Syntax: -z io,stat,interval[,filter][,filter][,filter]

==========================================
IO Statistics
Interval: 300.000 secs
Column #0: frame
Column #1: ip.addr eq 10.18.129.130
                   |   Column #0      |   Column #1
Time               | frames | bytes   | frames | bytes
000.000-300.000          82     5874        0       0
300.000-600.000         248    18104        8     928
600.000-900.000        1171    86793        9    1044
900.000-1200.000       1247    93774       10    1160
1200.000-1500.000      1377   102314        6     696
1500.000-1800.000      2128   819636        4     464
1800.000-2100.000      1357   102840        8     928
2100.000-2400.000      1587   116295       10    1160
2400.000-2700.000      1565   179061        2     232
2700.000-3000.000      1450    98959        7     812
3000.000-3300.000      1436   101291        4     464
3300.000-3600.000      1826   218948        7     812
3600.000-3900.000       517    48140        0       0
==========================================
Conversation Statistics

$ tshark -r defcon.dump -nqz conv,ip,"ip.addr eq 216.250.64.68"
============================================================================
IPv4 Conversations
Filter:ip.addr eq 216.250.64.68
                                   |      <-       |      ->       |     Total
                                   |Frames   Bytes |Frames   Bytes |Frames   Bytes
216.250.64.68 <-> 192.168.2.215        85    8887      98   19007     183   27894
216.250.64.68 <-> 192.168.2.237        69    7076      42    8555     111   15631
216.250.64.68 <-> 192.168.2.23         60    6064       4     795      64    6859
216.250.64.68 <-> 192.168.2.212        51    4687       2     453      53    5140
216.250.64.68 <-> 192.168.0.173        35    3859      16    3099      51    6958
216.250.64.68 <-> 192.168.2.149        19    1791      26    4493      45    6284
216.250.64.68 <-> 192.168.2.102        18    2933      20    3852      38    6785
216.250.64.68 <-> 192.168.1.120        29    2657       9    1257      38    3914
216.250.64.68 <-> 192.168.2.72          9     864      22    5472      31    6336
216.250.64.68 <-> 192.168.0.153        20    1871       9    3658      29    5529
216.250.64.68 <-> 192.168.41.150       25    2348       3     348      28    2696
216.250.64.68 <-> 192.168.2.248        12    2370      15    3459      27    5829
216.250.64.68 <-> 192.168.2.192        14    1454      13    2460      27    3914
216.250.64.68 <-> 192.168.2.185        10    1087      17    5907      27    6994
216.250.64.68 <-> 192.168.2.103        16    1690      10    1759      26    3449
216.250.64.68 <-> 192.168.3.2          19    1735       6    1973      25    3708
216.250.64.68 <-> 192.168.2.7          13    1208      11    4155      24    5363
216.250.64.68 <-> 192.168.0.127        11    1123      12    2094      23    3217
216.250.64.68 <-> 192.168.2.121        18    1752       5    1150      23    2902
Packet Length Distribution

C:\>tshark -r dc11.dump -nqz plen,tree
====================================================
Packet Length          value       rate   percent
-------------------------------------------------------------------
Packet Length         664070   0.001293
 0-19                      0   0.000000     0.00%
 20-39                     0   0.000000     0.00%
 40-79                494456   0.000962    74.46%
 80-159               114463   0.000223    17.24%
 160-319               16117   0.000031     2.43%
 320-639               13583   0.000026     2.05%
 640-1279               3597   0.000007     0.54%
 1280-2559             21854   0.000043     3.29%
 2560-5119                 0   0.000000     0.00%
 5120-                     0   0.000000     0.00%
====================================================
Destinations Tree

C:\>tshark -r http.cap -nqz dests,tree
===========================================================
Destinations            value       rate   percent
-------------------------------------------------------------------
Destinations               43   0.001415
 145.254.160.237           20   0.000658    46.51%
  TCP                      19   0.000625    95.00%
   80                      19   0.000625   100.00%
  UDP                       1   0.000033     5.00%
   53                       1   0.000033   100.00%
 65.208.228.223            18   0.000592    41.86%
  TCP                      18   0.000592   100.00%
   3372                    18   0.000592   100.00%
 145.253.2.203              1   0.000033     2.33%
  UDP                       1   0.000033   100.00%
   3009                     1   0.000033   100.00%
 216.239.59.99              4   0.000132     9.30%
  TCP                       4   0.000132   100.00%
   3371                     4   0.000132   100.00%
===========================================================
Packet Summary Columns
• Example: The following example reads from the http.cap capture file and reports the standard summary output.

C:\>tshark -r http.cap -n
  1   0.000000 145.254.160.237 -> 65.208.228.223  3372 > 80 [SYN] Seq=0 Len=0 MSS=1460
  2   0.911310 65.208.228.223 -> 145.254.160.237  80 > 3372 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
  3   0.911310 145.254.160.237 -> 65.208.228.223  3372 > 80 [ACK] Seq=1 Ack=1 Win=9660 Len=0
SIP Statistics

C:\>tshark -r sip1.dump -nqz sip,stat
================================================
SIP Statistics
Number of SIP messages: 37
Number of resent SIP messages: 0
* SIP Status Codes in reply packets
    SIP 407 Proxy Authentication Required : 1 Packets
    SIP 200 OK : 10 Packets
    SIP 100 Trying : 4 Packets
    SIP 180 Ringing : 2 Packets
* List of SIP Request methods
    INVITE : 9 Packets
    BYE : 2 Packets
    ACK : 9 Packets
H.225 Counters

C:\>tshark -r rtp_example.raw.gz -nqz h225,counter
================== H225 Message and Reason Counter ==================
RAS-Messages:
Call Signalling:
    setup : 1
    callProceeding : 1
    connect : 1
    alerting : 1
======================================
H.225 Service Response Time
Syntax: -z h225,srt[,filter]
• Another H.225 statistics reporting mechanism, the H.225 Service Response Time (SRT) statistics option reports the RAS message type; minimum, maximum, and average SRT metrics; the number of open requests (that have not yet received a response); discarded requests; and duplicate messages. Each of these statistics can be useful for analyzing activity on VoIP networks to identify traffic patterns and metrics that could negatively influence VoIP service.

Media Gateway Control Protocol Round Trip Delay
Syntax: -z mgcp,rtd[,filter]
• The Media Gateway Control Protocol (MGCP) is used in VoIP networks as an intermediary between traditional telephone circuits and data packets. Using this statistics reporting option, you can identify the response time delay (RTD) between stations and the MGCP server, as well as duplicate requests and responses, requests to unresponsive servers, and responses that do not match any requests.
SMB Round Trip Data

$ tshark -r rtl-fileshare.dump -nqz smb,rtt
===========================================================
SMB RTT Statistics:
Filter:
Commands                   Calls   Min RTT   Max RTT   Avg RTT
Open                           1   0.00186   0.00186   0.00186
Close                          4   0.00023   0.00176   0.00066
Trans                          5   0.00190  13.69178   2.76430
Open AndX                      1   0.00450   0.00450   0.00450
Read AndX                    309   0.00025   0.01865   0.00412
Tree Disconnect                7   0.00117   0.14601   0.02324
Negotiate Protocol             8   0.00026   0.07451   0.02226
Session Setup AndX            16   0.00028   0.01928   0.00578
Logoff AndX                   12   0.00074   0.00872   0.00258
Tree Connect AndX              7   0.00081   0.00399   0.00190
NT Create AndX                 4   0.00029   0.00270   0.00132

Transaction2 Commands      Calls   Min RTT   Max RTT   Avg RTT
FIND_FIRST2                    1   0.19993   0.19993   0.19993
QUERY_FS_INFO                  2   0.00023   0.00248   0.00135
QUERY_FILE_INFO                2   0.00040   0.00551   0.00296

NT Transaction Commands    Calls   Min RTT   Max RTT   Avg RTT
===========================================================
SMB Security Identifier Name Snooping
• Syntax: -z smb,sids
• Another SMB analysis feature is the capability to use security identifier (SID) snooping techniques to identify potentially sensitive SIDs and their associated account names. This feature can be useful when performing a security audit of traffic captured from a Windows network, representing information that is valuable to an attacker for impersonating a legitimate user.
BOOTP Statistics
• Syntax: -z bootp,stat,[filter]

$ tshark -nqr rtl-fileshare.dump -z bootp,stat,
==============================================
BOOTP Statistics with filter
BOOTP Option 53: DHCP Messages Types:
DHCP Message Type      Packets nb
Inform                         74
ACK                           275
Release                        10
NAK                            82
Decline                        25
Request                      1255
Discover                     1811
Offer                         279
==============================================
HTTP Statistics
• Syntax: -z http,stat,[filter]

====================================================
HTTP Statistics
* HTTP Status Codes in reply packets
    HTTP 408 Request Time-out
    HTTP 301 Moved Permanently
    HTTP 302 Moved Temporarily
    HTTP 304 Not Modified
    HTTP 200 OK
    HTTP 206 Partial Content
    HTTP 100 Continue
    HTTP 403 Forbidden
    HTTP 404 Not Found
* List of HTTP Request methods
    SEARCH   336
    GET     1447
    POST       8
    HEAD       2
====================================================
HTTP Tree Statistics

C:\>tshark -r Kismet-Aug-01-2002-2.dump -nqz http,tree
======================================================
HTTP/Packet Counter                 value       rate   percent
-------------------------------------------------------------------
Total HTTP Packets                   8067   0.001504
 HTTP Request Packets                1793   0.000334    22.23%
  SEARCH                              336   0.000063    18.74%
  GET                                1447   0.000270    80.70%
  POST                                  8   0.000001     0.45%
  HEAD                                  2   0.000000     0.11%
 HTTP Response Packets               1296   0.000242    16.07%
  ???: broken                           0   0.000000     0.00%
  1xx: Informational                  121   0.000023     9.34%
   100 Continue                       121   0.000023   100.00%
  2xx: Success                        689   0.000128    53.16%
   200 OK                             685   0.000128    99.42%
   206 Partial Content                  4   0.000001     0.58%
  3xx: Redirection                    479   0.000089    36.96%
   304 Not Modified                   452   0.000084    94.36%
   302 Found                           24   0.000004     5.01%
   301 Moved Perm                       3   0.000001     0.63%
  4xx: Client Error                     7   0.000001     0.54%
   408 Request Time                     4   0.000001    57.14%
   404 Not Found                        1   0.000000    14.29%
   403 Forbidden                        2   0.000000    28.57%
  5xx: Server Error                     0   0.000000     0.00%
 Other HTTP Packets                  4978   0.000928    61.71%
======================================================
HTTP Request Statistics

C:\>tshark -r Kismet-Aug-01-2002-2.dump -nqz http_req,tree,"ip.addr eq 66.207.60.150"
================================================
HTTP/Requests                              value       rate   percent
-----------------------------------------------------------
HTTP Requests by HTTP Host                    35   0.000757
 www.megatokyo.com                            35   0.000757   100.00%
  /parts/mt2-head-top.gif                      3   0.000065     8.57%
  /parts/mt2-merchandise.gif                   2   0.000043     5.71%
  /parts/mt-shadow-right.gif                   8   0.000173    22.86%
  /parts/mt-glow-top.gif                       4   0.000087    11.43%
  /parts/mt-blk_bar-credits.gif               14   0.000303    40.00%
  /parts/pix-dark.gif                          1   0.000022     2.86%
  /parts/mt-bottom-prev.gif                    2   0.000043     5.71%
  /parts/mt-glow-bottom.gif                    1   0.000022     2.86%
===============================================
Editcap
• “editcap is a program used to remove or select packets from a file and to translate the format of captured files. It doesn’t capture live traffic; it only reads data from a saved capture file and then saves some or all of the packets to a new capture file.”
• Review pages 502-507 for options

Mergecap
• Used to combine multiple captures into one file
• Mergecap can also write the output capture file to standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, NAI Sniffer, Microsoft Network Monitor, Visual Network traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9 captures.
• -a  Ignores the timestamps in the input capture files and merges the capture files one after the other. When this option is omitted, the packets in the input files are merged in chronological order based on the packet timestamps.
• -F type  Used to set the format of the output capture file. For example, if you want to merge capture files and save them in the Sun snoop format so snoop can read the output file, you would use the -F snoop option.
• -h  Prints the help options of mergecap, and then exits.
• -s snaplen  Sets the snapshot length to use when writing the data to the output capture file. Packets larger than the snaplen will be truncated.
• -T type  Sets the packet encapsulation type of the output capture file. The default type is the same encapsulation type as the input files, if they are all the same.
• -v  Verbose: causes mergecap to print various messages to the screen while it is processing files.
• -w file  Writes the packets to the filename specified following the option. This option is required for mergecap to merge files.

Text2pcap
• Generates capture files by reading ASCII hexadecimal dump captures and writing the data to a libpcap output file. It is capable of reading a hexdump of single or multiple packets, and building capture files from it.
• See options on pages 513-515
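To make concrete what text2pcap does with a hex dump, and what the `tshark -V -x` dump on the TShark output slide actually contains, here is an added Python example (not from the slides, the book, or Wireshark's own code). It parses an offset-prefixed hex dump in the `-x` layout into raw bytes, decodes the Ethernet header and, because the frame's Type/Length field is a length, the LLC header as well, and writes the frame into a libpcap file image. The dump is the slide's frame 1 re-typed; the record timestamp assumes the slide's arrival time is UTC, which the slide does not state. Column handling is simpler than text2pcap's: hex tokens are read until the ASCII column starts, which suits tshark's output but not every dump format.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed input: the `tshark -V -x` hex dump of frame 1 on the TShark output
# slide, re-typed here so the example runs offline (offset, 16 hex bytes, ASCII).
HEXDUMP = """\
0000  ff ff ff ff ff ff 00 05 5d ee 7e 53 00 64 e0 e0   ........].~S.d..
0010  03 ff ff 00 60 00 04 00 00 00 00 ff ff ff ff ff   ....`...........
0020  ff 04 52 00 00 00 00 00 05 5d ee 7e 53 40 08 00   ..R......].~S@..
0030  02 06 4e 54 41 52 47 45 54 31 21 21 21 21 21 21   ..NTARGET1!!!!!!
0040  21 21 41 35 35 36 39 42 32 30 41 42 45 35 31 31   !!A5569B20ABE511
0050  43 45 39 43 41 34 30 30 30 30 34 43 37 36 32 38   CE9CA400004C7628
0060  33 32 00 00 00 00 00 00 05 5d ee 7e 53 40 00 00   32.......].~S@..
0070  01 01
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(text, width=16):
    """Turn an offset-prefixed hex dump (the `-x` layout) into raw bytes.

    Each line is '<offset> <up to `width` hex bytes> <ASCII column>'. Hex tokens
    are read until the first token that is not two hex digits (the ASCII
    column); at most `width` bytes are taken per line, so a full line's ASCII
    column can never leak in. Offsets are checked so a dropped or duplicated
    line is reported instead of silently producing a shifted packet.
    """
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        offset = int(parts[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} but {len(out)} bytes parsed so far")
        for tok in parts[1:1 + width]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_ethernet(frame):
    """Decode the 14-byte Ethernet header and, for IEEE 802.3 frames, the LLC header.

    A Type/Length value of 1500 or less is an 802.3 length (the slide's NetWare
    frame: Length: 100); larger values are an Ethernet II EtherType.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "broadcast": dst == b"\xff" * 6,
    }
    if type_or_len <= 1500:
        if len(frame) < 17:
            raise ValueError("truncated LLC header")
        info["length"] = type_or_len
        info["dsap"], info["ssap"], info["control"] = frame[14], frame[15], frame[16]
        info["llc_ui"] = info["control"] == 0x03  # U-format, func = UI
    else:
        info["ethertype"] = type_or_len
    return info


PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution libpcap
LINKTYPE_ETHERNET = 1


def build_pcap(records, snaplen=65535):
    """Build a libpcap file image (global header + one record per frame), the
    format text2pcap writes. `records` is a list of (datetime, bytes)."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in records:
        captured = frame[:snaplen]
        blob += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(captured), len(frame))
        blob += captured
    return blob


# Arrival time from the slide; the slide gives no timezone, so UTC is assumed.
ARRIVAL = datetime(2003, 11, 28, 22, 14, 16, 221349, tzinfo=timezone.utc)


def hexdump_to_pcap(text=HEXDUMP, ts=ARRIVAL):
    """The text2pcap round trip on a single frame: hex dump in, pcap bytes out."""
    return build_pcap([(ts, parse_hexdump(text))])


if __name__ == "__main__":
    frame = parse_hexdump(HEXDUMP)
    print(len(frame), "bytes", decode_ethernet(frame))
    with open("frame1.pcap", "wb") as fh:  # readable with `tshark -r frame1.pcap -V`
        fh.write(hexdump_to_pcap())
```

The offset check is the part worth keeping when you adapt this: hex dumps pasted from tickets or mail are routinely missing a line, and a pcap built from a shifted byte stream decodes as plausible garbage rather than failing.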
Capinfos
• Examines a stored capture file and reports statistics related to the number of packets, packet sizes, and timing information. Unlike other statistics reporting mechanisms in other Wireshark tools, capinfos does not report on the contents of traffic, instead giving a quick summary of the capture file contents.

• -h  Prints the help options of capinfos, and then exits.
• -t  Displays the capture file type as one of the supported Wireshark capture file formats, regardless of the filename extension.
• -c  Displays the number of packets in the capture file.
• -d  Displays the total length of all the packets in the file as a number of bytes.
• -u  Displays the capture file duration in seconds.
• -a  Displays the capture start time.
• -e  Displays the capture end time.
• -y  Displays the average data rate in bytes per second.
• -i  Displays the average data rate in bits per second.
• -z  Displays the average packet size in bytes.
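As an added example covering both the mergecap options above (the default chronological merge, -a, and -s) and the figures capinfos reports, the Python below works on in-memory record lists rather than real capture files. It is not from the slides, the book, or Wireshark's own code; the two input captures are constructed, and the choices of earliest/latest timestamp for start/end and of reporting 0.0 for an undefined rate are this example's, not a statement about how capinfos computes them.

```python
import heapq

# Constructed inputs: two captures as lists of (ts_sec, ts_usec, frame_bytes)
# records, each already in chronological order as mergecap expects. The
# payloads are filler, not real packets.
CAP_A = [(100, 0, b"A0" * 40), (102, 500000, b"A1" * 40), (105, 0, b"A2" * 40)]
CAP_B = [(101, 0, b"B0" * 30), (103, 0, b"B1" * 30), (104, 0, b"B2" * 30)]


def _stamp(rec):
    return (rec[0], rec[1])


def merge_captures(captures, concatenate=False, snaplen=None):
    """Merge record lists the way mergecap combines files.

    Default: chronological by packet timestamp, which (like mergecap) relies on
    each input already being time-ordered; an unordered input raises instead of
    producing a silently mis-ordered file. concatenate=True mirrors -a (ignore
    timestamps, append the inputs one after another). snaplen mirrors -s:
    frames longer than it are truncated on write.
    """
    for cap in captures:
        for prev, cur in zip(cap, cap[1:]):
            if _stamp(cur) < _stamp(prev):
                raise ValueError("input capture is not in chronological order")
    if concatenate:
        merged = [rec for cap in captures for rec in cap]
    else:
        merged = list(heapq.merge(*captures, key=_stamp))
    if snaplen is not None:
        merged = [(sec, usec, frame[:snaplen]) for sec, usec, frame in merged]
    return merged


def capinfos_summary(records):
    """The figures behind the capinfos flags listed above: -c packet count,
    -d total bytes, -a/-e start and end, -u duration, -y bytes/s, -i bits/s
    and -z average packet size. Start/end are the earliest and latest stamps;
    with a single packet the rate is undefined and reported as 0.0."""
    if not records:
        raise ValueError("capture contains no packets")
    total_bytes = sum(len(frame) for _, _, frame in records)
    stamps = [sec + usec / 1_000_000 for sec, usec, _ in records]
    duration = max(stamps) - min(stamps)
    bytes_per_sec = total_bytes / duration if duration > 0 else 0.0
    return {
        "packets": len(records),
        "total_bytes": total_bytes,
        "start": min(stamps),
        "end": max(stamps),
        "duration_s": duration,
        "bytes_per_sec": bytes_per_sec,
        "bits_per_sec": bytes_per_sec * 8,
        "avg_packet_size": total_bytes / len(records),
    }


if __name__ == "__main__":
    merged = merge_captures([CAP_A, CAP_B], snaplen=60)
    print([frame[:2] for _, _, frame in merged])
    for key, value in capinfos_summary(merged).items():
        print(f"{key:>16}: {value}")
```

Running it shows the two behaviours side by side: the default interleaves A0, B0, A1, B1, B2, A2 by timestamp, while concatenate=True yields all of A followed by all of B regardless of time, which is what you get from `mergecap -a` and is only what you want when the inputs' clocks cannot be trusted.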
Dumpcap
• Used to capture traffic from a live interface and save to a libpcap file. This utility includes a subset of the functions available in TShark, but does not include the vast library of protocol decoders. This gives dumpcap a significantly smaller footprint, which can be beneficial on low-memory systems capturing traffic with multiple processes.

• -a test:value  Instructs dumpcap to stop writing to a file when it meets the specified test condition and value. This option mirrors the functionality of -a in TShark.
• -b number of ring buffer files[:duration]  Used with the -a option, causes dumpcap to continue capturing data to successive files. This option mirrors the functionality of -b in TShark.
• -B buffer size  Available only on Windows systems, causes dumpcap to allocate a buffer for storing packet data during a capture before writing to the disk. This option mirrors the functionality of -B in TShark.
• -c count  Sets the default number of packets to read when capturing data. This option mirrors the functionality of -c in TShark.
• -D  Instructs dumpcap to print a list of available interfaces on the system, mirroring the functionality of -D in TShark.
• -f capture filter expression  Allows you to set the filter expression to use when capturing data, mirroring the functionality of -f in TShark.
• -h  Prints the version of dumpcap and the help options, and then exits.
• -i interface  Specifies the interface you want to use to capture data, mirroring the functionality of -i in TShark.
• -L  Lists the data link types that are supported by an interface and then exits, mirroring the functionality of -L in TShark.
• -p  Tells dumpcap to not put the interface in promiscuous mode, mirroring the functionality of -p in TShark.
• -s snaplen  Allows you to set the default snapshot length to use when capturing data, mirroring the functionality of -s in TShark.
• -v  Prints the dumpcap version information and exits.
• -w file  Writes the packets to the filename specified following the option, mirroring the functionality of -w in TShark.
• -y type  Allows you to set the data link type to use while capturing packets, mirroring the functionality of -y in TShark.

Summary
• Wireshark is more than the GUI; it is a suite of programs that provide command-line capturing, formatting, and manipulating capabilities.