wireshark

Describe wireshark here.

Merge pcap files

This works for 10's of files, but cant do hundreds.

%PROGRAMFILES%\Wireshark\mergecap.exe -w [output.pcap] [file1] [file2] ...

The following vbscript adds one file at at time together, the advantage being there is no limit.. great when you have 10k+


' pcap_merge - wrapper to merge a whole directory of pcap files.
' really hacky - no error checking, use with caution.


Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")


Function SelectFolder( myStartFolder )
' This function opens a "Select Folder" dialog and will
' return the fully qualified path of the selected folder
'
' Argument:
'     myStartFolder    [string]    the root folder where you can start browsing;
'                                  if an empty string is used, browsing starts
'                                  on the local computer
'
' Returns:
' A string containing the fully qualified path of the selected folder
'
' Written by Rob van der Woude
' http://www.robvanderwoude.com

    ' Standard housekeeping
    Dim objFolder, objItem, objShell

    ' Custom error handling
    On Error Resume Next
    SelectFolder = vbNull

    ' Create a dialog object
    Set objShell  = CreateObject( "Shell.Application" )
    Set objFolder = objShell.BrowseForFolder( 0, "Select Folder", 0, myStartFolder )

    ' Return the path of the selected folder
    If IsObject( objfolder ) Then SelectFolder = objFolder.Self.Path

    ' Standard housekeeping
    Set objFolder = Nothing
    Set objshell  = Nothing
    On Error Goto 0
End Function




Dim export_folder, export_file, import_file
dim strPath
strPath = Wscript.ScriptFullName
Set objFile = objFSO.GetFile(strPath)
export_folder = objFSO.GetParentFolderName(objFile)
export_file = export_folder & "\merged.pcap"
import_file = export_folder & "\pre_merged.pcap"


strPath = SelectFolder( "" )
If strPath = vbNull Then
    'WScript.Echo "Cancelled"
    WScript.quit
Else
    WScript.Echo "Selected Folder: """ & strPath & """"

    '####### FOLDER SELECTED .. WORK WITH FILES

    ' Work with the files in the source directory
if(objFSO.FolderExists(strPath)) Then
  Set objFolder = objFSO.GetFolder(strPath)
  Set colFiles = objFolder.Files

  ' ## GET A SORTED LIST OF FILES
  Set list = CreateObject("ADOR.Recordset")
  list.Fields.Append "name", 200, 255
  list.Fields.Append "date", 7
  list.Open

  For Each objFile1 in colFiles
    list.AddNew
    list("name").Value = objFile1.Path
    list("date").Value = objFile1.DateLastModified
    list.Update
  Next

  list.Sort = "date ASC"
  list.MoveFirst

  Dim last_file

  Do Until list.EOF
    '  WScript.Echo list("date").Value & vbTab & list("name").Value
    set objFile = objFSO.GetFile(list("name").Value)
  ' Wscript.echo "merging " & objFile.Name

  if (last_file = Empty) Then
                ' Wscript.Echo "Merging our first file, how cute"
      mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w " & export_file & " " & objFile.Path


  Else


        ' copy the old merged file to make it an input
                objFSO.CopyFile export_file ,  import_file
      mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w " & export_file & " " & import_file & " " & objFile.Path

   End If
        'Wscript.echo "command is -- " & mergecommand
          strErrorCode = WshShell.Run(mergecommand ,0,True)
        if( strErrorCode = 0) Then
                        'do nothing
                        if (last_file = Empty) Then
                                 ' nothing to be removed...
                        Else

                                objFSO.DeleteFile(import_file)
                        End If
        Else
              Wscript.echo mergecommand & "     ERROR: " & strErrorCode
        End If

    last_file = objFile.Name
    list.MoveNext
  Loop
      list.Close

End If


End If


Wscript.echo "Completed : export_file"

Filter pcap files outside of wireshark

tshark -r [input.pcap] -w [output.pcap] "ip.src == [ipaddress] || ip.dst == [ipaddress]"

aka

tshark -r [input.pcap] -w [output.pcap] "filter"

Windows localhost listen

use rawcap. http://www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released

TCP DUMP

use the following to get a non-truncated file out of tcpdump that you can use in wireshark

tcpdump -i <interface> -s 65535 -w <some-file>

Snoop

/usr/sbin/snoop -d bge2 -o /tmp/meta_capture_staging2ing2.cap host metaeft

Replay a capture

Need to change the destination IP and MAC Address of the capture

tcpreplay -i eth0 10.111.64.135_warmStart.pcap

sending out eth0
processing file: 10.111.64.135_warmStart.pcap
Actual: 1 packets (122 bytes) sent in 0.02 seconds
Rated: 6100.0 bps, 0.05 Mbps, 50.00 pps
Statistics for network device: eth0
   Attempted packets:         1
   Successful packets:        1
   Failed packets:            0
   Retried packets (ENOBUFS): 0
   Retried packets (EAGAIN):  0

tcpdump -i eth0 -n -e "udp port 162"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:18:59.543555 00:23:5a:3f:f5:66 > 00:03:ba:04:0b:65, ethertype IPv4 (0x0800), length 122: 172.20.221.112.58528 > 10.111.64.135.162:  C=netcooltrapuser V2Trap(56)  .1.3.6.1.2.1.1.3.0=8027664 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.2
snmptranslate -Ln -M ./JuniperMibs/:./StandardMibs/ -Td .1.3.6.1.4.1.2636.4.5.0.1
JUNIPER-CFGMGMT-MIB::jnxCmCfgChange
jnxCmCfgChange NOTIFICATION-TYPE
  -- FROM JUNIPER-CFGMGMT-MIB
  OBJECTS { jnxCmCfgChgEventTime, jnxCmCfgChgEventDate, jnxCmCfgChgEventSource, jnxCmCfgChgEventUser, jnxCmCfgChgEventLog }
  DESCRIPTION    "Notification of a configuration management event as
          recorded in jnxCmCfgChgEventTable."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) juniperMIB(2636) jnxTraps(4) jnxCmNotifications(5) jnxCmNotificationsPrefix(0) 1 }

You can change the period between packets with switchs '0p 1 -L 3'

SNMP

Remember to enable 'Enable OID resolution' in Edit --> Preferences --> Name Resolution

Place MIB files in C:\Program Files\Wireshark\snmp\mibs

MIB / OID lookup websites:

http://www.oidview.com/mibs/detail.html http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en

-- following is unconfirmed --

Usefull snmp OIDs for CPU, Memory, Disk usage.

CPU Statistics

Load 1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1 5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2 15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

CPU percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0 raw user cpu time: .1.3.6.1.4.1.2021.11.50.0 percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0 raw system cpu time: .1.3.6.1.4.1.2021.11.52.0 percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0 raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0 raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory Statistics

Total Swap Size: .1.3.6.1.4.1.2021.4.3.0 Available Swap Space: .1.3.6.1.4.1.2021.4.4.0 Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0 Total RAM used: .1.3.6.1.4.1.2021.4.6.0 Total RAM Free: .1.3.6.1.4.1.2021.4.11.0 Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0 Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0 Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

Disk Statistics

The snmpd.conf needs to be edited. Add the following (assuming a machine with a single ‘/’ partition):

disk / 100000 (or)

includeAllDisks 10% for all partitions and disks

The OIDs are as follows

Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1 Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1 Total size of the disk/partion (kBytes): .1.3.6.1.4.1.2021.9.1.6.1 Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1 Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1 Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1 Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

Toolbox
Favorite Categories