Difference between revisions of "Wireshark"
Older revision (edit summary): Created page with "Describe wireshark here. ===Dissectors=== * jmirror Juniper Jmirror ===Merge pcap files=== This works for 10's of files, but cant do hundreds. <pre> %PROGRAMFILES%..."
Newer revision: m (minor edit)
Line 3: | Line 3: | ||
===Dissectors=== | ===Dissectors=== | ||
− | * [[jmirror Juniper Jmirror]] | + | * [[jmirror|Juniper Jmirror]] |
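Review bot: the replacement `[[jmirror|Juniper Jmirror]]` is the right fix; in MediaWiki the pipe separates the link target (jmirror) from the displayed text, so the earlier `[[jmirror Juniper Jmirror]]` pointed at a non-existent page titled "jmirror Juniper Jmirror".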
Revision as of 07:40, 12 August 2019
Describe wireshark here.
Dissectors
- Juniper Jmirror
Merge pcap files
This works for tens of files, but cannot handle hundreds.
%PROGRAMFILES%\Wireshark\mergecap.exe -w [output.pcap] [file1] [file2] ...
The following VBScript merges the files one at a time, so there is no limit on the number of files; handy when you have 10k+ of them.
' pcap_merge - wrapper to merge a whole directory of pcap files, one at a time,
' by repeatedly calling mergecap on the running result plus the next file.
' Really hacky - minimal error checking, use with caution.
Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

Function SelectFolder( myStartFolder )
    ' This function opens a "Select Folder" dialog and will
    ' return the fully qualified path of the selected folder
    '
    ' Argument:
    '     myStartFolder [string] the root folder where you can start browsing;
    '                            if an empty string is used, browsing starts
    '                            on the local computer
    '
    ' Returns:
    '     A string containing the fully qualified path of the selected folder
    '
    ' Written by Rob van der Woude
    ' http://www.robvanderwoude.com

    ' Standard housekeeping
    Dim objFolder, objItem, objShell

    ' Custom error handling
    On Error Resume Next
    SelectFolder = vbNull

    ' Create a dialog object
    Set objShell  = CreateObject( "Shell.Application" )
    Set objFolder = objShell.BrowseForFolder( 0, "Select Folder", 0, myStartFolder )

    ' Return the path of the selected folder
    If IsObject( objFolder ) Then SelectFolder = objFolder.Self.Path

    ' Standard housekeeping
    Set objFolder = Nothing
    Set objShell  = Nothing
    On Error Goto 0
End Function

Dim export_folder, export_file, import_file
Dim strPath
' merged.pcap is written next to this script; pre_merged.pcap holds the previous result
strPath = WScript.ScriptFullName
Set objFile = objFSO.GetFile(strPath)
export_folder = objFSO.GetParentFolderName(objFile)
export_file = export_folder & "\merged.pcap"
import_file = export_folder & "\pre_merged.pcap"

strPath = SelectFolder( "" )
If strPath = vbNull Then
    'WScript.Echo "Cancelled"
    WScript.Quit
Else
    WScript.Echo "Selected Folder: """ & strPath & """"

    '####### FOLDER SELECTED .. WORK WITH FILES
    ' Work with the files in the source directory
    If objFSO.FolderExists(strPath) Then
        Set objFolder = objFSO.GetFolder(strPath)
        Set colFiles = objFolder.Files

        ' ## GET A SORTED LIST OF FILES (oldest first, so the merge stays chronological)
        Set list = CreateObject("ADOR.Recordset")
        list.Fields.Append "name", 200, 255     ' adVarChar, up to 255 characters
        list.Fields.Append "date", 7            ' adDate
        list.Open
        For Each objFile1 In colFiles
            list.AddNew
            list("name").Value = objFile1.Path
            list("date").Value = objFile1.DateLastModified
            list.Update
        Next
        list.Sort = "date ASC"
        list.MoveFirst

        Dim last_file
        Do Until list.EOF
            ' WScript.Echo list("date").Value & vbTab & list("name").Value
            Set objFile = objFSO.GetFile(list("name").Value)
            ' WScript.Echo "merging " & objFile.Name
            If (last_file = Empty) Then
                ' First file: nothing to merge with yet, just write it out as merged.pcap
                ' (paths are quoted so directories with spaces work)
                mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & objFile.Path & """"
            Else
                ' Copy the previous result to make it an input, then merge it with the next file
                objFSO.CopyFile export_file, import_file
                mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & import_file & """ """ & objFile.Path & """"
            End If
            'WScript.Echo "command is -- " & mergecommand
            strErrorCode = WshShell.Run(mergecommand, 0, True)
            If (strErrorCode = 0) Then
                If (last_file = Empty) Then
                    ' nothing to be removed...
                Else
                    objFSO.DeleteFile(import_file)
                End If
            Else
                WScript.Echo mergecommand & " ERROR: " & strErrorCode
            End If
            last_file = objFile.Name
            list.MoveNext
        Loop
        list.Close
    End If
End If
WScript.Echo "Completed : " & export_file
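As an added example (not code from this wiki page or from the Wireshark project), a pure-Python alternative to the mergecap loop above: it reads the classic little-endian pcap format directly, merges any number of files in timestamp order, and stages the merge through temporary files so the OS open-file limit is never hit. The inputs are constructed inside demo(); the code assumes classic pcap (not pcapng) with microsecond timestamps and a single link type across all inputs.

```python
import heapq, os, struct, tempfile

PCAP_MAGIC = 0xA1B2C3D4           # little-endian pcap with microsecond timestamps
GHDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RHDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def link_type(path):  # DLT from the 24-byte global header; other pcap variants are rejected
    with open(path, "rb") as f:
        hdr = GHDR.unpack(f.read(GHDR.size))
    if hdr[0] != PCAP_MAGIC:
        raise ValueError(f"{path}: not a little-endian microsecond pcap")
    return hdr[6]

def read_records(path):  # yields (ts_sec, ts_usec, orig_len, data); a truncated tail record is dropped
    with open(path, "rb") as f:
        f.seek(GHDR.size)
        while len(rec := f.read(RHDR.size)) == RHDR.size:
            ts_sec, ts_usec, incl_len, orig_len = RHDR.unpack(rec)
            data = f.read(incl_len)
            if len(data) == incl_len:
                yield ts_sec, ts_usec, orig_len, data

def write_pcap(path, records, linktype=1, snaplen=65535):  # writes a fresh pcap from records
    with open(path, "wb") as out:
        out.write(GHDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, orig_len, data in records:
            out.write(RHDR.pack(ts_sec, ts_usec, len(data), orig_len) + data)

def merge_pcaps(paths, out_path, batch=200):  # chronological k-way merge of a list of pcap paths
    if len({link_type(p) for p in paths}) != 1:
        raise ValueError("all inputs must share one link type")
    if len(paths) > batch:  # more files than we want open at once: merge in stages via temp files
        tmps = []
        for i in range(0, len(paths), batch):
            fd, tmp = tempfile.mkstemp(suffix=".pcap"); os.close(fd)
            merge_pcaps(paths[i:i + batch], tmp, batch); tmps.append(tmp)
        merge_pcaps(tmps, out_path, batch)
        for t in tmps: os.remove(t)
        return
    streams = [read_records(p) for p in paths]  # heapq.merge reads each file lazily, in step
    write_pcap(out_path, heapq.merge(*streams, key=lambda r: r[:2]), link_type(paths[0]))

def demo(n_files=5, batch=2):  # constructed sample: one packet per file, timestamps in reverse order
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, f"in{i}.pcap") for i in range(n_files)]
    for i, p in enumerate(paths):
        write_pcap(p, [(1000 + n_files - 1 - i, 0, 60, b"\x00" * 60)])
    out = os.path.join(d, "merged.pcap")
    merge_pcaps(paths, out, batch)
    return [r[0] for r in read_records(out)]
```

demo(5, 2) forces the staged path (5 files with a batch of 2) and returns the merged timestamps in ascending order; a real run would pass sorted(glob.glob("*.pcap")) with the default batch.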
Filter pcap files outside of Wireshark
tshark -r [input.pcap] -w [output.pcap] "ip.src == [ipaddress] || ip.dst == [ipaddress]"
In general: tshark -r [input.pcap] -w [output.pcap] "filter"
Windows localhost listen
Use RawCap: www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released
TCP DUMP
Use the following to get a non-truncated capture file out of tcpdump that you can open in Wireshark:
tcpdump -i <interface> -s 65535 -w <some-file>
Snoop
/usr/sbin/snoop -d bge2 -o /tmp/meta''capture''staging2ing2.cap host metaeft
Replay a capture
The destination IP and MAC address in the capture need to be changed to match the replay target.
tcpreplay -i eth0 10.111.64.135_warmStart.pcap
sending out eth0
processing file: 10.111.64.135_warmStart.pcap
Actual: 1 packets (122 bytes) sent in 0.02 seconds
Rated: 6100.0 bps, 0.05 Mbps, 50.00 pps
Statistics for network device: eth0
    Attempted packets:         1
    Successful packets:        1
    Failed packets:            0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN):  0
Verify on the receiving side that the replayed trap arrives:
tcpdump -i eth0 -n -e "udp port 162"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:18:59.543555 00:23:5a:3f:f5:66 > 00:03:ba:04:0b:65, ethertype IPv4 (0x0800), length 122: 172.20.221.112.58528 > 10.111.64.135.162: C=netcooltrapuser V2Trap(56) .1.3.6.1.2.1.1.3.0=8027664 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.2
snmptranslate resolves a trap OID against the MIB directories:
snmptranslate -Ln -M ./Juniper Mibs/:./Standard Mibs/ -Td .1.3.6.1.4.1.2636.4.5.0.1
JUNIPER-CFGMGMT-MIB::jnxCmCfgChange
jnxCmCfgChange NOTIFICATION-TYPE
  -- FROM       JUNIPER-CFGMGMT-MIB
  OBJECTS       { jnxCmCfgChgEventTime, jnxCmCfgChgEventDate, jnxCmCfgChgEventSource, jnxCmCfgChgEventUser, jnxCmCfgChgEventLog }
  DESCRIPTION   "Notification of a configuration management event as
                recorded in jnxCmCfgChgEventTable."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) juniperMIB(2636) jnxTraps(4) jnxCmNotifications(5) jnxCmNotificationsPrefix(0) 1 }
You can change the rate between packets with the tcpreplay switches '-p 1 -L 3' (-p sets packets per second, -L limits the number of packets sent).
SNMP
Remember to turn on 'Enable OID resolution' under Edit --> Preferences --> Name Resolution.
Place MIB files in C:\Program Files\Wireshark\snmp\mibs
MIB / OID lookup websites:
- www.oidview.com/mibs/detail.html
- tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
-- following is unconfirmed --
Useful SNMP OIDs for CPU, memory and disk usage.
CPU Statistics
Load:
- 1 minute load: .1.3.6.1.4.1.2021.10.1.3.1
- 5 minute load: .1.3.6.1.4.1.2021.10.1.3.2
- 15 minute load: .1.3.6.1.4.1.2021.10.1.3.3
CPU:
- percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
- raw user CPU time: .1.3.6.1.4.1.2021.11.50.0
- percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0
- raw system CPU time: .1.3.6.1.4.1.2021.11.52.0
- percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
- raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0
- raw nice CPU time: .1.3.6.1.4.1.2021.11.51.0
Memory Statistics
- Total swap size: .1.3.6.1.4.1.2021.4.3.0
- Available swap space: .1.3.6.1.4.1.2021.4.4.0
- Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
- Total RAM used: .1.3.6.1.4.1.2021.4.6.0
- Total RAM free: .1.3.6.1.4.1.2021.4.11.0
- Total RAM shared: .1.3.6.1.4.1.2021.4.13.0
- Total RAM buffered: .1.3.6.1.4.1.2021.4.14.0
- Total cached memory: .1.3.6.1.4.1.2021.4.15.0
Disk Statistics
The snmpd.conf needs to be edited. Add the following (assuming a machine with a single '/' partition):
disk / 100000
or, to cover all partitions and disks:
includeAllDisks 10%
The OIDs are as follows:
- Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
- Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
- Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
- Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
- Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
- Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
- Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1
System Uptime: .1.3.6.1.2.1.1.3.0