Difference between revisions of "Wireshark"
Changes in this revision compared with the previous one: new sections "Native capture on windows" (the netsh trace start/stop commands and the etl2pcapng / etl2pcap conversion links) and "pcap diff" (the qtwirediff link) were added at the top; the existing "Dissectors" heading was moved under a new "Wireshark" heading; and a "Merge pcap files" heading was added above the mergecap note.
Revision as of 00:10, 3 July 2020
Describe wireshark here.
Native capture on windows
netsh trace start capture=yes report=no traceFile=C:\temp\mytrace.etl
netsh trace stop
Convert to pcap using https://github.com/microsoft/etl2pcapng or this python script https://github.com/aaptel/etl2pcap
pcap diff
https://github.com/aaptel/qtwirediff
Wireshark
Dissectors
- Juniper Jmirror
- LUA Guide https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html
Merge pcap files
This works for tens of files, but it can't handle hundreds (the command line gets too long).
%PROGRAMFILES%\Wireshark\mergecap.exe -w [output.pcap] [file1] [file2] ...
The following VBScript merges one file at a time into a running output file, so there is no limit on the number of inputs; this is useful when you have 10k+ files.
' pcap_merge - wrapper to merge a whole directory of pcap files.
' really hacky - no error checking, use with caution.
Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

Function SelectFolder( myStartFolder )
' This function opens a "Select Folder" dialog and will
' return the fully qualified path of the selected folder
'
' Argument:
'     myStartFolder [string] the root folder where you can start browsing;
'                            if an empty string is used, browsing starts
'                            on the local computer
'
' Returns:
'     A string containing the fully qualified path of the selected folder
'
' Written by Rob van der Woude
' http://www.robvanderwoude.com

    ' Standard housekeeping
    Dim objFolder, objItem, objShell
    ' Custom error handling
    On Error Resume Next
    SelectFolder = vbNull
    ' Create a dialog object
    Set objShell = CreateObject( "Shell.Application" )
    Set objFolder = objShell.BrowseForFolder( 0, "Select Folder", 0, myStartFolder )
    ' Return the path of the selected folder
    If IsObject( objFolder ) Then SelectFolder = objFolder.Self.Path
    ' Standard housekeeping
    Set objFolder = Nothing
    Set objShell = Nothing
    On Error Goto 0
End Function

Dim export_folder, export_file, import_file
Dim strPath
' The merged output lives next to this script; the previous merge result is
' copied to pre_merged.pcap and fed back in as the first input of each step.
strPath = WScript.ScriptFullName
Set objFile = objFSO.GetFile(strPath)
export_folder = objFSO.GetParentFolderName(objFile)
export_file = export_folder & "\merged.pcap"
import_file = export_folder & "\pre_merged.pcap"

strPath = SelectFolder( "" )
If strPath = vbNull Then
    'WScript.Echo "Cancelled"
    WScript.Quit
Else
    WScript.Echo "Selected Folder: """ & strPath & """"
    '####### FOLDER SELECTED .. WORK WITH FILES
    ' Work with the files in the source directory
    If (objFSO.FolderExists(strPath)) Then
        Set objFolder = objFSO.GetFolder(strPath)
        Set colFiles = objFolder.Files
        ' ## GET A SORTED LIST OF FILES (oldest first, by last-modified time)
        Set list = CreateObject("ADOR.Recordset")
        list.Fields.Append "name", 200, 255
        list.Fields.Append "date", 7
        list.Open
        For Each objFile1 In colFiles
            list.AddNew
            list("name").Value = objFile1.Path
            list("date").Value = objFile1.DateLastModified
            list.Update
        Next
        list.Sort = "date ASC"
        list.MoveFirst
        Dim last_file
        Do Until list.EOF
            ' WScript.Echo list("date").Value & vbTab & list("name").Value
            Set objFile = objFSO.GetFile(list("name").Value)
            ' WScript.Echo "merging " & objFile.Name
            If (last_file = Empty) Then
                ' First file: nothing to merge with yet, just convert it into the output.
                ' Paths are quoted so that folders containing spaces work.
                mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & objFile.Path & """"
            Else
                ' copy the old merged file to make it an input
                objFSO.CopyFile export_file, import_file
                mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & import_file & """ """ & objFile.Path & """"
            End If
            'WScript.Echo "command is -- " & mergecommand
            strErrorCode = WshShell.Run(mergecommand, 0, True)
            If (strErrorCode = 0) Then
                If (last_file = Empty) Then
                    ' nothing to be removed...
                Else
                    objFSO.DeleteFile(import_file)
                End If
            Else
                WScript.Echo mergecommand & " ERROR: " & strErrorCode
            End If
            last_file = objFile.Name
            list.MoveNext
        Loop
        list.Close
    End If
End If
WScript.Echo "Completed : " & export_file
Filter pcap files outside of wireshark
tshark -r [input.pcap] -w [output.pcap] "ip.src == [ipaddress] || ip.dst == [ipaddress]"
i.e. in general:
tshark -r [input.pcap] -w [output.pcap] "filter"
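The two sections above (merging a directory of pcaps, and filtering a pcap by IP address without opening Wireshark) both come down to reading and writing the classic pcap record format. The following is an added example, not code from the wiki page or from the Wireshark project: a pure-Python stand-in for "mergecap -w out in1 in2 ..." and for the tshark "ip.src == X || ip.dst == X" read filter, useful when the command line would be too long or the tools are not installed. All function and constant names are this example's own, and the two sample captures are constructed inline. It handles both pcap byte orders, microsecond and nanosecond timestamp magics, and refuses to merge files with different link types (mergecap would also complain in that case).

```python
# Added example, not from the wiki page: pure-Python pcap merge and IP filter.
import heapq
import struct
from typing import List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1

Record = Tuple[int, bytes]     # (timestamp in nanoseconds, captured bytes)


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file held in memory (either byte order, usec or nsec)."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic, endian = struct.unpack("<I", data[:4])[0], "<"
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        magic, endian = struct.unpack(">I", data[:4])[0], ">"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
    frac_to_ns = 1 if magic == PCAP_MAGIC_NSEC else 1000
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at end of file")  # cut-off capture
        records.append((sec * 1_000_000_000 + frac * frac_to_ns, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(linktype: int, records: List[Record]) -> bytes:
    """Serialise records as a little-endian, microsecond-resolution classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts_ns, pkt in records:
        out.append(struct.pack("<IIII", ts_ns // 1_000_000_000,
                               (ts_ns % 1_000_000_000) // 1000, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def merge_pcaps(files: List[bytes]) -> bytes:
    """Merge any number of pcaps in timestamp order (mergecap's default behaviour)."""
    parsed = [read_pcap(f) for f in files]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}; cannot merge")
    streams = [sorted(recs, key=lambda r: r[0]) for _, recs in parsed]
    merged = list(heapq.merge(*streams, key=lambda r: r[0]))
    return write_pcap(linktypes.pop(), merged)


def ipv4_addresses(pkt: bytes) -> Tuple[str, str]:
    """Return (src, dst) of an Ethernet/IPv4 frame, or ("", "") for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4:
        return "", ""
    return (".".join(str(b) for b in pkt[26:30]),
            ".".join(str(b) for b in pkt[30:34]))


def filter_by_ip(pcap: bytes, ip: str) -> bytes:
    """Equivalent of tshark's "ip.src == ip || ip.dst == ip" read filter."""
    linktype, records = read_pcap(pcap)
    return write_pcap(linktype, [r for r in records if ip in ipv4_addresses(r[1])])


def make_frame(src: str, dst: str) -> bytes:
    """Constructed Ethernet + minimal IPv4 header (no payload) for the demo."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = (bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0])
          + bytes(int(o) for o in src.split("."))
          + bytes(int(o) for o in dst.split(".")))
    return eth + ip


# Constructed sample captures whose timestamps interleave (1 s, 3 s) and (2 s).
CAP_A = write_pcap(LINKTYPE_ETHERNET, [(1_000_000_000, make_frame("10.0.0.1", "10.0.0.2")),
                                       (3_000_000_000, make_frame("10.0.0.3", "10.0.0.4"))])
CAP_B = write_pcap(LINKTYPE_ETHERNET, [(2_000_000_000, make_frame("10.0.0.2", "10.0.0.1"))])

if __name__ == "__main__":
    merged = merge_pcaps([CAP_A, CAP_B])
    _, recs = read_pcap(merged)
    print([ipv4_addresses(p) for _, p in recs])
    _, kept = read_pcap(filter_by_ip(merged, "10.0.0.1"))
    print(len(kept), "packets involve 10.0.0.1")
```

For real files, read them with open(path, "rb").read() and pass the bytes in; the merge keeps everything in memory, so for the 10k+ file case the batch-of-one approach in the VBScript above still scales better.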
Windows localhost (loopback) capture
Use RawCap: www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released
TCP DUMP
Use the following to get a capture file with full-length (non-truncated) packets out of tcpdump that you can open in Wireshark:
tcpdump -i <interface> -s 65535 -w <some-file>
Snoop
/usr/sbin/snoop -d bge2 -o /tmp/meta''capture''staging2ing2.cap host metaeft
Replay a capture
You need to change the destination IP and MAC address in the capture before replaying it, so the packets actually reach the intended host.
tcpreplay -i eth0 10.111.64.135_warmStart.pcap
sending out eth0
processing file: 10.111.64.135_warmStart.pcap
Actual: 1 packets (122 bytes) sent in 0.02 seconds
Rated: 6100.0 bps, 0.05 Mbps, 50.00 pps
Statistics for network device: eth0
    Attempted packets: 1
    Successful packets: 1
    Failed packets: 0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN): 0
tcpdump -i eth0 -n -e "udp port 162"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:18:59.543555 00:23:5a:3f:f5:66 > 00:03:ba:04:0b:65, ethertype IPv4 (0x0800), length 122: 172.20.221.112.58528 > 10.111.64.135.162: C=netcooltrapuser V2Trap(56) .1.3.6.1.2.1.1.3.0=8027664 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.2
snmptranslate -Ln -M ./[[Juniper Mibs]]/:./[[Standard Mibs]]/ -Td .1.3.6.1.4.1.2636.4.5.0.1
JUNIPER-CFGMGMT-MIB::jnxCmCfgChange
jnxCmCfgChange NOTIFICATION-TYPE
    -- FROM JUNIPER-CFGMGMT-MIB
    OBJECTS { jnxCmCfgChgEventTime, jnxCmCfgChgEventDate, jnxCmCfgChgEventSource, jnxCmCfgChgEventUser, jnxCmCfgChgEventLog }
    DESCRIPTION "Notification of a configuration management event as
        recorded in jnxCmCfgChgEventTable."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) juniperMIB(2636) jnxTraps(4) jnxCmNotifications(5) jnxCmNotificationsPrefix(0) 1 }
You can change the spacing between replayed packets with the tcpreplay switches '-p 1 -L 3' (packets per second, and a limit on the number of packets sent).
SNMP
Remember to enable 'Enable OID resolution' in Edit --> Preferences --> Name Resolution
Place MIB files in C:\Program Files\Wireshark\snmp\mibs
MIB / OID lookup websites:
- www.oidview.com/mibs/detail.html
- tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
-- following is unconfirmed --
Useful SNMP OIDs for CPU, memory and disk usage (UCD-SNMP-MIB, enterprise 2021):
CPU Statistics
Load
    1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
    5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
    15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3
CPU
    percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
    raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
    percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0
    raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
    percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
    raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
    raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0
Memory Statistics
    Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
    Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
    Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
    Total RAM used: .1.3.6.1.4.1.2021.4.6.0
    Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
    Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
    Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
    Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0
Disk Statistics
- snmpd.conf needs to be edited. Add one of the following lines (the first assumes a machine with a single '/' partition):
    disk / 100000
  or, for all partitions and disks:
    includeAllDisks 10%
The OIDs are as follows
    Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
    Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
    Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
    Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
    Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
    Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
    Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1
System Uptime: .1.3.6.1.2.1.1.3.0
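The OIDs listed above, and the jnxCmCfgChange trap OID that snmptranslate resolved earlier, are what Wireshark decodes from the BER-encoded OBJECT IDENTIFIER bytes in each SNMP varbind before OID resolution turns them into names. The following is an added example, not from the wiki page or from Net-SNMP/Wireshark, showing that encoding in both directions: the first two arcs are folded into one value (40*X + Y, so .1.3 becomes 0x2B), every further arc is written in base 128 with a continuation bit, so the enterprise numbers 2021 and 2636 each take two bytes. The function names are this example's own.

```python
# Added example, not from the wiki page: X.690 BER OBJECT IDENTIFIER codec.
from typing import List


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID (leading dot optional) into BER content octets."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    # First two arcs share one value: 40*X + Y (1.3 -> 43 = 0x2B).
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        # Base-128 groups, most significant first; 0x80 set on all but the last.
        groups = [v & 0x7F]
        v >>= 7
        while v:
            groups.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def oid_tlv(oid: str) -> bytes:
    """Full tag-length-value as it appears in a varbind (tag 0x06, short-form length)."""
    content = encode_oid(oid)
    if len(content) > 127:
        raise ValueError("long-form length not implemented in this example")
    return b"\x06" + bytes([len(content)]) + content


def decode_oid(data: bytes) -> str:
    """Decode BER content octets back into dotted form with a leading dot."""
    arcs: List[int] = []
    value = 0
    for i, b in enumerate(data):
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            if i == len(data) - 1:
                # Edge case: a truncated encoding ends on a continuation octet.
                raise ValueError("truncated OID: last octet has continuation bit set")
            continue
        if not arcs:
            first = min(value // 40, 2)     # arcs under 2 may exceed 2*40+39
            arcs.extend([first, value - first * 40])
        else:
            arcs.append(value)
        value = 0
    return "." + ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    for name, oid in [("sysUpTime.0", ".1.3.6.1.2.1.1.3.0"),
                      ("laLoad.1", ".1.3.6.1.4.1.2021.10.1.3.1"),
                      ("jnxCmCfgChange", ".1.3.6.1.4.1.2636.4.5.0.1")]:
        tlv = oid_tlv(oid)
        print(f"{name:15} {oid:30} {tlv.hex()}  ->  {decode_oid(tlv[2:])}")
```

The hex strings it prints are the bytes you would see for the same OID in Wireshark's SNMP dissector with OID resolution turned off, which is handy when a MIB is missing and you need to match a trap by its raw bytes.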
Tshark and filters
Display ipv4 and ipv6 addresses
"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -T fields -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol
Find all dns queries
"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -2 -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0"
"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -2 -T fields -e _ws.col.Source -e _ws.col.Destination -e dns.qry.name -R "dns.flags.response eq 0"
116.121.200.21	102.74.33.0	www.google.net
116.121.200.21	102.74.33.0	www.google.com
2201:5a00:2::d1	2201:5a00:0:1::	www.google.net
2201:5a00:2::d1	2201:5a00:0:1::	www.google.com
116.121.200.21	102.74.33.0	www.google.net
116.121.200.21	102.74.33.0	www.google.com
2201:5a00:2::d1	2201:5a00:0:1::	www.google.com
2201:5a00:2::d1	2201:5a00:0:1::	www.google.org
116.121.200.21	102.74.33.0	www.google.org
116.121.200.21	102.74.33.0	www.google.net
2201:5a00:2::d1	2201:5a00:0:1::	www.gstatic.com
2201:5a00:2::d1	2201:5a00:0:1::	www.google.org
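Once tshark has reduced a capture to "source<TAB>query name" lines like the ones above, the natural next step is to summarise them per client rather than read them by eye. The following is an added example, not from the wiki page: it parses that tab-separated -T fields output (from the -e ip.src -e dns.qry.name variant), groups the queried names by client and registered domain, and flags clients that ask for an unusually large number of distinct names under a single domain, which is the shape DNS tunnelling leaves in a capture. The sample lines are constructed (the 10.0.0.9 client and exfil.example are invented), the registered-domain logic is a deliberately crude last-two-labels approximation, and the function names and threshold are this example's own.

```python
# Added example, not from the wiki page: summarise tshark DNS query output per client.
from collections import defaultdict
from typing import DefaultDict, List, Set, Tuple

# Constructed sample of "tshark -T fields -e ip.src -e dns.qry.name" output.
SAMPLE = (
    "116.121.200.21\twww.google.com\n"
    "116.121.200.21\twww.google.net\n"
    "116.121.200.21\twww.gstatic.com\n"
    "2201:5a00:2::d1\twww.google.org\n"
    "2201:5a00:2::d1\t\n"                    # packet with no dns.qry.name field
    "10.0.0.9\tq1a9f3.exfil.example\n"
    "10.0.0.9\tq7c02e.exfil.example\n"
    "10.0.0.9\tq3b5d1.exfil.example\n"
    "10.0.0.9\tq88e4c.exfil.example\n"
    "10.0.0.9\twww.google.com\n"
)


def registered_domain(name: str) -> str:
    """Crude 'last two labels' approximation; a real deployment would use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def parse_fields_output(text: str) -> List[Tuple[str, str]]:
    """Turn tshark's tab-separated lines into (client, query name) pairs."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue                        # malformed line or empty field
        rows.append((parts[0], parts[1].lower()))
    return rows


def names_per_client_domain(rows: List[Tuple[str, str]]) -> DefaultDict[str, DefaultDict[str, Set[str]]]:
    """client -> registered domain -> set of distinct query names."""
    out: DefaultDict[str, DefaultDict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for client, qname in rows:
        out[client][registered_domain(qname)].add(qname)
    return out


def flag_tunnel_suspects(rows: List[Tuple[str, str]], min_distinct: int = 4) -> List[Tuple[str, str, int]]:
    """(client, registered domain, distinct names) for every pair at or above the threshold."""
    suspects = []
    for client, domains in names_per_client_domain(rows).items():
        for domain, names in domains.items():
            if len(names) >= min_distinct:
                suspects.append((client, domain, len(names)))
    return sorted(suspects)


if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE)
    for client, domains in names_per_client_domain(rows).items():
        print(client, {d: len(n) for d, n in domains.items()})
    print("suspects:", flag_tunnel_suspects(rows))
```

Feed it real data with parse_fields_output(open("queries.txt").read()) after redirecting the tshark command's output to that file; the threshold of 4 is only sensible for this tiny sample and should be raised to something like several hundred distinct names per domain and client over the capture window on production traffic.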
HTTP
/mnt/c/Program\ Files/Wireshark/tshark.exe -r merged.pcap -2 -R 'http.response || http.request'
607 2020-02-24 01:22:48.320399 2201:5a00:2::d1 36714 2404:6800:4006:806::2004 80 HTTP 137 GET /generate_204 HTTP/1.1
608 2020-02-24 01:22:48.320416 2201:5a00:2::d1 39350 2001:4860:4802:32::1b 80 HTTP 137 GET /generate_204 HTTP/1.1
609 2020-02-24 01:22:48.320431 2404:6800:4006:806::2004 80 2201:5a00:2::d1 36714 HTTP 155 HTTP/1.1 204 No Content
610 2020-02-24 01:22:48.320455 2001:4860:4802:32::1b 80 2201:5a00:2::d1 39350 HTTP 155 HTTP/1.1 204 No Content
611 2020-02-24 01:23:07.322271 116.121.200.21 45971 216.239.32.27 80 HTTP 117 GET /generate_204 HTTP/1.1
612 2020-02-24 01:23:07.322288 116.121.200.21 56210 216.58.199.68 80 HTTP 117 GET /generate_204 HTTP/1.1
613 2020-02-24 01:23:08.321836 216.239.32.27 80 116.121.200.21 45971 HTTP 135 HTTP/1.1 204 No Content
614 2020-02-24 01:23:08.321853 216.58.199.68 80 116.121.200.21 56210 HTTP 135 HTTP/1.1 204 No Content
Geolocation
https://www.chappell-university.com/post/geoip-mapping-in-wireshark
Step 1: Download the GeoIP database files. Visit https://dev.maxmind.com/geoip/geoip2/geolite2/ to get the latest GeoLite2 free database files:
- GeoLite2-City_[date].tar.gz
- GeoLite2-Country_[date].tar.gz
- GeoLite2-ASN_[date].tar.gz
Extract each archive with tar -xvf to get the .mmdb files.
In Wireshark, select Edit | Preferences | Name Resolution. Next to MaxMind database - specify the directory the .mmdb files are in
Now comes the cool stuff! Load a trace file in Wireshark and select Statistics | Endpoints. Click on either the IPv4 or IPv6 tab to see whether City, Country, AS Number and AS Organization information is available.
The resolved fields can also be used in display filters, for example:
ip.geoip.dst_country == "Ireland"