Difference between revisions of "Wireshark"

From neil.tappsville.com
Latest revision as of 19:45, 23 March 2022

Describe wireshark here.


Native capture on Windows

netsh trace start capture=yes report=no traceFile=C:\temp\mytrace.etl
netsh trace stop

Convert the resulting .etl to pcap using https://github.com/microsoft/etl2pcapng or this Python script https://github.com/aaptel/etl2pcap

pcap diff

https://github.com/aaptel/qtwirediff

Wireshark

Dissectors

• LUA Guide https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html

HTTPS/SSL Keys

https://www.trickster.dev/post/decrypting-your-own-https-traffic-with-wireshark/

Merge pcap files

This works for tens of files, but can't do hundreds (the single command line becomes too long).

%PROGRAMFILES%\Wireshark\mergecap.exe -w [output.pcap] [file1] [file2] ...

The following VBScript merges one file at a time into the running output, so there is no limit on the number of inputs; great when you have 10k+ files.


' pcap_merge - wrapper to merge a whole directory of pcap files.
' really hacky - no error checking, use with caution.
' Each file is merged into merged.pcap (next to this script) one at a time,
' so the command-line length limit of a single mergecap call never applies.

Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")


Function SelectFolder( myStartFolder )
' This function opens a "Select Folder" dialog and will
' return the fully qualified path of the selected folder
'
' Argument:
'     myStartFolder    [string]    the root folder where you can start browsing;
'                                  if an empty string is used, browsing starts
'                                  on the local computer
'
' Returns:
' A string containing the fully qualified path of the selected folder
' (vbNull if the dialog was cancelled)
'
' Written by Rob van der Woude
' http://www.robvanderwoude.com

    ' Standard housekeeping
    Dim objFolder, objItem, objShell

    ' Custom error handling
    On Error Resume Next
    SelectFolder = vbNull

    ' Create a dialog object
    Set objShell  = CreateObject( "Shell.Application" )
    Set objFolder = objShell.BrowseForFolder( 0, "Select Folder", 0, myStartFolder )

    ' Return the path of the selected folder
    If IsObject( objFolder ) Then SelectFolder = objFolder.Self.Path

    ' Standard housekeeping
    Set objFolder = Nothing
    Set objShell  = Nothing
    On Error Goto 0
End Function


Dim export_folder, export_file, import_file, strPath, mergecommand, strErrorCode, last_file
strPath = WScript.ScriptFullName
Set objFile = objFSO.GetFile(strPath)
export_folder = objFSO.GetParentFolderName(objFile)
export_file = export_folder & "\merged.pcap"       ' running output
import_file = export_folder & "\pre_merged.pcap"   ' previous output, fed back in as an input

strPath = SelectFolder( "" )
If strPath = vbNull Then
    ' dialog cancelled
    WScript.Quit
End If
WScript.Echo "Selected Folder: """ & strPath & """"

'####### FOLDER SELECTED .. WORK WITH FILES
If objFSO.FolderExists(strPath) Then
    Set objFolder = objFSO.GetFolder(strPath)
    Set colFiles = objFolder.Files

    ' ## GET A SORTED LIST OF FILES (oldest first, so the merge stays chronological)
    Set list = CreateObject("ADOR.Recordset")
    list.Fields.Append "name", 200, 1024   ' adVarChar, wide enough for long paths
    list.Fields.Append "date", 7           ' adDate
    list.Open

    For Each objFile1 In colFiles
        ' skip our own output files in case the selected folder is the script folder
        If LCase(objFile1.Path) <> LCase(export_file) And LCase(objFile1.Path) <> LCase(import_file) Then
            list.AddNew
            list("name").Value = objFile1.Path
            list("date").Value = objFile1.DateLastModified
            list.Update
        End If
    Next

    list.Sort = "date ASC"
    If Not list.EOF Then list.MoveFirst

    Do Until list.EOF
        ' WScript.Echo list("date").Value & vbTab & list("name").Value
        Set objFile = objFSO.GetFile(list("name").Value)
        ' WScript.Echo "merging " & objFile.Name

        If IsEmpty(last_file) Then
            ' Merging our first file: the output is just that file (paths quoted in case of spaces)
            mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & objFile.Path & """"
        Else
            ' copy the old merged file to make it an input
            objFSO.CopyFile export_file, import_file, True
            mergecommand = """%PROGRAMFILES%\Wireshark\mergecap.exe"" -F pcap -w """ & export_file & """ """ & import_file & """ """ & objFile.Path & """"
        End If
        ' WScript.Echo "command is -- " & mergecommand

        ' Run expands %PROGRAMFILES%; 0 = hidden window, True = wait and return the exit code
        strErrorCode = WshShell.Run(mergecommand, 0, True)
        If strErrorCode = 0 Then
            ' the previous output has been folded into merged.pcap, so drop the copy
            If Not IsEmpty(last_file) Then objFSO.DeleteFile import_file
        Else
            WScript.Echo mergecommand & "     ERROR: " & strErrorCode
        End If

        last_file = objFile.Name
        list.MoveNext
    Loop
    list.Close
End If

WScript.Echo "Completed : " & export_file
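
The same one-file-at-a-time problem solved without mergecap, as an added example that is not from this page or from the Wireshark project: a small pure-Python merger that reads the classic pcap format directly and interleaves packets by timestamp, which is what mergecap does by default, so no command-line length limit or external tool is involved. It handles only little-endian classic pcap (not pcapng), assumes each input is already in time order, refuses mixed link types, and the two sample captures in demo() are constructed in a temporary directory.

```python
import heapq
import struct
import tempfile
PCAP_MAGIC = 0xA1B2C3D4                 # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(path, packets, linktype=1):
    """Write (ts_sec, ts_usec, bytes) tuples as a classic pcap; linktype 1 = Ethernet."""
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts_sec, ts_usec, data in packets:
            f.write(REC_HDR.pack(ts_sec, ts_usec, len(data), len(data)) + data)


def read_pcap(path):
    """Return (linktype, [(ts_sec, ts_usec, bytes), ...]) from a classic pcap file."""
    with open(path, "rb") as f:
        magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack(f.read(GLOBAL_HDR.size))
        if magic != PCAP_MAGIC:
            raise ValueError(f"{path}: not a little-endian classic pcap (pcapng not handled)")
        packets = []
        while hdr := f.read(REC_HDR.size):
            ts_sec, ts_usec, incl_len, _ = REC_HDR.unpack(hdr)  # struct.error on a short header
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError(f"{path}: truncated packet record")
            packets.append((ts_sec, ts_usec, data))
    return linktype, packets


def merge_pcaps(inputs, output):
    """Merge any number of pcaps chronologically (mergecap's default); return packet count."""
    if not inputs:
        raise ValueError("no input files")
    streams, linktypes = [], set()
    for path in inputs:
        linktype, packets = read_pcap(path)  # each input is assumed to be in time order already
        linktypes.add(linktype)
        streams.append(packets)
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}: classic pcap allows one per file")
    merged = list(heapq.merge(*streams, key=lambda p: (p[0], p[1])))
    write_pcap(output, merged, linktype=linktypes.pop())
    return len(merged)


def demo():
    """Constructed sample: two small captures with interleaved timestamps, merged into one."""
    with tempfile.TemporaryDirectory() as d:
        a, b, out = (f"{d}/{n}" for n in ("a.pcap", "b.pcap", "merged.pcap"))
        write_pcap(a, [(100, 0, b"\x01" * 60), (102, 0, b"\x03" * 60)])
        write_pcap(b, [(101, 500, b"\x02" * 60), (103, 0, b"\x04" * 60)])
        count = merge_pcaps([a, b], out)
        _, packets = read_pcap(out)
        return count, [p[0] for p in packets], [p[2][0] for p in packets]
```

Call merge_pcaps with the directory's *.pcap files listed in date order to replace the mergecap loop above.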




Filter pcap files outside of Wireshark

tshark -r [input.pcap] -w [output.pcap] "ip.src == [ipaddress] || ip.dst == [ipaddress]"

i.e. the general form, with any display filter:

tshark -r [input.pcap] -w [output.pcap] "filter"


Windows localhost listen

Use RawCap, which captures loopback traffic through raw sockets (the classic WinPcap driver does not see it): https://www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released



tcpdump

Use the following to get a non-truncated file out of tcpdump that you can open in Wireshark (-s 65535 sets the snaplen so packets are not cut at the default length):

tcpdump -i <interface> -s 65535 -w <some-file>


snoop (Solaris)

/usr/sbin/snoop -d bge2 -o /tmp/meta''capture''staging2ing2.cap host metaeft



Replay a capture

You need to change the destination IP and MAC address in the capture first (tcprewrite from the tcpreplay suite does this), then:

tcpreplay -i eth0 10.111.64.135_warmStart.pcap

sending out eth0
processing file: 10.111.64.135_warmStart.pcap
Actual: 1 packets (122 bytes) sent in 0.02 seconds
Rated: 6100.0 bps, 0.05 Mbps, 50.00 pps
Statistics for network device: eth0
Attempted packets:         1
Successful packets:        1
Failed packets:            0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN):  0


Verify the replayed SNMP trap on the receiving side:

tcpdump -i eth0 -n -e "udp port 162"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:18:59.543555 00:23:5a:3f:f5:66 > 00:03:ba:04:0b:65, ethertype IPv4 (0x0800), length 122: 172.20.221.112.58528 > 10.111.64.135.162:  C=netcooltrapuser V2Trap(56)  .1.3.6.1.2.1.1.3.0=8027664 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.2

Translate a trap OID against a local MIB directory with snmptranslate:

snmptranslate -Ln -M './Juniper Mibs/:./Standard Mibs/' -Td .1.3.6.1.4.1.2636.4.5.0.1
JUNIPER-CFGMGMT-MIB::jnxCmCfgChange
jnxCmCfgChange NOTIFICATION-TYPE
  -- FROM JUNIPER-CFGMGMT-MIB
  OBJECTS { jnxCmCfgChgEventTime, jnxCmCfgChgEventDate, jnxCmCfgChgEventSource, jnxCmCfgChgEventUser, jnxCmCfgChgEventLog }
  DESCRIPTION    "Notification of a configuration management event as
  recorded in jnxCmCfgChgEventTable."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) juniperMIB(2636) jnxTraps(4) jnxCmNotifications(5) jnxCmNotificationsPrefix(0) 1 }


You can change the period between packets with tcpreplay switches such as '-p 1 -L 3' (-p sets packets per second, -L limits the number of packets sent).


SNMP

Remember to enable 'Enable OID resolution' in Edit --> Preferences --> Name Resolution


Place MIB files in C:\Program Files\Wireshark\snmp\mibs

MIB / OID lookup websites

• www.oidview.com/mibs/detail.html
• tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en


-- following is unconfirmed --

Useful SNMP OIDs for CPU, memory and disk usage.

CPU Statistics

Load
• 1 minute Load: .1.3.6.1.4.1.2021.10.1.3.1
• 5 minute Load: .1.3.6.1.4.1.2021.10.1.3.2
• 15 minute Load: .1.3.6.1.4.1.2021.10.1.3.3

CPU
• percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
• raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
• percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
• raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
• percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
• raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
• raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory Statistics

• Total Swap Size: .1.3.6.1.4.1.2021.4.3.0
• Available Swap Space: .1.3.6.1.4.1.2021.4.4.0
• Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
• Total RAM used: .1.3.6.1.4.1.2021.4.6.0
• Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
• Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
• Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
• Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0

Disk Statistics

The snmpd.conf needs to be edited. Add one of the following (the first assumes a machine with a single '/' partition):

disk / 100000

or, for all partitions and disks:

includeAllDisks 10%

The OIDs are as follows

• Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
• Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
• Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
• Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
• Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
• Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
• Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

System Uptime: .1.3.6.1.2.1.1.3.0

Tshark and filters

Display IPv4 and IPv6 addresses (the Source/Destination columns cover both):

"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -T fields -e _ws.col.Source -e _ws.col.Destination -e _ws.col.Protocol


Find all DNS queries (-2 -R applies a read filter in two-pass mode):

"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -2 -T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0"

or, using the Source/Destination columns so IPv6 clients are listed as well:

"c:\Program Files\Wireshark\tshark.exe" -r merged.pcap -2 -T fields -e _ws.col.Source -e _ws.col.Destination -e dns.qry.name -R "dns.flags.response eq 0"

116.121.200.21  102.74.33.0     www.google.net
116.121.200.21  102.74.33.0     www.google.com
2201:5a00:2::d1 2201:5a00:0:1:: www.google.net
2201:5a00:2::d1 2201:5a00:0:1:: www.google.com
116.121.200.21  102.74.33.0     www.google.net
116.121.200.21  102.74.33.0     www.google.com
2201:5a00:2::d1 2201:5a00:0:1:: www.google.com
2201:5a00:2::d1 2201:5a00:0:1:: www.google.org
116.121.200.21  102.74.33.0     www.google.org
116.121.200.21  102.74.33.0     www.google.net
2201:5a00:2::d1 2201:5a00:0:1:: www.gstatic.com
2201:5a00:2::d1 2201:5a00:0:1:: www.google.org


HTTP requests and responses (tshark run from WSL, hence the /mnt/c path):

/mnt/c/Program\ Files/Wireshark/tshark.exe -r merged.pcap -2 -R 'http.response || http.request'

  607 2020-02-24 01:22:48.320399 2201:5a00:2::d1 36714 2404:6800:4006:806::2004 80 HTTP 137 GET /generate_204 HTTP/1.1
  608 2020-02-24 01:22:48.320416 2201:5a00:2::d1 39350 2001:4860:4802:32::1b 80 HTTP 137 GET /generate_204 HTTP/1.1
  609 2020-02-24 01:22:48.320431 2404:6800:4006:806::2004 80 2201:5a00:2::d1 36714 HTTP 155 HTTP/1.1 204 No Content
  610 2020-02-24 01:22:48.320455 2001:4860:4802:32::1b 80 2201:5a00:2::d1 39350 HTTP 155 HTTP/1.1 204 No Content
  611 2020-02-24 01:23:07.322271 116.121.200.21 45971 216.239.32.27 80 HTTP 117 GET /generate_204 HTTP/1.1
  612 2020-02-24 01:23:07.322288 116.121.200.21 56210 216.58.199.68 80 HTTP 117 GET /generate_204 HTTP/1.1
  613 2020-02-24 01:23:08.321836 216.239.32.27 80 116.121.200.21 45971 HTTP 135 HTTP/1.1 204 No Content
  614 2020-02-24 01:23:08.321853 216.58.199.68 80 116.121.200.21 56210 HTTP 135 HTTP/1.1 204 No Content

Geolocation

https://www.chappell-university.com/post/geoip-mapping-in-wireshark

Step 1: Download the GeoIP database files. Visit https://dev.maxmind.com/geoip/geoip2/geolite2/ to get the latest GeoLite2 free database files:

  • GeoLite2-City_[date].tar.gz
  • GeoLite2-Country_[date].tar.gz
  • GeoLite2-ASN_[date].tar.gz

Extract each archive with tar -xvf to get the .mmdb files.

In Wireshark, select Edit | Preferences | Name Resolution. Next to MaxMind database - specify the directory the .mmdb files are in

Now comes the cool stuff! Load a trace file in Wireshark and select Statistics | Endpoints. Click on either the IPv4 or IPv6 tab to see if you have City, Country, AS Number, and AS Organization information available.

The resolved fields can also be used in display filters, e.g.

ip.geoip.dst_country == "Ireland"