tshark -r 1hr.pcap no ip and not ipv6 | head -5 //spanning tree switch output error so tried second down.tshark -r 1hr.pcap -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -rn | head //To see who's sending the packets you see a missing "2959" line.Blank line output means didn't meet criteria which is ip.src and ip.dst this is probably ipv6 packets or other ip based traffic see next tshark -r 1hr.pcap -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -rn | head //output to each without pipe then next pipe to see what is going on.tshark -r *.pcap -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ip.proto -e ip.ttl |head //prints output with certain fields, head shows first 10 lines then kills screen.You could potentially use various Linux OSes with Windows Subsystem for Linux (WSL) but I’ve had issues with graphics using WSL so normally I use Kali or Parrot Linux on a free virtual machine such ast VirtualBox. Here are some commands used with comments shown after the double forward slashes. This sorts data to cluster similar lines uniq -c used to tally matching lines (basically shows the unique items only and doesn’t show duplicates sort -rn is used to numerically sort and prints the largest first
tshark mantra: "sort"."unique"."sort": eg.tcpdump was one of the first capture tools but limited in capture output.I’m not sure if the pcap file is available but if you attended the talk the pcap files would be provided with a tshark cheat sheet & SLIDES. Here’s the actual video: This talk was from the Wild West Hacking Fest 2020. Tao and the Art of Tshark Fields by Chris Brenton WWHF. Take a look at the Black Hills Information Security #BHIS Website for the blog and training video: This may also be posted on their sister website active countermeasures: Tshark is the command line version of Wireshark.
I’ve mentioned previously tcpdump and Wireshark but haven’t discussed Tshark.
0 kommentar(er)
