I have a pcap file and I am trying to find out source IP's that lie within a certain range in this file.
I did the following:
tshark -r myFile.pcap -T fields -e ip.src ip.src >= 10.0.0.0 && ip.src <= 10.255.255.255
But this doesn't seem to work and gives the error tshark: "10.0.0.0" was unexpected in this context.
Am I doing something wrong here?
While the answer provided by @jon-ander-ortiz-durántez is basically correct, according to the tshark man page, there's actually nothing wrong, per se, with your original attempt, at least according to the current documentation:
A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).
The problem here is that there are bugs in the tshark documentation. The filter at the end is NOT a read filter at all, but rather it's a display filter and it MUST be quoted to be reliable. If you simply quote the filter, then it should work just fine:
tshark -r myFile.pcap -T fields -e ip.src "ip.src >= 10.0.0.0 && ip.src <= 10.255.255.255"
That said, in this particular case I'd use "ip.src == 10.0.0.0/8" because it's more terse, but I would also recommend explicitly using the syntax for display filters, namely -Y <filter>, so something like this:
tshark -r myFile.pcap -T fields -e ip.src -Y "ip.src == 10.0.0.0/8"
Now, how can you tell it's a display filter and not a read filter? It becomes more evident when you also include the frame number. Both of these should produce the same output:
tshark -r myFile.pcap -T fields -e frame.number -e ip.src -Y "ip.src == 10.0.0.0/8"
tshark -r myFile.pcap -T fields -e frame.number -e ip.src "ip.src == 10.0.0.0/8"
However, this one will produce different results (assuming not every packet matches the filter):
tshark -r myFile.pcap -T fields -e frame.number -e ip.src -2R "ip.src == 10.0.0.0/8"
Assuming not all packets match the filter, the output using the read filter will have sequential frame numbers, whereas the output using the display filter will have non-sequential frame numbers that match the frame numbers of the original file instead of being renumbered as those of the read filter are.
I would recommend filing a Wireshark Bug Report regarding the problem with the tshark documentation with respect to the filter.
IP Ranges on Wireshark are specified using CIDR blocks[1].
To define all possible IP addresses under the 10.XX.XX.XX range, just set:
tshark -r myFile.pcap -T fields -e ip.src ip.src == 10.0.0.0/8
[1] https://www.networkcomputing.com/networking/how-define-ip-range-wireshark
Related
Hello, I want to capture DNS or HTTP or HTTP2 traffic from a specific IP address and save it to a file.
I tried this:
tshark -i xxx -w capture-output.pcap -T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
I get this error:
tshark: Display filters aren't supported when capturing and saving the captured packets.
Can somebody help me?
The error gives you as much information as you need - you can't use a display filter when saving a packet capture. You have two options here:
Option 1: Save the capture and use a display filter afterwards
This would look something like
# Write the initial file with incoming packets
$ tshark -i xxx -w capture-output.pcap
# Filter out the traffic we don't want
$ tshark -r capture-output.pcap -w filtered-output.pcap \
-T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
Option 2: Use a capture filter
Use a capture filter instead. Capture filters use a special syntax that is different from display filters.
The equivalent capture filter you would want to use, given your display filter, is
$ tshark -w filtered.pcap -f "src net 192.168.178.0/24 and (udp port 53 or tcp port 80 or tcp port 443)"
On Tshark;
I am trying to run this command: tshark -r /root/Desktop/a.pcap -T fields -e "dns.count.answers>3", however I always see: (process:2009): WARNING: 'dns.count.answers>3' isn't a valid field! tshark: Some fields aren't valid
Do you have any idea how I can see "dns.count.answers>3" on tshark and then output it as a CSV file?
Thank you very much.
Tshark's -e option expects a field as an argument; however, "dns.count.answers>3" isn't a field but a display filter. Display filters are specified using the -Y option.
What you're probably looking for is something like this:
tshark -r /root/Desktop/a.pcap -Y "dns.count.answers > 3" -T fields -e dns.count.answers
I used the command below to get the list of IP addresses of various entities, but I am not able to convert (identify) the hostnames.
tshark -r test_call_1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport tcp
sample output
192.30.16.95 21 192.30.160.2 43118
192.30.16.95 21 192.30.160.2 43118
192.30.16.95 21 192.30.160.2 43118
192.30.160.2 45791 192.30.16.95 45431
Can anyone guide me on how to resolve these IPs to hostnames?
Thanks in advance
M.Muralidharan
To get tshark to print hostnames you need to enable hostname resolution by specifying the '-N n' option and selecting the hostname fields instead of the IP address fields by using e.g. '-e ip.src_host'.
For example:
tshark -r test_call_1.pcap -N n -T fields -e ip.src_host -e tcp.srcport -e ip.dst_host -e tcp.dstport tcp
I need to have some statistics (for test purposes) on SYN packets that were received.
I got lost with the available tools: Ethereal, tshark, tcpdump.
I want a simple tool that will not dump the complete packet, only by pattern (in my case only IP, but in some cases I will also need the payload).
Which one from the above (or another) does the job?
If you have some patience, I will be thankful if you could point me to a reference about the differences between them. I didn't find a good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from the command line.
A pattern can be: ip.src, ip.payload
Thank you
The following tcpdump command will save to a file all the packets which have the SYN flag set and are sent to the IP address stored in the environment variable MYIP:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
A list of unique host/ports from the dump can be produced with the following command (the sort is needed because uniq only collapses adjacent duplicates):
tcpdump -nr /tmp/syn_packets | cut -d " " -f 3 | sort | uniq
A list of packet counts per host/port can be produced with the following command:
tcpdump -nr /tmp/syn_packets | cut -d " " -f 3 | sort | uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"
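The two behaviours discussed on this page, the display-filter versus read-filter frame numbering from the first answer (ip.src == 10.0.0.0/8, equivalent to the 10.0.0.0 to 10.255.255.255 range) and the per-host SYN statistics from the tcpdump answer above, reproduced in a dependency-free Python script. This is an added example, not code from any of the answers or from the Wireshark or tcpdump projects; the pcap it reads is constructed inline, and the filter_src and syn_counts helpers are hypothetical names chosen here.

```python
import struct
import ipaddress
from collections import Counter

def build_frame(src, dst, sport, dport, flags):  # constructed Ethernet/IPv4/TCP frame
    eth = b"\x00" * 12 + b"\x08\x00"               # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def read_pcap(data):
    """Yield (frame.number, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, number = 24, 0
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame, off, number = data[off + 16:off + 16 + caplen], off + 16 + caplen, number + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # skip non-IPv4 / non-TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (str(ipaddress.IPv4Address(frame[14 + o:18 + o])) for o in (12, 16))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        yield number, src, dst, sport, dport, frame[14 + ihl + 13]

def filter_src(pkts, cidr, read_filter=False):
    """ip.src == <cidr>: -Y keeps original frame numbers, -2R renumbers the survivors."""
    net = ipaddress.ip_network(cidr)
    hits = [(n, src) for n, src, *_ in pkts if ipaddress.ip_address(src) in net]
    return [(i + 1, src) for i, (_, src) in enumerate(hits)] if read_filter else hits

def syn_counts(pkts, myip):
    """Pure SYNs (SYN set, ACK clear) sent to myip, counted per source host.port."""
    return Counter(f"{src}.{sport}" for _, src, dst, sport, _, fl in pkts
                   if dst == myip and fl & 0x02 and not fl & 0x10)

SYN, ACK = 0x02, 0x10
SAMPLE = build_pcap([build_frame(*f) for f in [           # constructed traffic, not captured
    ("10.1.2.3", "192.0.2.10", 40000, 80, SYN), ("192.0.2.10", "10.1.2.3", 80, 40000, SYN | ACK),
    ("10.1.2.3", "192.0.2.10", 40000, 80, ACK), ("172.16.5.5", "192.0.2.10", 50000, 443, SYN),
    ("10.9.9.9", "192.0.2.10", 50001, 443, SYN), ("10.1.2.3", "192.0.2.10", 40000, 80, SYN)]])
PKTS = list(read_pcap(SAMPLE))
```

filter_src(PKTS, "10.0.0.0/8") returns frames 1, 3, 5 and 6 with their original numbers, while read_filter=True returns the same hits numbered 1 to 4, which is exactly the -Y versus -2R difference; syn_counts(PKTS, "192.0.2.10") reports two SYNs from 10.1.2.3.40000 (the retransmission) and one each from the other two sources.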
OK, I have this cap file that I captured with Wireshark. There are multiple WEP keys which can be retrieved from the file.
Is there a way, using Wireshark or aircrack-ng, to know exactly how many WEP keys are available in that pcap file?
Edit: not the WEP passwords, just the number of WEP keys available.
Wireshark has a display/filter field named wlan.wep.key.
So: using tshark with a display filter and wc as follows might give you the desired result (although I haven't tried it):
tshark -Y wlan.wep.key -r <filename> | wc -l
Note: I don't know if there can be more than 1 WEP key in a frame. If so then the above won't give the right count.
tshark -Y wlan.wep.key -T fields -e frame.number -r <filename> should show just the frame numbers of all the frames with WEP keys.
tshark -Y wlan.wep.key -T fields -e frame.number -e wlan.wep.key -r <filename> will print out all the keys (even if more than 1 per frame).