On Tshark;
I am trying to run this command "tshark -r /root/Desktop/a.pcap -T fields -e "dns.count.answers>3"" however I always see; " (process:2009): WARNING : 'dns.count.answers>3' isn't a valid field! tshark: Some fields aren't valid"
Do you have any idea about how can I see "dns.count.answers>3" on tshark and then output it as a cvs. file.
Thank you very much.
Tshark's -e option expects a field as an argument; however, "dns.count.answers>3" isn't a field but a display filter. Display filters are specified using the -Y option.
What you're probably looking for is something like this:
tshark -r /root/Desktop/a.pcap -Y "dns.count.answers > 3" -T fields -e dns.count.answers
Related
I can't figure out how to print (unix tool) versions within a BusyBox container:
$ docker run -it quay.io/quay/busybox:latest
$ awk --version
awk: unrecognized option `--version'
BusyBox v1.32.0 (2020-08-31 17:40:13 UTC) multi-call binary.
Usage: awk [OPTIONS] [AWK_PROGRAM] [FILE]...
-v VAR=VAL Set variable
-F SEP Use SEP as field separator
-f FILE Read program from FILE
-e AWK_PROGRAM
$ cut --version
cut: unrecognized option `--version'
BusyBox v1.32.0 (2020-08-31 17:40:13 UTC) multi-call binary.
Usage: cut [OPTIONS] [FILE]...
Print selected fields from each input FILE to stdout
-b LIST Output only bytes from LIST
-c LIST Output only characters from LIST
-d CHAR Use CHAR instead of tab as the field delimiter
-s Output only the lines containing delimiter
-f N Print only these fields
-n Ignored
Any suggestions? Many mulled containers are built on top of BusyBox, best I get on top of this.
Thanks
busybox is a single program which acts as one of various tools depending on what name was used to call it. As you can see in the question, it shows its version as BusyBox v1.32.0.
Check which tools are (symbolic) links to busybox. All these are the same program and therefore have the same version, so you might only need the version of busybox and a list of commands linked to it.
According to https://unix.stackexchange.com/q/15895/330217 the best way to display the version of busybox is
busybox | head -1
I have a pcap file and I am trying to find out source IP's that lie within a certain range in this file.
I did the following:
tshark -r myFile.pcap -T fields -e ip.src ip.src >= 10.0.0.0 && ip.src <= 10.255.255.255
But this doesn't seem to work and gives the error tshark: "10.0.0.0" was unexpected in this context.
Am I doing something wrong here?
While the answer provided by #jon-ander-ortiz-durántez is basically correct, according to the tshark man page, there's actually nothing wrong, per se, with your original attempt, at least according to the current documentation:
A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).
The problem here is that there are bugs in the tshark documentation. The filter at the end is NOT a read filter at all, but rather it's a display filter and it MUST be quoted to be reliable. If you simply quote the filter, then it should work just fine:
tshark -r myFile.pcap -T fields -e ip.src "ip.src >= 10.0.0.0 && ip.src <= 10.255.255.255"
That said, in this particular case I'd use "ip.src == 10.0.0.0/8" because it's more terse, but I would also recommend explicitly using the syntax for display filters, namely -Y <filter>, so something like this:
tshark -r myFile.pcap -T fields -e ip.src -Y "ip.src == 10.0.0.0/8"
Now, how can you tell it's a display filter and not a read filter? It becomes more evident when you also include the frame number. Both of these should produce the same output:
tshark -r myFile.pcap -T fields -e frame.number -e ip.src -Y "ip.src == 10.0.0.0/8"
tshark -r myFile.pcap -T fields -e frame.number -e ip.src "ip.src == 10.0.0.0/8"
However, this one will produce different results (assuming not every packet matches the filter)
tshark -r myFile.pcap -T fields -e frame.number -e ip.src -2R "ip.src == 10.0.0.0/8"
Assuming not all packets match the filter, the output using the read filter will have sequential frame numbers whereas the output using the display filter will have non-sequential frame numbers that match the frame numbers of the original file instead of being renumbered like those of the read filter will have.
I would recommend filing a Wireshark Bug Report regarding the problem with the tshark documentation with respect to the filter.
IP Ranges on Wireshark are specified using CIDR blocks[1].
To define all possible IP addresses under 10.XX.XX.XX range just set:
tshark -r myFile.pcap -T fields -e ip.src ip.src == 10.0.0.0/8
[1] https://www.networkcomputing.com/networking/how-define-ip-range-wireshark
My requirement is to attach all the .csv files in a folder and send them in a single mail.
Here is what have tried,
mutt -s "subject" -a *.csv -- abc#gmail.com < subject.txt
The above command is not working (It's not recognizing multiple files) and throwing the error
Error sending message, child exited 67 (User unknown.).
Could not send the message.
Then I tried using multiple -a option as follows,
mutt -s "subject" -a aaa.csv -a bbb.csv -- abc#gmail.com < subject.txt
This works as expected.
But this is not feasible for 100 files for example. I should be able use it with file mask (as like *.csv to take all csv files). Is there is any way we can use like *.csv in single command?
Thanks
Mutt doesn't support such syntax, but it doesn't mean it's impossible. You just have to build the mutt command.
mutt -s "subject" $( printf -- '-a %q ' *.csv ) ...
The command in $( ... ) produces something like this:
-a aaa.csv -a bbb.csv -a ...
Here is the example of sending multiple files using a single command -
mutt -s "Subject" -i "Mail_body text" email_id#abc.com -c email_cc_id#abc.com -a attachment1.pdf -a attachment2.pdf
At the end of the command line use -a for the attachment .
Some linux system have attachment size limit . Mostly it support less size .
I'm getting backslash( \ ) Additionally
Daily_Batch_Status{20131003}.PDF
Daily_System_Monitoring{20131003}.PDF
printf -- '-a %q ' *.PDF
-a Daily_Batch_Status \ {20131003 \ }.PDF -a Daily_System_Monitoring \ {20131003 \ }.PDF
#!/bin/bash
from="me#address.com"
to="target#address.com"
subject="pdfs $(date +%B) $(date +%Y)"
body="You can find the pdfs from $(date +%B) $(date +%Y)"
# here comes the attachments
mutt -s "$subject" $( printf -- ' -a %q' $PWD/*.pdf ) -- $to <<EOF
Dear Mr and Ms,
$(echo $body)
$(cat ~/.signature)
EOF
but it does not work with escape characters in file name like "\[5\]" which can come in MacOs.
I created as a script and collect needed PDFs in a folder and just run the script from that location. So monthly reports are sent... it does not matter how many pdfs (number can vary) but also there should be no white space.
Currently I am using the following command to catch the Error String in the MY_FILE_NAME*.log
Currentdate=`date -u +"%Y/%m/%d"`
YEST=`TZ=XYZ+24 date '+%Y/%m/%d'`
grep -E "$Currentdate|$YEST" MY_FILE_NAME*.log | grep "Type: Error"
This command is generating huge data with the string "Type: Error" with redundancy in the same error type (in my case the same error is displayed like 100 times)
I want the error strings of same type to be displayed only once
If using GNU/Linux try the '-m' switch
grep -m 1 -E "$Currentdate|$YEST" MY_FILE_NAME*.log | grep "Type: Error"
In the GNU version of grep, the '-m ' switch stops reading the input file after matches are found. This feature does not exist in the older Unix grep on which AIX and similar are built.
If on AIX where there is no -m or -B see this StackOvreflow post
For some research reason, I need to get the http package's tcp sequence numbers. I have already got the pcap file, so how should I do that with tshark?
Thanks so much for answer my question!!!
Something like this should do it:
tshark -r your_file -R http -T fields -e tcp.seq
The sequence numbers are relative or absolute as controlled by .wireshark/preferences. By default it's relative (so you will see small numbers). If you want absolute sequence numbers, edit preferences:
tcp.relative_sequence_numbers: FALSE
Using tshark,
apply the correspoding tcp filter (tcp.nxtseq) check for more from this page
https://www.wireshark.org/docs/dfref/t/tcp.html
C:\Program Files\Wireshark>tshark -r C:<path to pcap>sample.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e tcp.flags.ack -e tcp.flags.cwr -e tcp.flags.ecn -e tcp.flags.fin -e tcp.flags.ns -e tcp.flags.push -e tcp.flags.res -e tcp.flags.reset -e tcp.flags.syn -e tcp.flags.urg > C:/20Oct.txt