Using tcpdump, I am capturing network traffic. I am interested in extracting the actual TCP payload data, i.e. HTTP traffic in my particular case.
I tried to achieve that using scapy, but I only found function remove_payload(). Is there a corresponding counterpart? Or do you know of any other tools that provide such functionality?
Unfortunately, I did not find a satisfactory scapy documentation.
You can read a pcap with Scapy easily with rdpcap, you can then use the Raw (right above TCP) layer of your packets to play with HTTP content:
from scapy.all import *
pcap = rdpcap("my_file.pcap")
for pkt in pcap:
if Raw in pkt:
print pkt[Raw]
In case other users might have similar questions: I ended up using the following script:
infile=infile.pcap
outfile=outfile
ext=txt
rm -f ${outfile}_all.${ext}
for stream in $(tshark -nlr $infile -Y tcp.flags.syn==1 -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//')
do
echo "Processing stream $stream: ${outfile}_${stream}.${ext}"
tshark -nlr $infile -qz "follow,tcp,raw,$stream" | tail -n +7 | sed 's/^\s\+//g' | xxd -r -p | tee ${outfile}_${stream}.${ext} >> ${outfile}_all.${ext}
done
Related
I want to make audio data from a Pcap file with Tshark.
I have successfully created audio data from a Pcap file using Wireshark in RTP analysis function.
This Pcap file is created from a VoIP phone conversation.
Next time I want to do the same thing with Tshark.
What command would do that?
I read the Tshark manual to find out how.
but couldn't find it.
do i need any tools?
On Linux, extracting the RTP packets from PCAP file is possible with tshark together with shell tools tr and xxd, but then you might need other tools to convert to an audio format.
If you have a single call recording in the pcap, so all rtp packets belong to it, try with:
tshark -n -r call.pcap -2 -R rtp -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
If the pcap has the recordings from many calls, then you have to identify the calls and their RTP streams by source/destination IPs or SSRC and build the filter accordingly, for example if SSRC is 0x7f029328:
tshark -n -r call.pcap -2 -R rtp -R "rtp.ssrc == 0x7f029328" -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
Tools like sox or ffmpeg can be used to convert from call.rtp file to wav format, depending on the codec that was used in the call. If the codec was G711u (PCMU) with sample rate 8000:
sox -t ul -r 8000 -c 1 call.rtp call.wav
The audio formats supported by sox are listed by sox -h. The ffmpeg might be needed for codecs such as G729 or G722, example for G722 with sample rate 16000:
ffmpeg -f g722 -i call.rtp -acodec pcm_s16le -ar 16000 -ac 1 call.wav
These guidelines are from some brief notes I made during the past when I had similar needs, hope they are good and still valid nowadays, or at least provide the right direction to explore further.
Hey there I want to write a script that will change the network profile settings (ifconfig, /etc/resolv.comf). Let the script retrieve and display the contents of the file with network profiles to root. The format of the database file will be in the form of: IP, IP Mask, Gateway. I've already done something but don't know if it's correct.
#!/bin/bash
IP=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
IPMask=$(/sbin/ifconfig eth0 | grep Mask | cut -d":" -f4)
Gateway=$(/sbin/ip route | awk '/default/ {print $3}')
echo "IP is : $IP"
echo "IP Mask is: $IPMask"
echo Gateway is: $Gateway"
The part I don't understand how to do is - Root interactively selects the network profile (by number), which is then activated. Any help please?
In order to extract the RTP payload from a pcap file captured by wireshark, I'm using tshark with the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
this succeeded with the codecs g.729 and ilbc but with the codec g.723 it wasn't the case. I think that this problem is due to the fact that the field payload of the rtp protocol doesn't exist any more (when consulting the wireshark).
Any idea of how to extract the payload of the codec g.723?
I did it this way:
used rtpxtract.pl from
here
then used ffmpeg to convert it to format user can listen to. like MP3.
ffmpeg -f g723_1 -i ${infile} ${outfile}.mp3
to solve this problem you have just to disable the protocol g723 in wireshark in the item Enabled Protocols from the Analyze menu then the field "payload" will appear in the protocol rtp and the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
will succeed!
I need to have some statics (for test purpose ) on syn packet that was recieved.
I got lost with the available tools - ethreal. tshark.tcpdumt.
I want the simple tool that will not dump the complete packet only by pattern (in my case only ip, but some case i will also need payload) .
Which one from the above (or another) do the job?
If you have some patient i will be tankful for you to reference about the differences between them. didnt find good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from command line.
pattern can be - ip.src ip.payload
Thank you
The following tcpdump command will save all the packets to a file which have the SYN flag set and are sent to the IP address stored in the environmental variable MYIP:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
List of unique host/ports from the dump can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq
List of packet counts per host/port can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"
My goal is to be able to read new messages from a gmail account via a linux server. I guess I could do this via IMAP or something, but I'd like to avoid that complexity if possible given that gmail has this nice feed set up:
https://mail.google.com/mail/feed/atom/
The only issue is that I'm not sure how to authenticate the call to pull this. Is this possible?
A good starting point should be:
curl -u username:password --silent "https://mail.google.com/mail/feed/atom" | tr -d '\n' | awk -F '<entry>' '{for (i=2; i<=NF; i++) {print $i}}' | sed -n "s/<title>\(.*\)<\/title.*name>\(.*\)<\/name>.*/\2 - \1/p"
Checks the Gmail ATOM feed for your account, parses it and outputs a list of unread messages.
Also, see this thread: http://www.commandlinefu.com/commands/view/3380/check-your-unread-gmail-from-the-command-line
OTOH, I would recommend using mutt and IMAP.