I used the below command to get the list of IP address of various entity,but i am not able to convert (identify) the hostname.
tshark -r test_call_1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport tcp
sample output
192.30.16.95 21 192.30.160.2 43118
192.30.16.95 21 192.30.160.2 43118
192.30.16.95 21 192.30.160.2 43118
192.30.160.2 45791 192.30.16.95 45431
Can any one guide me on how to resolve these ip's to hostnames?
Thanks in Advance
M.Muralidharan
To get tshark to print hostnames you need to enable hostname resolution by specifying the '-N n' option and selecting the hostname fields instead of the ip address by using e.g '-e ip.src_host'.
For example:
tshark -r test_call_1.pcap -N n -T fields -e ip.src_host -e tcp.srcport -e ip.dst_host -e tcp.dstport tcp
Related
Hello I want to capture from a specific ip adress dns or http or http2 traffic and save it to a file.
I tried this:
tshark -i xxx -w capture-output.pcap -T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
I get this error:
tshark: Display filters aren't supported when capturing and saving the captured packets.
Can somebody help me?
The error gives you as much information as you need - you can't use a display filter when saving a packet capture. You have two options here:
Option 1: Save the capture and use a display filter afterwards
This would look something like
# Write the initial file with incoming packets
$ tshark -i xxx -w capture-output.pcap
# Filter out the traffic we don't want
$ tshark -r capture-output.pcap -w filtered-output.pcap \
-T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
Option 2: Use a capture filter
Use a capture filter instead. Capture filters use a special syntax that is different from display filters.
The equivalent capture filter you would want to use give your display filter is
$ tshark -w filtered.pcap -f "src net 192.168.178.0/24 and (udp port 53 or tcp port 80 or tcp port 443)"
Docker creates these virtual ethernet interfaces veth[UNIQUE ID] listed in ifconfig. How can I find out which interface belongs to a specific docker container?
I want to listen to the tcp traffic.
To locate interface
In my case getting value from container was like (check eth0 to):
$ docker exec -it my-container cat /sys/class/net/eth1/iflink
123
And then:
$ ip ad | grep 123
123: vethd3234u4#if122: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP group default
Check with tcpdump -i vethd3234u4
Reference about mysterious iflink from http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-class-net:
150 What: /sys/class/net/<iface>/iflink
151 Date: April 2005
152 KernelVersion: 2.6.12
153 Contact: netdev#vger.kernel.org
154 Description:
155 Indicates the system-wide interface unique index identifier a
156 the interface is linked to. Format is decimal. This attribute is
157 used to resolve interfaces chaining, linking and stacking.
158 Physical interfaces have the same 'ifindex' and 'iflink' values.
Based on the provided answer (which worked for me), I made this simple bash script:
#!/bin/bash
export containers=$(sudo docker ps --format "{{.ID}}|{{.Names}}")
export interfaces=$(sudo ip ad);
for x in $containers
do
export name=$(echo "$x" |cut -d '|' -f 2);
export id=$(echo "$x"|cut -d '|' -f 1)
export ifaceNum="$(echo $(sudo docker exec -it "$id" cat /sys/class/net/eth0/iflink) | sed s/[^0-9]*//g):"
export ifaceStr=$( echo "$interfaces" | grep $ifaceNum | cut -d ':' -f 2 | cut -d '#' -f 1);
echo -e "$name: $ifaceStr";
done
My answer more like improvement on that important topic because it didn't help to "Find out which network interface belongs to docker container", but, as author noticed, he "want to listen to the tcp traffic" inside docker container - I'll try to help on that one during your troubleshooting of network.
Considering that veth network devices are about network namespaces, it is useful to know that we can execute program in another namespace via nsenter tool as follow (remember - you need a privileged permission (sudo/root) for doing that):
Get ID of any container you are interested in capture the traffic, for example it will be 78334270b8f8
Then we need to take PID of that containerized application (I assume you are running only 1 network-related process inside container and want to capture its traffic. Otherwise, that approach is hard to be suitable):
sudo docker inspect 78334270b8f8 | grep -i pid
For example, output for pid will be 111380 - that's ID of your containerized app, you can check also it via ps command: ps aux | grep 111380 just in curiosity.
Next step is to check what network interfaces you have inside your container:
sudo nsenter -t 111380 -n ifconfig
This command will return you list of network devices in network namespace of the containerized app (you should not have ifconfig tool on board of your container, only on your node/machine)
For example, you need to capture traffic on interface eth2 and filter it to tcp destination port 80 (it may vary of course) with this command:
sudo nsenter -t 111380 -n tcpdump -nni eth2 -w nginx_tcpdump_test.pcap 'tcp dst port 80'
Remember, that in this case you do not need tcpdump tool to be installed inside your container.
Then, after capturing packets, .pcap file will be available on your machine/node and to read it use any tool you prefer tcpdump -r nginx_tcpdump_test.pcap
approach's pros:
no need to have network tools inside container, only on docker node
no need to search for map between network devices in container and node
cons:
you need to have privileged user on node/machine to run nsenter tool
One-liner of the solution from #pbaranski
num=$(docker exec -i my-container cat /sys/class/net/eth0/iflink | tr -d '\r'); ip ad | grep -oE "^${num}: veth[^#]+" | awk '{print $2}'
If you need to find out on a container that does not include cat then try this tool: https://github.com/micahculpepper/dockerveth
You can also read the interface names via /proc/PID/net/igmp like (container name as argument 1):
#!/bin/bash
NAME=$1
PID=$(docker inspect $NAME --format "{{.State.Pid}}")
while read iface id; do
[[ "$iface" == lo ]] && continue
veth=$(ip -br addr | sed -nre "s/(veth.*)#if$id.*/\1/p")
echo -e "$NAME\t$iface\t$veth"
done < <(</proc/$PID/net/igmp awk '/^[0-9]+/{print $2 " " $1;}')
I have a lot of interfaces configured in my server, each of which connect to a specific nic card and have a separate routing table. These interfaces can be identified by "netstat -a" command.
Now, I want to execute the rsync command connecting only to specific interface. I have this requirement because each of the interfaces will go through a separate tunnel/path and I want a particular rsync command to sync files through a specified tunnel.
Specifically, I want a way to specify the interface name.
Thanks,
Mohan.
You can specify the address of the interface using --address=x.x.x.x on the command-line.
I don't think there is any way to specify the interface directly, but the ip command can tell you the address for an interface, so you could use something like this:
IP=$(ip -4 -br addr show eth0 | awk '{split($3,a,"/"); print a[1]}')
rsyncd ... --address=$IP
Edit For systems with the "real" iproute2 (anything not busybox-based, essentially), ip can produce JSON output which can be parsed a bit more sanely:
IP=$(ip -j -4 addr show wlo1 | jq .[0].addr_info[0].local)
rsyncd ... --address=$IP
I've written this little perl script to turn interface names to addresses, save it as iftoip (or similar)
#!/usr/bin/perl
use strict;
use warnings;
use IO::Interface::Simple;
use feature qw(say);
my $iface = shift;
my $if = IO::Interface::Simple->new($iface) or die "$!: $iface";
say $if->address;
exit 0;
You can do something similar with bash:
iftoip() {
ip addr show $1 | grep inet | awk '{print $2}' | cut -d'/' -f1
}
just add the above 3 lines to ~/.bashrc and start a new shell or source ~/.bashrc
Running it produces:
v#juno:~$ iftoip ens33
10.251.17.94
v#juno:~$ iftoip ens34
192.168.78.128
v#juno:~$ echo "IP=$(iftoip ens33)"
IP=10.251.17.94
v#juno:~$ iftoip ens35 #perl
No such device: ens35 at /home/v/bin/iftoip line 10.
or
v#juno:~$ iftoip ens35 #bash
Device "ens35" does not exist.
This has been tried using 2 interfaces, with different subnets and worked.
rsync -avzP -e 'ssh -b 10.100.16.X' /var/tmp/ent1 10.100.16.X:/var/tmp/;
rsync -avzP -e 'ssh -b 10.100.20.X' /var/tmp/ent2 10.100.20.X:/var/tmp/ ;
From client to server, over ssh use:
rsync -avP -e 'ssh -b x.x.x.x' tmp/ server:tmp/
I need to have some statics (for test purpose ) on syn packet that was recieved.
I got lost with the available tools - ethreal. tshark.tcpdumt.
I want the simple tool that will not dump the complete packet only by pattern (in my case only ip, but some case i will also need payload) .
Which one from the above (or another) do the job?
If you have some patient i will be tankful for you to reference about the differences between them. didnt find good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from command line.
pattern can be - ip.src ip.payload
Thank you
The following tcpdump command will save all the packets to a file which have the SYN flag set and are sent to the IP address stored in the environmental variable MYIP:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
List of unique host/ports from the dump can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq
List of packet counts per host/port can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"
For some research reason, I need to get the http package's tcp sequence numbers. I have already got the pcap file, so how should I do that with tshark?
Thanks so much for answer my question!!!
Something like this should do it:
tshark -r your_file -R http -T fields -e tcp.seq
The sequence numbers are relative or absolute as controlled by .wireshark/preferences. By default it's relative (so you will see small numbers). If you want absolute sequence numbers, edit preferences:
tcp.relative_sequence_numbers: FALSE
Using tshark,
apply the correspoding tcp filter (tcp.nxtseq) check for more from this page
https://www.wireshark.org/docs/dfref/t/tcp.html
C:\Program Files\Wireshark>tshark -r C:<path to pcap>sample.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e tcp.flags.ack -e tcp.flags.cwr -e tcp.flags.ecn -e tcp.flags.fin -e tcp.flags.ns -e tcp.flags.push -e tcp.flags.res -e tcp.flags.reset -e tcp.flags.syn -e tcp.flags.urg > C:/20Oct.txt