How to save to file all the syn packets? - networking

I need to have some statics (for test purpose ) on syn packet that was recieved.
I got lost with the available tools - ethreal. tshark.tcpdumt.
I want the simple tool that will not dump the complete packet only by pattern (in my case only ip, but some case i will also need payload) .
Which one from the above (or another) do the job?
If you have some patient i will be tankful for you to reference about the differences between them. didnt find good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from command line.
pattern can be - ip.src ip.payload
Thank you

The following tcpdump command will save all the packets to a file which have the SYN flag set and are sent to the IP address stored in the environmental variable MYIP:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
List of unique host/ports from the dump can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq
List of packet counts per host/port can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"

Related

How to create an audio file from a Pcap file with Tshark?

I want to make audio data from a Pcap file with Tshark.
I have successfully created audio data from a Pcap file using Wireshark in RTP analysis function.
This Pcap file is created from a VoIP phone conversation.
Next time I want to do the same thing with Tshark.
What command would do that?
I read the Tshark manual to find out how.
but couldn't find it.
do i need any tools?
On Linux, extracting the RTP packets from PCAP file is possible with tshark together with shell tools tr and xxd, but then you might need other tools to convert to an audio format.
If you have a single call recording in the pcap, so all rtp packets belong to it, try with:
tshark -n -r call.pcap -2 -R rtp -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
If the pcap has the recordings from many calls, then you have to identify the calls and their RTP streams by source/destination IPs or SSRC and build the filter accordingly, for example if SSRC is 0x7f029328:
tshark -n -r call.pcap -2 -R rtp -R "rtp.ssrc == 0x7f029328" -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
Tools like sox or ffmpeg can be used to convert from call.rtp file to wav format, depending on the codec that was used in the call. If the codec was G711u (PCMU) with sample rate 8000:
sox -t ul -r 8000 -c 1 call.rtp call.wav
The audio formats supported by sox are listed by sox -h. The ffmpeg might be needed for codecs such as G729 or G722, example for G722 with sample rate 16000:
ffmpeg -f g722 -i call.rtp -acodec pcm_s16le -ar 16000 -ac 1 call.wav
These guidelines are from some brief notes I made during the past when I had similar needs, hope they are good and still valid nowadays, or at least provide the right direction to explore further.

tshark capture only dns or http traffic with specific ip adress and write to file

Hello I want to capture from a specific ip adress dns or http or http2 traffic and save it to a file.
I tried this:
tshark -i xxx -w capture-output.pcap -T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
I get this error:
tshark: Display filters aren't supported when capturing and saving the captured packets.
Can somebody help me?
The error gives you as much information as you need - you can't use a display filter when saving a packet capture. You have two options here:
Option 1: Save the capture and use a display filter afterwards
This would look something like
# Write the initial file with incoming packets
$ tshark -i xxx -w capture-output.pcap
# Filter out the traffic we don't want
$ tshark -r capture-output.pcap -w filtered-output.pcap \
-T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
Option 2: Use a capture filter
Use a capture filter instead. Capture filters use a special syntax that is different from display filters.
The equivalent capture filter you would want to use give your display filter is
$ tshark -w filtered.pcap -f "src net 192.168.178.0/24 and (udp port 53 or tcp port 80 or tcp port 443)"

How can I make Wireshark filter by port when reading from standard in?

I'm piping from a RawCap-generated dump file to Wireshark in order to monitor local traffic, how can I instruct wireshark to only show traffic to a certain destination port?
I'm running RawCap in one Cygwin shell, and Wireshark in another to monitor RawCap's output:
Shell 1:
RawCap.exe -f 127.0.0.1 dumpfile.pcap
Shell 2:
# How do I tell Wireshark to show only traffic to port 10000?
tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -
The appropriate flag for instructing wireshark to filter the displayed packets is -Y, as its man page reports:
-Y <display filter> start with the given display filter
For filtering the destination port of TCP, use tcp.dstport==X where X specifies the port.
Therefore, the full command is:
tail -c +0 -f dumpfile.pcap | wireshark -k -i - -Y "tcp.dstport==10000"
This is a good starting point for information on display filters. A full reference on the subject is available here and a detailed explanation of its syntax is available here. However, it's worth noting that most basic filters can be found via a simple online search.

tshark: extract rtp payload of the codec G.723

In order to extract the RTP payload from a pcap file captured by wireshark, I'm using tshark with the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
this succeeded with the codecs g.729 and ilbc but with the codec g.723 it wasn't the case. I think that this problem is due to the fact that the field payload of the rtp protocol doesn't exist any more (when consulting the wireshark).
Any idea of how to extract the payload of the codec g.723?
I did it this way:
used rtpxtract.pl from
here
then used ffmpeg to convert it to format user can listen to. like MP3.
ffmpeg -f g723_1 -i ${infile} ${outfile}.mp3
to solve this problem you have just to disable the protocol g723 in wireshark in the item Enabled Protocols from the Analyze menu then the field "payload" will appear in the protocol rtp and the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
will succeed!

Multiple WEP keys which can be retrieved from the Pcap file

Ok, i have this Cap file that i captured with Wireshark. There are multiple WEP keys which can be retrieved from the file.
Is there a way, using Wireshark or aircrack-ng, to know exactly how many wep keys that are available in that Pcap file ?
Edit: not the Wep passwords, just the number of Wep keys available.
Wireshark has a display/filter field named wlan.wep.key.
So: Using tshark with a display filter and wc as follows might give you the desired result (altho i haven't tried it):
tshark -R wlan.wep.key -r <filename> | wc -l
Note: I don't know if there can be more than 1 WEP key in a frame. If so then the above won't give the right count.
tshark -R wlan.wep.key -Tfields -eframe.number -r <filename> should show just the frame numbers of all the frames with WEP keys.
tshark -R wlan.wep.key -Tfields -eframe.number -ewlan.wep.key -r <filename> will print out all the keys (even if more than 1 per frame).

Resources