OSTU - Sake Blok on Scripting with TShark (Part 2)

Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

Comments
  • Excellent tutorial. Thank you for taking the time to post this ! Look forward to more (well.. I'm about to view (3) ... hopefully there are many more).

Presentation Transcript

    • Scripting with Tshark (2) June 2009
    • This month's topic
      • Extracting user (TCP) sessions based on application layer data
      • You will learn:
        • how to select the TCP streams in which the user data is found
        • filter out the complete TCP streams that contain the user data
    • Situation
      • A user logs in to a website
      • The webserver creates a session cookie
      • Every request from the client will contain the session cookie
      • Filtering on session cookie will only show HTTP requests, not full TCP sessions
      • Use session cookie to extract full TCP sessions
    • Steps to take
      • Select only the packets that contain the application data
      • Print only ip address and port number
      • Create a display filter for these ports
      • Use another tshark instance with the above filter to extract the TCP sessions
    • "Prerequisites"
      • Use "linux", "*nix" or "windows with Cygwin"
      • Understand the "|" directive and the use of 'backticks' (see "pipelines" and "command substitution" in the bash manpage)
      • Have a look at the manpage of:
        • bash
        • awk
    • 1: Select packets with search data
      $ tshark -r sharkfest-1.cap -R 'http.request and http.cookie contains "PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcaf"'
       66 352.849802 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/ ...
       90 352.943964 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/ ...
      101 352.995346 192.168.1.30 -> 194.134.109.48 HTTP GET /javascr ...
      115 353.051093 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      118 353.055001 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      139 353.131598 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      142 353.132616 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      161 353.191958 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      165 353.200628 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      182 353.493676 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      185 353.503053 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      205 353.553385 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      209 353.557910 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      225 353.607322 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      229 353.619819 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      245 353.669407 192.168.1.30 -> 194.134.109.48 HTTP GET /javascr ...
      249 353.681990 192.168.1.30 -> 194.134.109.48 HTTP GET /images/ ...
      [...]
      $
    • 2: Print only source IP and port
      $ tshark -r sharkfest-1.cap -R 'http.request and http.cookie contains "PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcaf"' -T fields -e ip.src -e tcp.srcport | sort | uniq
      192.168.1.30 3981
      192.168.1.30 3982
      192.168.1.30 3983
      192.168.1.30 3984
      192.168.1.30 3985
      192.168.1.30 3986
      192.168.1.30 3987
      192.168.1.30 3988
      192.168.1.30 3989
      192.168.1.30 3991
      192.168.1.30 3992
      192.168.1.30 3993
      192.168.1.30 3994
      192.168.1.30 3996
      192.168.1.30 3997
      192.168.1.30 3998
      [...]
      $
    • 3: Create new display filter (1)
      • Introducing 'awk'
      • awk processes its input line by line
      • fields within one line are available as $1, $2, etc.
      • the default field separator is whitespace
      • a C-like printf function is available
      • Goal:
        • 192.168.1.30 3981
        • 192.168.1.30 3982
        • to
        • (ip.addr==192.168.1.30&&tcp.port==3981)||(ip.addr==192.168.1.30&&tcp.port==3982)
    • 3: Create new display filter (2)
      $ tshark -r sharkfest-1.cap -R 'http.request and http.cookie contains "PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcaf"' -T fields -e ip.src -e tcp.srcport | sort | uniq | awk '{printf("%s(ip.addr==%s&&tcp.port==%s)",sep,$1,$2);sep="||"}'
      (ip.addr==192.168.1.30&&tcp.port==3981)||(ip.addr==192.168.1.30&&tcp.port==3982)||
      (ip.addr==192.168.1.30&&tcp.port==3983)||(ip.addr==192.168.1.30&&tcp.port==3984)||
      (ip.addr==192.168.1.30&&tcp.port==3985)||(ip.addr==192.168.1.30&&tcp.port==3986)||
      (ip.addr==192.168.1.30&&tcp.port==3987)||(ip.addr==192.168.1.30&&tcp.port==3988)||
      (ip.addr==192.168.1.30&&tcp.port==3989)||(ip.addr==192.168.1.30&&tcp.port==3991)||
      (ip.addr==192.168.1.30&&tcp.port==3992)||(ip.addr==192.168.1.30&&tcp.port==3993)||
      (ip.addr==192.168.1.30&&tcp.port==3994)||(ip.addr==192.168.1.30&&tcp.port==3996)||
      (ip.addr==192.168.1.30&&tcp.port==3997)||(ip.addr==192.168.1.30&&tcp.port==3998)||
      (ip.addr==192.168.1.30&&tcp.port==3999)||(ip.addr==192.168.1.30&&tcp.port==4000)||
      (ip.addr==192.168.1.30&&tcp.port==4001)||(ip.addr==192.168.1.30&&tcp.port==4002)||
      (ip.addr==192.168.1.30&&tcp.port==4003)||(ip.addr==192.168.1.30&&tcp.port==4004)||
      (ip.addr==192.168.1.30&&tcp.port==4006)||(ip.addr==192.168.1.30&&tcp.port==4007)||
      [...] ||(ip.addr==192.168.1.30&&tcp.port==4126)
      $
    • 4: Extract the TCP sessions
      $ tshark -r sharkfest-1.cap -R "$( tshark -r sharkfest-1.cap -R 'http.request and http.cookie contains "PHPSESSID=c0bb9d04cebbc765bc9bc366f663fcaf"' -T fields -e ip.src -e tcp.srcport | sort | uniq | awk '{printf("%s(ip.addr==%s&&tcp.port==%s)",sep,$1,$2); sep="||"}' )" -w cookie.cap
      $
      $ tshark -r cookie.cap
        1 0.000000 192.168.1.30 -> 194.134.109.48 TCP starfish > http [SYN] Seq=0 Win=655…
        2 0.010379 194.134.109.48 -> 192.168.1.30 TCP http > starfish [SYN, ACK] Seq=0 Ac…
        3 0.010456 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=1 Ack=1 W…
        4 0.010692 192.168.1.30 -> 194.134.109.48 HTTP GET /styles/scherm.css HTTP/1.1
        5 0.026023 194.134.109.48 -> 192.168.1.30 TCP http > starfish [ACK] Seq=1 Ack=384…
        6 0.034230 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
        7 0.038617 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
        8 0.038683 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=384 Ack=29…
        9 0.043327 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
       10 0.050840 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
       11 0.050899 192.168.1.30 -> 194.134.109.48 TCP starfish > http [ACK] Seq=384 Ack=58…
       12 0.055159 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
       13 0.059893 194.134.109.48 -> 192.168.1.30 TCP [TCP segment of a reassembled PDU]
      [...]
      $
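The four steps above wrapped into one reusable script, as an added example that is not part of the slides: it generalises the filter to pin both endpoints of each session (so a later reuse of the same client port by another connection is not swept in), uses the generic tcp contains match from the TIPS slide, and refuses to run the extraction when nothing matched, because an empty filter would make tshark write every packet. It assumes a current tshark on the PATH, where -Y replaced the -R display-filter option shown on the slides; the function names and the sample input are the editor's own.

```shell
#!/bin/sh
# Added example (not from the slides). Usage:
#   ./extract_sessions.sh capture.cap 'PHPSESSID=c0bb9d04...' cookie.cap

# Turn "srcip srcport dstip dstport" lines (one per packet, duplicates
# allowed) into a display filter with one term per unique session.
# Both endpoints are pinned so an unrelated connection that later reuses
# the same client port does not match.
build_filter() {
    sort -u | awk '{
        printf("%s(ip.addr==%s&&tcp.port==%s&&ip.addr==%s&&tcp.port==%s)",
               sep, $1, $2, $3, $4)
        sep = "||"
    }'
}

# Slide steps 1 and 2 with a protocol-independent match. The filter is
# wrapped in double quotes so the escaped inner quotes reach tshark intact.
list_endpoints() {
    tshark -r "$1" -Y "tcp contains \"$2\"" \
        -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
}

# Slide steps 3 and 4: build the filter, then run a second tshark with it.
extract_sessions() {
    capture=$1; needle=$2; out=$3
    filter=$(list_endpoints "$capture" "$needle" | build_filter)
    if [ -z "$filter" ]; then
        echo "no packets in $capture contain '$needle'; nothing written" >&2
        return 1
    fi
    tshark -r "$capture" -Y "$filter" -w "$out"
}

[ $# -eq 3 ] && extract_sessions "$@"
```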
    • TIPS
      • Can be used on "any" TCP protocol with the filter "tcp contains <string>"
      • Use ip.dst and tcp.dstport when the search data is in the TCP response
    • That's all folks!
      • More info:
        • see the manpages at: http://www.wireshark.org/docs/man-pages/
      • Next month's episode: "Scripting with Tshark (3)"
      • Previous episodes can be found at: http://www.lovemytool.com/blog/sake_blok.html
      • e-mail: [email_address]
      • LoveMyTool.com Community for Network Monitoring & Management Tools
      • For additional educational videos on Open Source Network Tools, please visit: http://www.lovemytool.com/blog/ostu.html