{"id":17854,"date":"2021-11-23T04:54:32","date_gmt":"2021-11-23T03:54:32","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=17854"},"modified":"2023-08-20T14:55:20","modified_gmt":"2023-08-20T12:55:20","slug":"sniffer-tshark-auf-dem-raspberry-nutzen","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=17854","title":{"rendered":"Penetration test: using the tshark sniffer on the Raspberry Pi"},"content":{"rendered":"<p>I still had a Raspberry Pi lying around that had been set up headless with Raspbian 11 bullseye. Here is a <strong>screenfetch<\/strong>:<br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch.png\" alt=\"\" width=\"1650\" height=\"898\" class=\"aligncenter size-full wp-image-17855\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch.png 1650w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch-300x163.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch-1024x557.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch-768x418.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pi-org-logo-screenfetch-1536x836.png 1536w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><br \/>\nOn it we now want to install a packet analyzer or packet sniffer (you do not need Kali for that \ud83d\ude09 ). I have already written about this several times in the past (<a href=\"http:\/\/blog.wenzlaff.de\/?p=12700\" rel=\"noopener\" target=\"_blank\">1<\/a>, <a href=\"http:\/\/blog.wenzlaff.de\/?p=4364\">2<\/a>, <a href=\"http:\/\/blog.wenzlaff.de\/?s=tshark\" rel=\"noopener\" target=\"_blank\">3<\/a>). TShark is the command-line interface to Wireshark. 
<!--more--><\/p>\n\n<h1>Installing tshark, tcpdump and nmap<\/h1>\n<pre class=\"lang:default decode:true \" >\r\n# update the system\r\nsudo apt update\r\nsudo apt upgrade\r\n# during the tshark installation a dialog asks whether non-superusers should be able to capture packets; answer YES there.\r\nsudo apt install tshark tcpdump nmap \r\n<\/pre>\n<h1>Testing the installation and showing the help<\/h1>\n<p>Help output of <strong>tshark -h<\/strong><\/p>\n<pre class=\"minimize:true lang:default decode:true \" >TShark (Wireshark) 3.4.4 (Git v3.4.4 packaged as 3.4.4-1)\r\nDump and analyze network traffic.\r\nSee https:\/\/www.wireshark.org for more information.\r\n\r\nUsage: tshark [options] ...\r\n\r\nCapture interface:\r\n  -i &lt;interface&gt;, --interface &lt;interface&gt;\r\n                           name or idx of interface (def: first non-loopback)\r\n  -f &lt;capture filter&gt;      packet filter in libpcap filter syntax\r\n  -s &lt;snaplen&gt;, --snapshot-length &lt;snaplen&gt;\r\n                           packet snapshot length (def: appropriate maximum)\r\n  -p, --no-promiscuous-mode\r\n                           don't capture in promiscuous mode\r\n  -I, --monitor-mode       capture in monitor mode, if available\r\n  -B &lt;buffer size&gt;, --buffer-size &lt;buffer size&gt;\r\n                           size of kernel buffer (def: 2MB)\r\n  -y &lt;link type&gt;, --linktype &lt;link type&gt;\r\n                           link layer type (def: first appropriate)\r\n  --time-stamp-type &lt;type&gt; timestamp method for interface\r\n  -D, --list-interfaces    print list of interfaces and exit\r\n  -L, --list-data-link-types\r\n                           print list of link-layer types of iface and exit\r\n  --list-time-stamp-types  print list of timestamp types for iface and exit\r\n\r\nCapture stop conditions:\r\n  -c &lt;packet count&gt;        stop after n packets (def: infinite)\r\n  -a &lt;autostop cond.&gt; ..., --autostop &lt;autostop cond.&gt; ...\r\n                           duration:NUM - 
stop after NUM seconds\r\n                           filesize:NUM - stop this file after NUM KB\r\n                              files:NUM - stop after NUM files\r\n                            packets:NUM - stop after NUM packets\r\nCapture output:\r\n  -b &lt;ringbuffer opt.&gt; ..., --ring-buffer &lt;ringbuffer opt.&gt;\r\n                           duration:NUM - switch to next file after NUM secs\r\n                           filesize:NUM - switch to next file after NUM KB\r\n                              files:NUM - ringbuffer: replace after NUM files\r\n                            packets:NUM - switch to next file after NUM packets\r\n                           interval:NUM - switch to next file when the time is\r\n                                          an exact multiple of NUM secs\r\nInput file:\r\n  -r &lt;infile&gt;, --read-file &lt;infile&gt;\r\n                           set the filename to read from (or '-' for stdin)\r\n\r\nProcessing:\r\n  -2                       perform a two-pass analysis\r\n  -M &lt;packet count&gt;        perform session auto reset\r\n  -R &lt;read filter&gt;, --read-filter &lt;read filter&gt;\r\n                           packet Read filter in Wireshark display filter syntax\r\n                           (requires -2)\r\n  -Y &lt;display filter&gt;, --display-filter &lt;display filter&gt;\r\n                           packet displaY filter in Wireshark display filter\r\n                           syntax\r\n  -n                       disable all name resolutions (def: all enabled)\r\n  -N &lt;name resolve flags&gt;  enable specific name resolution(s): \"mnNtdv\"\r\n  -d &lt;layer_type&gt;==&lt;selector&gt;,&lt;decode_as_protocol&gt; ...\r\n                           \"Decode As\", see the man page for details\r\n                           Example: tcp.port==8888,http\r\n  -H &lt;hosts file&gt;          read a list of entries from a hosts file, which will\r\n                           then be written to a capture file. 
(Implies -W n)\r\n  --enable-protocol &lt;proto_name&gt;\r\n                           enable dissection of proto_name\r\n  --disable-protocol &lt;proto_name&gt;\r\n                           disable dissection of proto_name\r\n  --enable-heuristic &lt;short_name&gt;\r\n                           enable dissection of heuristic protocol\r\n  --disable-heuristic &lt;short_name&gt;\r\n                           disable dissection of heuristic protocol\r\nOutput:\r\n  -w &lt;outfile|-&gt;           write packets to a pcapng-format file named \"outfile\"\r\n                           (or '-' for stdout)\r\n  --capture-comment &lt;comment&gt;\r\n                           set the capture file comment, if supported\r\n  -C &lt;config profile&gt;      start with specified configuration profile\r\n  -F &lt;output file type&gt;    set the output file type, default is pcapng\r\n                           an empty \"-F\" option will list the file types\r\n  -V                       add output of packet tree        (Packet Details)\r\n  -O &lt;protocols&gt;           Only show packet details of these protocols, comma\r\n                           separated\r\n  -P, --print              print packet summary even when writing to a file\r\n  -S &lt;separator&gt;           the line separator to print between packets\r\n  -x                       add output of hex and ASCII dump (Packet Bytes)\r\n  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\r\n                           format of text output (def: text)\r\n  -j &lt;protocolfilter&gt;      protocols layers filter if -T ek|pdml|json selected\r\n                           (e.g. \"ip ip.flags text\", filter does not expand child\r\n                           nodes, unless child is specified also in the filter)\r\n  -J &lt;protocolfilter&gt;      top level protocol filter if -T ek|pdml|json selected\r\n                           (e.g. 
\"http tcp\", filter which expands all child nodes)\r\n  -e &lt;field&gt;               field to print if -Tfields selected (e.g. tcp.port,\r\n                           _ws.col.Info)\r\n                           this option can be repeated to print multiple fields\r\n  -E&lt;fieldsoption&gt;=&lt;value&gt; set options for output when -Tfields selected:\r\n     bom=y|n               print a UTF-8 BOM\r\n     header=y|n            switch headers on and off\r\n     separator=\/t|\/s|&lt;char&gt; select tab, space, printable character as separator\r\n     occurrence=f|l|a      print first, last or all occurrences of each field\r\n     aggregator=,|\/s|&lt;char&gt; select comma, space, printable character as\r\n                           aggregator\r\n     quote=d|s|n           select double, single, no quotes for values\r\n  -t a|ad|adoy|d|dd|e|r|u|ud|udoy\r\n                           output format of time stamps (def: r: rel. to first)\r\n  -u s|hms                 output format of seconds (def: s: seconds)\r\n  -l                       flush standard output after each packet\r\n  -q                       be more quiet on stdout (e.g. 
when using statistics)\r\n  -Q                       only log true errors to stderr (quieter than -q)\r\n  -g                       enable group read access on the output file(s)\r\n  -W n                     Save extra information in the file, if supported.\r\n                           n = write network address resolution information\r\n  -X &lt;key&gt;:&lt;value&gt;         eXtension options, see the man page for details\r\n  -U tap_name              PDUs export mode, see the man page for details\r\n  -z &lt;statistics&gt;          various statistics, see the man page for details\r\n  --export-objects &lt;protocol&gt;,&lt;destdir&gt;\r\n                           save exported objects for a protocol to a directory\r\n                           named \"destdir\"\r\n  --color                  color output text similarly to the Wireshark GUI,\r\n                           requires a terminal with 24-bit color support\r\n                           Also supplies color attributes to pdml and psml formats\r\n                           (Note that attributes are nonstandard)\r\n  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object\r\n                           into a single key with as value a json array containing all\r\n                           values\r\n  --elastic-mapping-filter &lt;protocols&gt; If -G elastic-mapping is specified, put only the\r\n                           specified protocols within the mapping file\r\n\r\nMiscellaneous:\r\n  -h, --help               display this help and exit\r\n  -v, --version            display version info and exit\r\n  -o &lt;name&gt;:&lt;value&gt; ...    
override preference setting\r\n  -K &lt;keytab&gt;              keytab file to use for kerberos decryption\r\n  -G [report]              dump one of several available reports and exit\r\n                           default report=\"fields\"\r\n                           use \"-G help\" for more help\r\n\r\nDumpcap can benefit from an enabled BPF JIT compiler if available.\r\nYou might want to enable it by executing:\r\n \"echo 1 &gt; \/proc\/sys\/net\/core\/bpf_jit_enable\"\r\nNote that this can make your system less secure!\r\n<\/pre>\n<p>Help output of <strong>nmap -h<\/strong><\/p>\n<pre class=\"minimize:true lang:default decode:true \" >Nmap 7.80 ( https:\/\/nmap.org )\r\nUsage: nmap [Scan Type(s)] [Options] {target specification}\r\nTARGET SPECIFICATION:\r\n  Can pass hostnames, IP addresses, networks, etc.\r\n  Ex: scanme.nmap.org, microsoft.com\/24, 192.168.0.1; 10.0.0-255.1-254\r\n  -iL &lt;inputfilename&gt;: Input from list of hosts\/networks\r\n  -iR &lt;num hosts&gt;: Choose random targets\r\n  --exclude &lt;host1[,host2][,host3],...&gt;: Exclude hosts\/networks\r\n  --excludefile &lt;exclude_file&gt;: Exclude list from file\r\nHOST DISCOVERY:\r\n  -sL: List Scan - simply list targets to scan\r\n  -sn: Ping Scan - disable port scan\r\n  -Pn: Treat all hosts as online -- skip host discovery\r\n  -PS\/PA\/PU\/PY[portlist]: TCP SYN\/ACK, UDP or SCTP discovery to given ports\r\n  -PE\/PP\/PM: ICMP echo, timestamp, and netmask request discovery probes\r\n  -PO[protocol list]: IP Protocol Ping\r\n  -n\/-R: Never do DNS resolution\/Always resolve [default: sometimes]\r\n  --dns-servers &lt;serv1[,serv2],...&gt;: Specify custom DNS servers\r\n  --system-dns: Use OS's DNS resolver\r\n  --traceroute: Trace hop path to each host\r\nSCAN TECHNIQUES:\r\n  -sS\/sT\/sA\/sW\/sM: TCP SYN\/Connect()\/ACK\/Window\/Maimon scans\r\n  -sU: UDP Scan\r\n  -sN\/sF\/sX: TCP Null, FIN, and Xmas scans\r\n  --scanflags &lt;flags&gt;: Customize TCP scan flags\r\n  -sI 
&lt;zombie host[:probeport]&gt;: Idle scan\r\n  -sY\/sZ: SCTP INIT\/COOKIE-ECHO scans\r\n  -sO: IP protocol scan\r\n  -b &lt;FTP relay host&gt;: FTP bounce scan\r\nPORT SPECIFICATION AND SCAN ORDER:\r\n  -p &lt;port ranges&gt;: Only scan specified ports\r\n    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9\r\n  --exclude-ports &lt;port ranges&gt;: Exclude the specified ports from scanning\r\n  -F: Fast mode - Scan fewer ports than the default scan\r\n  -r: Scan ports consecutively - don't randomize\r\n  --top-ports &lt;number&gt;: Scan &lt;number&gt; most common ports\r\n  --port-ratio &lt;ratio&gt;: Scan ports more common than &lt;ratio&gt;\r\nSERVICE\/VERSION DETECTION:\r\n  -sV: Probe open ports to determine service\/version info\r\n  --version-intensity &lt;level&gt;: Set from 0 (light) to 9 (try all probes)\r\n  --version-light: Limit to most likely probes (intensity 2)\r\n  --version-all: Try every single probe (intensity 9)\r\n  --version-trace: Show detailed version scan activity (for debugging)\r\nSCRIPT SCAN:\r\n  -sC: equivalent to --script=default\r\n  --script=&lt;Lua scripts&gt;: &lt;Lua scripts&gt; is a comma separated list of\r\n           directories, script-files or script-categories\r\n  --script-args=&lt;n1=v1,[n2=v2,...]&gt;: provide arguments to scripts\r\n  --script-args-file=filename: provide NSE script args in a file\r\n  --script-trace: Show all data sent and received\r\n  --script-updatedb: Update the script database.\r\n  --script-help=&lt;Lua scripts&gt;: Show help about scripts.\r\n           &lt;Lua scripts&gt; is a comma-separated list of script-files or\r\n           script-categories.\r\nOS DETECTION:\r\n  -O: Enable OS detection\r\n  --osscan-limit: Limit OS detection to promising targets\r\n  --osscan-guess: Guess OS more aggressively\r\nTIMING AND PERFORMANCE:\r\n  Options which take &lt;time&gt; are in seconds, or append 'ms' (milliseconds),\r\n  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 
30m).\r\n  -T&lt;0-5&gt;: Set timing template (higher is faster)\r\n  --min-hostgroup\/max-hostgroup &lt;size&gt;: Parallel host scan group sizes\r\n  --min-parallelism\/max-parallelism &lt;numprobes&gt;: Probe parallelization\r\n  --min-rtt-timeout\/max-rtt-timeout\/initial-rtt-timeout &lt;time&gt;: Specifies\r\n      probe round trip time.\r\n  --max-retries &lt;tries&gt;: Caps number of port scan probe retransmissions.\r\n  --host-timeout &lt;time&gt;: Give up on target after this long\r\n  --scan-delay\/--max-scan-delay &lt;time&gt;: Adjust delay between probes\r\n  --min-rate &lt;number&gt;: Send packets no slower than &lt;number&gt; per second\r\n  --max-rate &lt;number&gt;: Send packets no faster than &lt;number&gt; per second\r\nFIREWALL\/IDS EVASION AND SPOOFING:\r\n  -f; --mtu &lt;val&gt;: fragment packets (optionally w\/given MTU)\r\n  -D &lt;decoy1,decoy2[,ME],...&gt;: Cloak a scan with decoys\r\n  -S &lt;IP_Address&gt;: Spoof source address\r\n  -e &lt;iface&gt;: Use specified interface\r\n  -g\/--source-port &lt;portnum&gt;: Use given port number\r\n  --proxies &lt;url1,[url2],...&gt;: Relay connections through HTTP\/SOCKS4 proxies\r\n  --data &lt;hex string&gt;: Append a custom payload to sent packets\r\n  --data-string &lt;string&gt;: Append a custom ASCII string to sent packets\r\n  --data-length &lt;num&gt;: Append random data to sent packets\r\n  --ip-options &lt;options&gt;: Send packets with specified ip options\r\n  --ttl &lt;val&gt;: Set IP time-to-live field\r\n  --spoof-mac &lt;mac address\/prefix\/vendor name&gt;: Spoof your MAC address\r\n  --badsum: Send packets with a bogus TCP\/UDP\/SCTP checksum\r\nOUTPUT:\r\n  -oN\/-oX\/-oS\/-oG &lt;file&gt;: Output scan in normal, XML, s|&lt;rIpt kIddi3,\r\n     and Grepable format, respectively, to the given filename.\r\n  -oA &lt;basename&gt;: Output in the three major formats at once\r\n  -v: Increase verbosity level (use -vv or more for greater effect)\r\n  -d: Increase debugging level (use -dd 
or more for greater effect)\r\n  --reason: Display the reason a port is in a particular state\r\n  --open: Only show open (or possibly open) ports\r\n  --packet-trace: Show all packets sent and received\r\n  --iflist: Print host interfaces and routes (for debugging)\r\n  --append-output: Append to rather than clobber specified output files\r\n  --resume &lt;filename&gt;: Resume an aborted scan\r\n  --stylesheet &lt;path\/URL&gt;: XSL stylesheet to transform XML output to HTML\r\n  --webxml: Reference stylesheet from Nmap.Org for more portable XML\r\n  --no-stylesheet: Prevent associating of XSL stylesheet w\/XML output\r\nMISC:\r\n  -6: Enable IPv6 scanning\r\n  -A: Enable OS detection, version detection, script scanning, and traceroute\r\n  --datadir &lt;dirname&gt;: Specify custom Nmap data file location\r\n  --send-eth\/--send-ip: Send using raw ethernet frames or IP packets\r\n  --privileged: Assume that the user is fully privileged\r\n  --unprivileged: Assume the user lacks raw socket privileges\r\n  -V: Print version number\r\n  -h: Print this help summary page.\r\nEXAMPLES:\r\n  nmap -v -A scanme.nmap.org\r\n  nmap -v -sn 192.168.0.0\/16 10.0.0.0\/8\r\n  nmap -v -iR 10000 -Pn -p 80\r\nSEE THE MAN PAGE (https:\/\/nmap.org\/book\/man.html) FOR MORE OPTIONS AND EXAMPLES<\/pre>\n<p>Help output of <strong>tcpdump -h<\/strong><\/p>\n<pre class=\"minimize:true lang:default decode:true \" >tcpdump version 4.99.0\r\nlibpcap version 1.10.0 (with TPACKET_V3)\r\nOpenSSL 1.1.1k  25 Mar 2021\r\nUsage: tcpdump [-AbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ] [--count]\r\n\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\r\n\t\t[ -i interface ] [ --immediate-mode ] [ -j tstamptype ]\r\n\t\t[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]\r\n\t\t[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]\r\n\t\t[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]\r\n\t\t[ --time-stamp-precision precision ] [ --micro ] [ --nano 
]\r\n\t\t[ -z postrotate-command ] [ -Z user ] [ expression ]\r\n<\/pre>\n<h1>Listing the available interfaces<\/h1>\n<p><strong>tshark -D<\/strong><\/p>\n<pre class=\"minimize:true lang:default decode:true \" >\r\n1. eth0\r\n2. any\r\n3. lo (Loopback)\r\n4. bluetooth-monitor\r\n5. nflog\r\n6. nfqueue\r\n7. dbus-system\r\n8. dbus-session\r\n9. ciscodump (Cisco remote capture)\r\n10. dpauxmon (DisplayPort AUX channel monitor capture)\r\n11. randpkt (Random packet generator)\r\n12. sdjournal (systemd Journal Export)\r\n13. sshdump (SSH remote capture)\r\n14. udpdump (UDP Listener remote capture)\r\n<\/pre>\n<h1>Which formats can tshark save to?<\/h1>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-1024x598.png\" alt=\"\" width=\"525\" height=\"307\" class=\"aligncenter size-large wp-image-17882\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-1024x598.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-300x175.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-768x448.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-1536x897.png 1536w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/pcap-2048x1196.png 2048w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>Normally you save in pcapng format. 
These formats are also possible, though:<\/p>\n<p><strong>tshark -F<\/strong><\/p>\n<p>On the Pi:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >tshark: The available capture file types for the \"-F\" flag are:\r\n    5views - InfoVista 5View capture\r\n    btsnoop - Symbian OS btsnoop\r\n    commview - TamoSoft CommView\r\n    dct2000 - Catapult DCT2000 trace (.out format)\r\n    erf - Endace ERF capture\r\n    eyesdn - EyeSDN USB S0\/E1 ISDN trace format\r\n    k12text - K12 text file\r\n    lanalyzer - Novell LANalyzer\r\n    logcat - Android Logcat Binary format\r\n    logcat-brief - Android Logcat Brief text format\r\n    logcat-long - Android Logcat Long text format\r\n    logcat-process - Android Logcat Process text format\r\n    logcat-tag - Android Logcat Tag text format\r\n    logcat-thread - Android Logcat Thread text format\r\n    logcat-threadtime - Android Logcat Threadtime text format\r\n    logcat-time - Android Logcat Time text format\r\n    modpcap - Modified tcpdump - pcap\r\n    netmon1 - Microsoft NetMon 1.x\r\n    netmon2 - Microsoft NetMon 2.x\r\n    nettl - HP-UX nettl trace\r\n    ngsniffer - Sniffer (DOS)\r\n    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1\r\n    ngwsniffer_2_0 - Sniffer (Windows) 2.00x\r\n    niobserver - Network Instruments Observer\r\n    nokiapcap - Nokia tcpdump - pcap\r\n    nsecpcap - Wireshark\/tcpdump\/... - nanosecond pcap\r\n    nstrace10 - NetScaler Trace (Version 1.0)\r\n    nstrace20 - NetScaler Trace (Version 2.0)\r\n    nstrace30 - NetScaler Trace (Version 3.0)\r\n    nstrace35 - NetScaler Trace (Version 3.5)\r\n    pcap - Wireshark\/tcpdump\/... - pcap\r\n    pcapng - Wireshark\/... 
- pcapng\r\n    rf5 - Tektronix K12xx 32-bit .rf5 format\r\n    rh6_1pcap - RedHat 6.1 tcpdump - pcap\r\n    snoop - Sun snoop\r\n    suse6_3pcap - SuSE 6.3 tcpdump - pcap\r\n    visual - Visual Networks traffic capture<\/pre>\n<h1>Creating a pcapng dump file<\/h1>\n<p>Now let's capture the network traffic of interface 1 (eth0, as listed above) for 10 seconds into the file <strong>traffic-10-sekunden.pcapng<\/strong> with:<\/p>\n<p><strong>tshark -i 1 -a duration:10 -w traffic-10-sekunden.pcapng<\/strong><\/p>\n<p>As a result we see a packet counter and the note that \"eth0\" is being captured:<\/p>\n<pre class=\"lang:default decode:true \" >Capturing on 'eth0'\r\n109 <\/pre>\n<p>A <strong>pcapng<\/strong> (pcap next generation, formerly pcap) file is written. The formats are described <a href=\"https:\/\/github.com\/IETF-OPSAWG-WG\/draft-ietf-opsawg-pcap\" rel=\"noopener\" target=\"_blank\">here<\/a>. The file format can be displayed with<\/p>\n<p><strong>file traffic-10-sekunden.pcapng<\/strong>, which prints:<\/p>\n<p>traffic-10-sekunden.pcapng: pcapng capture file - version 1.0<\/p>\n<p>You do not necessarily have to create all files yourself for testing; there are plenty of sample PCAP\/NG files for download <a href=\"https:\/\/wiki.wireshark.org\/SampleCaptures\">here<\/a>.<\/p>\n<h1>Color<\/h1>\n<p>The output can also be colored; to do so, append the <strong>--color<\/strong> parameter. If the terminal (iTerm2 in my case) does not show any color, add the line<\/p>\n<p><strong>export COLORTERM=truecolor<\/strong><\/p>\n<p>to the <strong>~\/.bashrc<\/strong> file. 
Then everything goes to the terminal in color, e.g.<\/p>\n<pre class=\"lang:default decode:true \" >tshark --color<\/pre>\n<h1>Listing the directories<\/h1>\n<pre class=\"lang:default decode:true \" >tshark -G folders<\/pre>\n<p>E.g.<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >pi@pi-org:~ $ tshark -G folders\r\nTemp:                \t\/tmp\r\nPersonal configuration:\t\/home\/pi\/.config\/wireshark\r\nGlobal configuration:\t\/usr\/share\/wireshark\r\nSystem:              \t\/etc\r\nProgram:             \t\/usr\/bin\r\nPersonal Plugins:    \t\/home\/pi\/.local\/lib\/wireshark\/plugins\/3.4\r\nGlobal Plugins:      \t\/usr\/lib\/arm-linux-gnueabihf\/wireshark\/plugins\/3.4\r\nPersonal Lua Plugins:\t\/home\/pi\/.local\/lib\/wireshark\/plugins\r\nGlobal Lua Plugins:  \t\/usr\/lib\/arm-linux-gnueabihf\/wireshark\/plugins\r\nExtcap path:         \t\/usr\/lib\/arm-linux-gnueabihf\/wireshark\/extcap\r\nMaxMind database path:\t\/usr\/share\/GeoIP\r\nMaxMind database path:\t\/var\/lib\/GeoIP\r\nMaxMind database path:\t\/usr\/share\/GeoIP\r\nMaxMind database path:\t\/var\/lib\/GeoIP<\/pre>\n<h1>Listing the profiles<\/h1>\n<pre class=\"lang:default decode:true \" >tshark -G folders  | grep conf | awk -F':\\t*' '{print $2\"\/profiles\"}' | xargs ls<\/pre>\n<p>Example result:<\/p>\n<pre class=\"lang:default decode:true \" >\/home\/pi\/.config\/wireshark\/profiles:\r\ntw\r\n\r\n\/usr\/share\/wireshark\/profiles:\r\n Bluetooth   Classic  'No Reassembly'<\/pre>\n<p>If there is a custom profile, e.g. the one named <strong>tw<\/strong> in my case, that is the name of the directory, i.e. there is a directory <strong>~\/.config\/wireshark\/profiles\/tw<\/strong> containing the config files with <a href=\"https:\/\/www.wireshark.org\/docs\/wsug_html_chunked\/ChAppFilesConfigurationSection.html\" rel=\"noopener\" target=\"_blank\">fixed names<\/a> such as colorfilters, preferences or hosts.<br \/>\nThe profile can be selected with the <strong>-C<\/strong> parameter followed by the profile name, e.g.:<\/p>\n<pre class=\"lang:default decode:true \" >tshark -C tw --color<\/pre>\n<h1>Analyzing a pcapng file with capinfos<\/h1>\n<p>To evaluate existing pcapng files, capinfos can be used. It gives a quick overview, e.g. of when the recordings were made.<\/p>\n<p><strong>capinfos datei-name.pcapng<\/strong><\/p>\n<p>Example result:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >\r\nFile name:           datei-name.pcapng\r\nFile type:           Wireshark\/... - pcapng\r\nFile encapsulation:  Ethernet\r\nFile timestamp precision:  nanoseconds (9)\r\nPacket size limit:   file hdr: (not set)\r\nNumber of packets:   86\r\nFile size:           11kB\r\nData size:           8,468 bytes\r\nCapture duration:    6.982115287 seconds\r\nFirst packet time:   2021-11-22 09:08:15.247428821\r\nLast packet time:    2021-11-22 09:08:22.229544108\r\nData byte rate:      1,212 bytes\/s\r\nData bit rate:       9,702 bits\/s\r\nAverage packet size: 98.47 bytes\r\nAverage packet rate: 12 packets\/s\r\nSHA256:              8b42cd6bd297036cadfc7673ff34d20b512349317e2faa824b4edc6b50f94519\r\nRIPEMD160:           7ce5c28d92560d31098b8eee6dfeb76c8451fa60\r\nSHA1:                9e4e43b55d6ddb0fa2aadb527ae2e5c3e14dd7ce\r\nStrict time order:   True\r\nCapture oper-sys:    Linux 5.10.63+\r\nCapture application: Dumpcap (Wireshark) 3.4.4 (Git v3.4.4 packaged as 3.4.4-1)\r\nNumber of interfaces in file: 1\r\nInterface #0 info:\r\n                     Name = eth0\r\n                     Encapsulation = Ethernet (1 - ether)\r\n                     Capture length = 262144\r\n                     Time precision = nanoseconds (9)\r\n                     Time ticks per second = 1000000000\r\n                     Time resolution = 0x09\r\n                     Operating system = Linux 
5.10.63+\r\n                     Number of stat entries = 1\r\n                     Number of packets = 86<\/pre>\n<p>Here is the full help output:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >Capinfos (Wireshark) 3.4.4 (Git v3.4.4 packaged as 3.4.4-1)\r\nPrint various information (infos) about capture files.\r\nSee https:\/\/www.wireshark.org for more information.\r\n\r\nUsage: capinfos [options] &lt;infile&gt; ...\r\n\r\nGeneral infos:\r\n  -t display the capture file type\r\n  -E display the capture file encapsulation\r\n  -I display the capture file interface information\r\n  -F display additional capture file information\r\n  -H display the SHA256, RMD160, and SHA1 hashes of the file\r\n  -k display the capture comment\r\n\r\nSize infos:\r\n  -c display the number of packets\r\n  -s display the size of the file (in bytes)\r\n  -d display the total length of all packets (in bytes)\r\n  -l display the packet size limit (snapshot length)\r\n\r\nTime infos:\r\n  -u display the capture duration (in seconds)\r\n  -a display the capture start time\r\n  -e display the capture end time\r\n  -o display the capture file chronological status (True\/False)\r\n  -S display start and end times as seconds\r\n\r\nStatistic infos:\r\n  -y display average data rate (in bytes\/sec)\r\n  -i display average data rate (in bits\/sec)\r\n  -z display average packet size (in bytes)\r\n  -x display average packet rate (in packets\/sec)\r\n\r\nMetadata infos:\r\n  -n display number of resolved IPv4 and IPv6 addresses\r\n  -D display number of decryption secrets\r\n\r\nOutput format:\r\n  -L generate long report (default)\r\n  -T generate table report\r\n  -M display machine-readable values in long reports\r\n\r\nTable report options:\r\n  -R generate header record (default)\r\n  -r do not generate header record\r\n\r\n  -B separate infos with TAB character (default)\r\n  -m separate infos with comma (,) character\r\n  -b separate infos with SPACE character\r\n\r\n  -N do not 
quote infos (default)\r\n  -q quote infos with single quotes (')\r\n  -Q quote infos with double quotes (\")\r\n\r\nMiscellaneous:\r\n  -h display this help and exit\r\n  -C cancel processing if file open fails (default is to continue)\r\n  -A generate all infos (default)\r\n  -K disable displaying the capture comment\r\n\r\nOptions are processed from left to right order with later options superseding\r\nor adding to earlier options.\r\n\r\nIf no options are given the default is to display all infos in long report\r\noutput format.<\/pre>\n<h1>Tree<\/h1>\n<p>Printing statistics from a file. Without -q the packets of the file are printed as well.<\/p>\n<p><strong>tshark -r datei-name.pcapng -z ptype,tree -q<\/strong><\/p>\n<p>e.g.<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >==================================================================================================================================\r\nIPv4 Statistics\/IP Protocol Types:\r\nTopic \/ Item       Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start\r\n----------------------------------------------------------------------------------------------------------------------------------\r\nIP Protocol Types  495                                                     0.0353        100%          1.3700        11.151\r\n TCP               449                                                     0.0320        90.71%        1.3700        11.151\r\n UDP               38                                                      0.0027        7.68%         0.0600        1.539\r\n NONE              8                                                       0.0006        1.62%         0.0200        1.559\r\n\r\n----------------------------------------------------------------------------------------------------------------------------------<\/pre>\n<p>Analogously for DNS:<\/p>\n<p><strong>tshark -r datei-name.pcapng -z dns,tree 
-q<\/strong><\/p>\n<p>e.g.:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >==============================================================================================================================================\r\nDNS:\r\nTopic \/ Item                   Count         Average       Min Val       Max Val       Rate (ms)     Percent       Burst Rate    Burst Start\r\n----------------------------------------------------------------------------------------------------------------------------------------------\r\nTotal Packets                  18                                                      0.0018        100%          0.0600        1.539\r\n rcode                         18                                                      0.0018        100.00%       0.0600        1.539\r\n  No error                     18                                                      0.0018        100.00%       0.0600        1.539\r\n opcodes                       18                                                      0.0018        100.00%       0.0600        1.539\r\n  Standard query               18                                                      0.0018        100.00%       0.0600        1.539\r\n Query\/Response                18                                                      0.0018        100.00%       0.0600        1.539\r\n  Response                     9                                                       0.0009        50.00%        0.0300        1.552\r\n  Query                        9                                                       0.0009        50.00%        0.0300        1.539\r\n Query Type                    18                                                      0.0018        100.00%       0.0600        1.539\r\n  PTR (domain name PoinTeR)    6                                                       0.0006        33.33%        0.0200        1.572\r\n  AAAA (IPv6 Address)          6                                                    
   0.0006        33.33%        0.0200        1.539\r\n  A (Host Address)             6                                                       0.0006        33.33%        0.0200        1.539\r\n Class                         18                                                      0.0018        100.00%       0.0600        1.539\r\n  IN                           18                                                      0.0018        100.00%       0.0600        1.539\r\nPayload size                   18            46.00         29            71            0.0018        100%          0.0600        1.539\r\nQuery Stats                    0                                                       0.0000        100%          -             -\r\n Qname Len                     9             16.33         11            27            0.0009                      0.0300        1.539\r\n Label Stats                   0                                                       0.0000                      -             -\r\n  2nd Level                    6                                                       0.0006                      0.0200        1.539\r\n  4th Level or more            3                                                       0.0003                      0.0100        1.572\r\n  3rd Level                    0                                                       0.0000                      -             -\r\n  1st Level                    0                                                       0.0000                      -             -\r\nResponse Stats                 0                                                       0.0000        100%          -             -\r\n no. of questions              18            1.00          1             1             0.0018                      0.0600        1.552\r\n no. of authorities            18            0.00          0             0             0.0018                      0.0600        1.552\r\n no. 
of answers                18            1.00          1             1             0.0018                      0.0600        1.552\r\n no. of additionals            18            0.00          0             0             0.0018                      0.0600        1.552\r\nService Stats                  0                                                       0.0000        100%          -             -\r\n request-response time (secs)  9             0.00          0.001041      0.013449      0.0009                      0.0300        1.552\r\n no. of unsolicited responses  0                                                       0.0000                      -             -\r\n no. of retransmissions        0                                                       0.0000                      -             -\r\n\r\n----------------------------------------------------------------------------------------------------------------------------------------------\r\n<\/pre>\n<h1>Mindmap<\/h1>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021.png\" alt=\"\" width=\"5636\" height=\"3628\" class=\"aligncenter size-full wp-image-17879\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021.png 5636w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021-300x193.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021-1024x659.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021-768x494.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021-1536x989.png 1536w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/11\/tshark-2021-2048x1318.png 2048w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I still had a Raspberry Pi lying around that had been set up headless with Raspian 11 bullseye. 
Here is a screenfetch: On it we now want to install a packet analyzer or packet sniffer (you don't need Kali for that \ud83d\ude09 ). I have reported on this several times in the past (1, 2, 3). Tshark is the command-line API for Wireshark.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[220,808,1319,7],"tags":[5110,5111,5112,5113,5109,3527],"class_list":["post-17854","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-linux-2","category-sicherheit-2","category-tools","tag-5110","tag-bullseye","tag-packet-analyse","tag-pi-org","tag-raspian","tag-sniffer"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17854"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17854\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17854"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}