Adding the latest Wireshark PPA to the system

The latest stable Wireshark releases, back-ported from the Debian package versions. Launchpad labels these as unsupported packages from an untrusted PPA; you can install them by adding 'ppa:wireshark-dev/stable' to your system's Software Sources, or from the command line:

$ sudo add-apt-repository ppa:wireshark-dev/stable
$ sudo apt-get update
$ sudo apt-get install wireshark
$ sudo apt-get install tshark


editcap

Edit and/or translate the format of capture files


Splitting one file into chunks of 1000 packets

$ editcap -c 1000 input.pcap output.pcap

This splits input.pcap into captures with a maximum of 1000 packets each. The output is a series of capture files named like output_{index}_{timestamp}.pcap


mergecap

Merges two or more capture files into one


Merging several files into one

$ mergecap -w output.pcap input1.pcap input2.pcap input3.pcap


tshark

Dump and analyze network traffic


Reading the example.pcap file

$ tshark -r example.pcap


Counting packets (tshark prints one summary line per packet, so the line count is the packet count)

$ tshark -r sample.cap | wc -l


Applying a Wireshark display filter

$ tshark -r example.pcap -Y "ip.addr == 192.168.1.0/24"


Printing only the source IP and destination IP, tab-separated

$ tshark -r example.pcap -T fields -e ip.src -e ip.dst -E separator=/t


Printing the source IP and the HTTP request host

$ tshark -r example.pcap -Y "http && tcp.dstport == 80" -T fields -e ip.src -e http.host -E separator=/t


Printing the source IP and the DNS query domain (dns.flags == 0x0100 matches standard queries with recursion desired)

$ tshark -r example.pcap -Y "dns.flags == 0x0100" -T fields -e ip.src -e dns.qry.name -E separator=/t
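The tab-separated output of the command above is easy to post-process. The following is an added example, not part of the original cheat sheet: it summarises, per source IP, how many DNS queries a host sent and how many distinct names it asked for, which is a quick way to spot hosts whose lookup pattern deserves a closer look. The sample data is constructed to match the ip.src / dns.qry.name output format.

```sh
#!/bin/sh
# Added example (not from the original cheat sheet). Post-processes the output of
#   tshark -r example.pcap -Y "dns.flags == 0x0100" -T fields -e ip.src -e dns.qry.name -E separator=/t
# In practice pipe that tshark command into dns_summary; here a constructed
# sample stands in for it so the script runs offline.
SAMPLE_DNS_TSV=$(printf '192.168.1.10\texample.com\n192.168.1.10\twww.example.com\n192.168.1.10\texample.com\n192.168.1.20\ta1b2c3.example.net\n192.168.1.20\td4e5f6.example.net\n192.168.1.20\tg7h8i9.example.net\n192.168.1.30\tmail.example.org\n')

# dns_summary: reads "ip<TAB>name" lines on stdin and prints one line per
# source IP: "<ip> <total queries> <distinct names>", sorted by IP.
dns_summary() {
    awk -F '\t' '
        NF == 2 && $2 != "" {
            queries[$1]++
            # seen[] is keyed on ip+name; first sighting increments distinct[]
            if (!seen[$1 SUBSEP $2]++) distinct[$1]++
        }
        END {
            for (ip in queries) printf "%s %d %d\n", ip, queries[ip], distinct[ip]
        }' | sort
}

# dns_flag_distinct: prints only the IPs whose distinct-name count is >= $1.
# Many distinct names from one host (relative to its peers) is a common
# triage signal for tunnelling or algorithmically generated domains.
dns_flag_distinct() {
    threshold=$1
    dns_summary | awk -v t="$threshold" '$3 >= t { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DNS_TSV" | dns_summary
printf '%s\n' "$SAMPLE_DNS_TSV" | dns_flag_distinct 3
```

Replace the sample with the real tshark pipeline (tshark ... | dns_summary) to run it against an actual capture; the threshold should be tuned to the network's normal baseline.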


Extracting only the packets that match a given IP address

$ tshark -r example.pcap -Y "ip.addr == 192.168.111.222" -w subsample.cap


Extracting email addresses from plain-text payloads

$ tshark -r example.pcap -Y "data-text-lines" -T fields -e text > textdata.txt
$ grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' textdata.txt | sort | uniq

