Wireshark
Some GUI display filters
ip.src ==
ip.dst ==
ip.addr == (matches either the source or the destination address)
a bare protocol name on its own (dns, http, etc.)
CLI: tshark
Why the CLI? Because not every environment supports a GUI:
routers and some servers don't support it.
Generate a pcap file there and move it to a system that can run Wireshark.
tshark --help (or tshark -h) lists all the options.
tshark -D (lists all the interfaces => we choose one of them by its number)
tshark -i int_name or tshark -i int_number (launches the capture, if we have root privileges)
With this form of the command the captured information isn't saved.
tshark -i p8p1 -w /mypath..testCap.pcap => this command launches the capture and saves it into the file testCap.pcap. However, we can't open it at this location due to security reasons.
So we have to save it in the tmp folder => tshark -i p8p1 -w /tmp/testCap.pcap
To save and specify a duration => tshark -i p8p1 -a duration:60 (time in seconds) -w /tmp/duration.pcap
tshark -i p8p1 -b filesize:3 (the -b option breaks the capture and switches to a new file when the limit is reached; filesize is in kB) -f "port 80 or port 443 or port 53" -a files:3 (number of files) -i (we can also specify another interface and give it its own filters) -w /tmp/filename.pcap
tshark -r sampleCapture.pcap -T fields -e dns -e ip | uniq => to filter from an earlier capture (see OneNote)
tshark -r sampleCapture.pcap -T fields -e dns -e ip.src | uniq
Network card modes
Promiscuous mode => lets us monitor the traffic going into and out of our local network card
Monitor mode => lets us monitor the traffic of the network (wireless)
iwconfig wireless_card_name | grep -i mode
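The script below is an added example and is not part of these notes. It reports the two modes just described by parsing the output of `ip link show` (the PROMISC flag) and `iw dev` (the "type managed" / "type monitor" line) rather than iwconfig; it assumes iproute2 `ip` and `iw` are installed for the live check, and the command outputs embedded in it are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original notes: report the mode a network card
# is in by parsing `ip link show` (PROMISC flag) and `iw dev` (type managed /
# monitor). Assumes iproute2 `ip` and `iw` are installed for the live check;
# the parsing functions themselves take command output as text.

# $1: output of `ip link show IFACE`. Prints "promiscuous", "normal" or "unknown".
promisc_state() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/.*<\([^>]*\)>.*/\1/p')
    case $flags in
        '')        echo unknown; return 1 ;;
        *PROMISC*) echo promiscuous ;;
        *)         echo normal ;;
    esac
}

# $1: output of `iw dev`, $2: interface name. Prints the wireless type
# (managed, monitor, AP, ...) of that interface, or "unknown" if absent.
wireless_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Interface" { cur = $2 }
        $1 == "type" && cur == want { print $2; found = 1 }
        END { if (!found) { print "unknown"; exit 1 } }'
}

# Live check of a real interface on this host (needs `ip`, optionally `iw`).
check_iface() {
    printf '%s: ' "$1"
    promisc_state "$(ip link show "$1" 2>/dev/null)"
    if iw dev >/dev/null 2>&1; then
        printf '%s wireless type: ' "$1"
        wireless_mode "$(iw dev)" "$1"
    fi
}

# Constructed sample outputs (not captured from a real host) used to
# exercise the parsers without root or special hardware.
SAMPLE_IP_LINK_PROMISC='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_IP_LINK_NORMAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_IW_DEV='phy#0
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr 02:00:00:00:00:02
        type monitor
        channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz'

# Usage: sh checkmode.sh eth0
if [ -n "${1:-}" ]; then
    check_iface "$1"
fi
```

Running a capture tool in promiscuous mode also makes the kernel log "device eth0 entered promiscuous mode", so on a host this flag and that log line are the two things to watch if you want to know that someone is sniffing.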
udp.port==
tcp.port==
tcp.analysis.flags => shows the problems Wireshark identified in the trace file, i.e. TCP problems
tcp.stream eq 2 (follows the whole conversation => also done with a right click -> Follow TCP Stream)
tcp contains keyword (google, facebook and so on)
http.request
http.response || http.response.code==200 (or 404, 500, etc., each as its own comparison)
tcp.flags.syn==1 or tcp.flags.syn
tcp.flags.reset or tcp.flags.reset==1
sip && rtp, or sip or rtp only
ip.proto eq proto_num
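The script below is an added example and is not part of these notes; it puts the read-mode commands (tshark -r ... -T fields ... | uniq) and the display filters listed above together into one offline triage of a pcap. It assumes tshark is on PATH and that the pcap path is passed as the first argument; the field names it uses (ip.src, dns.qry.name, dns.flags.response, http.response.code) are standard Wireshark field names chosen here, not the `-e dns -e ip` pair from the notes. The sample field output used to exercise the aggregation is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: offline pcap triage with tshark.
# Assumptions: tshark is on PATH and the pcap path given as $1 is readable.
# Field names used here (ip.src, dns.qry.name, dns.flags.response,
# http.response.code, tcp.analysis.flags) are standard Wireshark field names.

# Reduce tab-separated "src<TAB>qname" lines, as emitted by `tshark -T fields`,
# to "count src qname", most frequent first. A bare `uniq` only merges
# adjacent duplicates, so the input is sorted first.
summarize_pairs() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Which hosts asked for which DNS names (queries only, responses excluded).
dns_queries_by_source() {
    tshark -r "$1" -Y 'dns.flags.response == 0' \
        -T fields -e ip.src -e dns.qry.name -E occurrence=f | summarize_pairs
}

# Build a display filter matching any of the given HTTP status codes.
# "http.response.code == 200 or 404" is not a valid filter: each value needs
# its own comparison, or a set membership test as generated here.
http_status_filter() {
    codes=""
    for code in "$@"; do
        case $code in
            *[!0-9]*|'') printf 'invalid status code: %s\n' "$code" >&2; return 1 ;;
        esac
        codes="${codes:+$codes, }$code"
    done
    printf 'http.response.code in {%s}\n' "$codes"
}

# Number of packets in a pcap matching a display filter (one line per packet).
count_matches() {
    tshark -r "$1" -Y "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Run the filters from the notes over a pcap and print a hit count for each.
triage() {
    pcap=$1
    for filter in \
        'tcp.analysis.flags' \
        'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
        'tcp.flags.reset == 1' \
        "$(http_status_filter 200 404 500)" \
        'sip || rtp'
    do
        printf '%8s  %s\n' "$(count_matches "$pcap" "$filter")" "$filter"
    done
}

# Usage: sh triage.sh /tmp/testCap.pcap
if [ -n "${1:-}" ]; then
    echo "== DNS queries by source =="
    dns_queries_by_source "$1"
    echo "== display filter hit counts =="
    triage "$1"
fi
```

The first section answers "who asked for what" from a saved capture, which is the question the `-e dns -e ip.src` command in the notes is getting at; the second turns the filter list into a quick health and abuse summary (TCP problems, half-open connections, resets, error responses, VoIP) without opening the GUI.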