Without having to launch Wireshark or store and analyze packets later.
How to have a live view of this without that gibberish that websockets do?
tcpdump -nnXSs 0 port 1234
tshark -r out.pcap -Y websocket.payload -E occurrence=l -T fields -e text
The unmasked text is handed off to the "Line-Based text data" dissector, so you need to use the field selector for that, and also set the occurrence to the last instance of that field in the packet to remove "noise". I've also added a filter to limit the output to packets that contain a websocket payload.
by grahamb in https://ask.wireshark.org/questions/60725/how-to-dump-websockets-live-with-tshark
The feature was removed in version 2.0 of Wireshark.
So you have to get the following packages from Ubuntu trusty 14.04 and install them:
sudo dpkg -i wireshark-common_1.10.6-1_amd64.deb tshark_1.10.6-1_amd64.deb libwireshark3_1.10.6-1_amd64.deb libwsutil3_1.10.6-1_amd64.deb libwiretap3_1.10.6-1_amd64.deb libgnutls26_2.12.23-12ubuntu2.7_amd64.deb libgcrypt11_1.5.3-2ubuntu4.4_amd64.deb
Disable updates:
sudo apt-mark hold tshark
Fix dependencies:
sudo apt install -f
Command to dump content:
tshark -e websocket.payload.text_unmask -Tfields port 1234
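The "gibberish" in a raw tcpdump of a WebSocket stream is the 4-byte XOR mask that every client-to-server frame carries (RFC 6455), which is exactly what tshark's websocket.payload.text_unmask field strips. The following is an added example, not code from the Ask Wireshark thread or from Wireshark itself: a small RFC 6455 frame parser that walks a TCP payload, unmasks client frames and returns the text, so you can see what the unmask step actually does. The sample frames are constructed in the block.

```python
"""Parse WebSocket frames (RFC 6455) and unmask client payloads.

Added example, not code from the Ask Wireshark thread. It does by hand what
tshark's websocket.payload.text_unmask field does: strips the 4-byte XOR mask
that clients apply so the text becomes readable. Sample frames are constructed.
"""
import struct

OPCODE_NAMES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
                0x8: "close", 0x9: "ping", 0xA: "pong"}


def parse_frame(buf, offset=0):
    """Parse one frame starting at buf[offset]; return (frame_dict, next_offset)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[offset], buf[offset + 1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)          # MASK bit: set on every client->server frame
    length = b1 & 0x7F
    pos = offset + 2
    if length == 126:                 # 16-bit extended length follows
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:               # 64-bit extended length follows
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    mask = b""
    if masked:
        mask = buf[pos:pos + 4]
        pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        # Unmask: payload byte i is XORed with mask byte i mod 4
        payload = bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    frame = {"fin": fin, "opcode": OPCODE_NAMES.get(opcode, hex(opcode)),
             "masked": masked, "payload": payload}
    return frame, pos + length


def build_frame(payload, opcode=0x1, mask=None):
    """Build a single-fragment frame; used here to construct sample data."""
    mask_bit = 0x80 if mask else 0
    n = len(payload)
    header = bytes([0x80 | opcode])   # FIN set
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask:
        header += mask
        payload = bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    return header + payload


def dump_text(buf):
    """Walk a captured TCP payload and return the readable text of each text frame."""
    texts = []
    off = 0
    while off < len(buf):
        frame, off = parse_frame(buf, off)
        if frame["opcode"] == "text":
            texts.append(frame["payload"].decode("utf-8", "replace"))
    return texts


# Constructed sample: one masked client frame followed by one unmasked server frame
SAMPLE_STREAM = (build_frame(b'{"op":"ping"}', mask=b"\x12\x34\x56\x78")
                 + build_frame(b'{"op":"pong"}'))

if __name__ == "__main__":
    for text in dump_text(SAMPLE_STREAM):
        print(text)
```

Feeding the block a real capture means reassembling the TCP stream first (tshark does that for you); the parser only understands frames that start at the buffer offset you give it.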
Is there any possibility to capture packets by tcpdump from all devices in MacOS?
In Linux I would use 'sudo tcpdump -i any'. In my MacOS when I execute 'sudo tcpdump -D', I don't see "any" pseudo-device.
Per #ChristopherMaynard:
tcpdump docs specify any as working on linux: On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. However, it is not actually OS-specific.
tcpdump accepts the any interface on macos in my testing, so in answer to your question, the analog of any on linux is any on macos:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage) on both macos and linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
Macos/Linux Tcpdump Differences
You should still look at the manpages when in doubt, but this is a summary of differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
Macos
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, Macos does not support -Q direction.
The .cap file is captured on AIX v7.1 by iptrace -a -T -b -d XXX.XXX.XX.XXX mycap.cap
When I try to open it with wireshark/tshark on MAC OSX, it shows:
The capture file appears to be damaged or corrupt. (pcap: File has 3130924352-byte packet, bigger than maximum of 262144)
I think it's iptrace's problem, as this is what I get when I try it with tcpdump -r:
SONGMBP:toibm6 song$ tcpdump -r bk22.cap
reading from file bk22.cap, link-type EN10MB (Ethernet)
-5:-46:-20.131076 [|ether]
tcpdump: pcap_loop: bogus savefile header
SONGMBP:toibm6 song$
My tcpdump version is the one shipped with MAC OS X.
So why? Thanks in advance.
I dropped the idea. Even ipreport -T on the same host of AIX couldn't parse the data.
Thankfully newer versions of AIX ship tcpdump with them. So... I'll go for tcpdump instead.
I'm trying to run snort in Windows, but instead of using -i eth0, can I use remote (rpcap)? I'm using Windows 7 in VMware.
Here is the command I run:
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
I run into ERROR: pcap does not support inline
Running snort --daq-list gives the following result:
Available DAQ modules:
pcap(v3): readback live multi unpriv
Please help, how can I connect to and collect data from my remote machine?
Many thanks!
Your problem is that you are trying to operate in inline mode and read a pcap, which doesn't make sense. You would do one or the other. Notes:
The argument "--daq pcap" isn't required for you because pcap is the default, but this won't cause any problems, just a note.
The argument "--daq-mode inline" should be completely removed from the command. You are playing a pcap so the device isn't inspecting traffic inline, it doesn't make any sense to use this here.
Using the -i option is for specifying the interface to listen on. You don't want to specify a pcap file here. Since you are replaying a pcap you need to change this argument to "-r". snort help for this option: -r <tf> Read and process tcpdump file <tf>
Your command should be as follows:
c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -r rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
This is how I'm getting the stats now:
echo -e "stats\nquit" | nc 127.0.0.1 11211
I can't use expect as it's not part of a default installation.
Is there a way to get memcached stats without nc?
Your question doesn't specify why you're looking for an alternative to netcat, so it's hard to tell what you're looking for. You could do it in bash like this:
exec 3<>/dev/tcp/127.0.0.1/11211
echo -e "stats\nquit" >&3
cat <&3
You could do it using telnet:
(echo -e 'stats\nquit'; sleep 1) | telnet localhost 11211
The sleep is to prevent telnet from exiting before receiving a response from memcached.
You could also write something simple in python or perl or some other high level scripting language. Or brush up on your c. There are lots of options.
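As an added example of the "write something simple in python" option (not code from the Server Fault thread), here is a client that does what the /dev/tcp trick does over a plain socket with a timeout, plus a parser for the STAT lines so the result is a dict rather than raw text. It assumes memcached's text protocol (a "stats" command answered by "STAT <name> <value>" lines terminated by "END"); the sample response is constructed.

```python
"""Fetch and parse memcached stats over a plain TCP socket (no nc, no expect).

Added example, not code from the Server Fault thread. Assumes the memcached
text protocol: "stats\r\n" is answered by "STAT <name> <value>\r\n" lines
ending with "END\r\n". The sample response below is constructed.
"""
import socket


def _coerce(value):
    """Turn numeric stat values into int/float, leave the rest (e.g. version) as str."""
    for conv in (int, float):
        try:
            return conv(value)
        except ValueError:
            pass
    return value


def parse_stats(raw):
    """Parse a raw 'stats' response into a dict; raise on a protocol error line."""
    stats = {}
    for line in raw.decode("ascii", "replace").splitlines():
        if line == "END":
            break
        if line.startswith("STAT "):
            _, name, value = line.split(" ", 2)
            stats[name] = _coerce(value)
        elif line.startswith(("ERROR", "CLIENT_ERROR", "SERVER_ERROR")):
            raise RuntimeError(line)
    return stats


def fetch_stats(host="127.0.0.1", port=11211, timeout=3.0):
    """Send 'stats' then 'quit' and read until END or close, with a timeout."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats\r\nquit\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:            # server closed after 'quit'
                break
            buf += chunk
    return parse_stats(buf)


def hit_ratio(stats):
    """Fraction of gets served from cache; None when there were no gets."""
    hits, misses = stats.get("get_hits", 0), stats.get("get_misses", 0)
    total = hits + misses
    return hits / total if total else None


# Constructed sample response in the shape memcached returns
SAMPLE_RESPONSE = (b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.4.5\r\n"
                   b"STAT rusage_user 0.003999\r\nSTAT curr_connections 10\r\n"
                   b"STAT get_hits 42\r\nSTAT get_misses 8\r\nEND\r\n")

if __name__ == "__main__":
    s = parse_stats(SAMPLE_RESPONSE)          # replace with fetch_stats() on a live host
    print(s["version"], "hit ratio:", hit_ratio(s))
```

The timeout matters for exactly the reason the telnet variant needs its sleep: without it a missing or firewalled server leaves the script hanging instead of failing cleanly.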
Another, possibly simpler way, is with the memcached-tool script. It came installed with my installation of memcached 1.4.5 via yum, but under apt and ubuntu I didn't get it. I found it here and put it on my system: https://raw.githubusercontent.com/memcached/memcached/master/scripts/memcached-tool
on the server, type the following to get memcached stats:
memcached-tool 127.0.0.1:11211 stats
or the following to get slabs:
memcached-tool 127.0.0.1:11211
assuming your server is listening on port 11211 and IP 127.0.0.1 (set config options at /etc/sysconfig/memcached)
article: http://www.cyberciti.biz/faq/rhel-fedora-linux-install-memcached-caching-system-rpm/
Anyone knows how to start Syslogd server on Mac to accept remote logging messages?
I started Syslogd, but it seems it doesn't accept remote messages.
If I do a netstat -an it looks like udp port 514 is listening. However, if I scan the server from my laptop using nmap then I don't see udp 514. It's likely the port is being blocked somewhere. I have checked ipfw but it does not look like any rules defined.
I've seen lots of articles say that you have to specify the -r option. Is this the same on Mac?
How to do that on Mac?
Syslogd should already be running on your system; what you need to do is enable its UDP listening option. This is controlled by a section near the end of /System/Library/LaunchDaemons/com.apple.syslogd.plist; remove the comment markers so that it looks like this:
<!--
Un-comment the following lines to enable the network syslog protocol listener.
-->
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
</dict>
</dict>
</plist>
And then reload the syslogd daemon either by rebooting, or by running:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
UPDATE: Starting in OS X v10.7, Apple switched com.apple.syslogd.plist to a binary plist format, which doesn't include the relevant comment, and isn't editable as plain text. With the new format, PlistBuddy seems to be the easiest way to add the listener:
cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
sudo launchctl unload com.apple.syslogd.plist
sudo launchctl load com.apple.syslogd.plist
A bit old, but I did have to do this today and whilst searching around for a simple piece of software to do this for me I came across this question.
All I really wanted to do was watch some syslog entries for a short period of time and see what was coming from the server so what I ended up doing was:
sudo tcpdump -lns 0 -w - udp and port 514 | strings
This will simply print out any message that is sent to your machine on the output so you can display it.
Anyway if you do this and it outputs messages that are being transmitted to your server you can be sure it's not being blocked by your firewall or any other hardware in the middle.
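For the same "just show me what is arriving on udp/514" purpose, here is an added example (not code from the Server Fault thread) that goes one step beyond the tcpdump | strings pipe: a minimal UDP receiver that decodes the RFC 3164 <PRI> prefix into facility and severity, so you can tell at a glance whether what reached the host is an auth failure or a cron notice. The sample datagrams are constructed; binding port 514 needs root, and the bind address is an assumption you can change.

```python
"""Minimal UDP syslog receiver with RFC 3164/5424 PRI decoding.

Added example, not code from the Server Fault thread. Facility and severity
tables follow RFC 5424 section 6.2.1 (PRI = facility * 8 + severity). The
sample datagrams below are constructed.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Split a raw datagram into facility, severity and the remaining message text."""
    text = datagram.decode("utf-8", "replace")
    m = PRI_RE.match(datagram)
    if not m:
        # No <PRI>: syslog convention is to treat it as user.notice (PRI 13)
        return {"facility": "user", "severity": "notice", "pri": None, "message": text}
    pri = int(m.group(1))
    if pri > 191:                     # valid PRI range is 0..191
        return {"facility": None, "severity": None, "pri": pri, "message": text}
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "pri": pri, "message": m.group(2).decode("utf-8", "replace")}


def listen(port=514, bind="0.0.0.0", count=5, timeout=30.0):
    """Receive up to `count` datagrams (stop on timeout) and return them parsed."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))       # port 514 requires root
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            results.append((src, parse_syslog(data)))
    return results


# Constructed sample datagrams (the first mirrors the RFC 5424 example message)
SAMPLES = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    b"<77>Oct 11 22:15:00 mymachine CRON[4210]: (root) CMD (run-parts /etc/cron.hourly)",
    b"plain text without a PRI header",
]

if __name__ == "__main__":
    for d in SAMPLES:                 # swap for listen() to watch live traffic
        p = parse_syslog(d)
        print("%s.%s %s" % (p["facility"], p["severity"], p["message"]))
```

If listen() returns nothing while tcpdump shows datagrams arriving, the packets are reaching the interface but something on the host (the firewall, or another process already bound to 514) is in the way; if tcpdump shows nothing either, the block is upstream, as the answer above notes.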