Reading captured packet from command line with tcpdump - shell

I am capturing traffic using:
tcpdump -i <interface> -nn -s0 -w ike2.pcap
Then I am reading the captured file using:
tcpdump -vvv -l -r ike2.pcap
While reading, the first packet is getting displayed as:
07:22:33.320142 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 296) 10.0.0.1.isakmp > 10.0.0.2.isakmp: [udp sum ok] isakmp 2.0 msgid cookie ->: phase 1 I #34[]:
(#33)
(#34)
(#40)
(#41)
(#41)
I need to get the details of this packet. In this ISAKMP IKEv2 packet, I am interested in extracting the values of 'Encryption Algorithm' and 'Integrity Algorithm' (i.e. 'ENCR_3DES' and 'AUTH_HMAC_MD5_96').
I can view the values if I inspect the packet in wireshark. But, I have to do this from a shell script, so I cannot use wireshark. I need to get these values from tcpdump read command itself.
I am assuming there might be some way to print the encryption and integrity algorithms used from the tcpdump read command. Could you please help me figure this out.
Captured packet:

Couldn't find a way to do it as you are expecting with only tcpdump, but as #user862787 said, use tshark like:
# tshark -V -r somecapfile.pcap
Frame 1: 196 bytes on wire (1568 bits), 196 bytes captured (1568 bits)
Encapsulation type: Linux cooked-mode capture (25)
Arrival Time: May 10, 2017 02:00:34.811347000 CDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1494399634.811347000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 196 bytes (1568 bits)
Capture Length: 196 bytes (1568 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: sll:ethertype:ip:sctp:m3ua:sccp:tcap:gsm_map]
The -V does what you want!

I can view the values if I inspect the packet in wireshark. But, I have to do this from a shell script, so I cannot use wireshark.
But you could perhaps use TShark.

tcpdump -r file with some other flags (-X, for example).
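Added example, not from the question or any of the answers above: if the parsing has to live inside a script anyway, the SA payload of an IKEv2 message is simple enough to decode directly. The Python below walks the IKE header, the payload chain, and the proposal/transform substructures of the SA payload (RFC 7296 sections 3.1 to 3.3), and reports the transform IDs by name, including the key-length attribute for AES. The IKE_SA_INIT message it decodes is constructed in the block (it is not the packet from the question), and the transform-ID table is a small subset of the IANA registry chosen to match the algorithms named above; unlisted IDs are reported numerically.

```python
import struct

# IKEv2 constants (RFC 7296). Only the transform IDs this example needs are
# listed; an unlisted ID is reported by its number.
IKE_HEADER_LEN, PAYLOAD_SA, PAYLOAD_NONCE, ATTR_KEY_LENGTH = 28, 33, 40, 14
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H", 5: "ESN"}
TRANSFORM_IDS = {
    "ENCR": {3: "ENCR_3DES", 12: "ENCR_AES_CBC", 20: "ENCR_AES_GCM_16"},
    "PRF": {1: "PRF_HMAC_MD5", 2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256"},
    "INTEG": {1: "AUTH_HMAC_MD5_96", 2: "AUTH_HMAC_SHA1_96", 12: "AUTH_HMAC_SHA2_256_128"},
    "D-H": {2: "MODP_1024", 14: "MODP_2048"},
}

def parse_transforms(buf, off, end):
    """Transform substructures of one proposal (RFC 7296 3.3.2):
    [(type_name, id_name_or_number, {attribute_type: value})]."""
    out = []
    while off < end:
        last, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if tlen < 8 or off + tlen > end:
            raise ValueError("bad transform length")
        attrs, aoff = {}, off + 8
        while aoff < off + tlen:                 # transform attributes
            af = struct.unpack_from("!H", buf, aoff)[0]
            if af & 0x8000:                      # TV form: 2-byte value
                attrs[af & 0x7FFF] = struct.unpack_from("!H", buf, aoff + 2)[0]
                aoff += 4
            else:                                # TLV form: 2-byte length + value
                alen = struct.unpack_from("!H", buf, aoff + 2)[0]
                attrs[af] = buf[aoff + 4:aoff + 4 + alen]
                aoff += 4 + alen
        tname = TRANSFORM_TYPES.get(ttype, str(ttype))
        out.append((tname, TRANSFORM_IDS.get(tname, {}).get(tid, tid), attrs))
        off += tlen
        if last == 0:                            # 0 = last transform, 3 = more
            break
    return out

def parse_sa_payload(buf, off, end):
    """Proposal substructures of an SA payload (RFC 7296 3.3.1)."""
    proposals = []
    while off < end:
        last, _, plen, pnum, proto, spi_size, _ = struct.unpack_from("!BBHBBBB", buf, off)
        if plen < 8 or off + plen > end:
            raise ValueError("bad proposal length")
        proposals.append((pnum, proto, parse_transforms(buf, off + 8 + spi_size, off + plen)))
        off += plen
        if last == 0:                            # 0 = last proposal, 2 = more
            break
    return proposals

def ike_sa_algorithms(pkt):
    """proposal number -> {transform type: [algorithm names]} for the SA payload
    of one IKEv2 message; pkt is the UDP payload with the IKE header first."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    _, _, next_pl, ver, _, _, _, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if ver >> 4 != 2 or length > len(pkt):
        raise ValueError("not IKEv2, or truncated")
    result, off = {}, IKE_HEADER_LEN
    while next_pl != 0 and off + 4 <= length:    # follow the payload chain
        np_, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if next_pl == PAYLOAD_SA:
            for pnum, _, transforms in parse_sa_payload(pkt, off + 4, off + plen):
                chosen = {}
                for tname, tid, attrs in transforms:
                    if ATTR_KEY_LENGTH in attrs:     # e.g. ENCR_AES_CBC_256
                        tid = f"{tid}_{attrs[ATTR_KEY_LENGTH]}"
                    chosen.setdefault(tname, []).append(tid)
                result[pnum] = chosen
        next_pl, off = np_, off + plen
    return result

# Constructed IKE_SA_INIT request (not a real capture) used as sample input.
def _transform(ttype, tid, more, keylen=None):
    attr = b"" if keylen is None else struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen)
    return struct.pack("!BBHBBH", 3 if more else 0, 0, 8 + len(attr), ttype, 0, tid) + attr

def _proposal(num, transforms, more):
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 2 if more else 0, 0, 8 + len(body), num, 1, 0, len(transforms)) + body

def build_sample_ike_sa_init():
    p1 = _proposal(1, [_transform(1, 3, True), _transform(2, 1, True),            # 3DES / HMAC-MD5
                       _transform(3, 1, True), _transform(4, 2, False)], more=True)
    p2 = _proposal(2, [_transform(1, 12, True, keylen=256), _transform(2, 5, True),  # AES-256 / SHA2
                       _transform(3, 12, True), _transform(4, 14, False)], more=False)
    sa, nonce = p1 + p2, bytes(range(16))
    payloads = (struct.pack("!BBH", PAYLOAD_NONCE, 0, 4 + len(sa)) + sa          # SA, next = Nonce
                + struct.pack("!BBH", 0, 0, 4 + len(nonce)) + nonce)             # Nonce, next = none
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, PAYLOAD_SA, 0x20,
                      34, 0x08, 0, IKE_HEADER_LEN + len(payloads))                # IKE_SA_INIT, Initiator
    return hdr + payloads

if __name__ == "__main__":
    for num, algs in ike_sa_algorithms(build_sample_ike_sa_init()).items():
        print(f"proposal {num}: encr={algs['ENCR']} integ={algs['INTEG']}")
```

To use it on a real capture, hand `ike_sa_algorithms` the UDP payload of each packet to port 500 (strip the link, IP and UDP headers yourself or with a pcap library); if tshark is available, its `-V` output for the same packet already names the transform type and ID, so a grep over that is the shorter route. Length checks are deliberate: the payload and transform lengths come from the wire, and a malformed or truncated message should raise rather than read past the buffer.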

Related

How do I extract all the ip addresses from the string using bash

I have a string from which I would like to extract all the IP addresses. I'm very new to bash. Please help.
#!/usr/bin/env bash
IP=$(ping -c 25 x.x.x.255)
"$IP" will have the following text. Please suggest a way to get only the ip addresses like x.x.x.252, x.x.x.141 ......
PING x.x.x.255 (x.x.x.255): 56 data bytes
64 bytes from x.x.x.252: icmp_seq=0 ttl=64 time=0.111 ms
64 bytes from x.x.x.141: icmp_seq=0 ttl=255 time=2.200 ms
64 bytes from x.x.x.197: icmp_seq=0 ttl=64 time=70.087 ms
64 bytes from x.x.x.108: icmp_seq=0 ttl=64 time=70.136 ms
--- x.x.x.255 ping statistics ---
25 packets transmitted, 25 packets received, +12 duplicates, 0.0% packet loss
You could use grep's -E and -o options:
$ ips=$(ping -c 4 example.com | grep -Eo '\s([0-9]+\.){3}[0-9]+\s')
$ echo $ips
93.184.216.34 93.184.216.34 93.184.216.34 93.184.216.34
The regex matches a space \s, followed by a capturing group consisting of one or more digits [0-9]+ and a dot \. repeated three times {3}, followed by [0-9]+\s. Information about grep's options can be found in man grep.
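An added example, not from the question or the answer above: the same extraction in Python, which also validates each octet (so 300.1.1.1 is dropped) and matches an address whatever character surrounds it, such as the one in parentheses on the PING line, which a pattern anchored on whitespace on both sides would skip. The ping output it parses is constructed, not a real run.

```python
import ipaddress
import re

# Constructed ping output (not a real run): includes the target in parentheses,
# a duplicate reply, and a bogus out-of-range address.
SAMPLE_PING = """PING 192.0.2.255 (192.0.2.255): 56 data bytes
64 bytes from 192.0.2.252: icmp_seq=0 ttl=64 time=0.111 ms
64 bytes from 192.0.2.141: icmp_seq=0 ttl=255 time=2.200 ms
64 bytes from 192.0.2.252: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 300.1.1.1: icmp_seq=1 ttl=64 time=0.109 ms
--- 192.0.2.255 ping statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet loss
"""

# Four dotted groups of 1-3 digits, not glued to another digit or dot on either
# side, so "time=0.111" and "ttl=255" are never picked up as partial addresses.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ipv4(text, unique=True):
    """Valid IPv4 addresses in text, in order of first appearance."""
    found = []
    for m in IPV4_CANDIDATE.finditer(text):
        cand = m.group(1)
        try:
            ipaddress.IPv4Address(cand)      # rejects octets above 255
        except ValueError:
            continue
        if unique and cand in found:
            continue
        found.append(cand)
    return found

def responders(ping_output):
    """Only the hosts that actually replied ("64 bytes from X:"), which is the
    set the question is after; the broadcast target itself is left out."""
    reply_lines = [l for l in ping_output.splitlines() if "bytes from" in l]
    return extract_ipv4("\n".join(reply_lines))

if __name__ == "__main__":
    print("all:", extract_ipv4(SAMPLE_PING))
    print("responders:", responders(SAMPLE_PING))
```

In a real script the text would come from `subprocess.run(["ping", "-c", "25", target], capture_output=True, text=True).stdout` instead of the constructed string.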

Usage of nc -q with milliseconds

NC -q option
I control my receiver over LAN using this command:
printf '$CMD\r\n' | nc 192.168.1.106 23
The receiver sends a response to the command, but netcat is already closed. If I use the command:
printf '$CMD\r\n' | nc 192.168.1.106 23 -q 1
I get the correct response, but 1 second lasts like forever. I tried some tricks like 0.1 or 100ms but I get an error for an invalid timer.
How can I force nc to wait for a response, or force it to wait a small amount of time?
man is your friend:
$ man nc
«Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).»
edit: for nc 7.12

How to limit maximum line in log file [duplicate]

This question already has answers here:
Use tee (or equivalent) but limit max file size or rotate to new file
(7 answers)
Closed 7 years ago.
Given a bash script running ping -c 25 google.com | tee /home/user/myLogFile.log
And the output file /home/user/myLogFile.log containing:
PING google.com (117.102.117.238) 56(84) bytes of data.
64 bytes from 117.102.117.238: icmp_seq=1 ttl=61 time=12.7 ms
64 bytes from 117.102.117.238: icmp_seq=2 ttl=61 time=61.1 ms
(...)
64 bytes from 117.102.117.238: icmp_seq=25 ttl=61 time=7.11 ms
--- google.com ping statistics ---
25 packets transmitted, 25 received, 0% packet loss, time 24038ms
rtt min/avg/max/mdev = 5.573/11.293/61.102/11.210 ms
How do I limit the maximum number of lines in the log file so that, when that maximum is reached, the file is reset and the subsequent output is still saved?
Ok, I think you can do something like:
ping -c 25 google.com | tee >(split -d -b 100000 - /home/user/myLogFile.log)
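Added example, not part of the answer above: a small Python writer that counts lines rather than bytes and truncates the file once the cap is reached, which is the reset-and-continue behaviour the question describes. The ping-style lines it feeds in are constructed; in a pipeline they would come from `sys.stdin`.

```python
import os
import tempfile

class LineCappedLog:
    """Write lines to path; once max_lines have been written, truncate the file
    and start over, so it never holds more than max_lines lines."""

    def __init__(self, path, max_lines):
        if max_lines < 1:
            raise ValueError("max_lines must be at least 1")
        self.path, self.max_lines = path, max_lines
        self.count, self.resets = 0, 0
        self._fh = open(path, "w")          # start from an empty file, as tee does

    def write_line(self, line):
        if self.count >= self.max_lines:    # cap reached: reset before writing
            self._fh.close()
            self._fh = open(self.path, "w")
            self.count, self.resets = 0, self.resets + 1
        self._fh.write(line.rstrip("\n") + "\n")
        self._fh.flush()                    # a concurrent tail -f sees it at once
        self.count += 1

    def close(self):
        self._fh.close()

def cap_lines(lines, max_lines, path):
    """Feed lines through the capped log; return (final file text, reset count)."""
    log = LineCappedLog(path, max_lines)
    for line in lines:
        log.write_line(line)
    log.close()
    with open(path) as fh:
        return fh.read(), log.resets

# Constructed ping-style lines (not a real run) standing in for the piped output.
SAMPLE_LINES = [f"64 bytes from 192.0.2.1: icmp_seq={i} ttl=64 time=1.0 ms"
                for i in range(1, 8)]

def demo(max_lines=3):
    """Run the constructed lines through a cap of max_lines in a temp file."""
    with tempfile.TemporaryDirectory() as tmp:
        return cap_lines(SAMPLE_LINES, max_lines, os.path.join(tmp, "myLogFile.log"))

if __name__ == "__main__":
    text, resets = demo()
    print(f"{resets} resets; file now holds:\n{text}", end="")
```

With seven lines and a cap of three, the file is reset twice and ends up holding only the seventh line. If you would rather stay with split, its `-l` option splits on a line count instead of the byte count `-b` uses, but it still writes a series of numbered files rather than resetting one file in place.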

Linux RedHat Getting IRQs Per Sec and Record to File

How can I get interrupts per sec during a test and record the information to a file? Do I use itop or what would I use to collect the information? Script in bash.
Example of what I want to do:
# ./itop -t -f eth0
Output
Device (IRQ) CPU0 CPU1 IRQs/Second
TOTAL
eth0 ( 59): 0 0 20
I would like to report the number under IRQs/Second TOTAL no matter how many CPUs. So pretty much I would like to strip everything except what's under "IRQs a second total", like the example below.
Output for example above should be simply:
# 20
pipe out to file
You can use something like
$ awk '!/^Device/{print $NF}' inputFile
20

Capturing Data from Tshark

Tshark is a command line packet sniffer. I am trying to find a way to get information from the packets, put it in a variable and do some regular expression on it.
Right now, I am getting this from tshark:
Capturing on eth0
0.000000 74.125.71.116 -> 112.204.184.111 TCP http > 55828 [ACK] Seq=1 Ack=1 Win=6434 Len=0 TSV=2558834852 TSER=542043
0.000035 112.204.184.111 -> 74.125.71.116 HTTP Continuation or non-HTTP traffic
0.000043 112.204.184.111 -> 74.125.71.116 HTTP Continuation or non-HTTP traffic
Note: I am using Ruby.
You can use tshark itself without another utility. This command prints out all URIs from packets as they arrive:
$ tshark -R http.request.full_uri -T fields -e http.request.full_uri -i en0
You can refine the display filter (the -R parameter) to better match your requirements. It even supports Perl regular expression matching:
# Mac OS X
$ tshark -R 'http.request.full_uri matches "\\.jpg\|\\.js"' -T fields -e http.request.full_uri -i en0
Example output from visiting youtube.com:
$ tshark -R 'http.request.full_uri matches "\\.jpg\|\\.js"' -T fields -e http.request.full_uri -i en0
Capturing on en0
http://s.ytimg.com/yt/jsbin/www-core-vfl3_mVgh.js
http://s.ytimg.com/yt/jsbin/www-subscriptions-vfl5HwfxW.js
http://i2.ytimg.com/i/QMbqH7xJu5aTAPQ9y_U7WQ/1.jpg?v=95416b
http://i1.ytimg.com/vi/4R0BAjrZqyY/default.jpg
http://i4.ytimg.com/i/KVtW8ExxO21F2sNLtwrq_w/1.jpg?v=a1fa0c
http://i3.ytimg.com/vi/z3U0udLH974/default.jpg
http://i2.ytimg.com/vi/arKyyDRsE_8/default.jpg
http://i2.ytimg.com/vi/y1TGz-fEyiE/default.jpg
http://i2.ytimg.com/vi/-tc983PZK3o/default.jpg
http://i2.ytimg.com/vi/1yT2rrTyMK8/default.jpg
http://i4.ytimg.com/vi/cciUXpITsu0/default.jpg
http://i2.ytimg.com/vi/uG0dimAxHpI/default.jpg
http://i2.ytimg.com/vi/eP9P50kbzTk/default.jpg
http://i1.ytimg.com/vi/ppBe0T412uU/default.jpg
http://i1.ytimg.com/vi/8360wVLtEuk/default.jpg
http://i4.ytimg.com/vi/G_yB7wdTxa0/default.jpg
http://i4.ytimg.com/vi/gcZxoLs3NIU/default.jpg
http://i1.ytimg.com/i/po2fJvnalYlwN97ehhyfBQ/1.jpg?v=b8e52a
http://i1.ytimg.com/vi/D2Xjj_ra8lQ/default.jpg
http://i1.ytimg.com/vi/PewewGu9gp8/default.jpg
http://i1.ytimg.com/vi/P9FkRD6ppGo/default.jpg
http://i3.ytimg.com/vi/vpZ4SMU4znQ/default.jpg
http://i3.ytimg.com/vi/jrrSGulNOLc/default.jpg
http://i3.ytimg.com/vi/FJtTzQfdnoQ/default.jpg
http://i3.ytimg.com/vi/68sEHPpQXes/default.jpg
http://i2.ytimg.com/vi/iWYqsaJk_U8/default.jpg
http://i4.ytimg.com/vi/7Prb8DbdfwY/default.jpg
http://i1.ytimg.com/vi/HJFlxLJSX8E/default.jpg
http://i1.ytimg.com/vi/ta6Vu_v7VLg/default.jpg
http://i1.ytimg.com/vi/Hq7NtDSIErE/default.jpg
http://i4.ytimg.com/vi/Sjdj7qhcTuw/default.jpg
http://i3.ytimg.com/vi/Nm3Acf3_oMY/default.jpg
http://i3.ytimg.com/vi/BpsrThXh_gM/default.jpg
http://i3.ytimg.com/vi/Z3yapgewktY/default.jpg
http://i3.ytimg.com/vi/2UFc1pr2yUU/default.jpg
http://i2.ytimg.com/vi/q_Bt6NwD4FY/default.jpg
http://i2.ytimg.com/vi/uTAAlzABzBA/default.jpg
http://i2.ytimg.com/vi/iRLUY6dMF8k/default.jpg
http://i2.ytimg.com/vi/-cDH6CYzTAw/default.jpg
http://i1.ytimg.com/vi/8p6Fn8R1Rc4/default.jpg
http://i1.ytimg.com/vi/T8gDQWdlW6A/default.jpg
http://i2.ytimg.com/vi/ERTcZV7uTFU/default.jpg
http://i1.ytimg.com/vi/PyxgwA6PvnI/default.jpg
http://i1.ytimg.com/vi/xUGlezOCvu4/default.jpg
http://i1.ytimg.com/vi/Ljb6Mne8Mfc/default.jpg
Note: In Windows, I've seen tshark print all URIs in a particular packet on one line without delimiters (e.g., "http://www.google.comhttp://www.google.com/logos/classicplus.png"). Only some packets were affected by this.
You could either pipe this data into a file which you then open and parse with Ruby, or you could use a Ruby lib that can access the same data, such as: http://sourceforge.net/apps/trac/rubypcap/
