I'm trying to write a filter for TShark, the command-line based Wireshark.
I want to add these options to the command:
-i 2 (interface with index n°2)
-a duration:60 (the "scan" should last 60 seconds)
-v (print the result and exit)
-x (print an ASCII dump in the file)
and a filter that only captures packets with these particularities:
"ip" (only IP packets)
"ip.src == 192.168.0.1" (source IP address should be 192.168.0.1)
"ip.dst == 111.222.111.222" (destination IP address should be 111.222.111.222)
"port == 80 or port == 443" (port should be http or https)
"http.request.method == 'GET'" (it should be a GET request)
and then I want the results to be saved in a file, "test.txt".
So the final command should be this:
tshark -i 2 -a duration:60 -vx -f "ip" && "ip.src == 192.168.0.1" && "ip.dst == 111.222.111.222" && "port == 80 or port == 443" && "http.request.method == 'GET'" > test.txt
But I keep getting an error message from Windows saying that '"ip.src == 192.168.0.1"' isn't recognized as an internal or external command. I tried with spaces, without spaces, etc., but can't figure out a way to get this to work.
The problem probably comes from the way I "chain" the conditions.
I also wanted to ask if there is some kind of "stop execution" command that would stop the current capture but still save the results in a .txt file.
and a filter that only captures packets with these particularities
...
"http.request.method == 'GET'" (it should be a GET request)
That last part is EXTREMELY difficult to do with a capture filter. If you can avoid that, the rest is relatively easy to do with a capture filter:
"ip src 192.168.0.1 && ip dst 111.222.111.222 && (tcp port 80 or tcp port 443)"
and you might be able to use the entire *shark filter as a read filter:
-R "ip && ip.src == 192.168.0.1 && ip.dst == 111.222.111.222 && (tcp.port == 80 or tcp.port == 443) && http.request.method == 'GET'"
(note that it's tcp.port, not just port).
However, note that for HTTP-over-SSL/TLS, if the requests are encrypted, you'll have to arrange to decrypt those in order for http.request.method == 'GET' to work.
(The parentheses around the "or" clauses might not be necessary, but I prefer them to just make the meaning of the expression more obvious.)
The tshark -f option takes capture filters, not wireshark display filters. This is the same as the libpcap syntax.
You have to remove the " characters between the filter parts. Try:
"ip && ip.src == 192.168.0.1 && ip.dst == 111.222.111.222 && port == 80 or port == 443 && http.request.method == 'GET'"
I'm pretty new to bash/shell scripting and trying to set up a check for the IP address on a server which gets a new IP about once a week.
The script will then send the new IP to the users.
My problem is that I'm getting a syntax error in the last if-else statement for an "unexpected" else and can't wrap my head around why.
My first iteration didn't use functions, but instead one multi-line if-else, which got me the same error. The functions on their own seem to work just fine.
#!/bin/bash
# script to send the new server ip to the users
# get the recent ip address of the system
new_ip=$(ip route get 8.8.8.8 | awk -F"src " 'NR==1{split($2,a," ");print a[1]}')
file=old_ip.txt
function ip_mail(){
source $file
if [ $new_ip != $old_ip ]
then
# email-address changed for obvious reasons
mail -s "New Server IP" [hidden]@[hidden].com <<< "$new_ip"
echo "old_ip=$new_ip" > old_ip.txt
exit 0
fi
exit 0
}
function set_old(){
touch old_ip.txt
echo "old_ip=$new_ip" > old_ip.txt
exit 0
}
if [ $file ]
then
ip_mail()
else
set_old()
fi
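The script above fails because bash functions are called by name, not as `ip_mail()`, and `[ $file ]` only tests that the string is non-empty, not that the file exists. Below is an added example (not the poster's script) showing the same check with those two points corrected; it assumes the mail step is replaced by a `notify` function that prints instead of mailing, and that `check_ip` takes the state file and the detected IP as arguments so the logic can be exercised without network access.

```shell
#!/bin/bash
# Added example (not the poster's script): the IP-change check with the posted
# version's two problems corrected. Functions are invoked by name, without "()",
# and the state file is tested with -f rather than "[ $file ]", which only checks
# that the string is non-empty. Assumptions: notify() stands in for the mail
# command, and check_ip takes the state file and the new IP as arguments.

# detect_ip: the poster's detection pipeline, wrapped so callers can substitute it
detect_ip() {
    ip route get 8.8.8.8 2>/dev/null | awk -F"src " 'NR==1{split($2,a," "); print a[1]}'
}

# notify NEW_IP: stand-in for `mail -s "New Server IP" user@example.com <<< "$new_ip"`
notify() {
    printf 'New server IP: %s\n' "$1"
}

# check_ip STATEFILE NEW_IP
# Exit status: 0 = IP changed (notified, state updated), 1 = unchanged,
#              2 = no state file yet (created, nothing sent)
check_ip() {
    local file=$1 new_ip=$2 old_ip
    if [ ! -f "$file" ]; then
        printf 'old_ip=%s\n' "$new_ip" > "$file"
        return 2
    fi
    # read the stored value instead of `source`-ing the file: sourcing executes
    # whatever the file contains, so an edited state file would run as the script's user
    old_ip=$(sed -n 's/^old_ip=//p' "$file")
    if [ "$new_ip" != "$old_ip" ]; then
        notify "$new_ip"
        printf 'old_ip=%s\n' "$new_ip" > "$file"
        return 0
    fi
    return 1
}

# main [STATEFILE]: detect the current address and run the check
main() {
    local new_ip
    new_ip=$(detect_ip)
    if [ -z "$new_ip" ]; then
        echo "could not determine the current IP" >&2
        return 1
    fi
    check_ip "${1:-old_ip.txt}" "$new_ip"
}
```

When installing this as a cron script, append `main "$@"` as the last line; the functions are left uncalled here so the file can be sourced and each piece tested on its own.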
Apple removed high-level PPTP support in macOS Sierra from its network configuration system. However, the PPP internals are all still there, including /usr/sbin/pppd and /etc/ppp/.
How can I programmatically initiate a PPTP VPN connection on macOS Sierra / High Sierra using what's left?
Answer:
This method creates a PPTP connection that doesn't send all traffic and doesn't override other DNS providers, meaning it works with multiple simultaneous VPN connections each having different DNS search domains, and closes it in an orderly fashion.
Not sending all traffic requires you to know the VPN subnet beforehand. If you don't, you must send all traffic (see below), since vanilla PPP/LCP has no means to tell the client its subnet (although theoretically the ip-up and ip-down scripts could guess it from the received IP address).
Save this perl as /usr/local/bin/pptp:
#!/usr/bin/env perl
if (@ARGV) {
my $name = $ARGV[0];
if (length $name && -e "/etc/ppp/peers/$name") {
my $pid;
$SIG{"INT"} = "IGNORE";
die "fork: $!" unless defined ($pid = fork);
if ($pid) { # parent
$SIG{"INT"} = sub {
kill HUP => $pid;
};
wait;
exit;
} else { #child
$SIG{"INT"} = "DEFAULT";
exec "pppd", "call", $name;
exit;
}
} else {
print "Error: PPTP name: $name\n";
}
} else {
opendir my $d, "/etc/ppp/peers" or die "Cannot read /etc/ppp/peers";
while (readdir $d) {
print "$_\n" if !($_ eq "." || $_ eq "..");
}
closedir $d;
}
Run it as sudo pptp AcmeOffice, where AcmeOffice is the PPP connection name, and close it with a single Control-C/SIGINT.
In /etc/ppp/peers, create the PPP connection file, in this example /etc/ppp/peers/AcmeOffice:
plugin /System/Library/SystemConfiguration/PPPController.bundle/Contents/PlugIns/PPPDialogs.ppp
plugin PPTP.ppp
noauth
# debug
redialcount 1
redialtimer 5
idle 1800
#mru 1320
mtu 1320
receive-all
novj 0:0
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
#refuse-chap-md5
refuse-eap
hide-password
#noaskpassword
#mppe-stateless
mppe-128
mppe-stateful
require-mppe
passive
looplocal
nodetach
# defaultroute
#replacedefaultroute
# ms-dns 8.8.8.8
# usepeerdns
noipdefault
# logfile /tmp/ppp.AcmeOffice.log
ipparam AcmeOffice
remoteaddress office.acme.com
user misteracme
password acme1234
The last 4 options are connection-specific. Note that the password is stored in cleartext; chown root:wheel and chmod 600 are recommended. nodetach, ipcp-accept-local, ipcp-accept-remote and noipdefault are critical.
Since we're not becoming/replacing the default route, you must manually change your routing table. Add an AcmeOffice entry to the /etc/ppp/ip-up script:
#!/bin/sh
#params: interface-name tty-device speed local-IP-address remote-IP-address ipparam
PATH=$PATH:/sbin:/usr/sbin
case "$6" in
AcmeOffice)
route -n add -net 192.168.1.0/24 -interface "$1"
;;
AcmeLab)
route -n add -net 192.168.2.0/24 -interface "$1"
;;
AcmeOffshore)
route -n add -net 192.168.3.0/24 -interface "$1"
;;
VPNBook)
;;
*)
;;
esac
and your /etc/ppp/ip-down script:
#!/bin/sh
#params: interface-name tty-device speed local-IP-address remote-IP-address ipparam
PATH=$PATH:/sbin:/usr/sbin
case "$6" in
AcmeOffice)
route -n delete -net 192.168.1.0/24 -interface "$1"
;;
AcmeLab)
route -n delete -net 192.168.2.0/24 -interface "$1"
;;
AcmeOffshore)
route -n delete -net 192.168.3.0/24 -interface "$1"
;;
VPNBook)
;;
*)
;;
esac
If the VPN has a DNS search domain (i.e. somehost.office.acme.com), create a file in /etc/resolver/ named after the DNS suffix, like /etc/resolver/office.acme.com, with contents like:
nameserver 192.168.1.1
domain office.acme.com
Note that this requires knowing the destination domain & nameserver beforehand. Theoretically ip-up & ip-down could create & delete this file on demand.
To send all traffic (& if you don't know the destination subnet), uncomment #defaultroute in the PPP connection file and leave the ip-up & ip-down entries blank (e.g. the VPNBook example). To override your DNS with the VPN's, uncomment usepeerdns.
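The answer hard-codes one subnet per VPN in ip-up/ip-down and notes that the resolver file could, in theory, be created and deleted on demand. The following is an added example (not the answer's own scripts) of a single handler doing both. Its assumptions are labelled: the VPN subnet is taken to be the /24 containing the remote address (the guess the answer mentions; PPP does not tell the client the real subnet), the VPN nameserver is assumed to be that subnet's .1, and the ipparam-to-domain mapping is illustrative. `RESOLVER_DIR` and `ROUTE_CMD` are overridable so the logic can be exercised without root or a live PPP link.

```shell
#!/bin/sh
# Added example, not the answer's own ip-up/ip-down: derive the VPN route from the
# remote address and create/remove the /etc/resolver entry on demand.
# Assumptions (labelled): the VPN subnet is the /24 around the remote address (a
# guess), the nameserver is that subnet's .1, and the domain map is illustrative.
PATH=$PATH:/sbin:/usr/sbin
RESOLVER_DIR=${RESOLVER_DIR:-/etc/resolver}
ROUTE_CMD=${ROUTE_CMD:-route}

# subnet_of 192.168.1.37 -> 192.168.1.0/24 (a /24 is assumed, not learned from PPP)
subnet_of() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# domain_for IPPARAM -> DNS search domain for that VPN, empty if it has none
domain_for() {
    case "$1" in
        AcmeOffice) echo office.acme.com ;;
        AcmeLab)    echo lab.acme.com ;;
        *)          echo "" ;;           # e.g. VPNBook: route only, no resolver file
    esac
}

# ppp_up IFNAME REMOTE_IP IPPARAM: add the route, then the resolver file
ppp_up() {
    net=$(subnet_of "$2")
    domain=$(domain_for "$3")
    "$ROUTE_CMD" -n add -net "$net" -interface "$1"
    if [ -n "$domain" ]; then
        mkdir -p "$RESOLVER_DIR"
        # nameserver assumed to be the .1 of the derived subnet
        printf 'nameserver %s\ndomain %s\n' "${net%.0/24}.1" "$domain" > "$RESOLVER_DIR/$domain"
    fi
}

# ppp_down IFNAME REMOTE_IP IPPARAM: remove the resolver file, then the route
ppp_down() {
    net=$(subnet_of "$2")
    domain=$(domain_for "$3")
    [ -n "$domain" ] && rm -f "$RESOLVER_DIR/$domain"
    "$ROUTE_CMD" -n delete -net "$net" -interface "$1"
}

# pppd passes: interface-name tty-device speed local-IP remote-IP ipparam
# As /etc/ppp/ip-up, end the file with:    ppp_up   "$1" "$5" "$6"
# As /etc/ppp/ip-down, end the file with:  ppp_down "$1" "$5" "$6"
```

Because the subnet is guessed from the remote address, a VPN whose real subnet is larger than a /24 will still need the hard-coded route the answer shows; the resolver-file handling works either way.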
I'm writing a script that will check/open ports/protocols in the event any are blocked. What I have so far is below. The port/protocol names look strange to me. I would have expected IP addresses, but I've never done this before. Would the host be the IP address of the DSLAM? Also, can I run nc without specifying a host if it's the current machine? Otherwise, does this script do what is needed?
#!/bin/bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
echo -e "############################\n\n\nPresent ports opened on this machine are
$(iptables -nL INPUT | grep ACCEPT | grep dpt)
\nCompleted listing...\n\n\n#########################"
#these look funny to me
PORTS=( 123 161 69 "UDP" 80 443 22 8443 8080 23 25 3307 "TCP" "HTTPS" "SNMP" "SFTP" "TFTP")
#modified ip's for public sharing
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[@]}"
do
for PORT in "${PORTS[@]}"
do
#see which ones need opening...0 is pass (open), 1 fail, 5 timeout; need host still
#alternatively try nmap
nc -z -v -w5 "${HOST}" "${PORT}"
#if it's not open, then open it
if [ "$?" -ne 0 ]; then #shellcheck could not parse the original "ne" here: the test operator is -ne
iptables -A INPUT -m tcp -p tcp --dport "$PORT" -j ACCEPT &&
{ service iptables save;
service iptables restart;
echo -e "Ports opened through iptables are \n$(iptables -nL INPUT | grep ACCEPT | grep dpt)"; }
else
echo "Port $PORT already open"
fi
done
done
I've been referring to test if port is open, and also open port.
These lines seem odd, OP edit #6 adds an outer for loop which assigns the same value to $HOST on each go-round:
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[@]}"
do
< stuff ... >
done
Assuming running < stuff ... > four times is not necessary, then
the seven lines above, as written, would be equivalent to:
HOST="10.x.x.x"
< stuff ... >
(Fixed.) Remove the commas from this line:
PORTS=( 123, 161, 69, UDP, 80, 443, 22, 8443, 8080, 23, 25,
3307, TCP, HTTPS, SNMP, SFTP, TFTP)
bash does not use commas to define arrays, and if commas are used
they become characters in the array data. Example, given the array
exactly as it is above:
echo ${PORTS[0]}
Outputs:
123,
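The question's script mixes port numbers and protocol names in one array and re-adds rules based on an nc probe, and the answer's point is that array elements are separated by whitespace, not commas. As an added example (not the poster's script nor the answer's), the block below keeps TCP and UDP ports in separate, comma-free bash arrays and derives the rules still missing by parsing the existing INPUT chain instead of probing. The chain listing is constructed sample text in the format of `iptables -nL INPUT`; on a real host it would be replaced by that command's output, and the generated commands are printed for review rather than executed.

```shell
#!/bin/bash
# Added example, not the poster's script: find which desired ports have no ACCEPT
# rule in the INPUT chain yet and print (not run) the iptables commands to add them.
# Ports live in per-protocol arrays with no commas and no protocol names mixed in.

TCP_PORTS=( 22 80 443 8080 8443 )
UDP_PORTS=( 69 123 161 )

# Constructed sample of `iptables -nL INPUT` output (assumption: two rules present).
# On a real host: CHAIN=$(iptables -nL INPUT)
SAMPLE_CHAIN='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123'

# accepted_ports CHAIN_TEXT PROTO -> prints the destination ports already ACCEPTed for PROTO
accepted_ports() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == "ACCEPT" && $2 == proto {
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) print substr($i, 5)
        }'
}

# missing_rules CHAIN_TEXT PROTO PORT... -> one iptables command per port lacking a rule
missing_rules() {
    local chain=$1 proto=$2
    shift 2
    local open port
    # pad with spaces so " 80 " cannot match inside " 8080 "
    open=" $(accepted_ports "$chain" "$proto" | tr '\n' ' ') "
    for port in "$@"; do
        case "$open" in
            *" $port "*) ;;   # already accepted, nothing to do
            *) printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port" ;;
        esac
    done
}

# Review the output, then pipe it to `sh` if it is what you intended.
missing_rules "$SAMPLE_CHAIN" tcp "${TCP_PORTS[@]}"
missing_rules "$SAMPLE_CHAIN" udp "${UDP_PORTS[@]}"
```

Reading the chain directly avoids the ambiguity in the original loop, where a failed `nc -z` (closed, filtered, or simply nothing listening) always led to a new rule being appended.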
Is there any way to program a server in bash?
Basically I want to be able to connect to a bash server from a PHP client and send messages that will be displayed in the console.
The bad news first
Unfortunately, there seems to be no hope to do this in pure Bash.
Even doing a
exec 3<> /dev/tcp/<ip>/<port>
does not work, because these special files are implemented on top of connect() instead of bind(). This is apparent if we look at the source.
In Bash 4.2, for example, the function _netopen4() (or _netopen6() for IPv6) reads as follows (lib/sh/netopen.c):
s = socket(AF_INET, (typ == 't') ? SOCK_STREAM : SOCK_DGRAM, 0);
if (s < 0)
{
sys_error ("socket");
return (-1);
}
if (connect (s, (struct sockaddr *)&sin, sizeof (sin)) < 0)
{
e = errno;
sys_error("connect");
close(s);
errno = e;
return (-1);
}
But
It is possible to use a command line tool such as nc. E.g.,
nc -l <port>
will listen for incoming connections on localhost:<port>.
There is a project on GIT which implements an HTTP web server fully written in bash:
https://github.com/avleen/bashttpd
Create a process that reads from a socket, executes the data via the shell, and prints back the response. This is possible with the following script, which listens on port 9213:
ncat -l -kp 9213 | while read line; do
out=$($line)
# or echo $line
echo $out
done
If all you want is to display the data, ncat -l -p 9213 is sufficient though.
I'm trying to filter out the IP, the method (GET and POST), and then HTTP data that contains a specific string. The filter looks like this:
http.request.method == "GET" && http.request.method == "POST" && ip.src == 10.1.5.8 && http contains "facebook"
I want to filter the data as specified by the filter, but it doesn't work. If I use || instead of &&, it works, but other IPs are also shown, which is wrong. The only IP that should be listed is 10.1.5.8.
I solved it like this:
(http.request.method == "GET" or http.request.method == "POST") and (ip.src == 10.1.5.8 or ip.src == 10.1.5.2 or ip.src == 10.1.5.3 or ip.src == 10.1.5.4 or ip.src == 10.1.5.5 or ip.src == 10.1.5.7) and (http contains "facebook" or http contains "reddit")