To expand on our example looking for ICMP type 3 packets, let's narrow that filter down to one specific type of Destination Unreachable message. If we look at the IANA ICMP parameters list, found at here, we see that there 15 codes that can be set with type 3. Some of the more common ones are code 4, Fragmentation Needed and Don't Fragment was Set, code 7, Destination Host Unknown and code 10, Communication with Destination Host is Administratively Prohibited. Let's add a code 4 to our tshark diplay filter.
tshark -r packets1.pcap -Y "icmp.type == 3 and icmp.code == 4"
501732 194.413516 10.10.10.1 -> 10.10.20.1 ICMP 70 Destination unreachable (Fragmentation needed)
507176 196.247873 10.10.10.1 -> 10.10.20.1 ICMP 70 Destination unreachable (Fragmentation needed)
Our output looks the same, with one difference. We're now seeing only ICMP messages that are type 3 and code 4, instead of all destination unreachables.
We've been using the default fields that tshark displays. But we can specify which fields to see, if we wish. In the case of ICMP there wasn't much reason to, as it is a concise output and shows us just what we need anyway. But when looking at other types of packets, we might want to limit the fields to specific data we need, or we may be looping through a large number of packets and pulling out just certain fields we wish to report on, like the IP addresses that generate a certain HTTP status code or just the IP's that generated traffic to a certain port or host.
tshark -n -r packets1.pcap -Y "tcp.port == 80"
16714 6.578480 192.203.136.227 -> 10.10.20.2 HTTP 471 HTTP/1.1 200 OK (text/html)
16715 6.579366 10.10.10.1 -> 10.10.20.1 TCP 60 3786?80 [ACK] Seq=221 Ack=1846 Win=65071 Len=0
16716 6.579611 10.10.10.1 -> 10.10.20.1 TCP 60 3786?80 [FIN, ACK] Seq=221 Ack=1846 Win=65071 Len=0
16717 6.580180 10.10.10.1 -> 10.10.20.1 TCP 62 3787?80 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1
16720 6.582334 140.172.17.191 -> 10.10.20.2 TCP 1434 [TCP segment of a reassembled PDU]
16721 6.582384 140.172.17.191 -> 10.10.20.2 TCP 1434 [TCP segment of a reassembled PDU]
16722 6.582828 140.172.17.191 -> 10.10.20.2 TCP 1434 [TCP segment of a reassembled PDU]
16724 6.583013 140.172.17.191 -> 10.10.20.2 TCP 1434 [TCP segment of a reassembled PDU]
16725 6.583020 140.172.17.191 -> 10.10.20.2 TCP 1434 [TCP segment of a reassembled PDU]
16729 6.583194 10.10.20.2 -> 140.172.17.191 TCP 60 [TCP Window Update] 45932?80 [ACK] Seq=882 Ack=113388 Win=17817 Len=0
To filter this down to only see source IP and port and destination IP and port, we need to tell tshark we want to display only certain fields, using the "-T" parameter. We can specify fields, as well as output types of pdml, ps, psml or text.
After the -T fields param, we'll use the "-e" parameter to specify which fields to display. The Source IP field is "ip.src", the Source Port field is "tcp.srcport" and the destination IP and port are, as expected, "ip.dst" and "tcp.dstport".
So after adding these filters, our output is narrowed down to the four fields of interest for this run.
tshark -n -r packets1.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y "tcp.port == 80"
10.10.10.1 19248 66.175.58.9 80
10.10.10.1 19248 66.175.58.9 80
10.10.20.1 80 10.85.120.101 3743
192.203.136.227 80 10.10.10.2 45870
74.125.69.95 80 10.10.10.1 36719
74.125.69.95 80 10.10.10.1 36719
74.125.69.95 80 10.10.10.1 36719
10.10.10.1 5925 184.169.162.197 80
10.10.10.1 5925 184.169.162.197 80
10.10.10.2 45870 192.203.136.227 80
Next post we'll use more display filters to build our custom output and look at tsharks ability to do stats from the command line.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
No comments:
Post a Comment