Wednesday, October 22, 2014

The Power of tshark, Part 3

tshark/Wireshark display filters aren't limited to an exact match. tshark can find every value that matches just one part of a field. A good example is the http.request.uri field. The "contains" operator searches the field for a substring anywhere in its content. With http.request.uri contains "google", we match tools.google.com, apis.google.com, safebrowsing, www, mail, news and so forth, as well as any domain that contains the word google even when it's part of a longer name, like googlesyndication.com.

tshark -n -r packets1.pcap -Y 'http.request.uri contains "google"'

132   0.026293 10.10.10.2 -> 10.10.220.100 HTTP 159 CONNECT talkx.l.google.com:5222 HTTP/1.1
247   0.048647 10.10.10.2 -> 10.10.220.100 HTTP 243 CONNECT talkx.l.google.com:5222 HTTP/1.1 , NTLMSSP_NEGOTIATE
23956   8.625725 10.20.122.52 -> 10.10.220.100 HTTP 298 CONNECT pagead2.googlesyndication.com:443 HTTP/1.1
28461  11.024309 10.20.121.95 -> 10.10.220.100 HTTP 273 CONNECT safebrowsing.google.com:443 HTTP/1.1
29078  11.308659  10.20.42.17 -> 10.10.220.100 HTTP 396 CONNECT clients1.google.com:443 HTTP/1.0
38350  19.076371 10.20.112.137 -> 10.10.220.100 HTTP 123 CONNECT tools.google.com:443 HTTP/1.1
38368  19.096608 10.20.112.137 -> 10.10.220.100 HTTP 207 CONNECT tools.google.com:443 HTTP/1.1 , NTLMSSP_NEGOTIATE
51468  25.387301 10.30.130.104 -> 10.10.220.100 HTTP 520 GET http://www.googletagservices.com/tag/js/gpt.js HTTP/1.1
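To make the difference between "contains" and an exact match concrete, here is an added example (not from the original post) that parses tshark summary lines like the ones above and re-implements both filter semantics in Python, plus a narrower host-under-domain check of my own that is not a tshark operator. The sample lines are constructed in the same format as the output shown (four of them copied from it, one non-Google request added).

```python
import re
# Constructed sample: tshark one-line summaries in the format shown above
# (frame, time, src -> dst, proto, length, info).
SAMPLE = """\
132   0.026293 10.10.10.2 -> 10.10.220.100 HTTP 159 CONNECT talkx.l.google.com:5222 HTTP/1.1
23956   8.625725 10.20.122.52 -> 10.10.220.100 HTTP 298 CONNECT pagead2.googlesyndication.com:443 HTTP/1.1
38350  19.076371 10.20.112.137 -> 10.10.220.100 HTTP 123 CONNECT tools.google.com:443 HTTP/1.1
51468  25.387301 10.30.130.104 -> 10.10.220.100 HTTP 520 GET http://www.googletagservices.com/tag/js/gpt.js HTTP/1.1
60001  30.000000 10.30.130.105 -> 10.10.220.100 HTTP 410 GET http://example.com/index.html HTTP/1.1
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)"
)

def parse_summary(text):
    """Parse tshark summary lines into dicts; the request target is what
    http.request.uri holds (host:port for CONNECT, full URL for GET)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def uri_contains(rows, needle):
    """Same semantics as  http.request.uri contains "<needle>":  a case-
    sensitive substring test, so googlesyndication/googletagservices hit too."""
    return [r["frame"] for r in rows if needle in r["uri"]]

def uri_equals(rows, value):
    """Same semantics as  http.request.uri == "<value>":  exact match only."""
    return [r["frame"] for r in rows if r["uri"] == value]

def uri_host_under(rows, domain):
    """Narrower check (my own, not a tshark operator): request host is
    <domain> or a subdomain of it, so look-alike names are excluded."""
    hits = []
    for r in rows:
        host = re.sub(r"^[a-z]+://", "", r["uri"]).split("/")[0].split(":")[0]
        if host == domain or host.endswith("." + domain):
            hits.append(r["frame"])
    return hits

if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    print("contains google        :", uri_contains(rows, "google"))
    print("== tools.google.com:443:", uri_equals(rows, "tools.google.com:443"))
    print("host under google.com  :", uri_host_under(rows, "google.com"))
```

Running it shows "contains" matching four of the five frames, the exact match only one, and the host check only the two real google.com subdomains.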
