Xe1phix-[TShark]-CheatSheet-[.v5.5.45.].sh

1. #!/bin/sh
2. ##-========================================-##
3. ##      [+] Xe1phix-TShark-Cheatsheet-[v*.*.*].sh
4. ##-========================================-##
5.  
6.  
7.  
8. tshark -Y $Filter -r $InFile -w $OutFile
9. tshark -2 -R $Filter -r $InFile -w $OutFile
10.  
11.  
12.  
13. ##-=============================-##
14. ##   [+] Basic protocols dump:
15. ##-=============================-##
16.  
17. ## ------------------------------------------------------------------------------ ##
18.       tshark -i any -f 'port http' -Y http -l -N nNC      ## Dump HTTP Traffic
19. ## ------------------------------------------------------------------------------ ##
20.       tshark -i any -f 'port smtp' -Y smtp -l -N nNC      ## Dump SMTP Traffic
21. ## ------------------------------------------------------------------------------ ##
22.       tshark -i any -f 'port imap' -Y imap -l -N nNC      ## Dump IMAP Traffic
23. ## ------------------------------------------------------------------------------ ##
24.  
25.  
26.  
27. ##-==============================-##
28. ##   [+] Filtering TCP packets
29. ##-==============================-##
30. tshark -f "tcp"
31.  
32.  
33. ##-==============================-##
34. ##   [+] Filtering UDP packets
35. ##-==============================-##
36. tshark -f "udp"
37.  
38.  
39. ##-======================================-##
40. ##  [+]
41. ##-======================================-##
42. tshark -f "tcp port 80" -i eth0
43.  
44.  
45.  
46. ##-==================================================-##
47. ##   [+] Show all ICMPv6 traffic from a pcap file:
48. ##-==================================================-##
49. tshark -Y "icmpv6" -r $File
50.  
51.  
52. ##-====================================-##
53. ##   [+] Only show multicast traffic:
54. ##-====================================-##
55. tshark -r $File -Y "eth.dst[0] & 1"
56.  
57.  
58.  
59. ##-======================================-##
60. ##  [+]
61. ##-======================================-##
62. tshark -i eth0 -T fields -e ip.src -e ip.dst -e frame.protocols -E header=y
63.  
64.  
65. ##-=======================-##
66. ##     [+] trace http requests
67. ##-=======================-##
68. tshark -i eth0 -z proto,colinfo,http.request.uri,http.request.uri -R http.request.uri
69.  
70.  
71.  
72.  
73. TCP SYN packets
74. match all packets that contain a "tcp.flags" field with the 0x02 bit,
75. tcp.flags & 0x02
76.  
77.  
78.  
79. ip.src == $1
80. ip.dst == $2
81. tcp.srcport == $3
82. tcp.dstport == $4
83. ip.src == $2
84. ip.dst == $1
85. tcp.srcport == $4
86. tcp.dstport == $3
87.  
88.  
89.  
90. eth.dst eq ff:ff:ff:ff:ff:ff
91. ip.dst eq www.mit.edu
92. ip.src == 192.168.1.1
93. ip.addr == 129.111.0.0/16
94. ipx.src.net == 0xc0a82c00
95.  
96.  
97.  
98. ipv6.addr == ::1                        ## IPv6 address
99.  
100.  
101.  
102. tcp.port == 80 and ip.src == 192.168.2.1
103.  
104.  
105.  
106.  
107. ip.src==10.0.0.5 and tcp.flags.fin
108.  
109.  
110. ip.src==10.0.0.5 or ip.src==192.1.1.1
111.  
112.  
113.  
114.  
115. http.request.method == "POST"
116.  
117.  
118. hexadecimal to look for "HEAD":
119.  
120. http.request.method == "\x48EAD"
121. http.request.method in {"HEAD" "GET"}
122.  
123. octal to look for "HEAD":
124.  
125. http.request.method == "\110EAD"
126.  
127.  
128. The slice operator
129. take a slice of a field if the field is a text string or a byte array.
130.  
131.  
132. filter on the vendor portion of an ethernet address (the first three bytes)
133. eth.src[0:3] == 00:00:83
134. http.content_type[0:4] == "text"
135.  
136.  
137.  
138. use the slice operator on a protocol name
139.  
140.  
141. check the last four bytes of a frame:
142.  
143. frame[-4:4] == 0.1.2.3
144. frame[-4:] == 0.1.2.3
145.  
146.  
147.  
148. The "frame" protocol can be useful,
149. encompassing all the data captured
150.  
151. frame[100-199] contains "wireshark"
152.  
153.  
154.  
155.  
156. frame[4] == 0xff
157.  
158.  
159.  
160.  
161. The membership operator
162. A field may be checked for matches against a set of values
163.  
164.  
165.  
166. find traffic on common HTTP/HTTPS ports
167. tcp.port in {80 443 8080}
168.  
169.  
170. more verbose:
171. tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
172.  
173.  
174. matches HTTP packets where the HOST header contains
175. http.request.uri == "https://www.wireshark.org/"
176.  
177.  
178. matches HTTP packets where the HOST header contains acme.org, acme.com, or acme.net.
179. http.host matches "acme\\.(org|com|net)"
180.  
181.  
182.  
183.  
184. find HTTP requests using the HEAD or GET methods:
185.  
186. http.request.method in {"HEAD" "GET"}
187.  
188.  
189.  
190.  
191.  
192.  
193. The set of values can also contain ranges:
194.  
195. tcp.port in {443 4430..4434}
196. ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
197. frame.time_delta in {10 .. 10.5}
198.  
199.  
200. http.request.method == "GET"
201.  
202.  
203. ##-============================================-##
204. ##     [+]
205. ##-============================================-##
206. tshark -r $File.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
207.  
208.  
209. ##-============================================-##
210. ##     [+]
211. ##-============================================-##
212. tshark -r $File.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
213.  
214.  
215. ##-===============================================================-##
216. ##     [+] DNS servers were used by the clients for domain name resolutions
217. ##-===============================================================-##
218. tshark -r $File.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst
219.  
220.  
221. ##-====================================-##
222. ##     [+] Monitor DNS queries and replies:
223. ##-====================================-##
224. tshark -Y "dns.flags.response == 1" -Tfields -e frame.time_delta -e dns.qry.name -e dns.a -Eseparator=
225.  
226.  
227. ##-========================================-##
228. ##     [+] Monitor HTTP requests and responses:
229. ##-========================================-##
230. tshark -Y "http.request or http.response" -Tfields -e ip.dst -e http.request.full_uri -e http.request.method -e http.response.code -e http.response.phrase -Eseparator=/s
231.  
232.  
233. ##-====================================-##
234. ##     [+]
235. ##-====================================-##
236. tshark -r $File.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
237.  
238.  
239. ##-=====================================-##
240. ##     [+] Monitor x509 (SSL/TLS) certificates:
241. ##-=====================================-##
242. tshark -Y "ssl.handshake.certificate" -Tfields -e ip.src -e x509sat.uTF8String -e x509sat.printableString -e x509sat.universalString -e x509sat.IA5String -e x509sat.teletexString -Eseparator=/s -Equote=d
243.  
244.  
245. ##-====================================-##
246. ##     [+]
247. ##-====================================-##
248. tshark -r $File.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
249.  
250.  
251.  
252. ##-====================================-##
253. ##     [+]
254. ##-====================================-##
255. tshark -r $File.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
256.  
257.  
258. ##-====================================-##
259. ##     [+]
260. ##-====================================-##
261. tshark -r $File.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
262.  
263.  
264. ##-=================================-##
265. ##     [+] HTTP traffic from a PCAP file
266. ##-=================================-##
267. tshark -Y ‘http’ -r $File.pcap
268.  
269.  
270. ##-===========================================-##
271. ##     [+] Show the IP packets sent from IP address
272. ##           192.168.252.128 to IP address 52.32.74.91
273. ##-===========================================-##
274. tshark -r $File.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"
275.  
276.  
277. ##-============================================-##
278. ##     [+] Only print packets containing GET requests
279. ##-============================================-##
280. tshark -r $File.pcap -Y "http.request.method==GET"
281.  
282.  
283. ##-=======================================================-##
284. ##     [+] Print only source IP and URL for all GET request packets
285. ##-=======================================================-##
286. tshark -r $File.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
287.  
288.  
289. ##-======================================================-##
290. ##     [+] How many HTTP packets contain the "password" string?
291. ##-======================================================-##
292. tshark -r $File.pcap -Y "http contains password"
293.  
294.  
295. ##-======================================================-##
296. ##     [+] Which IP address was sent GET requests for $Domain
297. ##-======================================================-##
298. tshark -r $File.pcap -Y "http.request.method==GET && http.host==$Domain" -Tfields -e ip.dst
299.  
300.  
301. ##-======================================================-##
302. ##     [+] What is the session ID being used by 192.168.252.128
303. ##           for Amazon India store (amazon.in)?
304. ##-======================================================-##
305. tshark -r $File.pcap -Y "ip contains $Domain && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie
306.  
307.  
308. ##-=========================================================-##
309. ##     [+] What type of OS the machine on IP address 192.168.252.128
310. ##           is using (i.e. Windows/Linux/MacOS/Solaris/Unix/BSD)?
311. ##-=========================================================-##
312. tshark -r $File.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent
313.  
314.  
315. ##-===========================-##
316. ##     [+] Only show SSL traffic
317. ##-===========================-##
318. tshark -Y ‘ssl’ -r $File.pcap
319.  
320.  
321. ##-============================================-##
322. ##     [+] Only print the source IP and destination IP
323. ##          for all SSL handshake packets
324. ##-============================================-##
325. tshark -r $File.pcap -Y "ssl.handshake" -Tfields -e ip.src -e ip.dst
326.  
327.  
328. ##-==================================================-##
329. ##     [+] List issuer name for all SSL certificates exchanged
330. ##-==================================================-##
331. tshark -r $File.pcap -Y "ssl.handshake.certificate" -Tfields -e x509sat.printableString
332.  
333.  
334. ##-======================================================-##
335. ##     [+] Print the IP addresses of all servers accessed over SSL
336. ##-======================================================-##
337. tshark -r $File.pcap -Y "ssl && ssl.handshake.type==1" -Tfields -e ip.dst
338.  
339.  
340. ##-===============================================================-##
341. ##     [+] IP addresses associated with Ask Ubuntu servers (askubuntu.com)
342. ##-===============================================================-##
343. tshark -r $File.pcap -Y "ip contains askubuntu"
344.  
345.  
346. ##-================================================-##
347. ##     [+] IP address of the user who interacted
348. ##          with with Ask Ubuntu servers (askubuntu.com)
349. ##-================================================-##
350. tshark -r $File.pcap -Y "ip.dst==151.101.1.69 || ip.dst==151.101.193.69 || ip.dst==151.101.129.69 || ip.dst==151.101.65.69" -Tfields -e ip.src
351.  
352.  
353. ##-==============================================================-##
354. ##     [+] DNS servers were used by the clients for domain name resolutions
355. ##-==============================================================-##
356. tshark -r $File.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst
357.  
358.  
359. ##-============================================-##
360. ##     [+] Name of the antivirus solution?
361. ##           IP addresses of the machines running this
362. ##-============================================-##
363. tshark -r $File.pcap -Y "ip contains avast" -Tfields -e ip.src
364.  
365.  
366.  
367. ##-=====================================-##
368. ##     [+] capture mysql queries sent to server
369. ##-=====================================-##
370. tshark -i any -T fields -R mysql.query -e mysql.query
371.  
372.  
373. ##-=======================================-##
374. ##     [+]
375. ##-=======================================-##
376. tshark -i eth0 -f 'not tcp port 22'
377.  
378.  
379.  
380. icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
381.  
382. tshark -T fields -e http.host -r $File.pcap | sort | uniq -c | sort -nr
383.  
384. tshark -T fields -e http.host -e http.request.uri -Y 'http.request.method == \"GET\"' -r $File.pcap | sort | uniq
385. tshark -Y 'http contains \"User-Agent:\"' -T fields -e http.user_agent -r $File.pcap | sort | uniq -c | sort -nr
386.  
387. tshark -r $File.pcap -qz io,stat,10,tcp,udp,icmp,ip,smtp,smb,arp,browser
388.  
389. tshark -r $File.pcap -qz io,phs
390.  
391.  
392. TCP Conversation
393. tshark -r $File.pcap -qz conv,tcp
394.  
395.  
396.  
397. IP Conversation
398. tshark -r $File.pcap -qz conv,ip
399.  
400. UDP Conversation
401. tshark -r $File.pcap -qz conv,udp
402.  
403.  
404. (proto,src_addr,src_port,dst_addr,dst_port)
405.  
406.  
407.  
408. How Many | Port Used
409.  
410. tcpdump -nn -r $File.pcap -p 'tcp or udp' | awk -F' ' '{print $5}' | awk -F'.' '{print $5}' | sed 's/:/ /g'  | sort | uniq -c | sort -n
411.  
412.  
413. ALL IP List
414. tcpdump -nn -r $File.pcap -p 'tcp or udp'
415.  
416.  
417. Request IP List
418. tcpdump -nn -r $File.pcap -p 'tcp or udp' | awk -F' ' '{print $3}' | awk -F'.' '{print $1\".\"$2\".\"$3\".\"$4}' | sort | uniq | sort -n
419.  
420.  
421.  
422. "frame.protocols": "eth:ethertype:ip:tcp:bittorrent"
423.  
424.  
425.  
426.  
427.  
428.  
429. ngrep -q -I $File.pcap
430. mergecap $File.pcap -w $File.pcap -F pcap
431. ngrep -q -I $File.pcap | grep -i $File.pcap | sort | uniq -c
432.  
433.  
434.  
435. ##-=======================================-##
436. ##     [+]
437. ##-=======================================-##
438. tshark -i eth0 -f 'tcp dport != { 80, 443 }'
439. tshark -i eth0 -f 'tnot cp dport 80, 443 '
440. tcp.port in {80 443 8080}
441.  
442. tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
443.  
444.  
445.  
446.  
447. Print all connections of a source IP address in pcap
448.  
449. tshark -r $File.pcap -R "ip.src==192.168.1.2" -T fields -e "ip.dst" |sort |uniq -c
450.  
451.  
452.  
453.  
454. Capture all tcp and udp packets in LAN,
455. except packets coming to localhost (192.168.1.2)
456.  
457. tcpdump -n -i eth0 -w $File.pcap -v tcp or udp and 'not host 192.168.1.2'
458.  
459.  
460.  
461. ##-========================-##
462. ##     [+] HTTP GET request
463. ##-========================-##
464. tshark -i eth0 -f 'tcp port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' -w -
465.  
466.  
467. ##-=================================-##
468. ##     [+] Extract infomation form pcap
469. ##-=================================-##
470. tshark -r $File.pcap -zio,phs
471.  
472. ##-===========================================-##
473. ##     [+] IOstatistics.txt contains Protocol Hierarchy
474. ##-===========================================-##
475. tshark -nr $File -q -z io,stat,30 > IOstatistics.txt
476. tshark -nr $File -q -z io,phs >> IOstatistics.txt
477.  
478. ##-================================================-##
479. ##     [+] IPstatistics contains overall stats to/from endpoints
480. ##-================================================-##
481. tshark -nr $File -q -z endpoints,ip > IPstatistics.txt
482. tshark -nr $File -q -z conv,ip >> IPstatistics.txt
483.  
484. ##-===========================================-##
485. ##     [+] Statistical data about HTTP conversations
486. ##-===========================================-##
487. tshark -nr $File -q -z http,tree > HTTPInfo.txt
488. tshark -nr $File -q -z http_req,tree >> HTTPInfo.txt
489. tshark -nr $File -q -z http_srv,tree >> http_info.txt
490.  
491. ##-===========================-##
492. ##     [+] check for hostname flag
493. ##-===========================-##
494. ## ------------------------------------------------------------ ##
495. ##     [?] Performing hostname resolution
496. ## ------------------------------------------------------------- ##
497. tshark -nr $File -N Nnt -z hosts > $File.txt
498. cat $File.txt | grep '# TShark' -A 100000000 > hostnamesResolved.txt
499.  
500.  
501. ##-=======================-##
502. ##     [+] HTTP pcap carving
503. ##-=======================-##
504. ## -------------------------------------------------------------------------------------------------------- ##
505. ##    [?] http.pcap contains all conversations containing port 80,8080,8000
506. ## -------------------------------------------------------------------------------------------------------- ##
507. tshark -nr $File -n -Y '(tcp.port==80 || tcp.port==8080 || tcp.port==8000)' -w $File.pcap
508.  
509.  
510.  
511. ##-===================================================-##
512. ##     [+] Print all connections of a source IP address in pcap
513. ##-===================================================-##
514. tshark -r $File.pcap -R "ip.src==192.168.1.2" -T fields -e "ip.dst" |sort |uniq -c
515.  
516.  
517. ##-===================-##
518. ##     [+] Decrypt SSL
519. ##-===================-##
520. ## --------------------------------------------------------------------------------------------------------------- ##
521. ##     [?] on a web server (with access to the ssl key), decrypt SSL off the wire
522. ## --------------------------------------------------------------------------------------------------------------- ##
523. openssl pkcs8 -in /etc/pki/tls/web.key -out /root/wc.key -nocrypt && tshark -o "ssl.desegment_ssl_records:TRUE" -o "ssl.desegment_ssl_application_data:TRUE" -o "ssl.keys_list:,443,http,/root/wc.key" -o "ssl.debug_file:rsa.log" -R "(tcp.port eq 443)"
524.  
525.  
526.  
527.  
528. ##-==========================-##
529. ##     [+] Decrypt 802.11 traffic:
530. ##-==========================-##
531. tshark -r $File.pcap -o wlan.enable_decryption:TRUE -o wlan.wep_key1:wpa-psk:55f8e415485dd9a272060ca558d3db184be51b3cb6d4a048b064c7aaca335df2
532.  
533.  
534. ##-======================================================-##
535. ##     [+] Generate Top Talkers by #TCP conv started per second:
536. ##-======================================================-##
537. ## --------------------------------------------------------------------------------------------------------------- ##
538. ##     [?] #_connects src_IP dst_IP When_It_Happened_Secs Show Sample Output
539. ## --------------------------------------------------------------------------------------------------------------- ##
540. tshark -qr $File -z conv,tcp | awk '{printf("%s:%s:%s\n",$1,$3,$10)}' | awk -F: '{printf("%s %s %s\n",$1,$3,substr($5,1,length($5)-10))}' | sort | uniq -c | sort -nr
541.  
542.  
543. tshark -a filesize:10000 -b files:200 -i eth0 -w $File.pcap -f "port 80 or port 53 or port 443"
544.  
545.  
546.  
547. tshark -q -E separator=';' -T fields -e frame.time_epoch -e eth.src -e frame.len -b filesize:10000 -b files:100 -w $File.pcap
548.  
549.  
550. tshark -r $File.pcap -n -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
551.  
552.  
553. ##-================================================-##
554. ##     [+] follow a tcp communication between two nodes
555. ##-================================================-##
556. tshark -r $File.pcap -z "follow,tcp,hex,192.168.3.200:46168,192.168.3.100:5150" > /tmp/o46168_f5150.follow
557.  
558.  
559.  
560.  
561.  
562.  
563. dtruss -a -f tshark
564.  
565.  
566. tshark -f 'host '${i}'' -R "http.request" -T fields -e http.host -w $File.log -S
567.  
568. tshark -n -r $File.log -R "http.request" -T fields -e http.host > $File.txt
569.  
570.  
571. tshark -Nn -r $File.cap -o column.format:'"Unres","%us","Res","%rs"'
572.  
573.  
574. tshark -n -r $File.cap -o column.format:'"Unres","%us","Res","%rs"'
575.  
576. tshark -nn -r $File.pcap -z conv,tcp > tcp_convs
577. tshark -nn -r $File.pcap -z conv,udp > udp_convs
578. tshark -nn -r $File.pcap -z conv,ip > ip_convs
579. tshark -nn -q -r $File.pcap -Y http.request.full_uri -T fields -e http.request.full_uri -e http.referer | grep 'moonstoneafgelekte.onewide.co.uk' >>
580.  
581.  
582. tshark -i eth0 -f "host bucket-name.s3.amazonaws.com"  -w $File.pcap
583.  
584.  
585.  
586. tshark -n -r $File.pcap -Y dns.qry.name -T fields -e dns.qry.name -q | grep '-' | head -1 > mta-20150711-id
587. tshark -n -r $File.pcap -Y dns.qry.name -T fields -e dns.qry.name | sort -u > mta-20150711-dns-domains
588. tshark -n -r $File.pcap -z endpoints,ip -q | head -2 >> mta-20150711-id
589. tshark -n -r $File.pcap -z endpoints,ether -q >> mta-20150711-id
590. tshark -n -r $File.pcap -c1 -V | grep -i src >> mta-20150711-id
591. tshark -n -r $File.pcap -Y http -T fields -e http.request.full_uri -e http.referer | sort -u > mta-20150711-http
592.  
593.  
594.  
595. tshark -i vboxnet0
596.  
597.  
598. tshark -i eth0 multicast
599.  
600.  
601. ##-==============================================================-##
602. ##     [+] Get data out of the capture and remove all newlines and commas:
603.  
604. tshark -r $File.pcap -T fields -e data | tr -d '\n' | tr -d ',' > $File
605.  
606.  
607. ##-================================================-##
608. ##     [+]
609. ##-================================================-##
610. tshark -i eth0 -p -n -Q -l -Y dhcpv6.msgtype==7 && dhcpv6.iaprefix.pref_addr -T fields -e ipv6.dst -e dhcpv6.iaprefix.pref_addr-e dhcpv6.iaprefix.pref_len -- ip6 and udp and dst port 546
611.  
612.  
613.  
614.  
615. ##-================================================-##
616. ##     [+]
617. ##-================================================-##
618.  
619. END=$(tshark -r $File.pcap -T fields -e tcp.stream | sort -n | tail -1);
620. for ((i=0;i<=END;i++));
621. do
622. echo $i; tshark -r $File.pcap -qz follow,tcp,ascii,$i
623. done
624.  
625.  
626.  
627.  
628. ##-#########################################-##
629. ##     [+] TShark - Graphs + Statistrics + Lists
630. ##-#########################################-##
631.  
632.  
633.  
634. ##-====================================-##
635. ##     [+]
636. ##-====================================-##
637. tshark -r $File.pcap -qz http_req,tree
638.  
639.  
640. ##-====================================-##
641. ##     [+] List conversations by percentage:
642. ##-====================================-##
643.  tshark -r $File -n -qz ip_hosts,tree
644.  
645.  
646. ##-=============================-##
647. ##     [+] List protocol breakdown:
648. ##-=============================-##
649. tshark -r $File -n -qz ptype,tree
650.  
651.  
652. ##-============================-##
653. ##     [+] Show stats by protocol:
654. ##-============================-##
655. tshark -q -r $File -z io,phs
656.  
657.  
658. ##-=======================================================-##
659. ##     [+] Show 5 second interval stats of tcp, icmp and udp traffic:
660. ##-=======================================================-##
661. tshark -q -n -r $File -z io,stat,5,tcp,icmp,udp
662.  
663.  
664. ##-===================================-##
665. ##     [+] Show TCP retransmission count:
666. ##-===================================-##
667. tshark -nr $File.pcap -qz 'io,stat,0,COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission'
668.  
669.  
670.  
671.  
672. ##-===================================================-##
673. ##    [+] Extract Debugging Fields In  x509 Certificate Traffic:
674. ##-===================================================-##
675. tshark -Y "ssl.handshake.certificate" -Tfields -e ip.src -e x509sat.uTF8String -e x509sat.printableString -e x509sat.universalString -e x509sat.IA5String -e x509sat.teletexString -Eseparator=/s -Equote=d
676.  
677.  
678. ##-=========================-##
679. ##     [+] Protocol hierarchy :
680. ##-=========================-##
681. tshark -qr $File.pcap -z io,phs
682.  
683.  
684.  
685. ##-=====================================-##
686. ##     [+] Print DNS Query Names + CNames
687. ##-=====================================-##
688. tshark -r $File.pcap -Tfields -e dns.qry.name -e dns.cname
689.  
690.  
691. ##-============================================================-##
692. ##     [+] PCAP Extraction, one query/response per line and unique one :
693. ##-============================================================-##
694. tshark -r $File.pcap -Tfields -e dns.qry.name | awk '!a[$0]++' > $File.txt && tshark -r $File.pcap -Tfields -e dns.cname | awk '!a[$0]++' >> $File.txt
695.  
696.  
697.  
698.  
699.  
700. ##-================================================-##
701. ##     [+] SMB carving - Stats on CLI ran by smb or smb2
702. ##-================================================-##
703. tshark -nr $File.pcap -q -z smb,srt > SMBstatistics.txt
704. tshark -nr $File.pcap -q -z smb2,srt >> SMBstatistics.txt
705.  
706.  
707.  
708.  
709. tshark -i eth0 -r $File.pcap -qz io,phs
710.  
711.  
712. tshark -r $File.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
713.  
714.  
715. tshark -r $File.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
716.  
717.  
718. tshark -r $File.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
719.  
720.  
721. tshark -r $File.pcap -Tfields -e "eth.src" | sort | uniq
722.  
723.  
724. tshark -r $File.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
725.  
726.  
727. tshark -r $File.pcap -Tfields -e "eth.src" | sort |uniq
728.  
729.  
730. tshark -r $File.pcap -qz ip_hosts,tree
731.  
732.  
733. tshark -r $File.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
734.  
735.  
736. tshark -r $File.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
737.  
738.  
739. tshark -r $File.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
740.  
741.  
742. tshark -r $File.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
743.  
744.  
745. tshark -r $File.pcap -qz http_req,tree
746.  
747.  
748. tshark -r $File.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
749.  
750.  
751. tshark -r $File.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
752.  
753.  
754.  
755.  
756.  
757.  
758. ##-=============================-##
759. ##   [+] Basic protocols dump:
760. ##-=============================-##
761.  
762. ## ------------------------------------------------------------------------------ ##
763.       tshark -i any -f 'port http' -Y http -l -N nNC      ## Dump HTTP Traffic
764. ## ------------------------------------------------------------------------------ ##
765.       tshark -i any -f 'port smtp' -Y smtp -l -N nNC      ## Dump SMTP Traffic
766. ## ------------------------------------------------------------------------------ ##
767.       tshark -i any -f 'port imap' -Y imap -l -N nNC      ## Dump IMAP Traffic
768. ## ------------------------------------------------------------------------------ ##
769.  
770.  
771.  
772. ##-==================================================-##
773. ##   [+] Show all ICMPv6 traffic from a pcap file.
774. ##-==================================================-##
775. tshark -Y "icmpv6" -r $File
776.  
777.  
778. ##-====================================-##
779. ##   [+] Show only multicast traffic
780. ##-====================================-##
781. tshark -r $File -Y "eth.dst[0] & 1"
782.  
783.  
784.  
785.