This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I capture everything on port 25 into a pcap file using dumpcap. Sometimes, I see a malicious email campaign come through, so now, I want to find all the times it occurs. So far, I have this bash script:

sudo tshark -n -t ad -r $2 -R "smtp.command_line contains $1 || data-text-lines contains $1 || imf contains $1" -T fields -e frame.time -e ip.src -e ip.dst -e tcp.stream -e smtp.command_line -e data-text-lines

An example output of this script is shown below:

Sep  4, 2012 05:53:47.577902000 redacted IP    redacted IP    138     MAIL FROM:<[email protected]welcome.aexp.com> SIZE=14138\x0d\x0a

In the script above, $2 is the pcap file, and $1 is what I'm looking for. I then want to take the identified tcp.stream and dump that out to a file. I can do that easily enough with one stream, but I'm interested in doing that for, say, 4 to 5 different streams. I'm thinking of using a for-loop or something that will look like the below:

./findstreams bleh.pcap <- command typed in
138 139 140             <- streams to pick out

I think the tshark command would be:

tshark -r $1 -P -w /tmp/ick`date +%m-%N`.pcap -R 'tcp.stream == $variable'

...but I'm not sure how to get the $variable part to "work". Thanks for any help you can give.

asked 04 Sep '12, 12:42

DigiAngel

edited 04 Sep '12, 15:31

helloworld

One thing that sticks out to me is the usage of a variable inside a single-quoted string (i.e., 'tcp.stream == $variable'). The single-quotes prevent the variable from being expanded in bash. Assuming you meant to expand that variable, you need to use double-quotes instead.

(04 Sep '12, 15:16) helloworld

Another: do you really need to use sudo in your first tshark command? Most users resort to sudo only when tshark can't access the capture interfaces on their host, but you're only reading in a pcap file (thus no capture interfaces would be accessed...I would hope).

(04 Sep '12, 15:22) helloworld

Yea, that's a good point with sudo. And agreed, it's double quote; nice catch.

(04 Sep '12, 15:44) DigiAngel

You need to parse the output of the first tshark command. It will print out the stream number (tcp.stream). Then loop over those stream numbers.

Regards
Kurt

answered 04 Sep '12, 14:36

Kurt Knochner ♦

Yea it's the looping part I'm getting stuck on ;)

(04 Sep '12, 14:50) DigiAngel

Can you please post the output of the first tshark command?

(04 Sep '12, 14:58) Kurt Knochner ♦

Sep 4, 2012 05:53:47.577902000 ip ip 138 MAIL FROM:[email protected] SIZE=14138\x0d\x0a
Sep 4, 2012 05:53:48.358362000 ip ip 138
Sep 4, 2012 05:53:49.907442000 ip ip 139 RCPT TO:[email protected]\x0d\x0a

So in this case, the sessions I want to see in their entirety are 138 and 139. Thanks for looking, all.

(04 Sep '12, 15:45) DigiAngel

If you have a command like ./findstreams that you can encapsulate the first tshark call in, it will make this next part much easier.

for stream in `./findstreams blah.pcap`; do tshark <all your options> -R "tcp.stream==$stream"; done

The trick is using back-ticks (`) around the first command, and using Bash's "for var in set; do;done" to loop over it. For a trivial example of it in action, look at this:

for i in 1 2 3 4 5; do echo "i is $i"; done

And for substituting a command in there, think about ls

for i in `ls`; do echo $i; done

You may run into punctuation-soup when trying to embed all of this into a single command, so the more you can put into separate scripts, the better off you'll probably be.

answered 05 Sep '12, 06:00

zachad

edited 06 Sep '12, 12:27

helloworld

Thank you....I will give this a shot and show my results.

(06 Sep '12, 06:58) DigiAngel

So...looks like this is it, where $1 is the search item and $2 is the pcap file. Thanks for the help, all!

for stream in `tshark -n -t ad -r "$2" -R "smtp.command_line contains $1 || data-text-lines contains $1 || imf contains $1" -T fields -e tcp.stream | sort -u`; do tshark -r "$2" -w "test-$stream.pcap" -R "tcp.stream==$stream"; done

answered 06 Sep '12, 13:58

DigiAngel
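A worked version of the approach from the last two answers, added here as an example that is not code from the thread: the first stage runs the question's tshark field filter, the second stage keeps only the tcp.stream column so the free-text SMTP fields can never be word-split into bogus stream numbers, and the third stage writes one pcap per stream. The function names, the embedded sample lines and the IP addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original thread).
# Stage 1: list packets whose SMTP command line, text lines or IMF body
# contain a search term.  Stage 2: keep only unique tcp.stream numbers.
# Stage 3: write each stream to its own pcap.  Function names are this
# example's own; the tshark options follow the thread.

# $1 = search term, $2 = pcap file.  Output is tab-separated fields, with
# tcp.stream in column 4 (same field order as the question's command).
find_matches() {
    tshark -n -t ad -r "$2" \
        -R "smtp.command_line contains \"$1\" || data-text-lines contains \"$1\" || imf contains \"$1\"" \
        -T fields -e frame.time -e ip.src -e ip.dst -e tcp.stream -e smtp.command_line
}

# Reads find_matches output on stdin; prints each stream number once.
# Only column 4 is used, so text such as "MAIL FROM:<...>" in later
# columns cannot leak into the loop as fake stream numbers.
stream_numbers() {
    awk -F '\t' '$4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# Reads stream numbers on stdin; $1 = pcap, $2 = output file prefix.
dump_streams() {
    pcap=$1
    prefix=${2:-stream}
    while read -r stream; do
        tshark -r "$pcap" -w "$prefix-$stream.pcap" -R "tcp.stream == $stream"
    done
}

# Constructed sample of find_matches output (addresses made up), shaped
# like the three lines posted in the thread: stream 138 twice, 139 once.
SAMPLE_MATCHES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
    'Sep  4, 2012 05:53:47.577902000' 192.0.2.10 198.51.100.25 138 'MAIL FROM:<spam@example.net> SIZE=14138' \
    'Sep  4, 2012 05:53:48.358362000' 192.0.2.10 198.51.100.25 138 '' \
    'Sep  4, 2012 05:53:49.907442000' 192.0.2.10 198.51.100.25 139 'RCPT TO:<victim@example.org>')

# Returns the unique stream numbers of the sample as one space-separated line.
sample_streams() {
    printf '%s\n' "$SAMPLE_MATCHES" | stream_numbers | tr '\n' ' '
}

# Usage: findstreams.sh <term> <file.pcap>   (runs only when tshark exists)
if [ "$#" -eq 2 ] && command -v tshark >/dev/null 2>&1; then
    find_matches "$1" "$2" | stream_numbers | dump_streams "$2" test
fi
```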
