Tshark and bash scripting

Question

I capture everything on port 25 into a pcap file using dumpcap. Sometimes, I see a malicious email campaign come through, so now, I want to find all the times it occurs. So far, I have this bash script:

sudo tshark -n -t ad -r $2 -R "smtp.command___line contains $1 || data-text-lines contains $1 || imf contains $1" -T fields -e frame.time -e ip.src -e ip.dst -e tcp.stream -e smtp.command_line -e data-text-lines

An example output of this script is shown below:

Sep  4, 2012 05:53:47.577902000 redacted IP    redacted IP    138     MAIL FROM:<[email protected]welcome.aexp.com> SIZE=14138\x0d\x0a

In the script above, $2 is the pcap file, and $1 is what I'm looking for. I then want to take the identified tcp.stream and dump that out to a file. I can do that easily enough with one stream, but I'm interested in doing that for, say, 4 to 5 different streams. I'm thinking of using a for-loop or something that will look like the below:

./findstreams bleh.pcap <- command typed in
138 139 140             <- streams to pick out

I think the tshark command would be:

tshark -r $1 -P -w /tmp/ick``date +%m-%N`'.pcap -R 'tcp.stream == $variable'

...but I'm not sure how to get the $variable part to "work". Thanks for any help you can give.

Answer 1

0

You need to parse the output of the first tshark command. It will print out the stream number (tcp.stream). Then loop over those stream numbers.

Reagards
Kurt

answered 04 Sep '12, 14:36

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

Yea it's the looping part I'm getting stuck on ;)

(04 Sep '12, 14:50) DigiAngel

can you please post the output of the first tshark command?

(04 Sep '12, 14:58) Kurt Knochner ♦

Sep 4, 2012 05:53:47.577902000 ip ip 138 MAIL FROM:[email protected] SIZE=14138\x0d\x0a Sep 4, 2012 05:53:48.358362000 ip ip 138 Sep 4, 2012 05:53:49.907442000 ip ip 139 RCPT TO:[email protected]\x0d\x0a

So in this case, the sessions I want to see in their entirety are 138 and 139. Thanks for looking all.

(04 Sep '12, 15:45) DigiAngel

Answer 2

If you have a command like ./findstreams that you can encapsulate the first tshark call in, it will make this next part much easier.

for stream in `./findstreams blah.pcap`; do tshark <all your options> -R "tcp.stream==$stream"; done

The trick is using back-ticks (`) around the first command, and using Bash's "for var in set; do;done" to loop over it. For a trivial example of it in action, look at this:

for i in 1 2 3 4 5; do echo "i is $i'; done

And for substituting a command in there, think about ls

for i in `ls`; do echo $i; done

You may run into punctuation-soup when trying to embed all of this into a single command, so the more you can put into separate scripts, the better off you'll probably be.

Answer 3

So...looks like this is it, where $1 is the search item and $2 is the pcap file. Thanks of the help all!

for stream in tshark -n -t ad -r $2 -R "smtp.command_line contains $1 || data-text-lines contains $1 || imf contains $1" -T fields -e tcp.stream -e data-text-lines | sort -u; do tshark -r $2 -w test-$stream.pcap -R "tcp.stream==$stream" ; done