This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using regex with tshark to detect tor traffic

0

I've been playing around with tshark to detect tor traffic. In the article below I've found some interesting information with a tshark command that I've used:

https://www.rsreese.com/detecting-tor-traffic-with-bro-network-traffic-analyzer/

tshark -r tor.pcap -T fields -Y "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.uTF8String

Then I noticed I also got to see a lot of non-tor related certificates. So I used the following display filter in Wireshark which worked fine. I only got to see the tor certificate (in this example, I haven't tested it on a large pcap with lots of other traffic):

ssl.handshake.certificate && x509sat.uTF8String matches "www.[A-Za-z0-9.-]+.(com|net)"

Then I tried to combine the filter from the article on rsreese.com with the regex mentioned before to apply an extra filter, since many addresses in that field just start with a dot (.) instead of 'www'. The line of code below is just one of many variations I tried; it just doesn't seem to work.

tshark.exe -r tor.pcap -T fields -Y "ssl.handshake.certificate" -e x509af.utcTime -e "x509sat.uTF8String matches "www\.[A-Za-z0-9.-]+\.(com|net)""

Then I got the following error:

tshark: Some fields aren't valid
x509sat.uTF8String matches "www\.[A-Za-z0-9.-]+\.(com|net)

Does this mean that regex filters don't work with tshark, or did I miss something else? Because the specific filter did work in Wireshark itself. Thanks in advance for any input! :)

asked 16 Jan '17, 07:38


r00t070
6437
accept rate: 0%

edited 16 Jan '17, 09:21


grahamb ♦
19.8k330206

-e is not a filter, it's field extractor. Move it to -Y.

(16 Jan '17, 08:31) Jaap ♦

That doesn't work either. I tried many variations of commands with the regex part (-Y, -R, -e), so that's why the example above is showing -e right now. Nothing worked so far. So that's why I'm wondering if searching using a regex even works in tshark?

(16 Jan '17, 08:57) r00t070

Is it a problem of quoting, not sure what shell you're using, try:

tshark.exe -r tor.pcap -T fields -e x509af.utcTime -Y "ssl.handshake.certificate and x509sat.uTF8String matches 'www\.[A-Za-z0-9.-]+\.(com|net)'"

(16 Jan '17, 09:37) grahamb ♦

I tried that as well. Using your example I get the error: - tshark: "www" was unexpected in this context. Then changing quotes again I got: - tshark: Display filters were specified both with "-d" and with additional command-line arguments. I'm working with Windows 7 command-prompt. I know there are probably other and easier ways to do this, but I need to do it this way because I can't use and install any other software.

(16 Jan '17, 23:12) r00t070

One Answer:

2

You can try escaping the inner quotes instead:

tshark.exe -r tor.pcap -T fields -e x509af.utcTime -Y "ssl.handshake.certificate and x509sat.uTF8String matches \"www\.[A-Za-z0-9.-]+\.(com|net)\""

answered 17 Jan '17, 07:22


cmaynard ♦♦
9.4k1038142
accept rate: 20%

Chris's answer works for me in a Cmd shell, now that the OP has identified their shell so the correct quoting rules can be supplied.

(17 Jan '17, 09:32) grahamb ♦

Chris, thanks for pointing out escaping the quotes. Although your answer didn't work, I found out the answer was to use "double double-quotes to escape the double-quote" :P. Thanks for all the input everyone!

The command below now semi-works. I don't get any errors and it creates some output. However it isn't quite doing what I'm looking for yet, so I still have to do some fine-tuning.

tshark.exe -r tor.pcap -T fields -e x509af.utcTime -Y "ssl.handshake.certificate and x509sat.uTF8String matches ""www.[A-Za-z0-9.-]+.(com|net)"""

(19 Jan '17, 06:49) r00t070
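The quoting trouble in this thread comes from handing the display filter through cmd.exe. One way to avoid it entirely is to launch tshark without a shell (an argument list, so no quote escaping is needed) and apply the regex to the extracted x509sat.uTF8String values in Python. The script below is an added example, not code from the thread or from the Wireshark project; it assumes tshark is on PATH, uses the field names from the thread, and its sample tshark output lines are constructed. It also shows why the thread's final regex, with unescaped dots, matches more than intended: a bare "." matches any character, so the escaped form "www\.[A-Za-z0-9.-]+\.(com|net)" from the earlier comments is the one to keep.

```python
import re
import subprocess
import sys

# Regex as the thread ended up with it (unescaped dots) and the escaped form.
LOOSE_PATTERN = re.compile(r"www.[A-Za-z0-9.-]+.(com|net)")
STRICT_PATTERN = re.compile(r"www\.[A-Za-z0-9.-]+\.(com|net)")

# Constructed sample of "tshark -T fields" output: one tab-separated line per
# packet, several values of the same field joined by "," (tshark's default
# aggregator). The certificate subject strings are made up for this example.
SAMPLE_TSHARK_OUTPUT = [
    "17-01-10 09:12:44Z,17-07-10 09:12:44Z\twww.5kq2zrmxe3wqpd.com",
    "16-11-01 00:00:00Z,19-11-01 00:00:00Z\tDigiCert Inc,DigiCert SHA2 Secure Server CA",
    "17-01-02 12:00:00Z,18-01-02 12:00:00Z\twwwxfoo.comx",
    "",
]


def build_tshark_cmd(pcap, tshark="tshark"):
    """Argument list for tshark; passing a list to subprocess.run bypasses cmd.exe quoting."""
    return [
        tshark, "-r", pcap, "-T", "fields",
        "-e", "x509af.utcTime", "-e", "x509sat.uTF8String",
        "-Y", "ssl.handshake.certificate",
    ]


def parse_fields_output(lines):
    """Turn tshark field lines into (utc_times, utf8_strings) tuples, skipping blank lines."""
    records = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        parts = line.split("\t")
        utc_times = parts[0].split(",") if parts[0] else []
        strings = parts[1].split(",") if len(parts) > 1 and parts[1] else []
        records.append((utc_times, strings))
    return records


def suspicious_records(records, pattern=STRICT_PATTERN):
    """Keep only records where at least one subject string matches the pattern."""
    hits = []
    for utc_times, strings in records:
        matched = [s for s in strings if pattern.search(s)]
        if matched:
            hits.append((utc_times, matched))
    return hits


def matches_loose_vs_strict(value):
    """(loose_matches, strict_matches) for one subject string, to show the unescaped-dot effect."""
    return (LOOSE_PATTERN.search(value) is not None, STRICT_PATTERN.search(value) is not None)


def run_on_pcap(pcap):
    """Invoke tshark (assumed on PATH) and return the filtered records."""
    proc = subprocess.run(build_tshark_cmd(pcap), capture_output=True, text=True, check=True)
    return suspicious_records(parse_fields_output(proc.stdout.splitlines()))


if __name__ == "__main__":
    source = run_on_pcap(sys.argv[1]) if len(sys.argv) > 1 else \
        suspicious_records(parse_fields_output(SAMPLE_TSHARK_OUTPUT))
    for utc_times, matched in source:
        print("validity:", " / ".join(utc_times), "| subject strings:", ", ".join(matched))
```

Run it as `python tor_certs.py tor.pcap` to use a real capture, or with no argument to see the constructed sample; in the sample, "wwwxfoo.comx" is matched by the loose pattern but rejected by the escaped one.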