I've been playing around with tshark to detect Tor traffic. In the article below I found some interesting information, along with a tshark command that I've used: https://www.rsreese.com/detecting-tor-traffic-with-bro-network-traffic-analyzer/
Then I noticed I also got to see a lot of non-Tor-related certificates. So I used the following display filter in Wireshark, which worked fine. I only got to see the Tor certificate (in this example; I haven't tested it on a large pcap with lots of other traffic):
Then I tried to combine the filter from the article on rsreese.com with the regex mentioned before to apply an extra filter, since many addresses in that field just start with a dot (.) instead of 'www'. The line of code below is just one of many variations I tried; it just doesn't seem to work.
Then I got the following error:
Does this mean that regex filters don't work with tshark, or did I miss something else? Because the specific filter did work in Wireshark itself. Thanks in advance for any input! :)
asked 16 Jan '17, 07:38 r00t070, edited 16 Jan '17, 09:21 grahamb ♦
One Answer:
You can try escaping the inner quotes instead:
answered 17 Jan '17, 07:22 cmaynard ♦♦
Chris's answer works for me in a Cmd shell, now that the OP has identified their shell so the correct quoting rules can be supplied. (17 Jan '17, 09:32) grahamb ♦
Chris, thanks for pointing out escaping the quotes. Although your answer didn't work, I found out the answer was to use "double double-quotes to escape the double-quote" :P. Thanks for all the input everyone! The command below now semi-works. I don't get any errors and it creates some output. However, it isn't quite doing what I'm looking for yet, so I still have to do some fine-tuning.
(19 Jan '17, 06:49) r00t070
-e is not a filter, it's a field extractor. Move it to -Y.
That doesn't work either. I tried many variations of commands with the regex part (-Y, -R, -e), so that's why the example above is showing -e right now. Nothing worked so far. So that's why I'm wondering if searching using a regex even works in tshark?
Is it a problem of quoting? Not sure what shell you're using; try:
I tried that as well. Using your example I get the error:
- tshark: "www" was unexpected in this context.
Then, changing the quotes again, I got:
- tshark: Display filters were specified both with "-d" and with additional command-line arguments.
I'm working with the Windows 7 command prompt. I know there are probably other and easier ways to do this, but I need to do it this way because I can't use or install any other software.
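Added example (not posted by anyone in this thread, and not the command from the rsreese.com article): a small .bat file showing the same tshark invocation written the broken way and the way the thread settled on, so the effect of the Windows Command Prompt quoting rules on the `matches` regex is visible. It assumes a capture named capture.pcap, the Wireshark 2.x field names `ssl.handshake.type` and `x509sat.printableString`, and an illustrative regex for "www.<random>.com/net" style certificate names; all three are assumptions, not values taken from the posts.

```batch
@echo off
rem Added example, not from the original thread. Assumes capture.pcap exists,
rem Wireshark 2.x field names, and an illustrative regex (see lead-in).

rem 1) Nested plain quotes (the pattern that fails). cmd closes the argument at
rem    the second quote, so the regex ends up OUTSIDE the quoted string: "^" is
rem    then cmd's escape character and "|" starts a pipeline, and tshark receives
rem    the display filter in pieces. This is where errors such as
rem    '"www" was unexpected' or 'Display filters were specified both with -Y
rem    and with additional command-line arguments' come from. Kept as a comment
rem    on purpose so the file does not actually execute the broken form.
rem tshark -r capture.pcap -Y "ssl.handshake.type == 11 && x509sat.printableString matches "^www[.][a-z0-9]+[.](com|net)$"" -T fields -e x509sat.printableString

rem 2) Doubled inner quotes (the working form). cmd keeps the whole thing in
rem    one quoted region, and tshark's argument parser turns each "" into a
rem    literal " so the filter arrives as:
rem      ssl.handshake.type == 11 && x509sat.printableString matches "^www[.][a-z0-9]+[.](com|net)$"
rem    -Y selects certificate handshake messages whose printable strings match;
rem    -T fields -e prints the matching field (-e only extracts, it never filters).
rem    "[.]" is used instead of "\." so neither cmd nor the display-filter string
rem    escaping can eat the backslash.
tshark -r capture.pcap -Y "ssl.handshake.type == 11 && x509sat.printableString matches ""^www[.][a-z0-9]+[.](com|net)$""" -T fields -e x509sat.printableString
```

The doubling trick is specific to cmd plus the argument parser Windows programs use; in a POSIX shell the same filter would be wrapped in single quotes instead, which is why the earlier suggestions in the thread did not carry over until the OP mentioned Windows 7.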