This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi Everyone,

I'm attempting to baseline my network's typical SYN Requests sourced from the internet. Our organization was recently DDoS'd with a SYN Flood and my goal here is to find out what typical SYN traffic looks like so I can create a threshold on our firewall to prevent another SYN Flood attack without this configuration being detrimental to legitimate traffic.

My idea is to use TShark to do an ongoing capture, starting a new file every 60 seconds, then grabbing the Time, Source IP, and Destination IP of ONLY SYN Requests sourced from the internet (anything NOT in RFC 1918 Subnets). Then, pump that data into a .csv so I can send it to my ELK Stack for analysis.

I am pretty unfamiliar with TShark as I typically use the Wireshark GUI. I found something similar to what I'm looking for here

https://rudibroekhuizen.wordpress.com/2016/02/12/analyse-tshark-capture-in-kibana/

but I'm not quite sure how to write out what I need.

Can anyone offer some help?

asked 07 Apr '17, 13:37

Exiar


Using tshark in this manner you'll need to specify a few things. Note that if you want to create a new file every 60 seconds you'll have to output using a capture file format, e.g. pcapng, and then subsequently post-process those files using tshark to output in csv format; you can't just redirect tshark "fields" output and get multiple files. The link you reference is a one-shot run of 60 seconds:

  1. The interface(s) to capture on, e.g. -i eth0
  2. The capture file options, for a new file every 60 seconds use -b duration:60
  3. The output file, for ringbuffer use -w basefilename.pcapng, each new file created will add a suffix to the basename
  4. The capture filter, something like "tcp[tcpflags] & (tcp-syn) == tcp-syn and not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))". You may or may not need to quote this depending on your shell.

Then post-process those files with something like tshark -r filename.pcapng -T fields -e frame.time -e ip.src -e ip.dst > filename.csv using the scripting language of choice to loop over all the files providing the "filename" part of the command.

answered 07 Apr '17, 16:32

grahamb ♦

edited 08 Apr '17, 11:16
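An added example, not part of grahamb's answer, that wires the four steps above and the post-processing loop into one small POSIX shell script. Two checks are worth making before relying on the answer as written: the capture filter there matches any packet with SYN set, so SYN/ACK replies from your own servers are counted too, and it excludes only internal-to-internal flows rather than selecting internet-sourced SYNs; the filter below tests SYN set and ACK clear and drops any RFC 1918 source, which is what the question asks for. Also, `-T fields` separates fields with a tab unless you pass `-E separator=,`, and the value of `frame.time` itself contains a comma, so the script uses `frame.time_epoch` with quoted fields for ELK. The interface name, directory paths, the file-count cap and the sample CSV rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Interface, paths and the
# 1440-file cap are assumptions for illustration.

# Capture filter: SYN set and ACK clear (so SYN/ACK replies are excluded),
# and the source address is not in an RFC 1918 range.
SYN_FROM_INTERNET='tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not (src net 10 or src net 172.16/12 or src net 192.168/16)'

# Ring-buffer capture: a new file every 60 s, keeping at most 1440 files (24 h).
# tshark names each file <base>_<seq>_<YYYYMMDDHHMMSS>.pcapng.
run_capture() {
    iface=${1:-eth0}                    # assumed interface name
    base=${2:-/var/tmp/syn/syn.pcapng}  # assumed output location
    tshark -q -i "$iface" -f "$SYN_FROM_INTERNET" -b duration:60 -b files:1440 -w "$base"
}

# Map a capture file name to its CSV name (same directory, .csv extension).
csv_name_for() {
    printf '%s\n' "${1%.pcapng}.csv"
}

# Convert one capture to real CSV: comma separator (tshark's default is a
# tab), a header row and double-quoted fields. frame.time_epoch is used
# instead of frame.time because the latter contains a comma.
pcap_to_csv() {
    tshark -r "$1" -T fields -E header=y -E separator=, -E quote=d \
        -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport > "$(csv_name_for "$1")"
}

# Convert every finished capture in a directory (suitable for cron).
# Files modified in the last minute are skipped: tshark may still be writing them.
convert_all() {
    dir=${1:-/var/tmp/syn}
    find "$dir" -name '*.pcapng' -mmin +1 -print | while read -r f; do
        [ -e "$(csv_name_for "$f")" ] || pcap_to_csv "$f"
    done
}

# Per-file baseline: total SYNs, distinct sources and the busiest source.
# One line per 60 s file is the number you compare against a firewall threshold.
summarize_csv() {
    awk -F, 'NR > 1 {
        gsub(/"/, "", $2)
        n++
        if (!($2 in c)) u++
        c[$2]++
    } END {
        top = ""; max = 0
        for (s in c) if (c[s] > max) { max = c[s]; top = s }
        printf "syns=%d sources=%d top=%s:%d\n", n, u, top, max
    }' "$1"
}

# Constructed sample of what pcap_to_csv produces, so the summary can be
# tried without tshark (addresses are documentation ranges, not real hosts).
write_sample_csv() {
    cat > "$1" <<'EOF'
"frame.time_epoch","ip.src","ip.dst","tcp.dstport"
"1491579120.000000000","203.0.113.5","198.51.100.10","443"
"1491579120.500000000","203.0.113.5","198.51.100.10","443"
"1491579121.000000000","203.0.113.5","198.51.100.10","80"
"1491579121.200000000","192.0.2.77","198.51.100.10","443"
"1491579122.000000000","198.51.100.99","198.51.100.10","22"
EOF
}

# Usage: run_capture eth0 /var/tmp/syn/syn.pcapng   (as root, in the background)
#        convert_all /var/tmp/syn                    (from cron, every minute)
#        write_sample_csv /tmp/sample.csv && summarize_csv /tmp/sample.csv
#        -> syns=5 sources=3 top=203.0.113.5:3
```

The capture and conversion functions need tshark and capture privileges; the summary runs on any CSV, so you can sanity-check the baseline numbers on a few files before shipping the whole set to ELK.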

question asked: 07 Apr '17, 13:37

question was seen: 1,602 times

last updated: 08 Apr '17, 11:16

p​o​w​e​r​e​d by O​S​Q​A