This repo stores notes from analysing tcpdump captures with Wireshark. It contains tips, tricks, a theory overview and good practices.
- Wireshark
- GeoLite2 Free Geolocation Data
```bash
# Capture full packets (snaplen 65535) on eth0 into a pcap file
tcpdump -i eth0 -s 65535 -w /tmp/tcp_dump.pcap
# Live capture with a display filter: HTTP traffic from one source address
tshark -i eth0 -Y "ip.src==10.224.106.73 and http"
```
| Keyword | Symbol | Meaning / example |
|---------|--------|-------------------|
| `eq` | `==` | equality |
| `not` | `!` | negation |
| `or` | `\|\|` | logical or |
| `and` | `&&` | logical and |
| `contains` | | exact substring: `frame contains google` |
| `matches` | | regular expression: `http.host matches "\.(org\|com\|br)"` |
- TTL (Time to Live): routers passed through;
- Window Size;
- Delta Time (time between the last packets sent/received);
- TCP Options:
  - Acknowledgment
  - Push
  - Reset
  - Syn
```bash
# Remote capture streamed into a local Wireshark through a named pipe
mkfifo /tmp/pcap
# Run Wireshark in the background so this terminal stays free for ssh
wireshark -k -i /tmp/pcap &
# Start tcpdump on the remote host and write the pcap stream to the pipe
# (-U flushes each packet, -n skips DNS lookups); use one host per pipe
ssh user@host1 "tcpdump -s 0 -U -n -w -" > /tmp/pcap
ssh user@host2 "tcpdump -s 0 -U -n -w -" > /tmp/pcap
```
To read TLS messages we need the keys exchanged between client and server.
There are two ways to obtain them:

1. Add the SSLKEYLOGFILE variable to the environment
```bash
# Programs started from this shell that honour SSLKEYLOGFILE (browsers, curl) log their secrets here
echo 'export SSLKEYLOGFILE=/tmp/sslkeylogfile.log' >> ~/.bash_profile
```
2. Attach a Java agent to the running application to store all SSL keys in a file:
https://github.com/neykov/extract-tls-secrets
```bash
# Install a JDK (the agent attaches to a running JVM) and download the agent jar
wget https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.tar.gz
wget https://repo1.maven.org/maven2/name/neykov/extract-tls-secrets/4.0.0/extract-tls-secrets-4.0.0.jar
tar -xzvf jdk-17_linux-x64_bin.tar.gz
ln -s jdk-17.0.9/bin/java .
# JAVA_HOME points at the JDK root, not its bin directory
echo "export JAVA_HOME=$(pwd)/jdk-17.0.9" >> ~/.bash_profile
# List running JVMs, then attach the agent to the target pid and log its secrets
java -jar ~/Downloads/extract-tls-secrets-4.0.0.jar list
java -jar ~/Downloads/extract-tls-secrets-4.0.0.jar <pid> /tmp/secrets.log
```
Then point Wireshark at the log file: Preferences > Protocols > TLS > (Pre)-Master-Secret log filename (e.g. /tmp/sslkeylogfile.log or /tmp/secrets.log).
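Both routes above write the NSS key log format (one `LABEL client_random_hex secret_hex` line per secret), and Wireshark takes a single file, so it helps to check and merge the logs before loading them. The following is an added example, not code from this repo or from extract-tls-secrets; the sample log contents are constructed and the set of labels is limited to the common TLS 1.2/1.3 ones.

```python
import re

# Labels Wireshark reads from an NSS key log, mapped to the secret length in
# bytes (None: TLS 1.3 secrets are 32 or 48 bytes depending on the cipher's hash).
KNOWN_LABELS = {
    "CLIENT_RANDOM": 48,  # TLS 1.2 master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog_line(line):
    """Return (label, client_random, secret) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
        return None
    label, client_random, secret = parts
    # The ClientHello random is always 32 bytes, i.e. 64 hex digits.
    if len(client_random) != 64 or not HEX.match(client_random):
        return None
    expected = KNOWN_LABELS[label]
    if not HEX.match(secret) or len(secret) % 2:
        return None
    if expected is not None and len(secret) != 2 * expected:
        return None
    return label, client_random.lower(), secret.lower()

def merge_keylogs(logs):
    """Merge several key log texts; returns (kept_lines, rejected_count)."""
    seen, kept, rejected = set(), [], 0
    for text in logs:
        for raw in text.splitlines():
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue  # blank lines and comments are legal, just skipped
            parsed = parse_keylog_line(raw)
            if parsed is None:
                rejected += 1
                continue
            if parsed[:2] in seen:  # same session logged by both sources
                continue
            seen.add(parsed[:2])
            kept.append(" ".join(parsed))
    return kept, rejected

# Constructed sample logs (not real secrets): one written via SSLKEYLOGFILE, one by
# the Java agent; the agent log repeats a session and contains a malformed line.
BROWSER_LOG = ("CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
               + "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "dd" * 32 + "\n")
JAVA_LOG = ("# written by extract-tls-secrets\n"
            + "CLIENT_RANDOM " + "AA" * 32 + " " + "BB" * 48 + "\n"
            + "CLIENT_RANDOM deadbeef 1234\n")
```

Write the kept lines to one file and point the TLS preference above at it; a non-zero rejected count means a log has lines Wireshark would silently ignore.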