using tshark with timestamp and flags - packet-capture

I am trying to use tshark with a few flags and also get timestamp for each filtered trace. I am using this to filter all the DNS queries in my system.
I am not able to get the time stamps along with the filters working. For instance if i try something like
tshark -t ad -n -T fields -e ip.src -e dns.qry.name -f 'dst port 53' -Y "dns.flags.response eq 0"
I get the output as I want
192.168.1.3 clientservices.googleapis.com
192.168.1.3 play.google.com
192.168.1.3 play.google.com
I get the timestamp with
tshark -t ad
1 2018-09-02 21:12:20.536204429 61.223.125.209 → 192.168.1.3 UDP 174 12929 → 51465 Len=132
2 2018-09-02 21:12:20.536355008 192.168.1.3 → 61.223.125.209 UDP 126 51465 → 12929 Len=84
3 2018-09-02 21:12:20.599264715 192.168.1.3 → 176.31.225.118 TCP 54 45942 → 80 [FIN, ACK] Seq=1 Ack=1 Win=30016 Len=0
However I am not able to get both working together. Though the command runs it just outputs without the timestamp.
tshark -t ad -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0"
192.168.1.3 captive.apple.com
192.168.1.3 myip.opendns.com
192.168.1.3 ipv4.icanhazip.com
192.168.1.3 slack.com
Any pointers that can help in this regard. I am using tshark version 2.2.6 on Debian 9.

In your command, -t ad has no effect because -T fields overrides the output format. You'll need to display the timestamp as a new field in your fields format, using -e frame.time:
$ tshark -n -T fields -e frame.time -e ip.src -e dns.qry.name -f 'dst port 53' -Y "dns.flags.response eq 0"
Capturing on 'eno1'
Sep 3, 2018 15:49:46.354055274 CEST 10.0.0.1 google.co.uk
Sep 3, 2018 15:49:52.034315960 CEST 10.0.0.1 google.jp
Sep 3, 2018 15:49:54.561493702 CEST 10.0.0.1 google.cn

Related

How to remotely capture traffic across multiple SSH hops?

I want to debug another machine on my network but have to pass through one or more SSH tunnels to get there.
Currently:
# SSH into one machine
ssh -p 22 me#some_ip -i ~/.ssh/00_id_rsa
# From there, SSH into the target machine
# Note that this private key lives on this machine
ssh -p 1234 root#another_ip -i ~/.ssh/01_id_rsa
# Capture debug traffic on the target machine
tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap
But then it's a pain to successively copy that .pcap out. Is there a way to write the pcap directly to my local machine, where I have wireshark installed?
You should use ProxyCommand to chain ssh hosts and to pipe output of tcpdump directly into wireshark. To achieve that you should create the following ssh config file:
Host some_ip
IdentityFile ~/.ssh/00_id_rsa
Host another_ip
Port 1234
ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'
I tested this with full paths, so be carefull with ~
To see the live capture you should use something like
ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -
If you want to just dump pcap localy, you can redirect stdout to filename of your choice.
ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap
See also:
https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
https://serverfault.com/questions/503162/locally-examine-network-traffic-of-remote-machine/503380#503380
How can I have tcpdump write to file and standard output the appropriate data?

How to run netperf Omni-test with stream direction correctly

netperf v2.7.0
When I test latency use stream or maerts direction, I doubt my test results are correct.
$ netperf -H 172.18.44.3 -p 12345 -l 10 -j -c -C -t omni -- -d steam -k THROUGHPUT,THROUGHPUT_UNITS,MIN_LATENCY,MAX_LATENCY,RT_LATENCY,STDDEV_LATENCY,P50_LATENCY,P90_LATENCY,P99_LATENCY,LOCAL_TRANSPORT_RETRANS,REMOTE_TRANSPORT_RETRANS,LOCAL_CPU_UTIL,REMOTE_CPU_UTIL
OMNI Send TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 172.18.44.3 () port 0 AF_INET
THROUGHPUT=442.84
THROUGHPUT_UNITS=10^6bits/s
MIN_LATENCY=1
MAX_LATENCY=233127
RT_LATENCY=-1.000
STDDEV_LATENCY=2226.74
P50_LATENCY=3
P90_LATENCY=4
P99_LATENCY=12354
LOCAL_TRANSPORT_RETRANS=292
REMOTE_TRANSPORT_RETRANS=0
LOCAL_CPU_UTIL=7.82
REMOTE_CPU_UTIL=91.48
MAX_LATENCY, STDDEV_LATENCY, etc. are very large. This is impossible. So where is the problem? thx all.

How to setup a forward proxy without VPN?

I have a laravel application which is country restricted based on IP address. To get access to certain pages I need to bypass that restriction.
So here comes the proxy server. There are plenty of free and paid proxy sites are available but I want setup my own. I do have a server running in the country from which I can gain access to that certain pages. Please suggest me some way to setup the proxy so I can originate request through the server from that specific country?
Anything on forward proxy or squid will help me. I'm trying to avoid the VPN setup and all because It's too complex and time consuming.
Any help would be appreciated? Just point me to the right direction. Thanks in advance.
I managed to do that in following manner. I'm posting here if someone needs it. You need a SSH enabled server or machine from the country you want to browse from.
Steps to follow:
1] Open the terminal
2] Enter the following command
ssh -D 8123 -f -C -q -N root#ip
(If you have sshpass then sshpass -p 'password' ssh -D 8123 -f -C -q -N root#ip)
3] After that open firefox goto preference->advanced->Network tab->settings and select manual proxy configuration
and enter localhost in SOCKS host and 8123 as port. Then select SOCKS v5
4] Select ok and browse through Firefox. Make sure your ip address is from country you want. http://whatismyipaddress.com/.
Steps to follow to close the SSH tunnel connection.
1] Enter ps aux | grep ssh command on your terminal you will see connection like below.
root 991 0.0 0.0 61364 684 ? Ss 16:32 0:00 /usr/sbin/sshd -D
root 15204 0.0 0.0 50164 3256 ? Ss 19:27 0:00 ssh -D 8123 -f -C -q -N root#ip
root 15534 0.0 0.0 15940 928 pts/20 S+ 19:36 0:00 grep --color=auto ssh
2] Take the pid of SSH tunnel connection and enter the command kill 15204 to terminate the connection.
3] Reset the Firefox settings.
For easier access you can create an alias for that. (Optional)
1] On terminal enter sudo gedit ~/.bashrc
2] Copy paste the following command at end of the file.
alias SOCKS5='sshpass -p 'password' ssh -D 8123 -f -C -q -N root#ip'
alias DISPLAY='ps aux | grep ssh'
3] Save the file.
4] Execute . ~/.bashrc
5] You can use SOCKS5 and DISPLAY command directly from your terminal.

Get incoming ssh forwarded connection port number

I have a server who is forwarding connections to a set of other servers.
Here I forward all incomming connections on:
my.tunnel.com:33199 to my.server2.com:52222
And..
my.tunnel.com:33200 to my.server3.com:52222
.. until
my.tunnel.com:XXXXX to my.serverN.com:52222
I'm initiating this by the following command on each server, except the tunnel my.tunnel.com:
ssh -o StrictHostKeyChecking=no -l root -i /etc/ssh/id_rsa -R *:33199:127.0.0.1:22 -p 443 my.tunnel.com 0 33199
...
ssh -o StrictHostKeyChecking=no -l root -i /etc/ssh/id_rsa -R *:XXXXX:127.0.0.1:22 -p 443 my.tunnel.com 0 XXXXX
Well, this works fine!
But!
At the point of the launching of each of these commands I'd like to check on my.tunnel.com that my.server2.com wants my.tunnel.com to forward exactly from port 33199, but not another port! So at this point I'd like to get this port number.
Please let me know if the problem is still not enough clearly exposed.
Thanks!
To get the forwarded port
There is no such information in the environmental variables, so you must pass it yourself:
ssh -R 33199:127.0.0.1:22 my.tunnel.com "export MY_FWD_PORT=33199; my_command"
(my_command is the script you want to run on the server). More information about passing variables - https://superuser.com/q/163167/93604
To get the source port
Look at the environment variable SSH_CONNECTION in man ssh(1). Its meaning is:
source_ip source_port dest_ip dest_port
You probably want source_port, so just get the second part of it:
echo $SSH_CONNECTION | awk '{ print $2 }'
or
echo $SSH_CONNECTION | cut -d" " -f 2

creating 2 variables from a multiple pattern grep

I am attempting to create a proof of concept bash script to scan the network using ngrep, find appropriate cookies and then place them into a variable.
cook=`ngrep -s 1000 -l -q -d eth1 "Cookie:" tcp and port 80 |
grep -m 1 -Po '(?<=user=)[^;]+'`
cook2=`ngrep -s 1000 -l -q -d eth1 "Cookie:" tcp and port 80 |
grep -m 1 -Po '(?<=ab=)[^;]+'`
How can I store cookie & cookie2 from the ONE packet instead of having to ngrep twice?
Assuming the string is in this form
Cookie: foo=111; bar=222; baz=333
you can source the string, as it is valid Bash code. Example
ngrep -s 1000 -l -q -d eth1 'Cookie:' tcp and port 80 | cut -d: -f2- > v.sh
. v.sh
rm v.sh
cook="$user"
cook2="$ab"