I have a wireshark capture that contains an RTP multicast stream (plus some other incidental data).
Using a Tshark command like the following, I can produce a CSV of the RTP timestamp compared with the packet capture time:
tshark.exe -r "capture.pcap" -Eseparator=, -Tfields -e rtp.timestamp -e frame.time_epoch -d udp.port==5000,rtp
This decodes the UDP packets as RTP, and successfully prints out the two fields as expected.
Now, my question: The payload of the RTP stream is an MPEG2 Transport Stream, and I also want to print the PCR value (if there is one) alongside the packet and RTP timestamps.
In wireshark, I can see the PCR being decoded correctly, however using a command like the following:
tshark.exe -r "HBO HD CZ.pcap" -Eseparator=,-Tfields -e rtp.timestamp -e frame.time_epoch -e mp2t.af.pcr -d udp.port==5000,mp2t
...only prints out a "1" if there is a PCR oresent, not the actual value. I have also checked the .pcr_flag to confirm that these two are not exchanged, but still I see the same result.
The documentation seems to call mp2t.af.pcr a "Label", does this mean that Tshark is not able to use it as a field? Is there a way to generate a CSV with these values?
(What part of the documentation calls it a "Label"? That's a somewhat odd description of a named field.)
The problem is that the value that Wireshark displays after "base(XXX)*300 + ext(YYY)" is calculated and displayed, but the field itself isn't given an integral type and is instead given a type that doesn't have a value. Arguably, it should be an FT_UINT64 field and should be given a value, so that you can filter on it and can print the value in TShark.
Please file an enhancement request for this on the Wireshark Bugzilla.
Related
When first connecting to a new SSH host in Putty it displays a message asking me to verify the RSA fingerprint:
When viewing this same information on the network (e.g. through Wireshark), the same value is not shown, instead is shown as:
How can I calculate the fingerprint from the information shown in the Packet Capture?
The value shown in wireshark is the full public key from the server. The fingerprint (MD5 Hash value) of this value is shown to the user in putty as it's much easier (shorter) to read that expecting the user to match up the entire key.
To calculate the public key fingerprint it is necessary to first convert the hex stream given by Wireshark to the the byte stream equivilent then to calculate the MD5 hash from this and output in hexadecimal format.
A crude implementation of this in python is below which will take the wireshark value (HEX DH host Key copied as a HEX Stream) on STDIN and output the fingerprint on STDOUT:
import md5
import sys
# Accepts a wireshark encoded string on STDIN an outputs MD5 fingerprint to STDOUT
# The value copied from the 'HEX DH host Key' as a HEX Stream
wireshark_key = sys.stdin.readline()
# Change the HEX value into the raw byte stream, which will include non-printable characters
hex_string = wireshark_key.strip().decode("hex")
# Calculate the MD5 Hash of the byte stream and output in Hexidecimal format
md5_fingerprint = md5.new(hex_string).hexdigest()
# Tidy up the output so it matches what Putty displays
putty_fingerprint = ":".join([md5_fingerprint[i:i+2] for i in range(0, len(md5_fingerprint), 2)])
print(putty_fingerprint)
To run this, save the wireshark value (public key) to a file and then execute:
cat <key.txt> | python scriptname.py
The output should then match what is displayed by Putty on first connect as well as in the Event Log.
The following web pages were very useful in figured this all out:
http://passionateaboutis.blogspot.co.uk/2015/07/ssh-fingerprint-from-pcap.html
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
Whilst this script may be useful for one off cases, if you need to obtain fingerprints for a large number of hosts, nmap and one of it's NSE scripts may be more efficient:
https://nmap.org/nsedoc/scripts/ssh-hostkey.html
Saving the output from NMAP to XML will automatically store the calculated fingerprint for all hsots.
I want to generate some trace file from disk IO, but the problem is I need the actual input data along with timestamp, logical address and access block size, etc.
I've been trying to solve the problem by using the "blktrace | blkparse" with "iozone" on the ubuntu VirtualBox environment, but it seems not working.
There is an option in blkparse for setting the output format to show the packet data, -f "%P", but it dose not print anything.
below is the command that i use:
$> sudo blktrace -a issue -d /dev/sda -o - | blkparse -i - -o ./temp/blktrace.sda.iozone -f "%-12C\t\t%p\t%d\t%S:%n:%N\t\t%P\n"
$> iozone -w -e -s 16M -f ./mnt/iozone.dummy -i 0
In the printing format "%-12C\t\t%p\t%d\t%S:%n:%N\t\t%P\n", all other things are printed well, but the "%P" is not printed at all.
Is there anyone who knows why the packet data is not displayed?
OR anyone who knows other way to get the disk IO packet data with actual input value?
As far as I know blktrace does not capture the actual data. It just capture the metadata. One way to capture real data is to write your own kernel module. Some students at FIU.edu did that in this paper:
"I/O deduplication: Utilizing content similarity to ..."
I would ask this question in linux-btrace mailing list as well:
http://vger.kernel.org/majordomo-info.html
I am wondering that how to generate massive packet-in messages to the controller to test the response time of SDN controller in the environment of Mininet.
Can you give me some advice on it?
You could use iperf to send packets, like this:
$ iperf -c -F
You could specify the amount of time:
$IPERF_TIME (-t, --time)
The time in seconds to transmit for. Iperf normally works by repeatedly sending an array of len bytes for time seconds. Default is 10 seconds. See also the -l and -n options.
Here is a nice reference for iperf: https://iperf.fr/.
If you would like to use Scapy, try this:
from scapy.all import IP, TCP, send
data = "University of Network blah blah"
a = IP(dst="129.132.2.21")/TCP()/data
send(a)
using hiredis to pass the command to redis-server.
My code:
redisContext* c = redisConnect("127.0.0.1", 6379);
char y[15]={"pointx"};
strcat(y," 2");
redisReply* reply= (redisReply*)redisCommand(c,"set %s",y);
printf("%s\n", reply->str);
The output is "ERR wrong number of arguments for 'set' command".
However,it works when I change the code like this:
redisContext* c = redisConnect("127.0.0.1", 6379);
char y[15]={"pointx"};
char x[5] = {"2"};
redisReply* reply= (redisReply*)redisCommand(c,"set %s %s",y,x);
printf("%s\n", reply->str);
The output is "OK".
why??
The Redis server does not parse the command built with redisCommand. The server only accepts Redis protocol, with already delimited parameters.
Parsing therefore occurs in hiredis, and it applies only on the format string, in one step. For performance reasons, hiredis avoids multiple formatting passes (or a recursive implementation), so expansion of the parameters is not done before parsing, but while parsing in on-going - contrary to what you think.
Imagine your objects are very big (say several MB), you would not want them to be parsed at each query. This is why hiredis only parses the format string and not the parameters.
In your first example, hiredis parses a format string with a unique parameter, it builds a message with only one parameter, and redis receives:
$ netcat -l -p 6379
*2
$3
set
$8
pointx 2
which is an ill formed set command (one parameter only).
Long story short - I'm capturing SQLs from vendor tool to Oracle database by using Wireshark. It already has decoder for TNS protocol (which is great) and I can access text of SQL by
Right Click->Copy->Bytes(Printable Text Only).
The problem is that there are tons of packets and doing right-click on each of them could take ages. I was wondering if there any way to export 'Printable Text Only' right from Wireshark. Ideally I want to have a text file with statements.
Any help will be highly appreciated.
Finally found away to do this. First, use tshark capturing tns packets:
tshark -R tcp.port==1521 -T fields -e data.data -d tcp.port==1521,tns > input.txt
Then you could use home brew Ruby script below to transform from bytes to text:
file = ARGV[0]
print_all = ARGV[1]
File.open(file, "r").each {|line|
line.gsub(",", ":").split(':').each {|byte|
chr = Integer('0x' + byte).chr
print chr if ((' '..'~').include?(chr) or chr == "\n") or (print_all.downcase == 'all' if print_all)
} if !line.chomp.empty?
}
Examples are:
encode.rb input.txt > output.txt
will export printable text only from input to output
encode.rb input.txt all > output.txt
will export all text from input to output
An easy way of looking at them all that has worked for me is just Right Click -> Follow TCP Stream.
A note: unprintable characters are displayed as .s. If there are a bunch of these interspersed between all the text you want to extract (as there was for me), switch it to ASCII, save it and open it in your favourite text editor (vim for me), then run a search and replace similar to /\.//g.
I don't know how to do it with TNS. but you can do something like this using tshark, for example to look at http requests.
tshark -T fields -e http.request.uri
So if you can look at the options in the TNS decoder, you should be able to grab that field and redirect the output to a file.