[SOLVED] Analysing libpcap capture files automatically/CLI

daljian · 11-04-2011, 06:15 AM

Hi,
I've been coming here many times looking for answers, and it's proven to be a really useful source of information.

Now I have a question on my own which I'm hoping you guys have some ideas about

Really, what I want to do is to capture network traffic continuously so that I keep a day or so of traffic which can be analysed manually.

In addition to this, if I'm looking for something in particular. Ie, I want to find a SIP packages containing a specific header value or something else.
Basically, what I would normally use as display filter in wireshark I want to be able to do in a command line way to see if filter will show zero or more packages.

A bonus would be if I could get text representation of packages that are matched, but that should not be needed.

Any ideas?

BR
Göran

daljian · 11-04-2011, 08:29 AM

Hi,
I found that tshark can do what I need.
It supports display filters with the -R flag as the example below.

tshark -R "http.proxy_connect_host == "id.google.com"" -r /tmp/sample.pcap

daljian · 11-08-2011, 04:38 AM

End result in case someone is interested.

Code:

#!/bin/bash
#
# Configuration
#
#This script allows you to do an automated analysis based on display filter.

#path to save trace
TRACES_DIR=/tmp


HOSTNAME=`hostname`
FILE_NAME="${TRACES_DIR}/traffic_${HOSTNAME}.cap"
FILE_FILTER="${TRACES_DIR}/traffic_${HOSTNAME}*.cap"

#intervals in seconds
CAPTURE_INTERVAL=10
#Keep Analyse interval less than capture interval
let "ANALYSE_INTERVAL=${CAPTURE_INTERVAL} - 1"

#Ie, if you want to save all capture files that has to do with
# http traffic containing the phrase "tbg.nu" you can use the below
# For more on display filters, please have a look at:
# http://www.wireshark.org/docs/dfref/
DISPLAY_FILTER="http contains tbg.nu"
CAPTURE_FILTER="port 80"
MATCH_CRITERIA=".*"
MATCH_ACTION="/bin/gzip"
NO_MATCH_ACTION="/bin/rm"

function analyse
{
	capture_file=$(ls -tr ${FILE_FILTER} | tail -2 | head -1)
	number_of_captures=$(ls ${FILE_FILTER} | wc -l)
	chmod 666 $capture_file
	if [ ! ${capture_file}0 = "0" -a ${number_of_captures} -gt 1 ]; then
		matches=$(tshark -R "${DISPLAY_FILTER}" -r ${capture_file} | grep -c -e"${MATCH_CRITERIA}")
		if [ $matches -gt 0 ]; then
		  $MATCH_ACTION $capture_file
		else
		  $NO_MATCH_ACTION $capture_file
		fi
	fi
}
function capture
{
	#Let's capture 
	# tcp dump version: tcpdump -s 0 -C 12 -W 10  -i any -w /tmp/traffic
	sudo tshark -i any -b duration:${CAPTURE_INTERVAL} -w $FILE_NAME $CAPTURE_FILTER > /dev/null 2>&1
}
function checkroot
{
	if [ "$(id -u)" != "0" ]; then
		echo "This script must be run as root" 1>&2
	exit 1
fi
}


## Script start
checkroot
capture &
while [ true ]
do
   sleep ${ANALYSE_INTERVAL}
   analyse
done

exit 0