Tuesday, December 16, 2008

Afterglow and TShark

Fun with tshark (wireshark) command line


Submitted by daryl on Mon, 11/24/2008 - 23:33



* sniffer
* tshark
* visualization
* wireshark



Get csv output of source and destination IP addresses from a pcap (wireshark or tcpdump) capture file.



tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst



This prints one source,destination pair per packet, similar to:




192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.19,192.168.1.105
192.168.1.105,72.14.247.19
192.168.1.105,74.53.76.3
74.53.76.3,192.168.1.105
192.168.1.105,72.14.247.83
72.14.247.83,192.168.1.105



Then if you have afterglow installed you can create a visualization of the source and destination information by doing the following:



(from the $HOME/afterglow/src/perl/graph directory)



tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | perl afterglow.pl -c color.properties > file.dot



This writes a DOT description of the data for drawing a directed graph with neato.



Now use neato to render the DOT file as a GIF that displays the visualization of the data.




neato -Tgif -o test.gif ./file.dot
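The afterglow step above turns the tshark CSV into a DOT file for neato. As an added example (not from the post or from the afterglow project), the shell function below does the same conversion with only awk, so you can see what the pipeline produces without installing afterglow: it reads "src,dst" lines, collapses repeated pairs into a single edge labelled with the packet count, skips rows where tshark printed an empty field (frames with no IP layer), and emits a Graphviz digraph. The CSV sample embedded in it is constructed for the demonstration; the function name `csv_to_dot` and the output file name are my own choices.

```shell
#!/bin/sh
# Constructed sample of the CSV that
#   tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst
# emits. The addresses are illustrative, not taken from a real capture.
# The bare "," row imitates a non-IP frame (e.g. ARP), for which both fields are empty.
SAMPLE_CSV='192.168.1.105,192.168.1.120
192.168.1.105,192.168.1.120
192.168.1.120,192.168.1.105
72.14.247.83,192.168.1.105
192.168.1.105,72.14.247.83
,
192.168.1.105,74.53.76.3'

# csv_to_dot: read "src,dst" lines on stdin, write a Graphviz DOT digraph on stdout.
# Duplicate pairs become one edge whose label carries the packet count and whose
# penwidth grows with volume (capped at 5), so the picture shows who talks to whom
# and roughly how much, instead of one line per packet.
csv_to_dot() {
    printf 'digraph talkers {\n'
    printf '  node [shape=box, fontname="Helvetica"];\n'
    awk -F, '
        # keep only rows with exactly two non-empty fields
        NF == 2 && $1 != "" && $2 != "" { count[$1 "," $2]++ }
        END {
            for (pair in count) {
                split(pair, ends, ",")
                width = (count[pair] > 5) ? 5 : count[pair]
                printf "  \"%s\" -> \"%s\" [label=\"%d\", penwidth=%d];\n", \
                       ends[1], ends[2], count[pair], width
            }
        }'
    printf '}\n'
}

# Number of distinct src->dst edges produced for the sample (used for checks).
sample_edge_count() {
    printf '%s\n' "$SAMPLE_CSV" | csv_to_dot | grep -c -- '->'
}

# Stand-alone usage: print the DOT graph for the sample. Redirect it to a file and
# render it exactly as the post does:  neato -Tgif -o test.gif ./talkers.dot
printf '%s\n' "$SAMPLE_CSV" | csv_to_dot
```

To run it against a real capture, replace the sample with the tshark pipeline from the post: `tshark -r file.pcap -T fields -E separator=, -e ip.src -e ip.dst | csv_to_dot > talkers.dot`. Collapsing duplicates is the main thing to notice: a raw per-packet edge list makes neato draw hundreds of overlapping lines for a single conversation, whereas the counted edges keep the graph readable and make the heavy talkers stand out.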
