# Network Traffic Analysis with TShark API Reference
## TShark CLI Commands
```bash
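# Protocol hierarchy statistics
tshark -r capture.pcap -q -z io,phs

# IP conversations
tshark -r capture.pcap -q -z conv,ip

# TCP conversations
tshark -r capture.pcap -q -z conv,tcp

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport

# DNS query extraction
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name -e dns.qry.type

# HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# SYN-only packets (port scan detection)
tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
    -T fields -e ip.src -e ip.dst -e tcp.dstport

# Follow TCP stream (stream index 0; find indices with -z conv,tcp).
# -q suppresses the per-packet summary so only the reassembled stream is printed.
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Export objects (HTTP files)
# Exported objects are untrusted content pulled straight from the wire (they may
# be malware). Create the target directory yourself with restrictive permissions
# instead of relying on a pre-existing, possibly world-writable path, and never
# execute what lands there.
mkdir -p -m 700 /tmp/exported
tshark -r capture.pcap --export-objects http,/tmp/exported/

# Read live capture (requires capture privileges on the interface; prefer
# granting them to dumpcap over running tshark as root)
tshark -i eth0 -c 1000 -w output.pcap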
```
## PyShark Python API
```python
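import pyshark

# Read PCAP file.
# FileCapture drives a tshark child process; close the capture when done so the
# process and its handles are released instead of lingering until interpreter exit.
cap = pyshark.FileCapture("capture.pcap")
try:
    for pkt in cap:
        # Not every frame carries an IPv4 layer (ARP, IPv6, ...); reading
        # pkt.ip on such a frame raises AttributeError, so guard the access the
        # same way the dns/http layers are guarded below.
        if hasattr(pkt, "ip"):
            print(pkt.ip.src, pkt.ip.dst)
finally:
    cap.close()

# Live capture with display filter (needs capture privileges on the interface).
cap = pyshark.LiveCapture(interface="eth0", display_filter="http")
cap.sniff(timeout=30)

# Access packet layers.
# A layer attribute exists only when the dissector matched, so test before use.
for pkt in cap:
    if hasattr(pkt, "dns"):
        print(pkt.dns.qry_name)
    if hasattr(pkt, "http"):
        print(pkt.http.host, pkt.http.request_uri)
cap.close()

# BPF capture filter
# The BPF filter is applied by the capture engine before dissection, so it is the
# cheaper way to narrow a live capture; the display filter above is evaluated
# after dissection. Filter strings are passed through to tshark, so take them from
# trusted configuration rather than from untrusted input.
cap = pyshark.LiveCapture(interface="eth0", bpf_filter="port 53")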
```
## Common Display Filters
| Filter | Purpose |
|--------|---------|
| `dns.qry.name` | DNS queries |
| `http.request` | HTTP requests |
| `tcp.flags.syn==1 && tcp.flags.ack==0` | SYN-only segments (SYN-scan indicator) |
| `tls.handshake.type==1` | TLS Client Hello |
| `ip.addr==10.0.0.1` | Traffic to/from IP |
| `tcp.analysis.retransmission` | Retransmissions |
| `frame.len > 1400` | Large frames |
## Output Formats
```bash
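# JSON output
tshark -r capture.pcap -T json > output.json

# CSV-style fields
# -E quote=d quotes every value and -E occurrence=f keeps only the first
# occurrence of a multi-valued field. Without them a frame that carries a field
# more than once (e.g. the inner IP header quoted in an ICMP error) is joined
# with the same "," used as the column separator and shifts the columns.
tshark -r capture.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f \
    -e ip.src -e ip.dst

# PDML (XML)
tshark -r capture.pcap -T pdml > output.xml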
```