Script Time: mytcpdump
Finally, a clear view when analysing traffic
This small script provides a new command, mytcpdump. It accepts the same parameters as tcpdump itself, but its output is much easier to read.
mytcpdump
My script uses tshark to print the packets, so tshark has to be installed already. Paste the following into your console, or simply copy it into your .bashrc, and you are ready to go:
mytcpdump() {
    # Flag recording whether -v was passed
    local verbose=false
    # Check whether -v is among the given arguments
    for arg in "$@"; do
        if [[ "$arg" == "-v" ]]; then
            verbose=true
            break
        fi
    done
    # Run tcpdump and tshark according to the verbose flag:
    # tcpdump receives all arguments (including -v), tshark only gets -V
    if [ "$verbose" = true ]; then
        tcpdump -s 0 -l -w - "$@" | tshark -r - -V -t u -x
    else
        tcpdump -s 0 -l -w - "$@" | tshark -r - -t u
    fi
}
Usage
As you can see, I check whether the -v option was passed. Unfortunately tshark interprets this option as a request for its version number, which is why the wrapper cannot simply forward it to tshark.
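An added example (my own, not the function from the post) of how the -v conflict can be handled a little more thoroughly. The assumptions are mine: tcpdump's three verbosity levels -v, -vv and -vvv are mapped to tshark's one-line, full-dissection and dissection-plus-hex-dump modes, and the helper names mytcpdump_verbosity and mytcpdump_tshark_opts do not appear in the original. The variant also keeps tshark out of the root account, since only tcpdump needs root to open the interface while tshark merely dissects the pcap stream it reads from the pipe; the "Running as user "root"" warning in the sample output is tshark pointing at exactly that. Finally it replaces -l with tcpdump's -U, so that each packet is flushed into the pipe as soon as it is captured.

```shell
# Added example, not the function from the post.
# Assumptions: the helper names below are mine, and -vv/-vvv are mapped to
# tshark's hex dump (-x) in addition to full dissection (-V).

# Print the highest tcpdump verbosity level found in the arguments (0..3).
# tcpdump understands -v, -vv and -vvv; tshark would read a bare -v as
# "print version", so the level is never forwarded to tshark.
mytcpdump_verbosity() {
    local level=0 n
    for arg in "$@"; do
        case "$arg" in
            -vvv) n=3 ;;
            -vv)  n=2 ;;
            -v)   n=1 ;;
            *)    n=0 ;;
        esac
        if [ "$n" -gt "$level" ]; then
            level=$n
        fi
    done
    printf '%s\n' "$level"
}

# Map a verbosity level to the options tshark gets on the reading side:
# 0 -> one line per packet, 1 -> full dissection, 2 and up -> dissection + hex dump.
mytcpdump_tshark_opts() {
    case "$1" in
        0) printf '%s\n' "-t u" ;;
        1) printf '%s\n' "-V -t u" ;;
        *) printf '%s\n' "-V -t u -x" ;;
    esac
}

mytcpdump() {
    local level opts
    level=$(mytcpdump_verbosity "$@")
    opts=$(mytcpdump_tshark_opts "$level")
    # Only the capture needs root; tshark dissects the stream as the invoking
    # user.  -U makes tcpdump write every packet to the pipe immediately
    # instead of waiting for its output buffer to fill.
    # shellcheck disable=SC2086  # $opts is meant to be word-split
    sudo tcpdump -s 0 -U -w - "$@" | tshark -r - $opts
}
```

Usage is the same as in the post: mytcpdump port 443 gives the one-line view, mytcpdump -v port 443 the full dissection, and mytcpdump -vv port 53 adds the hex dump. The two helpers are kept separate from the capture so that the argument handling can be tested without an interface to sniff on.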
Without -v
If I call mytcpdump without -v, the output looks like this:
# mytcpdump port 443
Running as user "root" and group "root". This could be dangerous.
tcpdump: listening on wlp165s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    1 10:49:29,887707 192.168.101.11 → 192.168.104.11 TLSv1.2 1669 Application Data
    2 10:49:29,893678 192.168.104.11 → 192.168.101.11 TCP 66 443 → 55346 [ACK] Seq=1 Ack=1604 Win=1989 Len=0 TSval=1366530496 TSecr=3944055261
    3 10:49:29,952902 192.168.104.11 → 192.168.101.11 TLSv1.2 3214 Application Data
    4 10:49:29,952957 192.168.101.11 → 192.168.104.11 TCP 66 55346 → 443 [ACK] Seq=1604 Ack=3149 Win=573 Len=0 TSval=3944055326 TSecr=1366530553
    5 10:49:30,548530 192.168.101.11 → 185.101.172.237 TLSv1.2 1063 Application Data
    6 10:49:30,554485 185.101.172.237 → 192.168.101.11 TCP 66 443 → 59274 [ACK] Seq=1 Ack=998 Win=31481 Len=0 TSval=1069782791 TSecr=423342724
    7 10:49:30,598442 185.101.172.237 → 192.168.101.11 TLSv1.2 1225 Application Data
With -v
If I call mytcpdump with -v, the output changes to:
Frame 48: 153 bytes on wire (1224 bits), 153 bytes captured (1224 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 27, 2024 11:53:02.627115000 CET
    UTC Arrival Time: Oct 27, 2024 10:53:02.627115000 UTC
    Epoch Arrival Time: 1730026382.627115000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.002292000 seconds]
    [Time delta from previous displayed frame: 0.002292000 seconds]
    [Time since reference or first frame: 3.018656000 seconds]
    Frame Number: 48
    Frame Length: 153 bytes (1224 bits)
    Capture Length: 153 bytes (1224 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
Ethernet II, Src: 00:a1:98:00:10:00 (00:a1:98:00:10:00), Dst: Intel_78:92:45 (94:e2:3c:78:92:45)
    Destination: Intel_78:92:45 (94:e2:3c:78:92:45)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 00:a1:98:00:10:00 (00:a1:98:00:10:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.101.254, Dst: 192.168.101.11
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 139
    Identification: 0x7aff (31487)
    000. .... = Flags: 0x0
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: UDP (17)
    Header Checksum: 0xb308 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.101.254
    Destination Address: 192.168.101.11
    [Stream index: 0]
User Datagram Protocol, Src Port: 53, Dst Port: 57402
    Source Port: 53
    Destination Port: 57402
    Length: 119
    Checksum: 0xba66 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 17]
    [Stream Packet Number: 2]
    [Timestamps]
        [Time since first frame: 0.002292000 seconds]
        [Time since previous frame: 0.002292000 seconds]
    UDP payload (111 bytes)
Domain Name System (response)
    Transaction ID: 0x1b68
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 4
    Authority RRs: 0
    Additional RRs: 0
    Queries
        avatars.githubusercontent.com: type A, class IN
            Name: avatars.githubusercontent.com
            [Name Length: 29]
            [Label Count: 3]
            Type: A (1) (Host Address)
            Class: IN (0x0001)
    Answers
        avatars.githubusercontent.com: type A, class IN, addr 185.199.109.133
            Name: avatars.githubusercontent.com
            Type: A (1) (Host Address)
            Class: IN (0x0001)
            Time to live: 169 (2 minutes, 49 seconds)
            Data length: 4
            Address: 185.199.109.133
        avatars.githubusercontent.com: type A, class IN, addr 185.199.110.133
            Name: avatars.githubusercontent.com
            Type: A (1) (Host Address)
            Class: IN (0x0001)
            Time to live: 169 (2 minutes, 49 seconds)
            Data length: 4
            Address: 185.199.110.133
        avatars.githubusercontent.com: type A, class IN, addr 185.199.111.133
            Name: avatars.githubusercontent.com
            Type: A (1) (Host Address)
            Class: IN (0x0001)
            Time to live: 169 (2 minutes, 49 seconds)
            Data length: 4
            Address: 185.199.111.133
        avatars.githubusercontent.com: type A, class IN, addr 185.199.108.133
            Name: avatars.githubusercontent.com
            Type: A (1) (Host Address)
            Class: IN (0x0001)
            Time to live: 169 (2 minutes, 49 seconds)
            Data length: 4
            Address: 185.199.108.133
    [Request In: 47]
    [Time: 0.002292000 seconds]

0000  94 e2 3c 78 92 45 00 a1 98 00 10 00 08 00 45 00   ..<x.E........E.
0010  00 8b 7a ff 00 00 40 11 b3 08 c0 a8 65 fe c0 a8   ..z...@.....e...
0020  65 0b 00 35 e0 3a 00 77 ba 66 1b 68 81 80 00 01   e..5.:.w.f.h....
0030  00 04 00 00 00 00 07 61 76 61 74 61 72 73 11 67   .......avatars.g
0040  69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74   ithubusercontent
0050  03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00   .com............
0060  00 00 a9 00 04 b9 c7 6d 85 c0 0c 00 01 00 01 00   .......m........
0070  00 00 a9 00 04 b9 c7 6e 85 c0 0c 00 01 00 01 00   .......n........
0080  00 00 a9 00 04 b9 c7 6f 85 c0 0c 00 01 00 01 00   .......o........
0090  00 00 a9 00 04 b9 c7 6c 85                        .......l.
Conclusion
I find the output without the -v option much clearer than tcpdump's own. If, however, you want to understand the packets in detail, it is not ideal to first have to save them to a PCAP file, transfer that file to your local machine via SCP, and finally start Wireshark and import it. In that case the -v option is very helpful, because it lets you analyse the packets directly on the target machine itself.
If you find this interesting, feel free to take a look at my other ideas and scripts; maybe there is something else there you can use: