Extracting unnamed fields from PCAP using tshark
I'm trying to extract data from PCAPs in order to determine who the user was during the session and / or the host name of the computer.
Most of the time I just do a string search in the packet details for some of the fields listed at the bottom. I tinkered a little with:
tshark -r data.pcap -T fields -e bittorrent.info_hash
and it gave the results, but a lot of empty fields as well.
Two questions. First, how do I tell tshark to only give me output on fields that have data present?
Second, how do I tell it to grep for some of the following examples?
==========
To find the Host Name I do a string search in the packet details for the following:
Host Name:
Host=
NetBIOSName
HostAddress
Server Name (Service and Host): host/[hostname].
NetBIOS Host
DnsDomain
To find the user name I do a string search in the packet details for the following:
Client Name (Principal)
User name:
COOKIE_last_login=
CN=
Filename:
Any help would be greatly appreciated :)
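An added example (not from the original post) that addresses both questions: a tshark display filter (-Y) with a bare field name selects only packets where that field is present, `frame contains "..."` does the string search, and a small parser drops the empty columns from `-T fields` output. The field names in HOST_FIELDS and USER_FIELDS are assumptions; confirm them against `tshark -G fields` for your Wireshark version.

```python
"""Pull host/user identifiers out of a PCAP with tshark, keeping only
packets that actually carry the field (added example, not the post's code)."""
import subprocess
from typing import Dict, List, Optional

# Markers from the post mapped to Wireshark field names. This mapping is an
# assumption of the example: verify each name with `tshark -G fields`.
HOST_FIELDS = ["http.host", "nbns.name", "ntlmssp.auth.hostname", "dns.qry.name"]
USER_FIELDS = ["kerberos.CNameString", "ntlmssp.auth.username"]
SEP = "|"  # column separator for -T fields output


def presence_filter(fields: List[str], needles: Optional[List[str]] = None) -> str:
    """Build a -Y display filter that matches only when at least one field is
    present (a bare field name means "field exists") or when the raw frame
    contains one of the search strings from the post."""
    terms = list(fields)
    for n in needles or []:
        terms.append('frame contains "%s"' % n.replace('"', '\\"'))
    return " || ".join(terms)


def tshark_argv(pcap: str, fields: List[str], needles=None) -> List[str]:
    """tshark command line: filter first, then print the chosen fields."""
    argv = ["tshark", "-r", pcap, "-Y", presence_filter(fields, needles),
            "-T", "fields", "-E", "separator=" + SEP, "-E", "occurrence=f"]
    for f in fields:
        argv += ["-e", f]
    return argv


def parse_rows(output: str, fields: List[str]) -> List[Dict[str, str]]:
    """Turn -T fields output into dicts, dropping empty columns and rows
    with no data at all (the "lots of empty fields" the post complains about)."""
    rows = []
    for line in output.splitlines():
        row = {f: v for f, v in zip(fields, line.split(SEP)) if v}
        if row:
            rows.append(row)
    return rows


def extract(pcap: str, fields: List[str], needles=None) -> List[Dict[str, str]]:
    """Run tshark on a real capture and return only populated rows."""
    proc = subprocess.run(tshark_argv(pcap, fields, needles),
                          capture_output=True, text=True, check=True)
    return parse_rows(proc.stdout, fields)


# Constructed sample of what tshark prints for three packets (4 host fields).
SAMPLE_OUTPUT = "|||\n|WORKSTATION01<00>||\n|||intranet.example.com\n"

if __name__ == "__main__":
    for r in parse_rows(SAMPLE_OUTPUT, HOST_FIELDS):
        print(r)
```

To grep for the post's literal markers instead of named fields, pass them as needles, e.g. `extract("data.pcap", USER_FIELDS, ["User name:", "CN="])`.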