Wireshark mailing list archives
Extracting specific fields from a PCAP
From: Joseph Cooper <josephdcooper () gmail com>
Date: Wed, 29 May 2013 16:42:59 +0000 (UTC)
I'm trying to get some sort of script made so I can input a PCAP and have it pull out specific fields. The intent is to make identifying the user and hostname of an infected machine much faster. I usually do a String Search for Packet Details in Wireshark for the following, and it works great, but I'd like to make it automated, if possible, and have it all output in a single txt file.

===============================
To find the host name:
Workstation Host Name:
Host=
NetBIOSName
NetBIOS Host
HostAddress

To find the username:
Client Name (Principal)
User name:
COOKIE_last_login=
CN=
Filename:
===============================

Unfortunately most of the fields are listed as "Text" and do not have a specific name like dns.resp.name or dns.qry.name. I've tried using tshark, but the output gives the empty fields, as well as the ones I want. If I output it to a txt file it is usually about 25KB because of all the new lines.

For tshark I tried to extract dns.srv.name. In Wireshark it shows the field name with the host name of the computer, but the packet bytes show it in hex. I tried to have the output converted from hex to ascii but couldn't get that to work either. All I would get for the output was a txt file full of new lines and "tcp.local_".

I thought I could use ngrep but I can't seem to figure out how to get it to output the contents of the named field (ex: dns.qry.name).

Another idea I thought would work would be to use tshark and byte-offsets, but I can't figure out how to get the proper field name, then the bytes after that for the "text" field holding the info I want.

I know this is probably a tall order. Any help is greatly appreciated. Let me know if you need more details.
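An added example, not code from the post or from the Wireshark project, that automates the manual string search described above: a pure-Python reader for classic libpcap files that scans each packet's raw bytes for the listed markers and collects whatever printable run follows them, then writes everything to one txt file. The category names, the `build_pcap` helper and the sample payloads are constructed for illustration and are not from the post.

```python
import re
import struct

# Markers the post searches for by hand in Wireshark. The category names are assumed.
MARKERS = {
    "hostname": [b"Workstation Host Name:", b"Host=", b"NetBIOSName", b"NetBIOS Host", b"HostAddress"],
    "username": [b"Client Name (Principal)", b"User name:", b"COOKIE_last_login=", b"CN=", b"Filename:"],
}

def iter_packets(pcap_bytes):
    """Yield raw packet bytes from a classic libpcap capture (magic 0xa1b2c3d4, either byte order)."""
    magic = pcap_bytes[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic libpcap file (pcapng / nanosecond pcap not handled)")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    offset = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len

def extract_fields(pcap_bytes):
    """Return {category: sorted unique values}; a value is the printable, space-free run after a marker."""
    found = {cat: set() for cat in MARKERS}
    for pkt in iter_packets(pcap_bytes):
        for cat, markers in MARKERS.items():
            for marker in markers:
                # optional ' ', ':' or '=' after the marker, then the value up to the next non-printable/space
                for match in re.finditer(re.escape(marker) + rb"[ :=]*([\x21-\x7e]+)", pkt):
                    found[cat].add(match.group(1).decode("ascii"))
    return {cat: sorted(values) for cat, values in found.items()}

def write_report(pcap_path, out_path):
    """Scan a capture file and write one txt report grouped by category; returns the same data."""
    with open(pcap_path, "rb") as f:
        results = extract_fields(f.read())
    with open(out_path, "w") as out:
        for cat, values in results.items():
            out.write(f"[{cat}]\n" + "".join(v + "\n" for v in values))
    return results

def build_pcap(payloads):
    """Constructed test capture: each payload becomes one record with linktype 147 (USER0, raw bytes)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in payloads)

if __name__ == "__main__":
    sample = build_pcap([b"\x00\x01Workstation Host Name: WKSTN-042\x00", b"User name: jdoe\r\nHost=WKSTN-042"])
    print(extract_fields(sample))  # constructed sample: hostname WKSTN-042, username jdoe
```

For fields tshark already names, `tshark -r in.pcap -T fields -e dns.qry.name -Y dns.qry.name` restricts output to packets where the field is present, which removes the empty lines the post mentions.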