Re: Extracting specific fields from a PCAP

[Joseph Cooper <josephdcooper () gmail com>]

Joseph Cooper <josephdcooper@...> writes:

> I'm trying to get some sort of script made so I can input a PCAP and have it
> pull out specific fields. The intent is to make identifying the user and
> hostname of an infected machine much faster.
>
> I usually do a String Search for Packet Details in Wireshark for the
> following, and it works great, but I'd like to make it automated, if
> possible, and have it all output in a single txt file.
>
> ===============================
> To find the host name:
> Workstation 
> Host Name:
> Host=
> NetBIOSName
> NetBIOS Host
> HostAddress
>
> To find the username:
> Client Name (Principal)
> User name:
> COOKIE_last_login=
> CN=
> Filename:
>
> ===============================
>
> Unfortunately most of the fields are listed as "Text" and do not have a
> specific name like dns.resp.name or dns.qry.name.
>
> I've tried using tshark, but the output gives the empty fields, as well as
> the ones I want. If I output it to a txt file it is usually about 25KB
> because of all the new lines.
>
> For tshark I tried to extract dns.srv.name. In Wireshark it shows the field
> name with the host name of the computer, but the packet bytes show it in
> hex. I tried to have the output converted from hex to ascii but couldn't get
> that to work either. All I would get for the output was a txt file full of
> new lines and "tcp.local_"
>
> I thought I could use ngrep but I can't seen to figure out how to get it to
> output the contents of the named field (ex: dns.qry.name)
>
> Another idea I thought would work would be to use tshark and byte-offsets,
> but I can't figure out how to get the proper field name, then the bytes
> after that for the "text" field holding the info I want.
>
> I know this is probably a tall order. Any help is greatly appreciated. Let
> me know if you need more details.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@...>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@...?subject=unsubscribe


I've found mostly what I need now. Instead of using the fields below I found
the field names which most closely match and give me the info I need (usually)

Host Name:
dns.resp.name
dns.qry.name
browser.server
kerberos.hostaddresses (outputs only "1", maybe hex raw output converted to
ascii?)
kerberos.hostaddress (same as above)
kerberos.addr_nb (WORKS GREAT)
kerberos.name_string
netlogon.secchan.nl_auth_message.nb_host (WORKS GREAT)
netlogon.secchan.nl_auth_message.nb_host_uft8 (WORKS GREAT)

User Name:
smb2.filename
smb.file
kerberos.name_string (subfield of kerberos.sname)

Now I just need help on getting tshark to just give me the data that exists,
and not the empty fields in the results. Anyone know how to get it to do that?

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe