EXTRACTING DATA

EXPORTING OBJECTS

EXTRACTING FILES

The --export-objects option helps analysts extract the files carried over DICOM, HTTP, IMF, SMB and TFTP traffic.

root@dco:~$ tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q
 
# view the target folder content.
root@dco:~$ ls -l /home/ubuntu/Desktop/extracted-by-tshark/
 total 24
 -rw-r--r-- 1 ubuntu ubuntu  'ads%3fclient=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&o
 -rw-r--r-- 1 ubuntu ubuntu download.html

EXTRACTING CLEARTEXT CREDENTIALS

The -z credentials statistic helps analysts detect and collect cleartext credentials from FTP, HTTP, IMAP, POP and SMTP.

root@dco:~$ tshark -r credentials.pcap -z credentials -q
 ===================================================================
 Packet     Protocol         Username         Info            
 ------     --------         --------         --------
 72         FTP              admin            Username in packet: 37
 80         FTP              admin            Username in packet: 47
 83         FTP              admin            Username in packet: 54
 118        FTP              admin            Username in packet: 93
 123        FTP              admin            Username in packet: 97
 167        FTP              administrator    Username in packet: 133
 207        FTP              administrator    Username in packet: 170
 220        FTP              administrator    Username in packet: 184
 230        FTP              administrator    Username in packet: 193
 ....
===================================================================

EXTRACTING SYSTEM/HOST NAMES (DHCP)

root@dco:~$ tshark -V -r smallFlows.pcap -Y "udp.port==67 or udp.port==68" -T fields -e dhcp.option.hostname | nl | awk NF
 1 student01-PC
 2 vinlap01
