naoki86star

このインターネットの片隅で、バルスと唱えてみる

combinates tshark with tcpdump

TSHARK does't accept filters when reading from files, so I combinates tshark with tcpdump.

tcpdump -r something.pcap udp and port 53 -w - | tshark -r - -V | less

you know that tshark filter expression is storonger than tcpdump's.

なんだかなぁ(no way)


By the way,
On a server of mine in internet , in half of days captured pcaps,
I watched INVITATION FOR COOPERATIVE ATTACK(?), ( or just scanning).

The values that X indicates is my address , its unique.

Same of Y is others address, some IP values are counted .


15:35:23.621063 IP Y.Y.Y.Y.39760 > X.X.X.X.53: 61442+ [1au] ANY? com. (32)
        0x0000:  4500 003c d431 0000 f011 df80 YYYY YYYY  E..<.1.......^o.
        0x0010:  XXXX XXXX 9b50 0035 0028 d91a f002 0100  ..\..P.5.(......
        0x0020:  0001 0000 0000 0001 0363 6f6d 0000 ff00  .........com....
        0x0030:  0100 0029 1000 0000 0000 0000            ...)........
16:03:59.663147 IP Y.Y.Y.Y.61354 > X.X.X.X.389: UDP, length 52
        0x0000:  4500 0050 25de 4000 3011 85da YYYY YYYY  E..P%.@.0....i..
        0x0010:  XXXX XXXX efaa 0185 003c 03e0 3084 0000  ..\......<..0...
        0x0020:  002d 0201 0163 8400 0000 2404 000a 0100  .-...c....$.....
        0x0030:  0a01 0002 0100 0201 0001 0100 870b 6f62  ..............ob
        0x0040:  6a65 6374 636c 6173 7330 8400 0000 0000  jectclass0......
05:17:40.340904 IP Y.Y.Y.Y.38896 > X.X.X.X.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
        0x0000:  4500 0047 d431 0000 ea11 2fe3 YYYY YYYY  E..G.1..../.4I..
        0x0010:  XXXX XXXX 97f0 00a1 0033 0000 3029 0201  ..\......3..0)..
        0x0020:  0104 0670 7562 6c69 63a0 1c02 040c d8a2  ...public.......
        0x0030:  6302 0100 0201 0030 0e30 0c06 082b 0601  c......0.0...+..
        0x0040:  0201 0101 0005 00
08:45:00.966687 IP Y.Y.Y.Y.49139 > X.X.X.X.1900: UDP, length 91
        0x0000:  4500 0077 0000 4000 3211 aa77 YYYY YYYY  E..w..@.2..w....
        0x0010:  XXXX XXXX bff3 076c 0063 d96f 4d2d 5345  ..\....l.c.oM-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a48 6f73 743a 3233 392e 3235 352e 3235  .Host:239.255.25
        0x0040:  352e 3235 303a 3139 3030 0d0a 5354 3a73  5.250:1900..ST:s
        0x0050:  7364 703a 616c 6c0d 0a4d 616e 3a22 7373  sdp:all..Man:"ss
        0x0060:  6470 3a64 6973 636f 7665 7222 0d0a 4d58  dp:discover"..MX
        0x0070:  3a33 0d0a 0d0a 00

I beleaved all of ip address are masked:-p