Tshark | Zeek Copy & Paste

I don't know why but I like this more than wireshark itself

After I create this blog I realized that I shouldn't be creating this, I should create a tool that comprises all of these small scripts, maybe it will lose some of its flexibility but I have a streamlined process, just maybe

Blog that I read

https://darkdefender.medium.com/the-zeek-cut-cheat-sheet-d16663439ef4 (good query strings and stuffs)

Tshark

The best ref is here: https://tshark.dev/

Export file from the pcap

tshark -r ${file} --export-object ${protocol},${path_for_the_output}

Get User-Agent from a pcap file

tshark -r sample.pcap -T fields -e http.user_agent tcp.dstport==80 | sort | uniq -c | sort -n

Zeek

Check SSL Certificate

Most malware and C2 these days will leverage HTTPS so checking whether the SSL certificate is self-sign or not is quite useful

cat ssl.log | zeek-cut id.orig_h id.resp_h id.resp_p validation_status | grep 'self signed' | sort | uniq

Unique DNS

Effective for mass checking something

cat dns.log | zeek-cut -d ts id.orig_h id.resp_h query | awk '{print $4}' | so
rt | uniq -c | sort -na

PreviousThe Basic NextNetwork Analysis Resources

Last updated 2 years ago

Was this helpful?