I don't know why but I like this more than Wireshark itself
After I created this blog, I realized that I shouldn't be creating this; I should create a tool that comprises all of these small scripts. Maybe it will lose some of its flexibility, but I'd have a streamlined process. Just maybe.
(good query strings and such)
The best reference is here:
# Dump every object tshark can reassemble for a protocol (e.g. http, smb, tftp) into a directory
tshark -r ${file} --export-objects ${protocol},${path_for_the_output}
# Count User-Agent strings seen on port 80; the filter also requires the field to be present so empty lines are not counted
tshark -r sample.pcap -T fields -e http.user_agent -Y "http.user_agent && tcp.dstport == 80" | sort | uniq -c | sort -n
Most malware and C2 these days will leverage HTTPS, so checking whether the SSL certificate is self-signed or not is quite useful.
cat ssl.log | zeek-cut id.orig_h id.resp_h id.resp_p validation_status | grep 'self signed' | sort | uniq
Effective for checking a large volume of DNS queries at once
# With -d the timestamp is printed as a single human-readable field, so the query is column 4
cat dns.log | zeek-cut -d ts id.orig_h id.resp_h query | awk '{print $4}' | sort | uniq -c | sort -n
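An added example (my code, not from the post or from the Zeek project) that re-runs the ssl.log and dns.log pipelines above on constructed sample logs: `zcut` is a small awk stand-in for `zeek-cut` that resolves column names from the log's `#fields` header, which is what makes the by-name selection robust where `awk '{print $4}'` depends on column position and on values containing no spaces. The log contents and the `zcut`, `self_signed_peers` and `top_queries` names are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post or Zeek): an awk stand-in for zeek-cut that looks up
# columns by name from the "#fields" header, then re-runs the post's ssl.log and
# dns.log pipelines on constructed sample logs. All log contents are made up.
set -eu

# Constructed ssl.log excerpt in Zeek TSV format (%b expands the \t separators).
SSL_LOG=$(printf '%b\n' \
  '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tvalidation_status' \
  '#types\ttime\tstring\taddr\tport\taddr\tport\tstring' \
  '1700000000.1\tCAAAA1\t10.0.0.5\t51000\t203.0.113.10\t443\tok' \
  '1700000001.2\tCAAAA2\t10.0.0.5\t51001\t198.51.100.7\t8443\tself signed certificate' \
  '1700000002.3\tCAAAA3\t10.0.0.9\t51002\t198.51.100.7\t8443\tself signed certificate in certificate chain' \
  '1700000003.4\tCAAAA4\t10.0.0.5\t51003\t198.51.100.7\t8443\tself signed certificate')

# Constructed dns.log excerpt: three lookups of one name from one host, one of another.
DNS_LOG=$(printf '%b\n' \
  '#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery' \
  '1700000010.0\tCBBBB1\t10.0.0.5\t10.0.0.53\tbeacon.example.net' \
  '1700000020.0\tCBBBB2\t10.0.0.5\t10.0.0.53\tbeacon.example.net' \
  '1700000030.0\tCBBBB3\t10.0.0.9\t10.0.0.53\twww.example.org' \
  '1700000040.0\tCBBBB4\t10.0.0.5\t10.0.0.53\tbeacon.example.net')

# zcut FIELD...: print the named columns (tab-separated) of a Zeek log read on stdin.
# Column indices come from the #fields header, so this keeps working when the log's
# column order changes or a value contains spaces (where awk '{print $4}' would not).
zcut() {
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
    /^#/ { next }
    { out = ""
      for (k = 1; k <= n; k++) out = out (k > 1 ? "\t" : "") $(idx[w[k]])
      print out }'
}

# The post's ssl.log pipeline: connections whose certificate failed validation as
# self-signed, one line per distinct (client, server, port, status) tuple.
self_signed_peers() {
  printf '%s\n' "$SSL_LOG" | zcut id.orig_h id.resp_h id.resp_p validation_status \
    | grep 'self signed' | sort | uniq
}

# The post's dns.log pipeline: query names by frequency, most frequent first.
top_queries() {
  printf '%s\n' "$DNS_LOG" | zcut query | sort | uniq -c | sort -rn
}
```

Replace the two `printf '%s\n' "$..._LOG"` feeds with `cat ssl.log` / `cat dns.log` to run the same functions over real Zeek output.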