T2 for Wireshark users
Introduction
This tutorial presents how to perform some common Wireshark tasks with T2.
File > Export Objects > FTP-DATA…
Configure ftpDecode as follows:
t2conf ftpDecode -D FTP_SAVE=1
Build ftpDecode:
t2build ftpDecode
Run t2 on your pcap:
t2 -r file.pcap
The FTP-DATA objects have been saved into the /tmp/FTPFILES/ folder.
File > Export Objects > HTTP…
Configure httpSniffer as follows:
t2conf httpSniffer -D HTTP_SAVE_IMAGE=1 -D HTTP_SAVE_VIDEO=1 -D HTTP_SAVE_AUDIO=1 -D HTTP_SAVE_MSG=1 -D HTTP_SAVE_TEXT=1 -D HTTP_SAVE_APPL=1 -D HTTP_SAVE_PUNK=1
Build httpSniffer:
t2build httpSniffer
Run t2 on your pcap:
t2 -r file.pcap
Look into the /tmp/ folder; you should see the following folders:
/tmp/httpAppl /tmp/httpMSG /tmp/httpPunk /tmp/httpVideo
/tmp/httpAudio /tmp/httpPicture /tmp/httpText
Note that the files are extracted into the folder matching their MIME type (as declared in the HTTP Content-Type header), which may differ from their actual type.
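Because the folder only reflects the declared MIME type, a check worth running after this step is to compare each extracted file's leading bytes with the folder it was filed under. The script below is an added example, not part of T2 or httpSniffer; it assumes the /tmp output root shown above and only knows a handful of common magic numbers.

```shell
#!/bin/sh
# Flag httpSniffer exports whose magic bytes disagree with their folder.
# Added example (not T2 code); assumes the /tmp/http* layout shown above.

# Print a coarse type guessed from the first four bytes of a file.
magic_type() {
    hex=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        ffd8ff*)  echo image ;;   # JPEG
        89504e47) echo image ;;   # PNG
        47494638) echo image ;;   # GIF
        25504446) echo appl ;;    # PDF  (%PDF)
        504b0304) echo appl ;;    # ZIP / Office OOXML / JAR (PK..)
        4d5a*)    echo appl ;;    # Windows PE (MZ)
        7f454c46) echo appl ;;    # ELF
        *)        echo unknown ;;
    esac
}

# Map an httpSniffer folder name to the coarse type it is expected to hold.
expected_type() {
    case "$1" in
        httpPicture) echo image ;;
        httpAppl)    echo appl ;;
        *)           echo unknown ;;
    esac
}

# Print one line per file whose magic bytes disagree with its folder.
# Returns 0 when no mismatch was found, 1 otherwise.
check_exports() {
    root=${1:-/tmp}
    found=0
    for dir in "$root"/http*/; do
        [ -d "$dir" ] || continue
        folder=$(basename "$dir")
        want=$(expected_type "$folder")
        for f in "$dir"*; do
            [ -f "$f" ] || continue
            got=$(magic_type "$f")
            if [ "$got" != unknown ] && [ "$got" != "$want" ]; then
                printf '%s: filed as %s but looks like %s\n' "$f" "$folder" "$got"
                found=1
            fi
        done
    done
    return $found
}
```

Run it as `check_exports /tmp` after t2 has finished; a non-zero exit status means at least one file was filed under a folder that does not match its content.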
File > Export Objects > SMB…
Configure smbDecode as follows:
t2conf smbDecode -D SMB1_SAVE_DATA=1 -D SMB2_SAVE_DATA=2
Build smbDecode:
t2build smbDecode
Run t2 on your pcap:
t2 -r file.pcap
The SMB objects have been saved into the /tmp/TranSMB/ folder.
File > Export Objects > TFTP…
Configure tftpDecode as follows:
t2conf tftpDecode -D TFTP_SAVE=1
Build tftpDecode:
t2build tftpDecode
Run t2 on your pcap:
t2 -r file.pcap
The TFTP objects have been saved into the /tmp/TFTPFILES/ folder.
Statistics > DHCP (BOOTP) Statistics
Configure dhcpDecode as follows:
t2conf dhcpDecode -D DHCPMOTOUT=2
Build dhcpDecode:
t2build dhcpDecode
Run t2 on your pcap:
t2 -r file.pcap
Run the following tawk query:
tawk 'dhcp() { aggr($dhcpMTypeNms) }' file_packets.txt
Statistics > Protocol Hierarchy
Build the protoStats plugin:
t2build protoStats
Run t2 on your pcap:
t2 -r file.pcap
Then use the protStat script to sort your data:
protStat file_protocols.txt
Check the script documentation for more information:
protStat -h
Tawk
Field names
Tranalyzer uses its own names for the fields it outputs, e.g., httpHosts.
The tawk shark() function can be used to query fields using Wireshark field syntax:
tawk 'shark("ip.proto") == "TCP" { print shark("ip.src"), shark("ip.dst") }' file.txt
Check the function documentation for more information:
tawk -d shark
Follow TCP/UDP stream
The tawk follow_stream() function can be used to display all the packets of a given flow:
tawk 'follow_stream(1)' file_packets.txt
Check the function documentation for more information:
tawk -d follow_stream
Open the packets of a flow with Wireshark
Build the findexer, basicFlow (for flowInd) and txtSink plugins:
t2build findexer basicFlow txtSink
Run t2 on your pcap:
t2 -r file.pcap
Then use the tawk -k option:
tawk -k '…' file_flows.txt
Create a pcap that can be opened in Wireshark
Build the findexer, basicFlow (for flowInd) and txtSink plugins:
t2build findexer basicFlow txtSink
Run t2 on your pcap:
t2 -r file.pcap
Then use the tawk -x option:
tawk -x file.pcap '…' file_flows.txt