Tshark Cheatsheet
- :material-content-copy: ** Copy to Clipboard**
- :material-file-pdf-box: ** Descargar PDF**
■/div titulada
Sinopsis
tshark es la versión de línea de comandos de Wireshark, un potente analizador de protocolo de red. Le permite capturar y analizar el tráfico de red desde la línea de comandos, lo que lo hace ideal para el análisis automatizado, la solución remota de problemas y la integración en scripts y sistemas de monitoreo.
Características clave
- ** Interfaz Command-Line**: Función Wireshark completa sin GUI
- Captura en vivo: captura y análisis en tiempo real
- Análisis de archivos: Lea y analice los archivos de captura existentes
- Flexible Filtering: Powerful display and capture filters
- Multiple Output Formats: Texto, JSON, XML, CSV y más
- Disección del Protocolo: Análisis profundo del paquete para cientos de protocolos
- ** Integración de la Escritura**: Perfecto para automatización y monitoreo
Instalación
Paquete Manager Instalación
# Ubuntu/Debian
sudo apt update
sudo apt install tshark
# RHEL/CentOS/Fedora
sudo yum install wireshark-cli
# or
sudo dnf install wireshark-cli
# Arch Linux
sudo pacman -S wireshark-cli
# macOS (Homebrew)
brew install wireshark
# Windows (Chocolatey)
choco install wireshark
Fuente: Instalación
# Download and compile from source
wget https://www.wireshark.org/download/src/wireshark-latest.tar.xz
tar -xf wireshark-latest.tar.xz
cd wireshark-*
# Install dependencies (Ubuntu/Debian)
sudo apt install cmake build-essential libglib2.0-dev libpcap-dev
# Configure and build
mkdir build && cd build
cmake ..
make -j$(nproc)
sudo make install
Configuración de permisos
# Add user to wireshark group (Linux)
sudo usermod -a -G wireshark $USER
# Set capabilities for non-root capture
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
# Verify permissions
getcap /usr/bin/dumpcap
Uso básico
Interface Management
# List available interfaces
tshark -D
# Capture from specific interface
tshark -i eth0
# Capture from multiple interfaces
tshark -i eth0 -i wlan0
# Capture from any interface
tshark -i any
# Show interface details
tshark -i eth0 --list-interfaces
Captura básica
# Capture packets (Ctrl+C to stop)
tshark -i eth0
# Capture specific number of packets
tshark -i eth0 -c 100
# Capture for specific duration
tshark -i eth0 -a duration:60
# Capture to file
tshark -i eth0 -w capture.pcap
# Capture with ring buffer
tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5
Archivos de captura de lectura
# Read pcap file
tshark -r capture.pcap
# Read specific packets
tshark -r capture.pcap -c 10
# Read with packet range
tshark -r capture.pcap -Y "frame.number >= 100 and frame.number <= 200"
# Show file information
tshark -r capture.pcap -q -z io,stat,0
Mostrar filtros
Filtro básico
# Filter by protocol
tshark -i eth0 -Y "http"
tshark -i eth0 -Y "tcp"
tshark -i eth0 -Y "udp"
tshark -i eth0 -Y "dns"
# Filter by IP address
tshark -i eth0 -Y "ip.addr == 192.168.1.1"
tshark -i eth0 -Y "ip.src == 192.168.1.1"
tshark -i eth0 -Y "ip.dst == 192.168.1.1"
# Filter by port
tshark -i eth0 -Y "tcp.port == 80"
tshark -i eth0 -Y "udp.port == 53"
tshark -i eth0 -Y "tcp.srcport == 443"
Filtro avanzado
# Combine filters with logical operators
tshark -i eth0 -Y "tcp.port == 80 and ip.addr == 192.168.1.1"
tshark -i eth0 -Y "http or https"
tshark -i eth0 -Y "not arp"
# Filter by packet size
tshark -i eth0 -Y "frame.len > 1000"
tshark -i eth0 -Y "tcp.len > 0"
# Filter by time
tshark -i eth0 -Y "frame.time >= \"2024-01-01 00:00:00\""
# Filter by MAC address
tshark -i eth0 -Y "eth.addr == aa:bb:cc:dd:ee:ff"
# Filter by network range
tshark -i eth0 -Y "ip.addr == 192.168.1.0/24"
Filtros de Protocolo Específico
# HTTP filters
tshark -i eth0 -Y "http.request.method == GET"
tshark -i eth0 -Y "http.response.code == 200"
tshark -i eth0 -Y "http.host contains \"example.com\""
# DNS filters
tshark -i eth0 -Y "dns.qry.name contains \"google\""
tshark -i eth0 -Y "dns.flags.response == 1"
# TCP filters
tshark -i eth0 -Y "tcp.flags.syn == 1"
tshark -i eth0 -Y "tcp.flags.reset == 1"
tshark -i eth0 -Y "tcp.analysis.retransmission"
# SSL/TLS filters
tshark -i eth0 -Y "ssl.handshake.type == 1"
tshark -i eth0 -Y "tls.record.content_type == 22"
Filtros de captura
Filtros de captura básica
# Capture specific host
tshark -i eth0 -f "host 192.168.1.1"
# Capture specific port
tshark -i eth0 -f "port 80"
tshark -i eth0 -f "tcp port 443"
tshark -i eth0 -f "udp port 53"
# Capture specific protocol
tshark -i eth0 -f "tcp"
tshark -i eth0 -f "udp"
tshark -i eth0 -f "icmp"
# Capture network range
tshark -i eth0 -f "net 192.168.1.0/24"
Filtros de captura avanzados
# Combine filters
tshark -i eth0 -f "host 192.168.1.1 and port 80"
tshark -i eth0 -f "tcp and not port 22"
# Capture by direction
tshark -i eth0 -f "src host 192.168.1.1"
tshark -i eth0 -f "dst port 443"
# Capture by packet size
tshark -i eth0 -f "greater 1000"
tshark -i eth0 -f "less 64"
# Capture multicast/broadcast
tshark -i eth0 -f "multicast"
tshark -i eth0 -f "broadcast"
Formatos de salida y campos
Formatos de salida
# Default output
tshark -i eth0
# Verbose output
tshark -i eth0 -V
# One-line summary
tshark -i eth0 -T fields -e frame.number -e ip.src -e ip.dst
# JSON output
tshark -i eth0 -T json
# XML output
tshark -i eth0 -T pdml
# CSV output
tshark -i eth0 -T fields -E separator=, -e ip.src -e ip.dst -e tcp.port
Producto de campo personalizado
# Basic fields
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst
# HTTP fields
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri
# DNS fields
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name -e dns.resp.addr
# TCP fields
tshark -r capture.pcap -Y "tcp" -T fields -e tcp.srcport -e tcp.dstport -e tcp.len
# Custom separator
tshark -r capture.pcap -T fields -E separator="|" -e ip.src -e ip.dst
Extracción de campo
# Extract unique values
tshark -r capture.pcap -T fields -e ip.src | sort | uniq
# Count occurrences
tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c
# Extract HTTP hosts
tshark -r capture.pcap -Y "http" -T fields -e http.host | sort | uniq
# Extract DNS queries
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq
Estadísticas y análisis
Estadísticas básicas
# I/O statistics
tshark -r capture.pcap -q -z io,stat,1
# Protocol hierarchy
tshark -r capture.pcap -q -z phs
# Conversation statistics
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,udp
tshark -r capture.pcap -q -z conv,ip
# Endpoint statistics
tshark -r capture.pcap -q -z endpoints,tcp
tshark -r capture.pcap -q -z endpoints,ip
Estadísticas avanzadas
# HTTP statistics
tshark -r capture.pcap -q -z http,stat
tshark -r capture.pcap -q -z http,tree
# DNS statistics
tshark -r capture.pcap -q -z dns,tree
# Response time statistics
tshark -r capture.pcap -q -z rpc,rtt,tcp
# Packet length statistics
tshark -r capture.pcap -q -z plen,tree
# Expert information
tshark -r capture.pcap -q -z expert
Estadísticas de aduanas
# Count packets by protocol
tshark -r capture.pcap -T fields -e _ws.col.Protocol | sort | uniq -c
# Bandwidth usage by IP
tshark -r capture.pcap -T fields -e ip.src -e frame.len | \
awk '{bytes[$1]+=$2} END {for(ip in bytes) print ip, bytes[ip]}'
# Top talkers
tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c | sort -nr | head -10
# Port usage statistics
tshark -r capture.pcap -Y "tcp" -T fields -e tcp.dstport | sort | uniq -c | sort -nr
Características avanzadas
Decryption
# SSL/TLS decryption with key file
tshark -r capture.pcap -o ssl.keylog_file:sslkeys.log -Y "http"
# WEP decryption
tshark -r capture.pcap -o wlan.wep_key1:"01:02:03:04:05"
# WPA decryption
tshark -r capture.pcap -o wlan.wpa-pwd:"password:SSID"
Disección del Protocolo
# Disable protocol dissection
tshark -r capture.pcap -d tcp.port==8080,http
# Force protocol dissection
tshark -r capture.pcap -d udp.port==1234,dns
# Show available dissectors
tshark -G protocols
# Show protocol fields
tshark -G fields | grep http
Tiempo y Timestamps
# Absolute timestamps
tshark -r capture.pcap -t a
# Relative timestamps
tshark -r capture.pcap -t r
# Delta timestamps
tshark -r capture.pcap -t d
# Epoch timestamps
tshark -r capture.pcap -t e
# Custom time format
tshark -r capture.pcap -t a -T fields -e frame.time_epoch
Scripts de automatización
Network Monitoring Script
#!/bin/bash
# network-monitor.sh
set -e
# Configuration
INTERFACE="${INTERFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/network-captures}"
ALERT_THRESHOLD="${ALERT_THRESHOLD:-1000}"
MONITORING_DURATION="${MONITORING_DURATION:-300}"
# Create capture directory
mkdir -p "$CAPTURE_DIR"
# Function to capture and analyze traffic
monitor_network() {
local timestamp=$(date +%Y%m%d_%H%M%S)
local capture_file="$CAPTURE_DIR/capture_$timestamp.pcap"
echo "Starting network monitoring on $INTERFACE..."
echo "Capture file: $capture_file"
# Start capture in background
tshark -i "$INTERFACE" -w "$capture_file" -a duration:$MONITORING_DURATION &
local tshark_pid=$!
# Wait for capture to complete
wait $tshark_pid
echo "Capture completed. Analyzing..."
# Analyze capture
analyze_capture "$capture_file"
}
# Function to analyze capture file
analyze_capture() {
local capture_file="$1"
echo "=== Network Analysis Report ==="
echo "File: $capture_file"
echo "Timestamp: $(date)"
echo
# Basic statistics
echo "--- Basic Statistics ---"
tshark -r "$capture_file" -q -z io,stat,0
echo
# Protocol hierarchy
echo "--- Protocol Hierarchy ---"
tshark -r "$capture_file" -q -z phs
echo
# Top talkers
echo "--- Top Source IPs ---"
tshark -r "$capture_file" -T fields -e ip.src | sort | uniq -c | sort -nr | head -10
echo
# Top destinations
echo "--- Top Destination IPs ---"
tshark -r "$capture_file" -T fields -e ip.dst | sort | uniq -c | sort -nr | head -10
echo
# Top ports
echo "--- Top TCP Ports ---"
tshark -r "$capture_file" -Y "tcp" -T fields -e tcp.dstport | sort | uniq -c | sort -nr | head -10
echo
# Security analysis
security_analysis "$capture_file"
}
# Function for security analysis
security_analysis() {
local capture_file="$1"
echo "--- Security Analysis ---"
# Check for suspicious activity
local syn_flood=$(tshark -r "$capture_file" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" | wc -l)
local port_scans=$(tshark -r "$capture_file" -T fields -e ip.src -e tcp.dstport | \
awk '{ports[$1]++} END {for(ip in ports) if(ports[ip]>50) print ip, ports[ip]}')
echo "SYN packets (potential SYN flood): $syn_flood"
if [ "$syn_flood" -gt "$ALERT_THRESHOLD" ]; then
echo "⚠️ WARNING: High number of SYN packets detected!"
send_alert "SYN Flood Alert" "Detected $syn_flood SYN packets"
fi
if [ -n "$port_scans" ]; then
echo "⚠️ WARNING: Potential port scans detected:"
echo "$port_scans"
send_alert "Port Scan Alert" "Potential port scanning activity detected"
fi
# Check for unusual protocols
echo "--- Unusual Protocol Activity ---"
tshark -r "$capture_file" -T fields -e _ws.col.Protocol | sort | uniq -c | sort -nr | head -20
}
# Function to send alerts
send_alert() {
local subject="$1"
local message="$2"
echo "🚨 ALERT: $subject"
echo "Details: $message"
# Send email alert (if configured)
if [ -n "$ALERT_EMAIL" ]; then
echo "$message" | mail -s "$subject" "$ALERT_EMAIL"
fi
# Send to syslog
logger -p local0.warning "Network Monitor Alert: $subject - $message"
}
# Main execution
main() {
case "${1:-monitor}" in
"monitor")
monitor_network
;;
"analyze")
if [ -z "$2" ]; then
echo "Usage: $0 analyze <capture_file>"
exit 1
fi
analyze_capture "$2"
;;
"continuous")
while true; do
monitor_network
sleep 60
done
;;
*)
echo "Usage: $0 {monitor|analyze|continuous}"
exit 1
;;
esac
}
main "$@"
HTTP Traffic Analyzer
#!/usr/bin/env python3
# http-analyzer.py
import subprocess
import json
import sys
import argparse
from collections import defaultdict, Counter
from urllib.parse import urlparse
class HTTPAnalyzer:
def __init__(self, capture_file):
self.capture_file = capture_file
self.http_requests = []
self.http_responses = []
def extract_http_traffic(self):
"""Extract HTTP traffic from capture file"""
print("Extracting HTTP traffic...")
# Extract HTTP requests
cmd_requests = [
'tshark', '-r', self.capture_file,
'-Y', 'http.request',
'-T', 'json'
]
try:
result = subprocess.run(cmd_requests, capture_output=True, text=True, check=True)
if result.stdout.strip():
self.http_requests = json.loads(result.stdout)
except subprocess.CalledProcessError as e:
print(f"Error extracting HTTP requests: {e}")
return False
# Extract HTTP responses
cmd_responses = [
'tshark', '-r', self.capture_file,
'-Y', 'http.response',
'-T', 'json'
]
try:
result = subprocess.run(cmd_responses, capture_output=True, text=True, check=True)
if result.stdout.strip():
self.http_responses = json.loads(result.stdout)
except subprocess.CalledProcessError as e:
print(f"Error extracting HTTP responses: {e}")
return False
return True
def analyze_requests(self):
"""Analyze HTTP requests"""
print("\n=== HTTP Request Analysis ===")
if not self.http_requests:
print("No HTTP requests found")
return
methods = Counter()
hosts = Counter()
user_agents = Counter()
urls = []
for packet in self.http_requests:
try:
http_layer = packet['_source']['layers']['http']
# Extract method
if 'http.request.method' in http_layer:
methods[http_layer['http.request.method']] += 1
# Extract host
if 'http.host' in http_layer:
hosts[http_layer['http.host']] += 1
# Extract User-Agent
if 'http.user_agent' in http_layer:
user_agents[http_layer['http.user_agent']] += 1
# Extract full URL
if 'http.host' in http_layer and 'http.request.uri' in http_layer:
url = f"http://{http_layer['http.host']}{http_layer['http.request.uri']}"
urls.append(url)
except KeyError:
continue
# Print analysis
print(f"Total HTTP requests: {len(self.http_requests)}")
print("\n--- Top HTTP Methods ---")
for method, count in methods.most_common(10):
print(f"{method}: {count}")
print("\n--- Top Hosts ---")
for host, count in hosts.most_common(10):
print(f"{host}: {count}")
print("\n--- Top User Agents ---")
for ua, count in user_agents.most_common(5):
print(f"{ua}: {count}")
print("\n--- Sample URLs ---")
for url in urls[:20]:
print(url)
def analyze_responses(self):
"""Analyze HTTP responses"""
print("\n=== HTTP Response Analysis ===")
if not self.http_responses:
print("No HTTP responses found")
return
status_codes = Counter()
content_types = Counter()
servers = Counter()
for packet in self.http_responses:
try:
http_layer = packet['_source']['layers']['http']
# Extract status code
if 'http.response.code' in http_layer:
status_codes[http_layer['http.response.code']] += 1
# Extract content type
if 'http.content_type' in http_layer:
content_types[http_layer['http.content_type']] += 1
# Extract server
if 'http.server' in http_layer:
servers[http_layer['http.server']] += 1
except KeyError:
continue
# Print analysis
print(f"Total HTTP responses: {len(self.http_responses)}")
print("\n--- Status Codes ---")
for code, count in status_codes.most_common(10):
print(f"{code}: {count}")
print("\n--- Content Types ---")
for ct, count in content_types.most_common(10):
print(f"{ct}: {count}")
print("\n--- Servers ---")
for server, count in servers.most_common(10):
print(f"{server}: {count}")
def security_analysis(self):
"""Perform security analysis"""
print("\n=== Security Analysis ===")
suspicious_patterns = [
'admin', 'login', 'password', 'config', 'backup',
'test', 'debug', 'dev', 'staging', 'api'
]
suspicious_urls = []
for packet in self.http_requests:
try:
http_layer = packet['_source']['layers']['http']
if 'http.request.uri' in http_layer:
uri = http_layer['http.request.uri'].lower()
for pattern in suspicious_patterns:
if pattern in uri:
if 'http.host' in http_layer:
full_url = f"http://{http_layer['http.host']}{http_layer['http.request.uri']}"
suspicious_urls.append(full_url)
break
except KeyError:
continue
if suspicious_urls:
print("⚠️ Potentially suspicious URLs detected:")
for url in set(suspicious_urls[:20]):
print(f" {url}")
else:
print("✅ No obviously suspicious URLs detected")
def generate_report(self, output_file=None):
"""Generate comprehensive report"""
if not self.extract_http_traffic():
print("Failed to extract HTTP traffic")
return
# Redirect output to file if specified
if output_file:
sys.stdout = open(output_file, 'w')
print(f"HTTP Traffic Analysis Report")
print(f"Capture File: {self.capture_file}")
print(f"Generated: {subprocess.run(['date'], capture_output=True, text=True).stdout.strip()}")
print("=" * 50)
self.analyze_requests()
self.analyze_responses()
self.security_analysis()
if output_file:
sys.stdout.close()
sys.stdout = sys.__stdout__
print(f"Report saved to: {output_file}")
def main():
parser = argparse.ArgumentParser(description='HTTP Traffic Analyzer')
parser.add_argument('capture_file', help='Path to capture file')
parser.add_argument('-o', '--output', help='Output report file')
args = parser.parse_args()
analyzer = HTTPAnalyzer(args.capture_file)
analyzer.generate_report(args.output)
if __name__ == "__main__":
main()
DNS Analysis Script
#!/bin/bash
# dns-analyzer.sh
set -e
# Configuration
CAPTURE_FILE="$1"
OUTPUT_DIR="${OUTPUT_DIR:-./dns-analysis}"
if [ -z "$CAPTURE_FILE" ]; then
echo "Usage: $0 <capture_file>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
echo "Analyzing DNS traffic in $CAPTURE_FILE..."
# Extract DNS queries
echo "Extracting DNS queries..."
tshark -r "$CAPTURE_FILE" -Y "dns.flags.response == 0" \
-T fields -e frame.time -e ip.src -e dns.qry.name -e dns.qry.type \
> "$OUTPUT_DIR/dns_queries.txt"
# Extract DNS responses
echo "Extracting DNS responses..."
tshark -r "$CAPTURE_FILE" -Y "dns.flags.response == 1" \
-T fields -e frame.time -e ip.src -e dns.qry.name -e dns.resp.addr \
> "$OUTPUT_DIR/dns_responses.txt"
# Analyze queries
echo "Analyzing DNS queries..."
cat > "$OUTPUT_DIR/dns_analysis.txt" << EOF
DNS Traffic Analysis Report
==========================
Capture File: $CAPTURE_FILE
Generated: $(date)
--- Query Statistics ---
Total DNS queries: $(wc -l < "$OUTPUT_DIR/dns_queries.txt")
Total DNS responses: $(wc -l < "$OUTPUT_DIR/dns_responses.txt")
--- Top Queried Domains ---
$(awk '{print $3}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr | head -20)
--- Top Query Types ---
$(awk '{print $4}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr)
--- Top DNS Clients ---
$(awk '{print $2}' "$OUTPUT_DIR/dns_queries.txt" | sort | uniq -c | sort -nr | head -10)
--- Suspicious Domains ---
$(awk '{print $3}' "$OUTPUT_DIR/dns_queries.txt" | grep -E "(\.tk$|\.ml$|\.ga$|\.cf$|dga-|random-)" | sort | uniq || echo "None detected")
EOF
echo "Analysis complete. Results saved to $OUTPUT_DIR/"
echo "Summary:"
cat "$OUTPUT_DIR/dns_analysis.txt"
CI/CD Integration
GitHub Actions
# .github/workflows/network-analysis.yml
name: Network Traffic Analysis
on:
push:
paths:
- 'captures/*.pcap'
workflow_dispatch:
inputs:
capture_file:
description: 'Capture file to analyze'
required: true
jobs:
analyze-traffic:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install tshark
run: |
sudo apt update
sudo apt install -y tshark
- name: Analyze network traffic
run: |
# Create analysis directory
mkdir -p analysis-results
# Find capture files
if [ "${{ github.event.inputs.capture_file }}" ]; then
CAPTURE_FILE="${{ github.event.inputs.capture_file }}"
else
CAPTURE_FILE=$(find captures/ -name "*.pcap" -type f | head -1)
fi
if [ -z "$CAPTURE_FILE" ]; then
echo "No capture file found"
exit 1
fi
echo "Analyzing: $CAPTURE_FILE"
# Basic statistics
tshark -r "$CAPTURE_FILE" -q -z io,stat,0 > analysis-results/basic-stats.txt
# Protocol hierarchy
tshark -r "$CAPTURE_FILE" -q -z phs > analysis-results/protocols.txt
# Top talkers
tshark -r "$CAPTURE_FILE" -T fields -e ip.src | sort | uniq -c | sort -nr | head -20 > analysis-results/top-sources.txt
# HTTP analysis
tshark -r "$CAPTURE_FILE" -Y "http" -T fields -e http.host -e http.request.uri | head -100 > analysis-results/http-requests.txt
# DNS analysis
tshark -r "$CAPTURE_FILE" -Y "dns" -T fields -e dns.qry.name | sort | uniq -c | sort -nr | head -50 > analysis-results/dns-queries.txt
- name: Generate report
run: |
cat > analysis-results/report.md << EOF
# Network Traffic Analysis Report
**File:** $CAPTURE_FILE
**Date:** $(date)
## Basic Statistics
\`\`\`
$(cat analysis-results/basic-stats.txt)
\`\`\`
## Protocol Hierarchy
\`\`\`
$(cat analysis-results/protocols.txt)
\`\`\`
## Top Source IPs
\`\`\`
$(cat analysis-results/top-sources.txt)
\`\`\`
## HTTP Requests (Sample)
\`\`\`
$(cat analysis-results/http-requests.txt)
\`\`\`
## DNS Queries (Top 50)
\`\`\`
$(cat analysis-results/dns-queries.txt)
\`\`\`
EOF
- name: Upload analysis results
uses: actions/upload-artifact@v3
with:
name: network-analysis-results
path: analysis-results/
- name: Comment on PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('analysis-results/report.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: report
});
Jenkins Pipeline
// Jenkinsfile
pipeline {
agent any
parameters {
string(name: 'CAPTURE_FILE', defaultValue: '', description: 'Path to capture file')
choice(name: 'ANALYSIS_TYPE', choices: ['basic', 'security', 'performance'], description: 'Type of analysis')
}
stages {
stage('Setup') {
steps {
script {
// Install tshark if not available
sh '''
if ! command -v tshark &> /dev/null; then
sudo apt update
sudo apt install -y tshark
fi
'''
}
}
}
stage('Validate Input') {
steps {
script {
if (!params.CAPTURE_FILE) {
error("CAPTURE_FILE parameter is required")
}
if (!fileExists(params.CAPTURE_FILE)) {
error("Capture file does not exist: ${params.CAPTURE_FILE}")
}
}
}
}
stage('Basic Analysis') {
steps {
script {
sh """
mkdir -p analysis-results
# Basic statistics
tshark -r "${params.CAPTURE_FILE}" -q -z io,stat,0 > analysis-results/basic-stats.txt
# Protocol hierarchy
tshark -r "${params.CAPTURE_FILE}" -q -z phs > analysis-results/protocols.txt
# Conversation statistics
tshark -r "${params.CAPTURE_FILE}" -q -z conv,tcp > analysis-results/tcp-conversations.txt
tshark -r "${params.CAPTURE_FILE}" -q -z conv,udp > analysis-results/udp-conversations.txt
"""
}
}
}
stage('Security Analysis') {
when {
expression { params.ANALYSIS_TYPE == 'security' }
}
steps {
script {
sh """
# Check for suspicious activity
echo "=== Security Analysis ===" > analysis-results/security-analysis.txt
# SYN flood detection
SYN_COUNT=\$(tshark -r "${params.CAPTURE_FILE}" -Y "tcp.flags.syn==1 and tcp.flags.ack==0" | wc -l)
echo "SYN packets: \$SYN_COUNT" >> analysis-results/security-analysis.txt
# Port scan detection
echo "Potential port scans:" >> analysis-results/security-analysis.txt
tshark -r "${params.CAPTURE_FILE}" -T fields -e ip.src -e tcp.dstport | \\
awk '{ports[\$1]++} END {for(ip in ports) if(ports[ip]>50) print ip, ports[ip]}' >> analysis-results/security-analysis.txt
# Suspicious DNS queries
echo "Suspicious DNS queries:" >> analysis-results/security-analysis.txt
tshark -r "${params.CAPTURE_FILE}" -Y "dns" -T fields -e dns.qry.name | \\
grep -E "(\.tk\$|\\.ml\$|\\.ga\$|\\.cf\$)" | sort | uniq >> analysis-results/security-analysis.txt || true
"""
}
}
}
stage('Performance Analysis') {
when {
expression { params.ANALYSIS_TYPE == 'performance' }
}
steps {
script {
sh """
# Performance metrics
echo "=== Performance Analysis ===" > analysis-results/performance-analysis.txt
# Bandwidth usage
tshark -r "${params.CAPTURE_FILE}" -T fields -e ip.src -e frame.len | \\
awk '{bytes[\$1]+=\$2} END {for(ip in bytes) print ip, bytes[ip]}' | \\
sort -k2 -nr | head -20 >> analysis-results/performance-analysis.txt
# Response time analysis
tshark -r "${params.CAPTURE_FILE}" -q -z rpc,rtt,tcp >> analysis-results/performance-analysis.txt || true
# Packet size distribution
tshark -r "${params.CAPTURE_FILE}" -q -z plen,tree >> analysis-results/performance-analysis.txt
"""
}
}
}
stage('Generate Report') {
steps {
script {
sh '''
# Create comprehensive report
cat > analysis-results/report.html << EOF
<!DOCTYPE html>
<html>
<head>
<title>Network Analysis Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
pre { background: #f5f5f5; padding: 10px; overflow-x: auto; }
.section { margin: 20px 0; }
</style>
</head>
<body>
<h1>Network Analysis Report</h1>
<p><strong>File:</strong> ${CAPTURE_FILE}</p>
<p><strong>Analysis Type:</strong> ${ANALYSIS_TYPE}</p>
<p><strong>Generated:</strong> $(date)</p>
<div class="section">
<h2>Basic Statistics</h2>
<pre>$(cat analysis-results/basic-stats.txt)</pre>
</div>
<div class="section">
<h2>Protocol Hierarchy</h2>
<pre>$(cat analysis-results/protocols.txt)</pre>
</div>
EOF
# Add security analysis if available
if [ -f analysis-results/security-analysis.txt ]; then
cat >> analysis-results/report.html << EOF
<div class="section">
<h2>Security Analysis</h2>
<pre>$(cat analysis-results/security-analysis.txt)</pre>
</div>
EOF
fi
# Add performance analysis if available
if [ -f analysis-results/performance-analysis.txt ]; then
cat >> analysis-results/report.html << EOF
<div class="section">
<h2>Performance Analysis</h2>
<pre>$(cat analysis-results/performance-analysis.txt)</pre>
</div>
EOF
fi
echo "</body></html>" >> analysis-results/report.html
'''
}
}
}
}
post {
always {
archiveArtifacts artifacts: 'analysis-results/**', fingerprint: true
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'analysis-results',
reportFiles: 'report.html',
reportName: 'Network Analysis Report'
])
}
failure {
emailext (
subject: "Network Analysis Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "The network analysis job failed. Please check the console output for details.",
to: "${env.CHANGE_AUTHOR_EMAIL}"
)
}
}
}
Solución de problemas
Cuestiones comunes
# Permission denied errors
sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
# Interface not found
tshark -D
ip link show
# Capture file corruption
tshark -r capture.pcap -q -z io,stat,0
# Memory issues with large files
tshark -r large_capture.pcap -c 1000
# Display filter syntax errors
tshark -Y "invalid filter" 2>&1 | grep -i error
Optimización del rendimiento
# Use capture filters to reduce data
tshark -i eth0 -f "port 80 or port 443"
# Limit capture size
tshark -i eth0 -s 96
# Use ring buffer for continuous capture
tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:10
# Disable name resolution
tshark -i eth0 -n
# Use specific protocols only
tshark -i eth0 -Y "tcp or udp"
Debugging
# Verbose output for debugging
tshark -i eth0 -V
# Show field names
tshark -G fields | grep -i http
# Test display filters
tshark -Y "tcp.port == 80" -c 1
# Check tshark version and capabilities
tshark -v
tshark -G protocols | wc -l
Buenas prácticas
Capture Guidelines
- Utilizar filtros de captura: Aplicar filtros a tiempo de captura para reducir el tamaño del archivo
- Limit Packet Size: Use
-sopción para capturas de cabecera solo cuando corresponda - ** Buffers de viaje**: Use búferes de anillo para monitorización continua
- ** Permisos del programa**: Establecer permisos adecuados para capturas no arraigadas
- Manejo de almacenamiento: Implementar la rotación de registros para capturas a largo plazo
Análisis Mejores Prácticas
- Iniciar con Estadísticas: Use
-q -z_ opciones para obtener información rápida - ** Filtro progresivo**: Comience amplio, luego reduzca con filtros específicos
- Guardar resultados intermedios: Guardar resultados filtrados para un análisis más profundo
- Document Findings: Mantener notas detalladas de los pasos de análisis
- Tareas repetitivas automatizadas: Utilice scripts para patrones de análisis comunes
Consideraciones de seguridad
- ** Datos positivos**: Tenga en cuenta los datos confidenciales en las capturas
- ** Control de acceso**: Restrict access to capture files
- Encryption: Considere la posibilidad de cifrar archivos de captura almacenados
- Políticas de retención: Implementar políticas apropiadas de retención de datos
- Cumplimiento legal: Asegurar el cumplimiento de las leyes y reglamentos locales
Esta completa hoja de trampa tshark proporciona todo lo necesario para el análisis profesional de la red, desde la captura de paquetes básicos hasta escenarios avanzados de automatización e integración.