Ask Your Question
0

show tcp streams which don't include string

asked 2021-01-28 12:14:14 +0000

quas gravatar image

updated 2021-01-28 13:26:31 +0000

Hello!

On an e-mail relay I get various requests from the same IP from which prtg (monitoring tool) also connects to check the health of the mail relay server. What I'm interested in is to find all tcp streams which do not contain the smtp.command_line string "EHLO Monitoring", so that I know if any clients actually connect to the mail relay to send emails. This works if I want to exclude the packages itself: smtp.command_line != "EHLO Monitoring\x0d\x0a" The issue with this, of course, is that all the other packages belonging to that tcp stream are also show. Mostly they contain the smtp "QUIT" command.

Actually, now, while writing this post, I realise that there aren't any other packages belonging to other streams, because the only packages that are being shown are those sending the "QUIT" command, so no hellos, which leads to me to believe, that no other clients connect to it.

In any case, I would still like to see if there's a possibility of excluding tcp stream altogether based on certain search criteria.

Thanks.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-01-28 13:50:09 +0000

grahamb gravatar image

Not directly, the display filter capabilities of Wireshark are "per-packet", i.e. is this packet to be displayed or not. There isn't a direct mechanism to say display this packet because of some condition in another packet.

MATE might be a possible solution as:

MATE's goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other.

You could also use tshark, some scripting and post-processing, e.g. run a first pass on the capture to only include SMTP frames with an EHLO but not the extra text, output the tcp stream numbers for those frames and use that to build a filter for a second pass on the capture to output those streams. Some ideas for this can be found in the SharkFest'18 presentation by @SYN-bit here.

edit flag offensive delete link more
0

answered 2021-02-01 13:43:46 +0000

SYN-bit gravatar image

You can split the filter into the two elements, command and parameter. That way you can see all "EHLO" command lines that do not use the parameter "Monitoring\x0d\x0a" by using the following filter:

smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"

If you want the full TCP sessions of these packets, you can use something like this in a bash shell:

tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(tshark -r in.pcap -Y 'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a" ' -T fields -e tcp.stream | xargs)}"

Drilled down:

  • tshark -r in.pcap -Y <filter> -T fields -e tcp.stream will print all the tcp.stream numbers of the packets that match the filter
  • the | xargs will create a list of these stream numbers, separated by spaces
  • and tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(<command>)}" takes the list of stream numbers and uses it as a filter to create a new file with the full TCP sessions
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-01-28 12:14:14 +0000

Seen: 61 times

Last updated: Feb 01