Score:1

How to analyze packets from tshark in realtime via bash?

Maf

I need to analyze the IPsec packets from this command in real time:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP>)'

I need to check whether an ISAKMP packet is sent, in order to set a variable to true. I can't wait until the whole sniffing process is finished to be able to read it from a pcap file!

Score:1

You might also want to look into the netsniff-ng package in apt. It is a packet sniffing toolkit specifically built for Linux networks.

It works great for things like analyzing signals of PCI/USB devices that do not follow their respective data protocols, in order to write custom drivers.

The following is a list of included tools, including descriptions, obtained from the output of apt info netsniff-ng:

  • netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
  • trafgen: a multithreaded low-level zero-copy network packet generator
  • mausezahn: high-level packet generator for appliances with Cisco-CLI
  • ifpps: a top-like kernel networking and system statistics tool
  • curvetun: a lightweight curve25519-based multiuser IP tunnel
  • astraceroute: an autonomous system trace route and DPI testing utility
  • flowtop: a top-like netfilter connection tracking tool
  • bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

To find out more, you can visit the netsniff-ng website:

http://netsniff-ng.org/

Maf
I'll take a look at that. Thanks. So far I've been working with `tshark`/`wireshark` and `tcpdump`.
Score:1
Maf

After some workarounds, we have a solution:

while IFS= read -r line; do if [[ $line =~ 'ISAKMP' ]]; then echo "$line"; fi; done < <(sudo tshark -l -i <My_Interface>)  # -l flushes tshark's output after each packet so lines arrive immediately; "$line" is quoted to keep the summary intact

Instead of the simple string 'ISAKMP', we can check for anything else. The echo command may be any other command (setting an environment variable, etc.).

Nate T
Should there be two space characters between `IFS=` and `read`? As is, you are testing that IFS is set to an empty string, and not a space character. Does the command work like this?
Maf
A single space: IFS=' '. IFS stands for internal field separator; I only learned that yesterday.
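The line-by-line approach from the accepted answer, packaged as an added example that is not part of the original answer or question. The matching is done in a function that reads packet summary lines from standard input and reports whether an ISAKMP packet was seen, so it can be tested offline against constructed sample lines; the sample lines below imitate tshark's one-line summary format and are not from a real capture. The interface name and the `-l` flag (which makes tshark flush its output after every packet, so the loop sees lines as they arrive instead of after tshark's buffer fills) are the only assumptions beyond the page.

```shell
#!/bin/sh
# Added example: watch tshark summary lines for ISAKMP packets as they arrive.
# Not code from the original answer; written to be POSIX sh compatible.

# Return 0 if one summary line describes an ISAKMP packet, 1 otherwise.
is_isakmp_line() {
    case "$1" in
        *ISAKMP*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read summary lines from stdin one at a time (no waiting for EOF before
# acting) and print "1" once at the end if any ISAKMP packet was seen,
# "0" otherwise. Each matching line is also reported on stderr as it is
# seen, which is where a practitioner would put the real-time action.
isakmp_seen() {
    seen=0
    while IFS= read -r line; do
        if is_isakmp_line "$line"; then
            seen=1
            printf 'ISAKMP packet observed: %s\n' "$line" >&2
        fi
    done
    echo "$seen"
}

# Constructed sample of tshark-style summary lines (not a real capture).
SAMPLE_LINES='    1 0.000000000 10.0.0.1 -> 10.0.0.2 ICMP 98 Echo (ping) request
    2 0.001000000 10.0.0.1 -> 10.0.0.2 ISAKMP 330 Identity Protection (Main Mode)
    3 0.002000000 10.0.0.2 -> 10.0.0.1 ESP 150 ESP (SPI=0x12345678)'

# Offline demonstration on the constructed sample.
printf 'ISAKMP seen (sample): %s\n' "$(printf '%s\n' "$SAMPLE_LINES" | isakmp_seen)"

# Live use (assumed interface name; needs capture privileges):
#   IFACE=eth0
#   sudo tshark -l -i "$IFACE" -Y 'isakmp' | isakmp_seen
# With -Y 'isakmp' tshark itself does the protocol matching, so the
# function only has to detect that any line arrived at all.
```

Two details matter for the "set a variable" use case. First, a variable assigned inside `cmd | while read ...` is set in a subshell and is gone when the loop ends; the answer's `< <(...)` process substitution avoids that in bash, and this example sidesteps it by printing the result so the caller can capture it with `$(...)`. Second, without `-l` (or `--line-buffered` on an intermediate `grep`) the lines only reach the loop when tshark's output buffer fills, which defeats the real-time goal.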