From 4f36bfe755df7284fc46a6552887c095227e16ba Mon Sep 17 00:00:00 2001 From: Andreas Fankhauser Date: Wed, 16 Nov 2022 19:12:15 +0100 Subject: Add bunch of existing files (primarily notes) --- doc/note/tcpdump/tcpdump.txt | 60 ++++++++++++++++++++++++++++++++++++++++++ doc/note/tcpdump/wireshark.txt | 13 +++++++++ 2 files changed, 73 insertions(+) create mode 100644 doc/note/tcpdump/tcpdump.txt create mode 100644 doc/note/tcpdump/wireshark.txt (limited to 'doc/note/tcpdump') diff --git a/doc/note/tcpdump/tcpdump.txt b/doc/note/tcpdump/tcpdump.txt new file mode 100644 index 0000000..163c921 --- /dev/null +++ b/doc/note/tcpdump/tcpdump.txt @@ -0,0 +1,60 @@ + +Tcpdump +================ + + +## Realtime Download: + + scriptlee -W OcChunkDownload.lua -n OC_PROJ --scan-delay 10 --workdir ../../../../../tmp --pod-pattern 'houston.%d' --file-pattern 'houston.STAGE.tcp.*gz' --skip 1 + + + +## Base (inclusive blacklist brox, fluentd, ...): + +redis=6379, brox=7022, fluentd=7099 + + cd /tmp && timeout --foreground -s INT 180 tcpdump -ni any -C 50M -W 999 -w houston-STAGE-tcp-`date -u +%Y%m%d-%H%M%S`.pcap "not port 443 and not port 6379 and not port 7022 and not port 7099" -z gzip + + + +## pcap cli PreProcessing + +Tips: "https://chrissanders.org/2018/06/large-captures4-filter-whittling/" + + mergecap.exe -a -w OUTFILE INFILES_GLOB + + -Y 'http.request.uri.query contains "expand"' + -Y 'http.time < 2.0 or http.request' + + + +## Accept HTTP POST requests: + + "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354" + + + +## Copy result to local machine (the boring way) + + oc rsync :/remote/dir/filename . + + + +## Special filters + + "tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-fin|tcp-rst) != 0" + + "ip 1.2.3.4" + + "net 172.18.0.0/16" + + + +## Extract hosts file from DNS traffic + +Not perfect because needs manual fine-tuning. But can be helpful anyway. + + -Y 'dns.a and dns.resp.name' -Tfields -edns.a -edns.resp.name + +Vielleicht auch mal option "-zhosts" ausprobieren. Sollte auch sowas tun. + diff --git a/doc/note/tcpdump/wireshark.txt b/doc/note/tcpdump/wireshark.txt new file mode 100644 index 0000000..1c498f2 --- /dev/null +++ b/doc/note/tcpdump/wireshark.txt @@ -0,0 +1,13 @@ + +Wireshark +================ + + +## Slow http responses + + (http and frame.time_delta_displayed > 1) + + (http.response && tcp.time_delta > 5) + + + -- cgit v1.1