

Tsharksc

tsharksc_ver 0.3.zip
0.00MB

tshark 편하게 쓰기

Tshark를 처음 익힐 때 옵션을 외우기 힘들어서 간단하게 만들기 시작했습니다.

그 후 사용하다 보니 주로 사용하는 명령어는 정해져 있는 것 같아서 만들어봤습니다.

tsharksc_ver 0.2.pdf
0.24MB

간단한 설명서

배포를 목적으로 만들지 않아 사소한 오류들이 있을 수 있으나 로컬에 영향을 주지는 않습니다.

배치 스크립트로 만들었으며, 컴퓨터에 와이어샤크를 설치할 때 같이 설치되는 tshark가 시스템 환경 변수에 등록되어 있어야 사용할 수 있습니다.

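@echo off
:: tsharksc - interactive menu front end for tshark (tshark must be on PATH).
:: Every prompt accepts /texit, which returns to this main menu via Back_main.
:SELECT
:: Per-round state is cleared so a previous selection or field list cannot leak into this round.
set add_option=
set add_field=
set _access=
set Select=
echo -------------------------------------------------------------------------------------------------
echo "(!) Please check the list you want to run.    |    /texit : go to main menu"
echo -------------------------------------------------------------------------------------------------
echo    1. Network scan
echo.
echo    2. Capture
echo.
echo    3. Analysis pcap
echo.
echo    4. Custom
echo.
echo    5. END
echo -------------------------------------------------------------------------------------------------
set /p Select=(!) input num : 
cls
if "%Select%"=="/texit" (GOTO:Back_main)
if "%Select%"=="1" (set _access=scan)
if "%Select%"=="2" (set _access=Detect_SNI_Field)
if "%Select%"=="3" (set _access=Analysis_Pcap)
if "%Select%"=="4" (set _access=Custom)
if "%Select%"=="5" (set _access=END)

if "%_access%"=="scan" GOTO:scan
if "%_access%"=="Detect_SNI_Field" GOTO:Detect_SNI_Field
if "%_access%"=="Analysis_Pcap" GOTO:Analysis_Pcap
if "%_access%"=="Custom" GOTO:Custom
:: "5. END" terminates the script at the END label; the original sent it back to SELECT, so END was unreachable.
if "%_access%"=="END" GOTO:END
:: Empty or unknown input: redraw the menu (the original fell through into the NIC scan section below).
GOTO:SELECT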


::NIC scan (1)
:: Lists the capture interfaces known to tshark; the name or index shown here is what the
:: capture menus ask for as "Network". Returns to the main menu afterwards.
:scan
echo -------------------------------------------------------------------------------------------------
echo NIC scan
echo -------------------------------------------------------------------------------------------------
tshark.exe -D
GOTO:SELECT


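::SNI_Field print (2)
:: Live-capture menu: either print the TLS server_name (SNI) extension value of every matching
:: packet seen on a NIC, or build a custom field list in Custom_Option_2. NET is shared with
:: Custom_Option_2; SNI_Option is the -T output format.
:Detect_SNI_Field
echo -------------------------------------------------------------------------------------------------
echo Print Capture
echo -------------------------------------------------------------------------------------------------
echo    1. print SNI Field from NIC
echo.
echo    2. Custom Option
echo -------------------------------------------------------------------------------------------------
set SNI_Select=
set /p SNI_Select=(!) input num : 
if "%SNI_Select%"=="/texit" (GOTO:Back_main)
if "%SNI_Select%"=="1" (GOTO:Net_Input)
if "%SNI_Select%"=="2" (GOTO:Custom_Option_2)
:: Empty or unknown choice: redraw this menu instead of falling through to the NIC prompt.
GOTO:Detect_SNI_Field
:Net_Input
:: Interface name or index as listed by "tshark -D" (main menu entry 1).
set NET=
set /p NET=(!) input Network :
if not defined NET (GOTO:Net_Input)
if "%NET:"=%"=="/texit" (GOTO:Back_main)
:: Quotes typed by the user are stripped here; the value is re-quoted once when the command is built.
set NET=%NET:"=%

:SNI_Print
cls
echo Select Print Type
echo -------------------------------------------------------------------------------------------------
echo    1. fields
echo.
echo    2. json
echo.
echo    3. psml
echo.
echo    4. ek
echo.
echo    5. go to main menu
echo -------------------------------------------------------------------------------------------------
set SNI_Option=
set SNI_Option_Select=
set /p SNI_Option_Select=(!) input num : 
if "%SNI_Option_Select%"=="/texit" (GOTO:Back_main)
if "%SNI_Option_Select%"=="1" (set SNI_Option=fields)
if "%SNI_Option_Select%"=="2" (set SNI_Option=json)
if "%SNI_Option_Select%"=="3" (set SNI_Option=psml)
if "%SNI_Option_Select%"=="4" (set SNI_Option=ek)
if "%SNI_Option_Select%"=="5" (GOTO:Back_main)
:: No format chosen (empty or unknown input): ask again; otherwise -T would receive an empty value
:: (or a stale one from an earlier round).
if not defined SNI_Option (GOTO:SNI_Print)

:: NET is quoted so an interface name containing spaces stays a single -i argument.
:: NOTE(review): -e is only honoured by some -T formats; check "tshark -h" for the installed version.
set SNI_Print_Command=tshark.exe -i "%NET%" -Y "tls.handshake.extensions_server_name" -T %SNI_Option% -e tls.handshake.extensions_server_name
%SNI_Print_Command%
GOTO:SELECT
:: Shared "back to the main menu" entry used by every /texit check in the file.
:Back_main
cls
GOTO:SELECT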

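:: Custom live capture: one display filter (-Y) plus any number of -e fields picked from the
:: loop2 menu. add_field accumulates " -e field" fragments and therefore starts with a space.
:Custom_Option_2
cls
set NET=
set /p NET=(!) input Network :
if not defined NET (GOTO:Custom_Option_2)
if "%NET:"=%"=="/texit" (GOTO:Back_main)
set NET=%NET:"=%
:: Despite the prompt text this value is passed to -Y, i.e. it is a display filter, not a field list.
:: Quotes typed here are stripped and the value is re-quoted once when the command is built.
set Display_Fields=
set /p Display_Fields=(!) input Display field : 
if not defined Display_Fields (GOTO:Custom_Option_2)
if "%Display_Fields:"=%"=="/texit" (GOTO:Back_main)
set Display_Fields=%Display_Fields:"=%

:loop2
:: text is cleared on every pass so an unknown choice cannot re-add the previously chosen field.
set text=
set Custom_Option2=
echo Select Print Type
echo -------------------------------------------------------------------------------------------------
echo    1. ip.ttl          2. ip.src          3. ip.dst
echo.
echo    4. frame.number    5. frame.time      6. frame.time_epoch
echo.
echo    7. tcp             8. tcp.port        9. tcp.urgent_pointer
echo.
echo   10. dns            11. dns.qry.name   12. .
echo.
echo   13. http.cookie    14. http.host      15. http.referer
echo.
echo   16. text           17. .              18. tls.handshake.extensions_server_name
echo.
echo    0. custom         x : finish
echo -------------------------------------------------------------------------------------------------
set /p Custom_Option2=(!) input :
if "%Custom_Option2%"=="1" (set text=ip.ttl)
if "%Custom_Option2%"=="2" (set text=ip.src)
if "%Custom_Option2%"=="3" (set text=ip.dst)
if "%Custom_Option2%"=="4" (set text=frame.number)
if "%Custom_Option2%"=="5" (set text=frame.time)
if "%Custom_Option2%"=="6" (set text=frame.time_epoch)
if "%Custom_Option2%"=="7" (set text=tcp)
if "%Custom_Option2%"=="8" (set text=tcp.port)
if "%Custom_Option2%"=="9" (set text=tcp.urgent_pointer)
if "%Custom_Option2%"=="10" (set text=dns)
if "%Custom_Option2%"=="11" (set text=dns.qry.name)
if "%Custom_Option2%"=="12" (set text=)
if "%Custom_Option2%"=="13" (set text=http.cookie)
if "%Custom_Option2%"=="14" (set text=http.host)
if "%Custom_Option2%"=="15" (set text=http.referer)
if "%Custom_Option2%"=="16" (set text=text)
if "%Custom_Option2%"=="17" (set text=)
if "%Custom_Option2%"=="18" (set text=tls.handshake.extensions_server_name)
if "%Custom_Option2%"=="0" (GOTO:Op2_input)
if "%Custom_Option2%"=="x" (GOTO:Op2_Print)
if "%Custom_Option2%"=="/texit" (GOTO:Back_main)
:return_Op2
:: Nothing chosen (unknown input, or the blank entries 12 and 17): redraw without adding an empty "-e".
if not defined text (GOTO:Op2_redraw)
set add_option=-e %text%
set add_field=%add_field% %add_option%
:Op2_redraw
cls
:: "echo(" prints an empty line instead of "ECHO is off." while no field has been added yet.
echo(%add_field%
goto loop2
:Op2_input
set text=
set /p text=(!) input Option :
if not defined text (GOTO:return_Op2)
if "%text:"=%"=="/texit" (GOTO:Back_main)
GOTO:return_Op2

:Op2_Print
cls
echo Select Print Type
echo -------------------------------------------------------------------------------------------------
echo    1. fields
echo.
echo    2. json
echo.
echo    3. psml
echo.
echo    4. ek
echo.
echo    5. go to main menu
echo -------------------------------------------------------------------------------------------------
set SNI_Option=
set SNI_Option_Select=
set /p SNI_Option_Select=(!) input num : 
if "%SNI_Option_Select%"=="/texit" (GOTO:Back_main)
if "%SNI_Option_Select%"=="1" (set SNI_Option=fields)
if "%SNI_Option_Select%"=="2" (set SNI_Option=json)
if "%SNI_Option_Select%"=="3" (set SNI_Option=psml)
if "%SNI_Option_Select%"=="4" (set SNI_Option=ek)
if "%SNI_Option_Select%"=="5" (GOTO:Back_main)
:: Empty or unknown format: ask again rather than running with an empty or stale -T value.
if not defined SNI_Option (GOTO:Op2_Print)
cls
:: The chosen -T format is used; the original hard-coded "fields" here and ignored the menu choice.
:: NET and the filter are quoted once; add_field already starts with a space, so no separator is needed.
set Op2_print_result=tshark.exe -i "%NET%" -Y "%Display_Fields%" -T %SNI_Option%%add_field%
echo %Op2_print_result%
%Op2_print_result%
set add_option=
set add_field=
GOTO:SELECT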

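::Pcap analysis (3)
:: Offline analysis of a capture file. Pcap_Default ("tshark -r file") is built here and reused by
:: Pcap_1, Pcap_2 and Pcap_3; Pcap_4 reads Pcap_PATH directly.
:Analysis_Pcap
echo -------------------------------------------------------------------------------------------------
echo Pcap_Analysis
echo -------------------------------------------------------------------------------------------------
set Pcap_PATH=
set /p Pcap_PATH=(!) input pcap PATH : 
if not defined Pcap_PATH (GOTO:Analysis_Pcap)
if "%Pcap_PATH:"=%"=="/texit" (GOTO:Back_main)
:: Quotes typed by the user (e.g. a pasted path) are stripped and the path is re-quoted once below,
:: so paths containing spaces work and the form matches the export command in Pcap_4.
set Pcap_PATH=%Pcap_PATH:"=%
if exist "%Pcap_PATH%" (GOTO:Pcap_Menu)
echo file not found : "%Pcap_PATH%"
GOTO:Analysis_Pcap
:Pcap_Menu
set Pcap_Default=tshark -r "%Pcap_PATH%"
echo -------------------------------------------------------------------------------------------------
echo    1. No Option
echo.
echo    2. Custom Option to save
echo.
echo    3. Statistics
echo.
echo    4. export
echo -------------------------------------------------------------------------------------------------
set Pcap_Analysis_Select=
set /p Pcap_Analysis_Select=(!) input num :
if "%Pcap_Analysis_Select%"=="/texit" (GOTO:Back_main)
if "%Pcap_Analysis_Select%"=="1" (GOTO:Pcap_1)
if "%Pcap_Analysis_Select%"=="2" (GOTO:Pcap_2)
if "%Pcap_Analysis_Select%"=="3" (GOTO:Pcap_3)
if "%Pcap_Analysis_Select%"=="4" (GOTO:Pcap_4)
:: Empty or unknown choice: redraw this menu (the original fell through into Pcap_1).
GOTO:Pcap_Menu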

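:: Run tshark on the file with no extra options; optionally write the packets out with -w.
:Pcap_1
set Pcap_Custom_yn=
set /p Pcap_Custom_yn=(!) are you want save?(Y/N)
if "%Pcap_Custom_yn%"=="/texit" (GOTO:Back_main)
:: /i makes the comparison case-insensitive, so one test covers Y and y.
if /i "%Pcap_Custom_yn%"=="Y" (GOTO:Pcapsave1)
if /i "%Pcap_Custom_yn%"=="N" (GOTO:Pcap1_print)
:: Anything else: ask again instead of silently falling into the save path.
GOTO:Pcap_1

:Pcapsave1
set Pcap_Save_Name=
set /p Pcap_Save_Name=(!) input name :
if not defined Pcap_Save_Name (GOTO:Pcapsave1)
if "%Pcap_Save_Name:"=%"=="/texit" (GOTO:Back_main)
:: Quoted so a name containing spaces stays one -w argument; user-typed quotes are stripped first.
set Psave=-w "%Pcap_Save_Name:"=%.pcap"
%Pcap_Default% %Psave%
GOTO SELECT

:Pcap1_print
%Pcap_Default%
GOTO SELECT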


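:: Analysis with user-supplied tshark options (for example a -Y filter with -T/-e fields);
:: optionally written out with -w.
:Pcap_2
echo -------------------------------------------------------------------------------------------------
echo    ex) http.request	tcp.request
echo    ex) -Y "tcp.port == 80 && ip.addr == 192.168.1.10"
echo    ex) -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri
echo -------------------------------------------------------------------------------------------------
:: Option_Str is spliced into the command line exactly as typed, so a filter containing spaces
:: must be quoted by the user, as in the examples above.
set Option_Str=
set /p Option_Str=(!) input Option :
if not defined Option_Str (GOTO:Pcap_2)
if "%Option_Str:"=%"=="/texit" (GOTO:Back_main)
:Pcap_2_save
set Pcap_Custom_yn=
set /p Pcap_Custom_yn=(!) are you want save?(Y/N)
if "%Pcap_Custom_yn%"=="/texit" (GOTO:Back_main)
:: /i makes the comparison case-insensitive, so one test covers Y and y.
if /i "%Pcap_Custom_yn%"=="Y" (GOTO:Pcapsave2)
if /i "%Pcap_Custom_yn%"=="N" (GOTO:Pcap2_print)
:: Anything else: ask again instead of silently falling into the save path.
GOTO:Pcap_2_save
:Pcapsave2
set Pcap_Save_Name=
set /p Pcap_Save_Name=(!) input name :
if not defined Pcap_Save_Name (GOTO:Pcapsave2)
if "%Pcap_Save_Name:"=%"=="/texit" (GOTO:Back_main)
:: Quoted so a name containing spaces stays one -w argument; user-typed quotes are stripped first.
set Psave=-w "%Pcap_Save_Name:"=%.pcap"
%Pcap_Default% %Option_Str% %Psave%
GOTO:SELECT

:Pcap2_print
%Pcap_Default% %Option_Str%
GOTO:SELECT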

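:: Statistics: runs "tshark -r file -q -z stat" for the chosen statistic and pauses so the
:: output can be read before the menu is shown again.
:Pcap_3
set pcap_op_text=
set Pcap_Option=
echo Select Print Type
echo -------------------------------------------------------------------------------------------------
echo    1. conv,eth        2. conv,ip         3. conv,tcp
echo.
echo    4. conv,udp        5. conv,wlan       6. conv,zbee_nwk
echo.
echo    7. endpoints,eth   8. endpoints,ip    9. endpoints,tcp
echo.
echo   10. endpoints,udp  11. endpoints,wlan 12. endpoints,zbee_nwk
echo.
echo   13. hosts          14. dns,tree       15. http,stat
echo.
echo   16. http,tree      17. http_req,tree  18. http_seq,tree
echo.
echo   19. ip_hosts,tree  20. ip_srcdst,tree  0. custom         
echo -------------------------------------------------------------------------------------------------
set /p Pcap_Option=(!) input num:
if "%Pcap_Option%"=="1" (set pcap_op_text=conv,eth)
if "%Pcap_Option%"=="2" (set pcap_op_text=conv,ip)
if "%Pcap_Option%"=="3" (set pcap_op_text=conv,tcp)
if "%Pcap_Option%"=="4" (set pcap_op_text=conv,udp)
if "%Pcap_Option%"=="5" (set pcap_op_text=conv,wlan)
if "%Pcap_Option%"=="6" (set pcap_op_text=conv,zbee_nwk)
if "%Pcap_Option%"=="7" (set pcap_op_text=endpoints,eth)
if "%Pcap_Option%"=="8" (set pcap_op_text=endpoints,ip)
if "%Pcap_Option%"=="9" (set pcap_op_text=endpoints,tcp)
if "%Pcap_Option%"=="10" (set pcap_op_text=endpoints,udp)
if "%Pcap_Option%"=="11" (set pcap_op_text=endpoints,wlan)
if "%Pcap_Option%"=="12" (set pcap_op_text=endpoints,zbee_nwk)
if "%Pcap_Option%"=="13" (set pcap_op_text=hosts)
if "%Pcap_Option%"=="14" (set pcap_op_text=dns,tree)
if "%Pcap_Option%"=="15" (set pcap_op_text=http,stat)
if "%Pcap_Option%"=="16" (set pcap_op_text=http,tree)
if "%Pcap_Option%"=="17" (set pcap_op_text=http_req,tree)
if "%Pcap_Option%"=="18" (set pcap_op_text=http_seq,tree)
if "%Pcap_Option%"=="19" (set pcap_op_text=ip_hosts,tree)
if "%Pcap_Option%"=="20" (set pcap_op_text=ip_srcdst,tree)
if "%Pcap_Option%"=="0" (GOTO:Pcap_Op_input)
if "%Pcap_Option%"=="/texit" (GOTO:Back_main)
:return_Pcap_op
:: Empty or unknown choice: redraw the menu instead of running -z with no (or a stale) argument.
if not defined pcap_op_text (GOTO:Pcap_3)
cls
%Pcap_Default% -qz %pcap_op_text%
pause
GOTO:Pcap_3
:Pcap_Op_input
:: Free-form -z argument, passed to tshark as typed.
set pcap_op_text=
set /p pcap_op_text=(!) input Option :
if not defined pcap_op_text (GOTO:return_Pcap_op)
if "%pcap_op_text:"=%"=="/texit" (GOTO:Back_main)
GOTO:return_Pcap_op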

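:: Export objects (files carried inside the capture) for one protocol into save_dir.
:: What lands in save_dir is content carved straight from the capture, so treat that directory
:: as untrusted data rather than opening the files with their associated applications.
:Pcap_4
set protocol=
set protocol_select=
echo -------------------------------------------------------------------------------------------------
echo    1. dicom
echo.
echo    2. ftp-data
echo.
echo    3. http
echo.
echo    4. imf
echo.
echo    5. smb
echo.
echo    6. tftp
echo -------------------------------------------------------------------------------------------------
set /p protocol_select=(!) protocol:
if "%protocol_select%"=="/texit" (GOTO:Back_main)
if "%protocol_select%"=="1" (set protocol=dicom)
:: Menu entry 2 reads "ftp-data"; the original stored "ftp_data", which does not match the menu.
:: NOTE(review): confirm the exporter name accepted by --export-objects on the installed tshark.
if "%protocol_select%"=="2" (set protocol=ftp-data)
if "%protocol_select%"=="3" (set protocol=http)
if "%protocol_select%"=="4" (set protocol=imf)
if "%protocol_select%"=="5" (set protocol=smb)
if "%protocol_select%"=="6" (set protocol=tftp)
:: Empty or unknown choice: redraw the menu instead of exporting with an empty or stale protocol.
if not defined protocol (GOTO:Pcap_4)
:Pcap_4_dir
set save_dir=
set /p save_dir=(!) save_dir:
if not defined save_dir (GOTO:Pcap_4_dir)
if "%save_dir:"=%"=="/texit" (GOTO:Back_main)
:: User-typed quotes are stripped; the path is quoted once below so directories with spaces work.
set save_dir=%save_dir:"=%
if not exist "%save_dir%" (mkdir "%save_dir%")
:: The whole "protocol,dir" value is quoted so the directory stays part of one argument.
set export_command=tshark -nr "%Pcap_PATH%" -q --export-objects "%protocol%,%save_dir%"
%export_command%
echo export complete
GOTO:SELECT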


::Custom(4)
:: Free-form mode: the typed line is handed to cmd and executed as-is. It is not restricted to
:: tshark, so it runs whatever the user enters with that user's rights. /thelp prints a cheat sheet.
:Custom
echo -------------------------------------------------------------------------------------------------
echo Custom command
echo -------------------------------------------------------------------------------------------------
echo /thelp : Mostly used commands
set /p custom_tshark=(!) input command : 
if "%custom_tshark%"=="/thelp" (GOTO:thelp)
if "%custom_tshark%"=="/texit" (GOTO:Back_main)
:: Execute the entered command line verbatim, then prompt again.
%custom_tshark%
GOTO:Custom
:: Cheat sheet shown for /thelp; returns to the command prompt above.
:thelp
echo -------------------------------------------------------------------------------------------------
echo tshark -h   (Check Command)
echo tshark -D   (Check NIC)
echo tshark -t a (Timestamp Print)
echo tshark -V   (pirnt detail info)
echo tshark -c   (limit capture count)
echo tshark -r   (packet file Analysis)
echo tshark -z   (print statistic info)
echo tshark -e   (print special info)
echo       ex) tshark -r example.pcap -Y http.request -T fields -e tcp.port
echo tshark -nr  (export to packet file)
echo       ex) tshark -nr test.pcap --export-objects smb,tmpfolder → export SMB stream file and save to tmpfolder
echo       ex) tshark -nr test.pcap --export-objects http,tmpfolder → export HTTP stream file and save to tmpfolder


GOTO:Custom
:: No GOTO in this file targets this label; the /texit keyword is handled through Back_main instead.
:texit
GOTO:SELECT


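::END (5)
:: Reached from the main menu's "5. END" choice.
:END
:: Ends the script and returns to the calling prompt with status 0. A bare "exit" would also close
:: the console window; the original "exit()" is not a documented form of cmd's exit command.
exit /b 0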

 
