0

show tcp streams which don't include string


Hello!

On an e-mail relay I get various requests from the same IP from which prtg (monitoring tool) also connects to check the health of the mail relay server. What I'm interested in is to find all tcp streams which do not contain the smtp.command_line string "EHLO Monitoring", so that I know if any clients actually connect to the mail relay to send emails. This works if I want to exclude the packages themselves: smtp.command_line != "EHLO Monitoring\x0d\x0a" The issue with this, of course, is that all the other packages belonging to that tcp stream are also shown. Mostly they contain the smtp "QUIT" command.

Actually, now, while writing this post, I realise that there aren't any other packages belonging to other streams, because the only packages that are being shown are those sending the "QUIT" command, so no hellos, which leads me to believe that no other clients connect to it.

In any case, I would still like to see if there's a possibility of excluding tcp stream altogether based on certain search criteria.

Thanks.

1
quas
asked 2021-01-28 12:14:14 +0000, updated 2021-01-28 13:26:31 +0000


2 Answers

0

Not directly; the display filter capabilities of Wireshark are "per-packet", i.e. is this packet to be displayed or not. There isn't a direct mechanism to say display this packet because of some condition in another packet.

MATE might be a possible solution as:

MATE's goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other.

You could also use tshark, some scripting and post-processing, e.g. run a first pass on the capture to only include SMTP frames with an EHLO but not the extra text, output the tcp stream numbers for those frames and use that to build a filter for a second pass on the capture to output those streams. Some ideas for this can be found in the SharkFest'18 presentation by @SYN-bit here.

23.8k
grahamb
answered 2021-01-28 13:50:09 +0000

0

You can split the filter into the two elements, command and parameter. That way you can see all "EHLO" command lines that do not use the parameter "Monitoring\x0d\x0a" by using the following filter:

smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"

If you want the full TCP sessions of these packets, you can use something like this in a bash shell:

tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(tshark -r in.pcap -Y 'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a" ' -T fields -e tcp.stream | xargs)}"

Drilled down:

  • tshark -r in.pcap -Y <filter> -T fields -e tcp.stream will print all the tcp.stream numbers of the packets that match the filter
  • the | xargs will create a list of these stream numbers, separated by spaces
  • and tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(<command>)}" takes the list of stream numbers and uses it as a filter to create a new file with the full TCP sessions
18.5k
SYN-bit
answered 2021-02-01 13:43:46 +0000
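Both answers above describe the same two-pass idea: collect the tcp.stream numbers of the packets that match a per-packet condition, then feed them back as a `tcp.stream in {...}` filter. The script below is an added example (not code from either answer or from the Wireshark project) that makes the stream-selection step a reusable shell function operating on tshark `-T fields` output, so the selection can be tested on constructed input without a capture file. It supports both the variant SYN-bit's answer gives (streams that contain an EHLO whose parameter is not the monitoring one) and what the question originally asked for (streams that contain no monitoring EHLO at all, which also keeps streams that only ever sent QUIT). Assumptions: the pass-1 field order shown in the comment, that the EHLO parameter may carry a trailing CR/LF which is stripped before comparison, and that the pattern is matched as a prefix of the parameter. The function names, the sample lines and the pcap file names are constructed for this example.

```shell
#!/bin/sh
# Two-pass "whole TCP stream" selection built around tshark field output.
#
# Pass-1 input format assumed here (one packet per line, tab separated):
#   frame.number  tcp.stream  smtp.req.command  smtp.req.parameter
# as produced by:
#   tshark -r in.pcap -Y smtp -T fields -E separator=/t \
#       -e frame.number -e tcp.stream -e smtp.req.command -e smtp.req.parameter

# streams_from_fields MODE PATTERN   (reads pass-1 lines on stdin)
#   MODE=with    : streams containing an EHLO/HELO whose parameter does NOT start with PATTERN
#   MODE=without : streams containing no EHLO/HELO whose parameter starts with PATTERN
# Prints the matching stream numbers, ascending, space separated.
streams_from_fields() {
  mode=$1
  pattern=$2
  awk -F '\t' -v mode="$mode" -v pattern="$pattern" '
    $2 == "" { next }                        # skip spurious lines (e.g. a CRLF split inside a value)
    {
      stream = $2; cmd = $3; param = $4
      sub(/[ \t\r]+$/, "", param)            # strip trailing CR / whitespace from the parameter
      all[stream] = 1
      if (cmd == "EHLO" || cmd == "HELO") {
        if (index(param, pattern) == 1) monitor[stream] = 1   # this is the monitoring probe
        else other[stream] = 1                                # a real client greeting
      }
    }
    END {
      for (s in all) {
        if (mode == "with" && (s in other)) print s
        else if (mode == "without" && !(s in monitor)) print s
      }
    }' | sort -n | xargs
}

# make_filter MODE PATTERN   (reads pass-1 lines on stdin)
# Wraps the stream list in a display filter; fails if nothing matched, because
# "tcp.stream in {}" is not a valid filter.
make_filter() {
  streams=$(streams_from_fields "$1" "$2")
  if [ -z "$streams" ]; then
    echo "no matching streams" >&2
    return 1
  fi
  printf 'tcp.stream in {%s}\n' "$streams"
}

# extract_streams MODE PATTERN IN.pcap OUT.pcap
# Runs both tshark passes; needs tshark installed and a real capture.
extract_streams() {
  filter=$(tshark -r "$3" -Y smtp -T fields -E separator=/t \
             -e frame.number -e tcp.stream -e smtp.req.command -e smtp.req.parameter \
           | make_filter "$1" "$2") || return 1
  tshark -r "$3" -w "$4" -Y "$filter"
}

# Constructed sample of pass-1 output (not from a real capture):
#   stream 0 is the monitoring probe, stream 1 is a real client, stream 2 only ever sent QUIT.
sample_fields() {
  printf '1\t0\tEHLO\tMonitoring\r\n'
  printf '2\t0\tQUIT\t\n'
  printf '3\t1\tEHLO\tmail.example.com\n'
  printf '4\t1\tMAIL\tFROM:<sender@example.com>\n'
  printf '5\t2\tQUIT\t\n'
}

# Demo on the constructed sample.
echo "streams with a non-monitoring EHLO:      $(sample_fields | make_filter with Monitoring)"
echo "streams without the monitoring EHLO:     $(sample_fields | make_filter without Monitoring)"
# Real use would be e.g.:  extract_streams with Monitoring in.pcap out.pcap
```

The `without` mode is the one that answers the question as originally posed: it keeps stream 2 (QUIT only, no greeting seen) because nothing in it identifies it as the monitor, which is exactly the kind of stream the per-packet filter in the question left on screen.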
