Dshell
阳宗清
[url]https://github.com/USArmyResearchLab/Dshell[/url]
(一)安装
1. 安装依赖
2. 把GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat移到/share/GeoIP/文件夹下
3. make
4. ./dshell
如果出现Dshell>,那么成功
(二)使用
[quote]1. decode -l
列举可使用的decoder和他们的基本信息
2. decode -h
大部分decoder的共同信息
3. decode -d <decoder>
显示一个decoder的信息
4. decode -d <decoder> <pcap>
在指定的pcap上运行decoder[/quote]
(三)使用例子
显示DNS查询,样本[url]http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted[/url]
[quote]
[color=blue]Dshell> decode -d dns ~/pcap/dns.cap[/color]
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.8:32796 <- 192.168.170.20:53 ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
[/quote]
汇集一个通信流
[quote]
[color=blue]Dshell> decode -d followstream ~/pcap/v6-http.cap[/color]
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)
GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b
HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a> 06-Jul-2007 14:31 -
<img src="/icons/layout.gif" alt="[ ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..></a> 19-Dec-2006 03:17 291K
<img src="/icons/unknown.gif" alt="[ ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a> 28-Dec-2006 03:46 0
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a> 31-Jul-2007 02:21 44K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a> 30-Dec-2006 08:59 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a> 28-Jun-2007 00:04 -
<img src="/icons/layout.gif" alt="[ ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..></a> 28-Dec-2006 03:48 236K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a> 19-Sep-2006 01:43 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a> 06-Dec-2006 09:00 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a> 03-Jul-2007 11:57 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a> 04-Jul-2007 08:56 -
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..></a> 21-Mar-2007 23:27 31K
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..></a> 21-Mar-2007 23:29 36K
<img src="/icons/layout.gif" alt="[ ]"> <a href="pruef.pdf">pruef.pdf</a> 28-Dec-2006 07:48 88K
<hr></pre>
</body></html>
[/quote]
连接decoder来查询国家的code
[quote]
Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 19:32:20.651502 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33436 1 0 36 0 0.0000s
2006-08-25 19:32:20.766761 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33438 1 0 36 0 0.0000s
2006-08-25 19:32:20.634046 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33435 1 0 36 0 0.0000s
2006-08-25 19:32:20.747503 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33437 1 0 36 0 0.0000s
[/quote]
收集vlan头,然后追踪一个指定的IP
[quote]
[color=blue]Dshell> decode -d netflow ~/pcap/vlan.cap[/color]
1999-11-05 18:20:43.170500 131.151.20.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:42.063074 131.151.32.71 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
1999-11-05 18:20:43.096540 131.151.1.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.079765 131.151.5.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:41.521798 131.151.104.96 -> 131.151.107.255 (US -> US) UDP 137 137 3 0 150 0 1.5020s
1999-11-05 18:20:43.087010 131.151.6.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.368210 131.151.111.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.250410 131.151.32.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.115330 131.151.10.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.375145 131.151.115.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.363348 131.151.107.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:40.112031 131.151.5.55 -> 131.151.5.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
1999-11-05 18:20:43.183825 131.151.32.79 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
[/quote]
(一)安装
1. 安装依赖
sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
sudo pip install pygeoip2. 把GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat移到/share/GeoIP/文件夹下
3. make
4. ./dshell
如果出现Dshell>,那么成功
(二)使用
[quote]1. decode -l
列举可使用的decoder和他们的基本信息
2. decode -h
大部分decoder的共同信息
3. decode -d <decoder>
显示一个decoder的信息
4. decode -d <decoder> <pcap>
在指定的pcap上运行decoder[/quote]
(三)使用例子
显示DNS查询,样本[url]http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted[/url]
[quote]
[color=blue]Dshell> decode -d dns ~/pcap/dns.cap[/color]
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 36275 AAAA? www.google.com / CNAME: www.l.google.com **
dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 9837 AAAA? www.example.notginh / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.8:32796 <- 192.168.170.20:53 ** 23123 PTR? 127.0.0.1 / PTR: localhost **
dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN **
dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN **
[/quote]
汇集一个通信流
[quote]
[color=blue]Dshell> decode -d followstream ~/pcap/v6-http.cap[/color]
Connection 1 (TCP)
Start: 2007-08-05 19:16:44.189852 UTC
End: 2007-08-05 19:16:44.204687 UTC
2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes)
2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes)
GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b
HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a> <a href="?C=D;O=A">Description</a><hr><img src="/icons/folder.gif" alt="[DIR]"> <a href="202-vorbereitung/">202-vorbereitung/</a> 06-Jul-2007 14:31 -
<img src="/icons/layout.gif" alt="[ ]"> <a href="Efficient_Video_on_demand_over_Multicast.pdf">Efficient_Video_on_d..></a> 19-Dec-2006 03:17 291K
<img src="/icons/unknown.gif" alt="[ ]"> <a href="Welcome%20Stranger!!!">Welcome Stranger!!!</a> 28-Dec-2006 03:46 0
<img src="/icons/text.gif" alt="[TXT]"> <a href="barschel.htm">barschel.htm</a> 31-Jul-2007 02:21 44K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="bnd/">bnd/</a> 30-Dec-2006 08:59 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="cia/">cia/</a> 28-Jun-2007 00:04 -
<img src="/icons/layout.gif" alt="[ ]"> <a href="cisco_ccna_640-801_command_reference_guide.pdf">cisco_ccna_640-801_c..></a> 28-Dec-2006 03:48 236K
<img src="/icons/folder.gif" alt="[DIR]"> <a href="doc/">doc/</a> 19-Sep-2006 01:43 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="freenetproto/">freenetproto/</a> 06-Dec-2006 09:00 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="korrupt/">korrupt/</a> 03-Jul-2007 11:57 -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="mp3_technosets/">mp3_technosets/</a> 04-Jul-2007 08:56 -
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz.htm">neues_von_rainald_go..></a> 21-Mar-2007 23:27 31K
<img src="/icons/text.gif" alt="[TXT]"> <a href="neues_von_rainald_goetz0.htm">neues_von_rainald_go..></a> 21-Mar-2007 23:29 36K
<img src="/icons/layout.gif" alt="[ ]"> <a href="pruef.pdf">pruef.pdf</a> 28-Dec-2006 07:48 88K
<hr></pre>
</body></html>
[/quote]
连接decoder来查询国家的code
[quote]
Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 19:32:20.651502 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33436 1 0 36 0 0.0000s
2006-08-25 19:32:20.766761 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33438 1 0 36 0 0.0000s
2006-08-25 19:32:20.634046 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33435 1 0 36 0 0.0000s
2006-08-25 19:32:20.747503 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33437 1 0 36 0 0.0000s
[/quote]
收集vlan头,然后追踪一个指定的IP
[quote]
[color=blue]Dshell> decode -d netflow ~/pcap/vlan.cap[/color]
1999-11-05 18:20:43.170500 131.151.20.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:42.063074 131.151.32.71 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
1999-11-05 18:20:43.096540 131.151.1.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.079765 131.151.5.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:41.521798 131.151.104.96 -> 131.151.107.255 (US -> US) UDP 137 137 3 0 150 0 1.5020s
1999-11-05 18:20:43.087010 131.151.6.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.368210 131.151.111.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.250410 131.151.32.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.115330 131.151.10.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.375145 131.151.115.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:43.363348 131.151.107.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s
1999-11-05 18:20:40.112031 131.151.5.55 -> 131.151.5.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
1999-11-05 18:20:43.183825 131.151.32.79 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s
[/quote]
类似资料: