I'm trying to extract PCAP using Tshark tool. Is there any way to get the file information like source and destination IP, source and destination port and timestamp of each file extracted from the Tshark?
For example.
I'm extracting file sample.pcap with command for http :
tshark -q -r sample.pcap --export-objects 'http,tshark_extract_directory'
Following files are generated,
%2f
gSEUozajoHorzUcfwjgep5-0HOV5tn4pzQS8exfGPXFOBGBQWrEcD1wKpJQk2T59
3h251q2c35
qxrWmriaPVb2cBLwxw1uR_EEnOuZR9mgVr3ReB3-1yiVm9H15-VbU3vylDw4RGW3
d2a42e1f7d9a1021bd7d93af414c95c4(1).php%3fq=70a9b40eb73da11445c3a3609c8241d9'
RSBbr6XDxZwv-i2lhZFras66SJRIL5vez28iuddGQjo94jue4fGqpAN9QPAW_yPY
d2a42e1f7d9a1021bd7d93af414c95c4.php%3fq=70a9b40eb73da11445c3a3609c8241d9'
xEztiZ7NM12Vj9c2RTB_MT0UEYH_re0UqLWZq_vBhBZGq0KGVP1BTVXxVeSy3Veo
d6bc1dc7da4ed54a62b93b5d0f1cc40c.swf
Extracted files seems to have no proper naming and even if I look inside the files, I can hardly find the information I needed.
Is it possible to get the source and destination ip or port for eg '3h251q2c35' file? If possible how?
You can use -T & -e option which can extract individual fields from the pcap file
Example with -Tjson
tshark -r <pcap_file> -Y <filter> -Tjson -e ipv6.src -e ipv6.dst -e tcp.srcport -e tcp.dstport -e frame.time
You should get something like
[
{
"_index": "packets-2019-08-12",
"_type": "pcap_file",
"_score": null,
"_source": {
"layers": {
"ipv6.src": [
"xxxxxx"
],
"ipv6.dst": [
"xxxxxx"
],
"tcp.srcport": [
"1"
],
"tcp.dstport": [
"2"
],
"frame.time": [
"<time>"
]
}
}
}
]
Hope that helps!
Related
What I do:
RESPONSE_TEMPLATES=$(curl "https://maydomain.com/test)
I get back JSON which looks like this:
{
"templateId": "test",
"id": 1621030
}
{
"templateId": "test1",
"id": 5014
}
{
"templateId": "test3",
"id": 5015
}
echo $(${RESPONSE_TEMPLATES} | jq -r '.[]'| {templateId,id}')
Problem is that I always get error: [{"id":1386084,"templateId":"test: command not found
I do not know how I should write 3 steps so that it will display this as a string and not use after ""test: " as command.
With your shown samples please try following jq code. Using -r option to enable raw-mode option of jq then in main block using select function to check if component .templateId is test if yes then print its related id component value.
echo "${RESPONSE_TEMPLATES}" | jq -r 'select(.templateId=="test").id'
I'm new to scripting in bash and would like to retrieve all user names of a Linux system along with their home directories. Each username got to be in a single line.
Is this is the best way to do this? or is there any better way?
#! /bin/bash
# list all users accounts using the /etc/passwd file
cat /etc/passwd | awk -F: '{print $1," ",$6}'
I ask you kindly to advise
As #chepner commented, awk -F: '{print $1," ",$6}' /etc/passwd is better.
You can try the following :
wget https://raw.githubusercontent.com/mbareck7/python_journey/main/nakerah/milestone00.py
cp /etc/passwd milestone_00.txt
python3 milestone00.py
It's a a python script which takes as input /etc/password file, and return a JSON list as bellow.
[
{
"user_name": "root",
"user_id": "0",
"home_dir": "/root",
"login_shell": "/bin/bash",
"normal_user": false
},
{
"user_name": "daemon",
"user_id": "1",
"home_dir": "/usr/sbin",
"login_shell": "/usr/sbin/nologin",
"normal_user": false
},......
.........
]
I have automated a image build process in a cloud environment using packer tool.
It installs lot of tools and applies lot of patches using linux path tool.
Everything is working as expected when doing manually. But with packer automation I'm facing one issue with apllying patch.
There is a config file at /etc/myprogram/myconfig.cfg.
I'm running patch like this.
pushd /etc/myprogram
patch -p 0 < myconfig.cfg.patch
Patch is applying successfully when running manually. But with packer that target file is becoming empty.
But in stdout of packer build i can see output like 2 hunks applied.
What cloud be the issue ? Please some suggestions to debug this.
packer build base.json
base.json
{
"builders": [
{
"flavor": "general1-8",
"image_name": "Havell Build {{ timestamp }}",
"source_image": "d944e490-f615-49a5-97f7-b80a8b0398d4",
"ssh_keypair_name": "packer-manual",
"ssh_private_key_file": "packer-manual.key",
"ssh_username": "root",
"type": "openstack"
}
],
"provisioners": [
{ "type": "shell",
"inline": "mkdir -p /tmp/patches/"
},
{
"type": "file",
"source": "patches/",
"destination": "/tmp/patches/"
},
{
"script": "apply_patches.sh",
"type": "shell"
}
]
}
apply_patches.sh
#!/bin/bash
set -ex
echo "*********************before************************"
echo "***************************************************"
cat /etc/myprogram/myconfig.cfg
echo "***************************************************"
echo "***************************************************"
pushd /etc/myprogram
patch -p 0 < myconfig.cfg.patch
echo "***********************after***********************"
echo "***************************************************"
cat /etc/myprogram/myconfig.cfg
echo "***************************************************"
echo "***************************************************"
exit 0
Change your script to read:
pushd /etc/myprogram
patch -p 0 < /tmp/patches/myconfig.cfg.patch
Echo Nest API is supposed to be 100% compatible with Spotify ID's, but I am unable to create an Echo Nest Taste Profile based on Spotify Track ID's.
I've tried the following:
create the Taste Profile
curl -F "api_key={api_key}" -F "type=song" -F "name=spotify-tracks" "http://developer.echonest.com/api/v4/catalog/create"
update the profile with json file containing tracks and their Spotify ID's
curl -X POST "http://developer.echonest.com/api/v4/tasteprofile/update" -F "api_key={api_key}" -F "id={taste_profile_id}" -F "data=#/spotify-tracks.json"
Here are the contents of spotify-tracks.json (just one track for testing):
[
{
"action": "update",
"item":
{
"item_id": "1",
"track_id": "spotify:track:3HWxpLKnTlz6jE3Vi5dTF2"
}
}
]
But, when I check the update status it can't ever resolve the track:
{
"response": {
"items_updated": 1,
"percent_complete": 100.0,
"status": {
"code": 0,
"message": "Success",
"version": "4.2"
},
"ticket_status": "complete",
"total_items": 1,
"update_info": [
{
"info": "couldn't resolve item",
"item_id": "1"
}
]
}
}
I've tried a number of different ways including using 'song_id' or 'item_id' rather than 'track_id' in the json input file, creating a 'general' Taste Profile rather than 'song' Taste Profile, using different Spotify tracks, and a couple other variations to no avail.
Without the ability to use Spotify Id's I would have to query each track individually to get the ENID, so I'm hoping I'm just missing something here.
OK, the answer is yes. The problem was with the format of my JSON input file. I should have used just the Spotify track ID for the value, not the full URI. Also, I needed to use "song_id" rather than "track_id" for the key to have it resolve to an EN Song instead of an EN Track. Like this:
[
{
"action": "update",
"item":
{
"item_id": "1",
"song_id": "SOEGJUJ12AF729D40A"
}
}
]
This isn't super clear in the Echo Nest documentation, but I probably should have tried this out originally.
I'm trying to write script in bash, for AWS Autoscaling Group. That means even if instance is terminated, Autoscaling Group reinstall instance and all packages from tags by Package name and Value Package number.
Here is LaunchConfiguration group from AWS Cloudformation template:
"WorkerLC": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"ImageId": {"Ref" : "SomeAMI"},
"InstanceType" : "m3.medium",
"SecurityGroups" : [{"Ref": "SecurityGroup"}],
"UserData" : {
"Fn::Base64": {
"Fn::Join": [ "", [
{"Fn::Join": ["", ["Engine=", {"Ref": "Env"},".app.net"," \n"]]},
{"Fn::Join": ["", [
"#!/bin/bash\n",
"cd /app/\n",
"./worker-install-package.sh"
]]}
]]
}
}
}
}
And I want to take from tags of AutoscalingGroup like that:
"Worker": {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"LaunchConfigurationName": {"Ref": "Worker"},
"LoadBalancerNames": [{"Ref": "WorkerELB"}],
"AvailabilityZones": {"Ref": "AZs"},
"MinSize" : "1",
"MaxSize" : "1",
"HealthCheckGracePeriod": 300,
"Tags" : [
{"Key": "WorkersScalingGroup", "Value": {"Fn::Join": ["", ["Offering-", {"Ref": "Env"} "-Worker-1"]]}, "PropagateAtLaunch": true},
{"Key": "EIP", "Value": {"Ref": "WorkerIP"}, "PropagateAtLaunch": true},
{"Key": "Environment", "Value": {"Ref": "Env"}, "PropagateAtLaunch": true}
]
}
}
So, now is hard part. Now I tried to find in Userdata tags with text "worker". Because I have couple types of instances and each one comes with other couple packages.
It first time when I wrote something in bash.
Here is worker-install-package.sh:
#read tag for the installed package
EC2_REGION='us-east-1'
AWS_ACCESS_KEY='xxxxx'
AWS_SECRET_ACCESS_KEY='xxxxxxxxxxxxxxxxxx'
InstanceID=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id`
PackageName=`/opt/aws/apitools/ec2/bin/ec2-describe-tags -O $AWS_ACCESS_KEY -W $AWS_SECRET_ACCESS_KEY --filter resource-id=$InstanceID --filter key='worker' | cut -f5`
while read line
if [ "$PackageNmae" = "worker" ]; then
sudo -- sh -c "./install-package.sh ${PackageName} ${Value}"
/opt/aws/apitools/ec2/bin/ec2-create-tags $InstanceID -O $AWS_ACCESS_KEY -W $AWS_SECRET_ACCESS_KEY --tag "worker-${PackageName}"=$Value
fi
done
I have two questions. First, if I'm doing that in right way. And second, is How I can take value of package name value(it some number of package version)?
Thanks!
First of all, as a best practice don't include your AWS keys in your script. Instead attach a role to your instance at launch (this can be done in the launch configuration of your autoscaling group).
Secondly, what you do is one way to go, and it can definitely work. Another way (proper but slightly more complex) to achieve this would be to use a tool like puppet or AWS opsworks.
However, I don't really get what you are doing in your script, which seem overcomplicated for this purpose: why don't you include your package name in your userdata script? If this is only a matter of agility when it comes to change/update the script, you can outsource this script to an S3 bucket and have the instances download / execute it at creation time. This way you don't need to read from the tags.
That been said, and more as a comment, if you do want to remain reading tags, then I don't really understand you script. If you do need help on the script, please provide more details in that sense (e.g debug samples etc):
when you evaluate PackageName, does this work?
PackageName=`/opt/aws/apitools/ec2/bin/ec2-describe-tags -O $AWS_ACCESS_KEY -W $AWS_SECRET_ACCESS_KEY --filter resource-id=$InstanceID --filter key='worker' | cut -f5`
not sure why you filter with "key=worker", and not "WorkersScalingGroup"
Then you call the below if condition:
if [ "$PackageNmae" = "worker" ]; then
(I assume there is typo here, and should be PackageName) and right below you call:
"worker-${PackageName}"
which would give "worker-worker"?