Wireshark-users: Re: [Wireshark-users] TShark -T fields and kerberos decryption
From: Nicolas BONNAND <nbonnand@xxxxxxx>
Date: Fri, 18 Sep 2009 17:15:36 +0200
Hi,

I'm facing the same problem as Guy.

What I need:
-------------------
To write a perl script that uses tshark output to retrieve client name principals in kerberos AS-REQ packets in order to make stats and early detect password attacks. This script triggers an alarm if too many password attempts come from the same host. In this case, I want to be informed what principal name was used.

I have:
-----------------------
- capture file with thousands of Kerberos AS-REQ packets.
- tshark 1.2.2
- perl
- linux

What I would like:
------------------------------
To have a tshark 3 columns output with: ipsource, ipdest and clientnameprincipal
( This output will be processed by a perl script. )

What my problem is:
------------------------------
When using tshark -T fields -e 'ip.src' -e 'ip.dst' -e 'kerberos.name_string', it seems unfortunately that server name is displayed rather than client name principal.

When I analyze my capture file with wireshark, I can see hundreds of client name principals. When I analyze my capture file with tshark -T fields -e 'kerberos.name_string', I can see none of them and get server names and realms instead ... :-(

I'm only able to see client name principals:
a) while using tshark -V but I don't want that option because it's far too verbose.
b) while using tshark -T fields -e 'kerberos.name_string' -w outputfile but client name principals are lost among binary stuff in outputfile
In both cases a) and b) output data is not simple to parse.

By the way, in wireshark, whether I select "Kerberos AS_REQ/KDC_REQ_BODY / Server Name / Name" or "Kerberos AS_REQ/KDC_REQ_BODY/Client Name Principal/Name" and then I click on "apply as filter": I can see that the filter has exactly the same name "kerberos.name_string" !!! As far as I understand, kerberos.name_string is not related to a particular field in the kerberos part, it simply means: match whatever string wherever it is in the kerberos part.

My question is
--------------------
What is the most correct way, and what are the right tshark arguments to use in order to catch client name principals with tshark ?
Is it possible to use some syntax looking like tshark -T fields -e 'kerberos[x:y]' to display only y bytes starting from byte x in the kerberos part of the packet ?
Regards
Nicolas BONNAND

> From: j.snelders@xxxxxxxxxx
> Date: Sun, 19 Jul 2009 20:10:25 +0200
>
> Hi Guy,
>
> Are you looking for this:
>
> $ tshark -r dc3-dc4_Stream_8364.pcap -T fields -e kerberos.name_string | sort | uniq
>
> Output:
> Administrator
> added key in 4
> added key in 5
> woohoo decrypted keytype:23 in frame:4
> woohoo decrypted keytype:23 in frame:5
>
> HTH
> Joan
>
> On Sun, 19 Jul 2009 11:32:56 +0200 Guy Shtub wrote:
> > Hi,
> > I'm using TShark to capture SMB packets, using the "-T fields" flag to get specific fields of the packets that interest me. I'm able to decrypt kerberos (krb5) using a keytab file. I can not find a way to get the decrypted Client Name (Principal) when using the -T fields option. If I run TShark in verbose mode -V I can get the client name. If I run it with -x mode to display all bytes, I get all the bytes encrypted followed by all the bytes decrypted. Is there a way to get just the client name field decrypted with the -T fields option?
> > Regards,
> > Guy.
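The alarm step Nicolas describes (count AS-REQ attempts per source host and flag hosts past a threshold, keeping the principal names seen) as an added example, not code from the thread, written in Python instead of the perl he planned. It consumes the three-column tshark -T fields output discussed above; the sample lines, addresses, names and threshold are constructed, and it assumes tshark joins repeated values of one field with commas (its default aggregator). Because kerberos.name_string matches every name string in the Kerberos layer, the reported set mixes client and server names, exactly the limitation the thread is about.

```python
from collections import defaultdict

# Constructed sample of "tshark -T fields -e ip.src -e ip.dst -e kerberos.name_string"
# output: tab-separated columns, repeated name_string values joined by commas.
# Addresses and principal names are invented for this example.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\t10.0.0.1\talice,krbtgt,EXAMPLE.COM
10.0.0.5\t10.0.0.1\talice,krbtgt,EXAMPLE.COM
10.0.0.5\t10.0.0.1\talice,krbtgt,EXAMPLE.COM
10.0.0.5\t10.0.0.1\tbob,krbtgt,EXAMPLE.COM
10.0.0.7\t10.0.0.1\tcarol,krbtgt,EXAMPLE.COM
10.0.0.9\t10.0.0.1\t
"""


def parse_fields_output(text):
    """Yield (src, dst, names) per line. names is the list of non-empty
    kerberos.name_string values; it may mix client and server names because
    the field matches every name string in the Kerberos layer."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (3 - len(cols))  # tolerate a missing trailing column
        src, dst, raw = cols[0], cols[1], cols[2]
        names = [n for n in raw.split(",") if n]
        yield src, dst, names


def count_as_req_by_source(text, threshold):
    """Count AS-REQ lines per source address and return the hosts that exceed
    the threshold, each mapped to (count, sorted name strings seen)."""
    counts = defaultdict(int)
    names_by_src = defaultdict(set)
    for src, _dst, names in parse_fields_output(text):
        counts[src] += 1
        names_by_src[src].update(names)
    return {src: (n, sorted(names_by_src[src]))
            for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for src, (n, names) in count_as_req_by_source(SAMPLE_TSHARK_OUTPUT, 3).items():
        print(f"ALARM: {n} AS-REQ from {src}; name strings seen: {names}")
```

Feed it real data with `tshark -r file.pcap -T fields -e ip.src -e ip.dst -e kerberos.name_string` piped to the script's stdin in place of the constructed sample.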
