Wireshark Analyser
This page runs Tshark with a given Pcap file and a defined filter. First select your Wireshark trace:
Trace name: /log/hydra_ftp.zip
Tshark Output
Click here for the Pcap file. The Tshark output is:
c:\program files\wireshark\tshark.exe -Y "tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==0" -r hydra_ftp.pcap
1 0.000000 192.168.75.1 → 192.168.75.132 TCP 74 18157 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457661 TSecr=0
5 0.015974 192.168.75.1 → 192.168.75.132 TCP 74 18158 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457662 TSecr=0
9 0.023855 192.168.75.1 → 192.168.75.132 TCP 74 18159 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457663 TSecr=0
13 0.024718 192.168.75.1 → 192.168.75.132 TCP 74 18160 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457663 TSecr=0
16 0.025483 192.168.75.1 → 192.168.75.132 TCP 74 18161 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457663 TSecr=0
20 0.026456 192.168.75.1 → 192.168.75.132 TCP 74 18162 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457663 TSecr=0
24 0.027526 192.168.75.1 → 192.168.75.132 TCP 74 18163 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457663 TSecr=0
27 0.028390 192.168.75.1 → 192.168.75.132 TCP 74 18164 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457664 TSecr=0
33 0.040104 192.168.75.1 → 192.168.75.132 TCP 74 18165 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457665 TSecr=0
34 0.040903 192.168.75.1 → 192.168.75.132 TCP 74 18166 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457665 TSecr=0
35 0.041592 192.168.75.1 → 192.168.75.132 TCP 74 18167 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457665 TSecr=0
36 0.043101 192.168.75.1 → 192.168.75.132 TCP 74 18169 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457665 TSecr=0
37 0.043783 192.168.75.1 → 192.168.75.132 TCP 74 18170 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457665 TSecr=0
53 0.050571 192.168.75.1 → 192.168.75.132 TCP 74 18168 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457666 TSecr=0
54 0.051163 192.168.75.1 → 192.168.75.132 TCP 74 18171 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457666 TSecr=0
61 0.057815 192.168.75.1 → 192.168.75.132 TCP 74 18172 → 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1 TSval=7457666 TSecr=0
Rules file
tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==0
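Counting the bare SYNs that this filter isolates is a simple way to spot a password-guessing burst like the one in the trace. The sketch below is an added example, not part of the original page: it parses tshark summary lines and reports source/destination pairs whose peak rate of new connections to port 21 reaches a threshold. The sample lines, the one-second window and the threshold of 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in tshark's one-line summary format: six SYNs modelled on
# the trace above, one SYN/ACK reply, and two SYNs from a made-up client.
SAMPLE = """\
1 0.000000 192.168.75.1 → 192.168.75.132 TCP 74 18157 → 21 [SYN] Seq=0 Win=8192 Len=0
2 0.000350 192.168.75.132 → 192.168.75.1 TCP 74 21 → 18157 [SYN, ACK] Seq=0 Ack=1 Len=0
5 0.015974 192.168.75.1 → 192.168.75.132 TCP 74 18158 → 21 [SYN] Seq=0 Win=8192 Len=0
9 0.023855 192.168.75.1 → 192.168.75.132 TCP 74 18159 → 21 [SYN] Seq=0 Win=8192 Len=0
13 0.024718 192.168.75.1 → 192.168.75.132 TCP 74 18160 → 21 [SYN] Seq=0 Win=8192 Len=0
16 0.025483 192.168.75.1 → 192.168.75.132 TCP 74 18161 → 21 [SYN] Seq=0 Win=8192 Len=0
20 0.026456 192.168.75.1 → 192.168.75.132 TCP 74 18162 → 21 [SYN] Seq=0 Win=8192 Len=0
40 0.500000 192.168.75.20 → 192.168.75.132 TCP 74 40001 → 21 [SYN] Seq=0 Win=8192 Len=0
90 30.200000 192.168.75.20 → 192.168.75.132 TCP 74 40002 → 21 [SYN] Seq=0 Win=8192 Len=0
"""

# frame, time, src, arrow, dst, "TCP", length, sport, arrow, dport, "[SYN]" only
LINE = re.compile(
    r"^\s*\d+\s+(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+TCP\s+\d+\s+\d+\s+(?:→|->)\s+(?P<dport>\d+)\s+\[SYN\]"
)

def parse_syns(text):
    """Yield (time, src, dst, dport) for each bare-SYN summary line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield float(m["t"]), m["src"], m["dst"], int(m["dport"])

def flag_bursts(text, dport=21, window=1.0, threshold=5):
    """Map (src, dst) to its peak SYN count in any `window` seconds, if >= threshold."""
    times = defaultdict(list)
    for t, src, dst, port in parse_syns(text):
        if port == dport:
            times[(src, dst)].append(t)
    flagged = {}
    for pair, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged
```

Piping the real tshark output for the filter above into `flag_bursts` gives the same view for a full capture; the threshold should be tuned to what normal FTP clients on the network actually do.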
Examples
The following examples use Wireshark display filters:
- PNG Filter: http contains "\x89\x50\x4E\x47". Trace with a PNG and PNG filter: Test. Pcap
- PDF Filter: http contains "%PDF". Trace with a PDF and PDF filter: Test. Pcap
- GIF Filter: http contains "GIF89a". Trace with a GIF and GIF filter: Test. Pcap
- ZIP Filter: http contains "\x50\x4B\x03\x04". Trace with a ZIP and ZIP filter: Test. Pcap
- JPEG Filter: http contains "\xff\xd8". Trace with a JPEG and JPEG filter: Test. Pcap
- MP3 Filter: http contains "\x49\x44\x33". Trace with an MP3 and MP3 filter: Test. Pcap
- RAR Filter: http contains "\x52\x61\x72\x21\x1A\x07\x00". Trace with a RAR and RAR filter: Test. Pcap
- AVI Filter: http contains "\x52\x49\x46\x46". Trace with an AVI and AVI filter: Test. Pcap
- SWF Filter: http contains "\x46\x57\x53". Trace with a SWF and SWF filter: Test. Pcap
- GZip Filter: http contains "\x1F\x8B\x08". Trace with a GZIP and GZIP filter: Test. Pcap
- Email address Filter: smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]". Trace with an email and Email regex filter: Test. Pcap
- IP address Filter: http matches "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}". Trace with HTTP traffic and IP address regex filter: Test. Pcap
- Credit card details (Mastercard) Filter: smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Mastercard regex filter: Test. Pcap
- Credit card details (Visa) Filter: smtp matches "4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Visa regex filter: Test. Pcap
- Credit card details (Am Ex) Filter: smtp matches "3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}". Trace with an email and Am Ex regex filter: Test. Pcap
- Domain name Filter: http matches "[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)". Trace with an email and Email regex filter: Test. Pcap
- FTP User/Password Crack Filter: ftp contains "530 User". Trace with FTP Hydra and 530 filter: Test. Pcap
- FTP Login Filter: tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1. Trace with FTP Hydra and SYN/Port 21 filter: Test. Pcap
- Telnet Login Filter: tcp.port==23 && tcp.flags.syn==0 && tcp.flags.ack==0. Trace with Telnet Hydra and SYN/Port 23 filter: Test. Pcap
- Telnet Login Filter: telnet contains "login": Test. Pcap
- Telnet Login Filter: telnet contains "Failed": Test. Pcap
- Hping DoS Filter: tcp.flags.syn==1 && tcp.flags.ack==0. Trace with Hping and SYN flag filter: Test. Pcap