1

I need to analyze the IPSec packages from this command in real time:

sudo tshark -i <My_Interface> -Y '(ip.addr == <My_IP>)'

I need to check whether an isakmp package is sent to set a variable as true. I can't wait until the whole sniffing process is finished to be able to read it from a pcap file!

Maf
  • 134

2 Answers

1

After some workarounds, we have a solution:

while IFS= read -r line; do if [[ $line =~ 'ISAKMP' ]]; then echo "$line"; fi; done < <(sudo tshark -i <My_Interface>)

Instead of this simple string 'ISAKMP' we can check anything else. The echo command may be any other command (setting an environment variable, etc.).

Maf
  • 134
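As an added example, not part of the answer above, the same read loop is packaged into functions so it can be run offline: `sample_capture` emits a few constructed lines in the shape of tshark's one-line packet summaries, `watch_for` stops the loop on the first match and sets a shell variable, and `count_matches` tallies matches. The function and variable names (`sample_capture`, `watch_for`, `count_matches`, `ISAKMP_SEEN`) are chosen here and are not tshark's; in real use the producer is the tshark command from the question.

```bash
#!/usr/bin/env bash
# Added example: react to a matching line from a live capture stream
# without waiting for the capture to end. The producer is a stub so the
# script runs offline; replace `sample_capture` with
#   sudo tshark -l -i <My_Interface> -Y 'ip.addr == <My_IP>'
# for real traffic (-l flushes tshark's output after every packet, which
# matters because stdout is block-buffered when it is not a terminal).

# Constructed sample lines (not a real capture) in tshark summary format.
sample_capture() {
    cat <<'EOF'
    1 0.000000000 192.0.2.10 -> 198.51.100.5 TCP 74 443 -> 51234 [SYN]
    2 0.001023100 192.0.2.10 -> 198.51.100.5 ISAKMP 222 Identity Protection (Main Mode)
    3 0.002000000 198.51.100.5 -> 192.0.2.10 ISAKMP 214 Identity Protection (Main Mode)
EOF
}

# watch_for PATTERN [MAX_MATCHES]
# Reads lines from stdin. On the first line containing PATTERN it sets
# ISAKMP_SEEN=1; after MAX_MATCHES matches (default 1) it returns 0 so the
# loop ends as soon as the condition holds. Returns 1 if stdin closes first.
watch_for() {
    local pattern=$1 limit=${2:-1} count=0 line
    ISAKMP_SEEN=0
    while IFS= read -r line; do
        case $line in
            *"$pattern"*)
                ISAKMP_SEEN=1
                count=$((count + 1))
                printf 'match: %s\n' "$line"
                if [ "$count" -ge "$limit" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# count_matches PATTERN
# Reads all of stdin and prints how many lines contain PATTERN.
count_matches() {
    local pattern=$1 n=0 line
    while IFS= read -r line; do
        case $line in *"$pattern"*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Process substitution keeps the loop in the current shell, so ISAKMP_SEEN
# is visible afterwards. A pipe (sample_capture | watch_for ISAKMP) would
# run the loop in a subshell and the variable would be lost.
watch_for ISAKMP < <(sample_capture)
printf 'ISAKMP_SEEN=%s\n' "$ISAKMP_SEEN"
```

The `< <(...)` form from the answer is what makes the variable assignment usable after the loop; piping tshark into `while read` would set the variable only inside a subshell. With a live capture, also pass `-l` to tshark so each packet summary is flushed immediately instead of sitting in a 4 KiB buffer.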
1

You might also want to look into the netsniff-ng package in apt. It is a packet sniffing toolkit specifically built for Linux networks.

It works great for things like analyzing signals of pci / usb devices that do not follow their respective data protocols, in order to write custom drivers.

The following is a list of included tools, including descriptions, obtained from the output of apt info netsniff-ng:

  • netsniff-ng: a zero-copy packet analyzer, pcap capturing/replaying tool
  • trafgen: a multithreaded low-level zero-copy network packet generator
  • mausezahn: high-level packet generator for appliances with Cisco-CLI
  • ifpps: a top-like kernel networking and system statistics tool
  • curvetun: a lightweight curve25519-based multiuser IP tunnel
  • astraceroute: an autonomous system trace route and DPI testing utility
  • flowtop: a top-like netfilter connection tracking tool
  • bpfc: a [seccomp-]BPF (Berkeley packet filter) compiler, JIT disassembler

To find out more, you can visit the netsniff-ng website:

http://netsniff-ng.org/

Nate T
  • 1,590