+1-323-909-4740 [email protected]

https://xn--blgg-hra.no/2015/03/ids-with-mikrotik-and-snort/

tzsp2pcap

https://github.com/thefloweringash/tzsp2pcap

compile and prereqs

apt-get install vim curl sudo build-essential libpcap-dev libpcap0.8

git clone https://github.com/thefloweringash/tzsp2pcap.git

make

Running Wireshark

# ./tzsp2pcap -f | wireshark -i –

using this strips the tzsp headers and encapsulation headers

Using wireshark SSH remote capture

Debian 11 Notes

sha1 ciphers are removed by default, need to use dev chain of wireshark with never libssh for sshdump

Using dumpcap

/usr/bin/dumpcap -P -w – -i ztrf25twc4

With Filter Applied

/usr/sbin/dumpcap -i eth0 -f “host xxx.xxx.xxx.xxx” -w –

MQTT

-n vs -P n verses old pcap format

/usr/bin/dumpcap -n -w – -i br0 -f “port 1883”