{"id":1193,"date":"2020-06-14T23:11:51","date_gmt":"2020-06-14T13:11:51","guid":{"rendered":"https:\/\/blog.hegars.com\/?p=1193"},"modified":"2021-12-29T13:54:51","modified_gmt":"2021-12-29T03:54:51","slug":"tzsp-to-pcap","status":"publish","type":"post","link":"https:\/\/blog.hegars.com\/?p=1193","title":{"rendered":"TZSP to PCAP"},"content":{"rendered":"\n

<\/p>\n\n\n\n

https:\/\/xn--blgg-hra.no\/2015\/03\/ids-with-mikrotik-and-snort\/<\/a><\/p>\n\n\n\n

tzsp2pcap<\/h2>\n\n\n\n

https:\/\/github.com\/thefloweringash\/tzsp2pcap<\/a><\/p>\n\n\n\n

compile and prereqs<\/h3>\n\n\n\n

apt-get install vim curl sudo build-essential libpcap-dev libpcap0.8<\/p>\n\n\n\n

git clone https:\/\/github.com\/thefloweringash\/tzsp2pcap.git<\/p>\n\n\n\n

make<\/p>\n\n\n\n

Running Wireshark<\/h2>\n\n\n\n

# .\/tzsp2pcap -f | wireshark -i –<\/p>\n\n\n\n

using this strips the tzsp headers and encapsulation headers<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using wireshark SSH remote capture<\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Debian 11 Notes<\/h2>\n\n\n\n

sha1 ciphers are removed by default, need to use dev chain of wireshark with never libssh for sshdump<\/p>\n\n\n\n

<\/p>\n\n\n\n

Using dumpcap<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\/usr\/bin\/dumpcap -P -w – -i ztrf25twc4<\/p>\n\n\n\n

With Filter Applied<\/p>\n\n\n\n

\/usr\/sbin\/dumpcap -i eth0 -f “host xxx.xxx.xxx.xxx” -w –<\/p>\n\n\n\n

MQTT<\/h2>\n\n\n\n

-n vs -P n verses old pcap format<\/p>\n\n\n\n

\/usr\/bin\/dumpcap -n -w – -i br0 -f “port 1883”<\/p>\n","protected":false},"excerpt":{"rendered":"

https:\/\/xn--blgg-hra.no\/2015\/03\/ids-with-mikrotik-and-snort\/ tzsp2pcap https:\/\/github.com\/thefloweringash\/tzsp2pcap compile and prereqs apt-get install vim curl sudo build-essential libpcap-dev libpcap0.8 git clone https:\/\/github.com\/thefloweringash\/tzsp2pcap.git make Running Wireshark # .\/tzsp2pcap -f | wireshark -i – using this strips the tzsp headers and encapsulation headers Using wireshark SSH remote capture Debian 11 Notes sha1 ciphers are removed by default, need to use dev chain […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[6,36,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/posts\/1193"}],"collection":[{"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1193"}],"version-history":[{"count":8,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/posts\/1193\/revisions"}],"predecessor-version":[{"id":1852,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=\/wp\/v2\/posts\/1193\/revisions\/1852"}],"wp:attachment":[{"href":"https:\/\/blog.hegars.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hegars.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}