diff --git a/Forensics/Wireshark.md b/Forensics/Wireshark.md index f14507a..1f17a3d 100644 --- a/Forensics/Wireshark.md +++ b/Forensics/Wireshark.md @@ -18,6 +18,17 @@ Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files at defined duration `duration:10`, sizes `filesize:100`, and count of files `files:5`. +Use `-z help` to see options of possible statistics, use `-q` to suppress +packet details. + +## Find Credentials + +Tshark can list all found credentials via the following command + +```sh +tshark -r file.pcap -z credentials -q +``` + ## Extracting USB Keystrokes Data between USB devices and the host can be filtered via tshark in order to @@ -27,7 +38,8 @@ display just the payload, e.g. keystrokes in the following way tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt ``` -A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) +A lookup table is needed to [convert the USBHID data to ASCII +values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) ```sh python keystrokedecoder.py output.txt
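Review bot: the first hunk's new sentence "Tshark can list all found credentials via the following command" is missing its terminal punctuation and "all found" overstates what `-z credentials` does; suggest "Tshark can list credentials its dissectors recognised in the capture with the following command:" and, since the new `-z help` line already introduces `-q`, a half sentence after the fence explaining that `-q` is there so the credentials table is not buried under per-packet output. It would also help the reader to say that the listing is a statistics tap printed after the capture is read, so nothing appears until tshark has processed the whole file.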
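Review bot: the second hunk only re-wraps the sentence "A lookup table is needed to convert the USBHID data to ASCII values" across two lines; while touching it, add the missing full stop after the link, and consider stating what `keystrokedecoder.py` (invoked in the fence right below) expects as input and where the script comes from, since the sentence currently points at an external gist but the fenced command assumes the file is already present locally. Splitting a markdown link text over a line break renders fine, but keeping the whole `[...](...)` on one line avoids confusing tools that lint or grep the document.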