Originally published December 26, 2017 @ 10:42 pm
Here’s a quick example of using tshark to extract email addresses from TCP streams. Let’s say some application on your server is sending emails and you want to find out who is receiving those emails. You can find more useful tshark filters here.

The capture will take place on the system’s primary NIC (the interface of the default route). You can change that by setting the nic variable manually. The other variable you may want to adjust is duration. The default value is 10 seconds, which means tshark will spend 10 seconds gathering a list of stream indexes and then another 10 seconds capturing traffic for each stream it found. You may want to use different values for these two steps. Another potential improvement is to follow streams in parallel using xargs or some such.

Two caveats before you run it. First, tcp.stream indexes are assigned per capture, in the order conversations first appear, so stream 3 in the second capture is not the same connection as stream 3 in the first; the loop really follows whichever connections happen to receive those indexes in each fresh capture, which is good enough for a quick survey but not for attributing an address to a specific connection. Capturing once to a pcap file and following the streams from that file avoids the problem. Second, the follow output is only useful for plaintext sessions: mail submitted over SMTPS or after STARTTLS shows up as ciphertext and no addresses will be found. Capturing also needs root or capture privileges on the interface.
```bash
duration=10 # capture duration to get streams, and then capture duration per stream
nic=$(route | grep -m1 ^default | awk '{print $NF}')
# First pass: collect the index of every TCP stream whose SYN is seen during the window.
# -Y is the single-pass display filter; the older -R form is a two-pass read filter
# that current tshark versions reject on a live capture.
for stream in $(tshark -nl -i "${nic}" -a "duration:${duration}" -Y 'tcp.flags.syn==1' -T fields -e tcp.stream 2>/dev/null | sort -n | uniq); do
  echo "Processing stream ${stream}" >&2   # progress to stderr so it stays out of the grep below
  # Second pass: capture again and dump that stream's payload as ASCII
  tshark -nl -i "${nic}" -a "duration:${duration}" -q -z "follow,tcp,ascii,${stream}" 2>/dev/null
done | grep -Po '(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}\b' | sort -u
```

Sample output:

```
john.smith@domain.com
jane.doe@domain.com
```
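Capturing once and reading the streams back from the file, with the parallel xargs follow mentioned above and an extra grep narrowed to SMTP RCPT TO lines so that only recipients are listed rather than every address in the dump: this is an added example, not the original post’s script. It assumes tshark, GNU grep (for -P), iproute2’s ip for the default interface, an xargs that supports -P, and enough privilege to capture. The function names, the NIC and DURATION variables, and the SMTP session in SAMPLE_FOLLOW are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes tshark, GNU grep (-P),
# iproute2 "ip", and an xargs that supports -P. All function and variable names
# here are this example's own choices.
set -u

# Address pattern from the original post's pipeline.
EMAIL_RE='(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,6}\b'

# Constructed sample of what "tshark -q -z follow,tcp,ascii,N" prints for one SMTP
# session (not captured from a real host). tshark indents server-to-client data.
SAMPLE_FOLLOW='===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 3
Node 0: 10.0.0.5:51234
Node 1: 10.0.0.25:25
    220 mail.example.com ESMTP
EHLO app.example.com
    250 mail.example.com
MAIL FROM:<noreply@example.com>
    250 2.1.0 Ok
RCPT TO:<john.smith@domain.com>
    250 2.1.5 Ok
RCPT TO:<Jane.Doe@domain.com>
    250 2.1.5 Ok
DATA
    354 End data with <CR><LF>.<CR><LF>
From: noreply@example.com
To: john.smith@domain.com, jane.doe@domain.com
Subject: nightly report
==================================================================='

# Every address in the dump (sender, recipients, headers), lower-cased and de-duplicated.
extract_emails() {
    grep -Po "$EMAIL_RE" | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Recipients only: the addresses the server was asked to deliver to (SMTP RCPT TO),
# which answers "who is receiving" more precisely than a blanket address grep.
extract_rcpt() {
    grep -Pio 'RCPT TO:<\K[^>]+' | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# TCP stream indexes in a pcap whose connection setup (client SYN) was captured.
list_streams() {
    tshark -nr "$1" -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' -T fields -e tcp.stream 2>/dev/null \
        | sort -n | uniq
}

# Capture once on interface $1 for $2 seconds, then follow every stream from the
# file. Because both passes read the same capture, the stream indexes line up.
extract_from_capture() {
    pcap=$(mktemp) || return 1
    tshark -i "$1" -a "duration:$2" -w "$pcap" -q >/dev/null 2>&1
    # Four followers at a time (the xargs idea from the post). Their output is merged
    # by the pipe, which is tolerable for an address grep but not for anything structured.
    list_streams "$pcap" \
        | xargs -r -P 4 -I{} tshark -nr "$pcap" -q -z "follow,tcp,ascii,{}" 2>/dev/null \
        | extract_rcpt
    rm -f "$pcap"
}

# Entry point: a live capture only on request, so the helpers above can be exercised
# on the canned session without touching the network. Usage:
#   NIC=eth0 DURATION=30 sh extract_mail.sh --capture
if [ "${1:-}" = "--capture" ]; then
    nic=${NIC:-$(ip -o route show default | awk '{print $5; exit}')}
    extract_from_capture "$nic" "${DURATION:-10}"
else
    echo "recipients (RCPT TO):"; printf '%s\n' "$SAMPLE_FOLLOW" | extract_rcpt
    echo "all addresses seen:";   printf '%s\n' "$SAMPLE_FOLLOW" | extract_emails
fi
```

Run without arguments it only processes the canned session; with --capture it captures on the default-route interface (or NIC) for DURATION seconds. Lower-casing before sort -u collapses the Jane.Doe and jane.doe variants that the post’s pipeline would list twice; local parts are formally case-sensitive, so drop the tr step if that distinction matters to you. The RCPT TO filter lists mail recipients only and so ignores the sender and any addresses that merely appear in the message body.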