Wireshark Analyser
This page runs Tshark with a given Pcap file and a defined filter. First select your Wireshark trace:
Trace name: /log/hydra_ftp.zip
Tshark Output
The Tshark output is:
c:\program files\wireshark\tshark.exe -Y "ftp contains \"530 User\"" -r hydra_ftp.pcap
108 0.249901 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
109 0.253149 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
110 0.254313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
111 0.262104 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
112 0.263001 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
113 0.263725 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
114 0.264400 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
115 0.265129 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
148 0.370754 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
149 0.376095 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
150 0.376929 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
151 0.377657 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
152 0.378313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
153 0.379611 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
154 0.380442 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
176 0.400756 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
178 0.403931 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
182 0.407960 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
186 0.410437 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
191 0.414570 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
194 0.416728 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
203 0.466306 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
204 0.467274 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
207 0.470962 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
215 0.491074 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
216 0.492581 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
223 0.505707 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
228 0.519620 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
231 0.527366 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
251 0.550265 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
252 0.551355 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
261 0.568358 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
262 0.569555 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
271 0.585008 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
272 0.585866 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
281 0.599650 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
286 0.603026 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
287 0.603970 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
288 0.605125 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
301 0.615556 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
303 0.617127 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
Rules file
ftp contains \"530 User\"
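The check below is an added example, not part of the original page or its tool: it parses Tshark lines in the format shown above and flags a client/server pair when failed FTP logins cluster in time. The 1-second window, the threshold of 5, and the sample line for client 192.168.75.50 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Six lines copied from the Tshark output above, plus one constructed line
# (frame 900, client 192.168.75.50) representing a single mistyped login.
SAMPLE = """\
108 0.249901 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
110 0.254313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
114 0.264400 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
203 0.466306 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User fred cannot log in.
231 0.527366 192.168.75.132 → 192.168.75.1 FTP 98 Response: 530 User napier cannot log in.
281 0.599650 192.168.75.132 → 192.168.75.1 FTP 105 Response: 530 User Administrator cannot log in.
900 42.000000 192.168.75.132 → 192.168.75.50 FTP 97 Response: 530 User alice cannot log in.
"""

# Columns: frame, relative time, source (server), destination (client),
# protocol, length, info.
LINE = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<server>\S+)\s+(?:→|->)\s+(?P<client>\S+)"
    r"\s+FTP\s+\d+\s+Response: 530 User (?P<user>.+?) cannot log in\.")

def parse_failures(text):
    """Yield (time, client, server, user) for every 530 response line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield float(m["time"]), m["client"], m["server"], m["user"]

def detect_bruteforce(text, window=1.0, threshold=5):
    """Report pairs with >= threshold failures inside any `window` seconds.

    window and threshold are assumed values; tune them to the environment.
    """
    by_pair = defaultdict(list)
    for t, client, server, user in parse_failures(text):
        by_pair[(client, server)].append((t, user))
    alerts = []
    for (client, server), events in by_pair.items():
        events.sort()
        start = peak = 0
        for end, (t, _) in enumerate(events):
            while t - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"client": client, "server": server, "peak": peak,
                           "usernames": sorted({u for _, u in events})})
    return alerts
```

The 530 responses travel from the FTP server (192.168.75.132) to the client (192.168.75.1), so the destination column identifies where the login attempts originate.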
Examples
The following examples use Wireshark display filters:
- PNG Filter: http contains "\x89\x50\x4E\x47". Trace with a PNG and PNG filter.
- PDF Filter: http contains "%PDF". Trace with a PDF and PDF filter.
- GIF Filter: http contains "GIF89a". Trace with a GIF and GIF filter.
- ZIP Filter: http contains "\x50\x4B\x03\x04". Trace with a ZIP and ZIP filter.
- JPEG Filter: http contains "\xff\xd8". Trace with a JPEG and JPEG filter.
- MP3 Filter: http contains "\x49\x44\x33". Trace with an MP3 and MP3 filter.
- RAR Filter: http contains "\x52\x61\x72\x21\x1A\x07\x00". Trace with a RAR and RAR filter.
- AVI Filter: http contains "\x52\x49\x46\x46". Trace with an AVI and AVI filter.
- SWF Filter: http contains "\x46\x57\x53". Trace with a SWF and SWF filter.
- GZip Filter: http contains "\x1F\x8B\x08". Trace with a GZIP and GZIP filter.
- Email address Filter: smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]". Trace with an email and Email regex filter.
- IP address Filter: http matches "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}". Trace with HTTP traffic and IP address regex filter.
- Credit card details (Mastercard) Filter: smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Mastercard regex filter.
- Credit card details (Visa) Filter: smtp matches "4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Visa regex filter.
- Credit card details (Am Ex) Filter: smtp matches "3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}". Trace with an email and Am Ex regex filter.
- Domain name Filter: http matches "[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)". Trace with an email and Email regex filter.
- FTP User/Password Crack Filter: ftp contains "530 User". Trace with FTP Hydra and 530 filter.
- FTP Login Filter: tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1. Trace with FTP Hydra and SYN/Port 21 filter.
- Telnet Login Filter: tcp.port==23 && tcp.flags.syn==0 && tcp.flags.ack==0. Trace with Telnet Hydra and SYN/Port 23 filter.
- Telnet Login Filter: telnet contains "login".
- Telnet Login Filter: telnet contains "Failed".
- Hping DoS Filter: tcp.flags.syn==1 && tcp.flags.ack==0. Trace with Hping and SYN flag filter.