At the beginning of this module, we mentioned that TShark is considered the command-line version of Wireshark. Besides sharing the same display filter syntax, TShark implements several of Wireshark's analysis features, which are explained below.
Three important points when using Wireshark-like features:
1) These options apply to all packets in scope unless a display filter narrows them down.
2) Most of the commands shown below are CLI versions of the Wireshark features discussed in Wireshark: Packet Operations (Task 2).
3) TShark names the statistic it is showing at the top of the output. For example, when you use the io,phs option to view the protocol hierarchy, the output starts with the "Protocol Hierarchy Statistics" header.
Parameter | Purpose | Sample usage
--color | Wireshark-like colourised output. | tshark --color
-z | Statistics. There are multiple options available under this parameter; list them with tshark -z help. | tshark -z <filter>
Each time you request a statistic, the packets are shown first, followed by the statistics. You can suppress the packet list and focus on the statistics by using the -q parameter.
Colourised Output
TShark can colourise its output to help analysts speed up analysis and spot anomalies quickly. If you are more of a Wireshark person and want Wireshark-style packet highlighting, this option provides it. Colouring is enabled with the --color parameter, as shown below.
user@ubuntu$ tshark -r colour.pcap --color
Statistics | Protocol Hierarchy
Protocol hierarchy helps analysts to see the protocols used, together with the number of frames and the byte count of each protocol, in a tree view. As it provides a summary of the capture, it can help analysts decide the focus point for an event of interest. Use the -z io,phs -q parameters to view the protocol hierarchy.
After viewing the entire packet tree, you can focus on a specific protocol by appending a display filter to the option, as shown below. Adding udp restricts the statistics to UDP packets.
user@ubuntu$ tshark -r demo.pcapng -z io,phs,udp -q
===================================================================
Protocol Hierarchy Statistics
Filter: udp
eth frames:2 bytes:277
ip frames:2 bytes:277
udp frames:2 bytes:277
dns frames:2 bytes:277
===================================================================
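Scripting over the protocol hierarchy output, as an added example that is not part of the room: a small POSIX shell helper that pulls the frame or byte count of a given protocol out of the text that tshark -z io,phs -q prints, which is how you would answer a "byte value of protocol X" question without reading the tree by eye. The sample statistics inside the block are constructed for the example (the frame counts match the demo.pcapng totals shown elsewhere on this page, the byte values are illustrative), and the PCAP environment variable is an assumption: set it to a capture path to run the helper against real output.

```shell
#!/bin/sh
# Added example: read a protocol's frame or byte count from the text that
# `tshark -z io,phs -q` prints. Each hierarchy line looks like
#   "    tcp          frames:41 bytes:24814"
# so the protocol name is field 1 and the counters are "key:value" fields.

# phs_stat PROTOCOL KEY   (KEY is "frames" or "bytes")
# A protocol can appear in more than one branch of the tree (for example
# "data" under both tcp and udp); the counts from every branch are summed,
# and a protocol that is absent from the tree yields 0.
phs_stat() {
    awk -v proto="$1" -v key="$2" '
        $1 == proto {
            for (i = 2; i <= NF; i++)
                if (index($i, key ":") == 1)
                    total += substr($i, length(key) + 2)
        }
        END { print total + 0 }'
}

# Constructed sample output (not taken from the room; byte values are
# illustrative). Indentation mirrors what tshark prints for nested protocols.
SAMPLE_PHS='===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:43 bytes:25091
  ip                                     frames:43 bytes:25091
    tcp                                  frames:41 bytes:24814
      http                               frames:4 bytes:2104
        data                             frames:2 bytes:1800
    udp                                  frames:2 bytes:277
      dns                                frames:2 bytes:277
==================================================================='

# With a real capture, feed tshark straight into the helper (tshark required):
#   PCAP=demo.pcapng sh phs_stat.sh
if [ -n "${PCAP:-}" ] && command -v tshark >/dev/null 2>&1; then
    tshark -r "$PCAP" -z io,phs -q | phs_stat tcp bytes
else
    printf '%s\n' "$SAMPLE_PHS" | phs_stat tcp bytes    # 24814
    printf '%s\n' "$SAMPLE_PHS" | phs_stat udp frames   # 2
fi
```

The helper matches on the protocol name in the first column only, so a display filter appended to io,phs (for example io,phs,udp) changes which branches exist in the text but not how the helper reads them.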
Statistics | Packet Lengths Tree
The packet lengths tree view helps analysts to overview the general distribution of packets by size in a tree view. It allows analysts to detect anomalously big and small packets at a glance! Use the -z plen,tree -q parameters to view the packet lengths tree.
Statistics | Endpoints
The endpoint statistics view helps analysts to overview the unique endpoints and the number of packets associated with each of them. As in Wireshark, endpoints can be viewed at several layers, and TShark supports the same address types for endpoint identification. Use the -z endpoints,ip -q parameters to view IPv4 endpoints. Note that you can choose other available protocols as well.
Filters for the most common viewing options are explained below.
Ethernet: -z endpoints,eth -q
IPv4: -z endpoints,ip -q
IPv6: -z endpoints,ipv6 -q
TCP: -z endpoints,tcp -q
UDP: -z endpoints,udp -q
Wireless: -z endpoints,wlan -q
Statistics | Conversations
The conversations view helps analysts to overview the traffic flow between two particular connection points. Similar to endpoint filtering, conversations can be viewed in multiple formats, and this option takes the same address types as the "Endpoints" option (eth, ip, ipv6, tcp, udp, wlan). Use the -z conv,ip -q parameters to view IPv4 conversations.
Statistics | Expert Info
The expert info view helps analysts to view the automatic comments provided by Wireshark's expert system. If you are unfamiliar with "Wireshark Expert Info", visit Task 4 in the Wireshark: The Basics room of the Wireshark module. Use the -z expert -q parameters to view the expert information.
user@ubuntu$ tshark -r demo.pcapng -z expert -q
Notes (3)
=============
Frequency Group Protocol Summary
1 Sequence TCP This frame is a (suspected) spurious retransmission
1 Sequence TCP This frame is a (suspected) retransmission
1 Sequence TCP Duplicate ACK (#1)
Chats (8)
=============
Frequency Group Protocol Summary
1 Sequence TCP Connection establish request (SYN): server port 80
1 Sequence TCP Connection establish acknowledge (SYN+ACK): server port 80
1 Sequence HTTP GET /download.html HTTP/1.1\r\n
1 Sequence HTTP GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020
2 Sequence HTTP HTTP/1.1 200 OK\r\n
2 Sequence TCP Connection finish (FIN)
Q & A
1) Use the "write-demo.pcap" to answer the questions. What is the byte value of the TCP protocol?
tshark -r write-demo.pcap -z io,phs -q
Answer: 62
2) In which packet lengths row is our packet listed?
tshark -r write-demo.pcap -z plen,tree -q
3) What is the summary of the expert info?
tshark -r write-demo.pcap -z expert -q
Answer: Connection establish request (SYN): server port 80
4) List the communications. What is the IP address that exists in all IPv4 conversations?
tshark -r demo.pcapng -z conv,ip -q
Answer: 145[.]254[.]160[.]237
Command-Line Wireshark Features II | Specific Filters for Particular Protocols
There are plenty of filters designed for multiple protocols. The common filtering options for specific protocols are explained below. Note that most of the commands shown below are CLI versions of the Wireshark features discussed in Wireshark: Packet Operations (Task 3).
Statistics | IPv4 and IPv6
This option provides statistics on IPv4 and IPv6 packets, as shown below. Having the protocol statistics helps analysts to overview packet distribution according to the protocol type. You can filter the available protocol types and view the details using the -z ptype,tree -q parameters.
user@ubuntu$ tshark -r demo.pcapng -z ptype,tree -q
==========================================================================================================================
IPv4 Statistics/IP Protocol Types:
Topic / Item Count Average Min val Max val Rate (ms) Percent Burst rate Burst start
--------------------------------------------------------------------------------------------------------------------------
IP Protocol Types 43 0.0014 100 0.0400 2.554
TCP 41 0.0013 95.35 0.0300 0.911
UDP 2 0.0001 4.65 0.0100 2.554
--------------------------------------------------------------------------------------------------------------------------
Having a summary of the hosts in a single view is useful as well. Especially when you are working with large captures, listing all hosts with a single command can help you to detect an anomalous host at a glance. You can list all IP addresses using the parameters given below.
IPv4: -z ip_hosts,tree -q
IPv6: -z ipv6_hosts,tree -q
user@ubuntu$ tshark -r demo.pcapng -z ip_hosts,tree -q
===========================================================================================================================
IPv4 Statistics/All Addresses:
Topic / Item Count Average Min val Max val Rate (ms) Percent Burst rate Burst start
---------------------------------------------------------------------------------------------------------------------------
All Addresses 43 0.0014 100 0.0400 2.554
145.254.160.237 43 0.0014 100.00 0.0400 2.554
65.208.228.223 34 0.0011 79.07 0.0300 0.911
---------------------------------------------------------------------------------------------------------------------------
For complex cases and in-depth analysis, you will need to correlate findings by focusing on the source and destination addresses. You can list all source and destination addresses using the parameters given below.
IPv4: -z ip_srcdst,tree -q
IPv6: -z ipv6_srcdst,tree -q
In some cases, you will need to focus on the outgoing traffic to spot the services and ports in use. You can list the destinations of all outgoing traffic by using the parameters given below.
IPv4: -z dests,tree -q
IPv6: -z ipv6_dests,tree -q
Statistics | DNS
This option provides statistics on DNS packets by summarising the available info (response codes, opcodes, query types and so on). You can filter the packets and view the details using the -z dns,tree -q parameters.
user@ubuntu$ tshark -r demo.pcapng -z dns,tree -q
===========================================================================================================================
DNS:
Topic / Item Count Average Min val Max val Rate (ms) Percent Burst rate Burst start
---------------------------------------------------------------------------------------------------------------------------
Total Packets 2 0.0055 100 0.0100 2.554
rcode 2 0.0055 100.00 0.0100 2.554
No error 2 0.0055 100.00 0.0100 2.554
opcodes 2 0.0055 100.00 0.0100 2.554
Standard query 2 0.0055 100.00 0.0100 2.554
...
-------------------------------------------------------------------------------------------------------------------------
Statistics | HTTP
This option provides statistics on HTTP packets by summarising the load distribution, requests, packets, and status info. You can filter the packets and view the details using the parameters given below.
Packet and status counter for HTTP: -z http,tree -q
Packet and status counter for HTTP2: -z http2,tree -q
Command-Line Wireshark Features III | Streams, Objects and Credentials
There are plenty of filters designed for multiple purposes. The common filtering options for specific operations are explained below. Note that most of the commands shown below are CLI versions of the Wireshark features discussed in the Wireshark module.
Follow Stream
This option helps analysts to follow traffic streams similar to Wireshark. The query structure is explained in the table given below.
Main Parameter | Protocol | View Mode | Stream Number
-z follow | tcp, udp, http, http2 | hex, ascii | 0 | 1 | 2 | 3 ...
Note: Streams start from "0". The columns are joined into a single option of the form -z follow,<protocol>,<view mode>,<stream number>, and -q is added to suppress the packet list so that only the reassembled stream is printed. The output names the two ends of the stream as "Node 0" and "Node 1" (address:port) before the data.
Export Objects
This option helps analysts to extract files from DICOM, HTTP, IMF, SMB and TFTP traffic, the same protocols offered under Wireshark's "Export Objects" menu. The syntax is --export-objects <protocol>,<target folder>; TShark reassembles each object and writes it into the folder.
# Extract the files from HTTP traffic.
user@ubuntu$ tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q
# view the target folder content.
user@ubuntu$ ls -l /home/ubuntu/Desktop/extracted-by-tshark/
total 24
-rw-r--r-- 1 ubuntu ubuntu 'ads%3fclient=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&o
-rw-r--r-- 1 ubuntu ubuntu download.html
Credentials
This option helps analysts to detect and collect cleartext credentials from FTP, HTTP, IMAP, POP and SMTP. You can filter the packets and find the cleartext credentials using the parameters below.
-z credentials -q
user@ubuntu$ tshark -r credentials.pcap -z credentials -q
===================================================================
Packet Protocol Username Info
------ -------- -------- --------
72 FTP admin Username in packet: 37
80 FTP admin Username in packet: 47
83 FTP admin Username in packet: 54
118 FTP admin Username in packet: 93
123 FTP admin Username in packet: 97
167 FTP administrator Username in packet: 133
207 FTP administrator Username in packet: 170
220 FTP administrator Username in packet: 184
230 FTP administrator Username in packet: 193
....
===================================================================
Q & A
1) Follow the "UDP stream 0". What is the "Node 0" value?
tshark -r demo.pcapng -z follow,udp,ascii,0 -q
Answer: 145[.]254[.]160[.]237:3009
2) Follow the "HTTP stream 1". What is the "Referer" value?
3) Use the "credentials.pcap" to answer the question. What is the total number of detected credentials?
tshark -r credentials.pcap -z credentials -q | nl
Excluding the first three lines (the border, the column names and the dashes) and the closing border line leaves 75 rows, one per detected credential.
Answer: 75
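Counting the rows from the credentials output more robustly than "nl and subtract four", as an added example that is not part of the room: a POSIX shell helper that keeps only lines whose first column is a packet number, so headers, separators and borders are dropped regardless of how many tshark prints, and a second helper that ranks the usernames seen. The sample rows in the block are a constructed excerpt of the credentials.pcap output shown above; the PCAP environment variable is an assumption for running it against a real capture.

```shell
#!/bin/sh
# Added example: summarise `tshark -z credentials -q` output without
# counting its header and footer lines. Assumes the layout shown above:
# a "Packet Protocol Username Info" header, a dashed separator, one row per
# credential and "====" borders.

# Keep only credential rows: field 1 is the packet number, so a line
# qualifies when it is purely numeric. Borders, the header and the dashed
# separator all fail that test.
credential_rows() {
    awk '$1 ~ /^[0-9]+$/'
}

# Total number of detected credentials (one per row).
count_credentials() {
    credential_rows | wc -l | tr -d ' '
}

# Distinct usernames with their hit counts, most frequent first.
# uniq -c pads its count with spaces; the final awk normalises each line
# to "count username".
username_counts() {
    credential_rows | awk '{ print $3 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Constructed sample: an excerpt of the credentials.pcap output shown on
# this page, embedded so the helpers can be exercised without tshark.
SAMPLE_CREDENTIALS='===================================================================
Packet Protocol Username Info
------ -------- -------- --------
72 FTP admin Username in packet: 37
80 FTP admin Username in packet: 47
83 FTP admin Username in packet: 54
167 FTP administrator Username in packet: 133
207 FTP administrator Username in packet: 170
==================================================================='

# With a real capture, pipe tshark straight in (tshark required):
#   PCAP=credentials.pcap sh count_credentials.sh
if [ -n "${PCAP:-}" ] && command -v tshark >/dev/null 2>&1; then
    tshark -r "$PCAP" -z credentials -q | count_credentials
    tshark -r "$PCAP" -z credentials -q | username_counts
else
    printf '%s\n' "$SAMPLE_CREDENTIALS" | count_credentials   # 5
    printf '%s\n' "$SAMPLE_CREDENTIALS" | username_counts     # 3 admin / 2 administrator
fi
```

The username ranking is what you want during an investigation: a single account tried from many packets points at a brute-force attempt, while many distinct accounts from one client points at credential stuffing or a wordlist.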
Advanced Filtering Options | Contains, Matches and Extract Fields
Accomplishing in-depth packet analysis sometimes ends up with a special filtering requirement that cannot be covered with default filters. TShark supports Wireshark's "contains" and "matches" operators, which are the key to the advanced filtering options. You can visit the Wireshark: Packet Operations room (Task 6) if you are unfamiliar with these filters.
Note: The "contains" and "matches" operators cannot be used with fields consisting of "integer" values.
Tip: Matching on hex or regex patterns instead of plain ASCII strings often gives a better chance of a match, because it is not thrown off by case or by non-printable bytes in the field.
Extract Fields
This option helps analysts to extract specific parts of data from the packets. In this way, analysts can collect and correlate various fields from the packets, and it keeps the query output on the terminal manageable. The query structure is explained in the table given below.
Main Filter | Target Field | Show Field Name
-T fields | -e <field name> | -E header=y
Note: You need to use the -e parameter for each field you want to display.
You can extract any field by giving its Wireshark field name, for example -T fields -e ip.src -e ip.dst -E header=y, which prints one line per packet with a tab-separated column for each requested field and a header row naming the columns.
When investigating a case, a security analyst should know how to extract hostnames, DNS queries and user agents to hunt for low-hanging fruit after viewing the statistics and creating an investigation plan. The most common use cases for every security analyst follow this pattern. If you want to learn more about the mentioned protocols and the benefits of the extracted info, please refer to the Wireshark Traffic Analysis room.
Extracting hostnames from DHCP packets (-e dhcp.option.hostname), for example, produces one line per packet, and the output is hard to manage when many duplicate and empty values exist. A skilled analyst should know how to manage and organise the command-line output with native Linux utilities such as sort and uniq.
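The field extraction described above, together with the post-processing it calls for, as an added example that is not part of the room: a POSIX shell script with one helper that wraps tshark -T fields -e <field> (optionally limited by a -Y display filter) and one that turns the raw one-value-per-packet output into a ranked list of distinct values. The field names are standard Wireshark names (dhcp.option.hostname was bootp.option.hostname before Wireshark 3.0); the PCAP environment variable and the sample hostname list are assumptions constructed for the example, not files from the room.

```shell
#!/bin/sh
# Added example: post-processing `tshark -T fields` output with native
# utilities so that repeated values (hostnames, DNS query names, user
# agents) are counted and ranked instead of scrolling past as duplicates.

# extract_field PCAP FIELD [DISPLAY_FILTER]
# Prints one line per packet containing only the requested field; packets
# without the field print an empty line, which rank_values discards.
extract_field() {
    if [ -n "${3:-}" ]; then
        tshark -r "$1" -Y "$3" -T fields -e "$2"
    else
        tshark -r "$1" -T fields -e "$2"
    fi
}

# rank_values: drop empty lines, count identical values and list them most
# frequent first as "count value". uniq -c pads its count with spaces and
# awk re-joins the value with single spaces, so the result is easy to grep
# or feed into another script. Values containing spaces (user agents) stay
# intact because everything after the count is re-emitted as the value.
rank_values() {
    awk 'NF' | sort | uniq -c | sort -rn |
        awk '{ count = $1; $1 = ""; sub(/^ /, ""); print count, $0 }'
}

# Constructed sample: what `-e dhcp.option.hostname` might print for a small
# capture, including the empty lines from packets without that option.
SAMPLE_HOSTNAMES='
DESKTOP-1
DESKTOP-1
android-phone

printer-01
DESKTOP-1
'

# With a real capture (tshark required):  PCAP=hosts.pcapng sh rank_fields.sh
if [ -n "${PCAP:-}" ] && command -v tshark >/dev/null 2>&1; then
    # Hosts that announced a name over DHCP
    extract_field "$PCAP" dhcp.option.hostname | rank_values
    # Names looked up over DNS (queries only, so responses are not double-counted)
    extract_field "$PCAP" dns.qry.name 'dns.flags.response == 0' | rank_values
    # HTTP user agents seen in requests
    extract_field "$PCAP" http.user_agent | rank_values
else
    printf '%s\n' "$SAMPLE_HOSTNAMES" | rank_values   # 3 DESKTOP-1 first
fi
```

Ranking by count is what makes the extract useful for hunting: the rare entries at the bottom of the list (a hostname seen once, a user agent that no browser produces, a single query for an odd domain) are usually the ones worth a closer look.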