TShark: The Basics
Command-Line Packet Analysis Hints
TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools: the produced/processed data can be piped into additional tools. The most common tools used alongside TShark in packet analysis are listed below.
capinfos
A program that provides details of a specified capture file. It is suggested to view the summary of the capture file before starting an investigation.
grep
Helps search plain-text data.
cut
Helps cut parts of lines from a specified data source.
uniq
Filters repeated lines/values.
nl
Numbers the lines of its input, so you can see how many lines were shown.
sed
A stream editor.
awk
Scripting language that helps pattern search and processing.
Note: Sample usage of these tools is covered in the Zeek room.
Open the terminal and follow the given instructions. You can follow along with the interactive materials by switching to the following directory.
cd Desktop/exercise-files/
Q & A
1) View the details of the demo.pcapng file with "capinfos". What is the "RIPEMD160" value?
Answer: 6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7
Command-Line Interface and Parameters
TShark is a text-based (command-line) tool, which makes it easy to conduct in-depth and consecutive analysis of the obtained results. Multiple built-in options are ready to use to help analysts conduct such investigations. However, learning the parameters is essential; you will need the built-in options and associated parameters to keep control of the output and not be flooded with TShark's detailed output. The most common parameters are explained in the table below. Note that TShark requires superuser privileges to sniff live traffic and to list all available interfaces.
-h
Display the help page with the most common features.
tshark -h
-v
Show version info.
tshark -v
-D
List available sniffing interfaces.
tshark -D
-i
Choose an interface to capture live traffic.
tshark -i 1
tshark -i ens55
No Parameter
Sniff the traffic like tcpdump.
tshark
Let's view the version info of the TShark instance in the given VM. Open the terminal and follow the given instructions.
Sniffing
Sniffing is one of the essential functionalities of TShark. A computer node can have multiple network interfaces that allow the host to communicate and sniff the traffic through the network. Specific interfaces might be associated with particular tasks/jobs. Therefore, the ability to choose a sniffing interface helps users decide and set the proper interface for sniffing.
Let's view the available interfaces in the given VM.
Sniffing can be done with and without selecting a specific interface. When a particular interface is selected, TShark uses that interface to sniff the traffic. TShark will use the first available interface when no interface is selected, usually listed as 1 in the terminal. Having no interface argument is an alias for -i 1. You can also set different sniffing interfaces by using the parameter -i. TShark always echoes the used interface name at the beginning of the sniffing.
Q & A
1) What is the installed TShark version in the given VM?
2) List the available interfaces with TShark. What is the number of available interfaces in the given VM?
Command-Line Interface and Parameters II
Let's continue discovering the main parameters of TShark.
-r
Read/input function. Read a capture file.
tshark -r demo.pcapng
-c
Packet count. Stop after capturing a specified number of packets.
E.g. stop after capturing/filtering/reading 10 packets.
tshark -c 10
-w
Write/output function. Write the sniffed traffic to a file.
tshark -w sample-capture.pcap
-V
Verbose.
Provide detailed information for each packet. This option will provide details similar to Wireshark's "Packet Details Pane".
tshark -V
-q
Silent mode.
Suppress the packet outputs on the terminal.
tshark -q
-x
Display packet bytes.
Show packet details in hex and ASCII dump for each packet.
tshark -x
Read Capture Files
TShark can also process PCAP files. You can use the -r parameter to process the file and investigate the packets. You can limit the number of shown packets using the -c parameter.
Write Data
TShark can also write the sniffed or filtered packets to a file. You can save the sniffed traffic to a file using the -w parameter. This option helps analysts to separate specific packets from the file/traffic and save them for further analysis. It also allows analysts to share only suspicious packets/scope with higher-level investigators.
Show Packet Bytes
TShark can show packet details in hex and ASCII format. You can view the dump of the packets by using the -x parameter. Once you use this parameter, all packets will be shown in hex and ASCII format. Therefore, it might be hard to spot anomalies at a glance, so using this option after reducing the number of packets will be much more efficient.
Verbosity
Default TShark packet processing and sniffing operations provide a single line of information and exclude verbosity. The default approach makes it easy to follow the number of processed/sniffed packets; however, TShark can also provide verbosity for each packet when instructed. Verbosity is provided similarly to Wireshark's "Packet Details Pane". As verbosity offers a long list of packet details, it is suggested to use that option for specific packets instead of a series of packets.
Verbosity provides full packet details and makes it difficult to investigate (long and complex terminal output for each packet). However, it is still helpful for in-depth packet analysis and scripting, making TShark stand out. Remember, the best utilisation time of verbosity is after filtering the packets. You can compare the above output with the below screenshot and see the scripting, carving, and correlation opportunities you have!
Q & A
1) Read the "demo.pcapng" file with TShark. What are the assigned TCP flags in the 29th packet?
Answer: PSH, ACK
2) What is the "Ack" value of the 25th packet?
Answer: 12421
3) What is the "Window size value" of the 9th packet?
Answer: 9660
Capture Condition Parameters
As a network sniffer and packet analyser, TShark can be configured to count packets and stop at a specific point or run in a loop structure. The most common parameters are explained below.
-a
Autostop. Define capture conditions for a single run/loop; TShark STOPS after the condition is met.
Duration: Sniff the traffic and stop after X seconds. Create a new file and write output to it.
tshark -w test.pcap -a duration:1
Filesize: Define the maximum capture file size. Stop after reaching X file size (KB).
tshark -w test.pcap -a filesize:10
Files: Define the maximum number of output files. Stop after X files.
tshark -w test.pcap -a filesize:10 -a files:3
-b
Ring buffer control options. Define capture conditions for multiple runs/loops (INFINITE LOOP).
Duration: Sniff the traffic for X seconds, create a new file and write output to it.
tshark -w test.pcap -b duration:1
Filesize: Define the maximum capture file size. Create a new file and write output to it after reaching filesize X (KB).
tshark -w test.pcap -b filesize:10
Files: Define the maximum number of output files. Rewrite the first/oldest file after creating X files.
tshark -w test.pcap -b filesize:10 -b files:3
Capture condition parameters only work in the "capturing/sniffing" mode. You will receive an error message if you try to read a pcap file and apply the capture condition parameters. The idea is to save the capture files in specific sizes for different purposes during live capturing. If you need to extract particular sorts of packets from a specific capture file, use the read and write options discussed in the previous task.
Hint: TShark supports combining autostop (-a) parameters with ring buffer control parameters (-b). You can combine the parameters according to your needs. Use the infinite loop options carefully; remember, you must use at least one autostop parameter to stop the infinite loop.
Q & A
1) Which parameter can help analysts to create a continuous capture dump?
Answer: -b
2) Can we combine autostop and ring buffer parameters with TShark? y/n
Answer: y
Packet Filtering Parameters | Capture & Display Filters
There are two dimensions of packet filtering in TShark: live (capture) and post-capture (display) filtering. These two dimensions use two different filter syntaxes: Wireshark's display filter syntax and Berkeley Packet Filters (BPF). TShark supports both, so you can use Wireshark filters and BPF to filter traffic. As mentioned earlier, TShark is a command-line version of Wireshark, so we will need to use different filters for capturing and for displaying packets. A quick recap from the Wireshark: Packet Operations room:
Capture Filters
Live filtering options. The purpose is to save only a specific part of the traffic. It is set before capturing traffic and is not changeable during live capture.
Display Filters
Post-capture filtering options. The purpose is to investigate packets by reducing the number of visible packets, which is changeable during the investigation.
Capture filters are used to keep a specific type of traffic in the capture file rather than everything. Capture filters have limited filtering features; their purpose is to narrow the scope by address range, protocol, and direction. This might sound like bulk/raw filtering, but it still produces organised capture files of reasonable size. Display filters investigate the capture files in-depth without modifying the packets.
-f
Capture filters. Same as BPF syntax and Wireshark's capture filters.
-Y
Display filters. Same as Wireshark's display filters.
Check out the Wireshark: Packet Operations room (Task 4 & 5) if you want to review the principles of packet filtering.
Q & A
1) Which parameter is used to set "Capture Filters"?
Answer: -f
2) Which parameter is used to set "Display Filters"?
Answer: -Y
Capture Filters
Wireshark's capture filter syntax is used here. The basic syntax for the Capture/BPF filter is shown below. Boolean operators can also be used in both types of filters.
Type
Target match type. You can filter IP addresses, hostnames, IP ranges, and port numbers. Note that if you don't set a qualifier, the "host" qualifier will be used by default.
host | net | port | portrange
Filtering a host
tshark -f "host 10.10.10.10"
Filtering a network range
tshark -f "net 10.10.10.0/24"
Filtering a Port
tshark -f "port 80"
Filtering a port range
tshark -f "portrange 80-100"
Direction
Target direction/flow. Note that if you don't use the direction operator, it will be equal to "either" and cover both directions.
src | dst
Filtering source address
tshark -f "src host 10.10.10.10"
Filtering destination address
tshark -f "dst host 10.10.10.10"
Protocol
Target protocol.
arp | ether | icmp | ip | ip6 | tcp | udp
Filtering TCP
tshark -f "tcp"
Filtering MAC address
tshark -f "ether host F8:DB:C5:A2:5D:81"
You can also filter protocols with IP Protocol numbers assigned by IANA.
Filtering IP Protocols 1 (ICMP)
tshark -f "ip proto 1"
We need to create traffic noise to test and simulate capture filters. We will use the "terminator" terminal instance to have a split-screen view in a single terminal. The "terminator" will help you craft and sniff packets using a single terminal interface. Now, run the terminator command and follow the instructions using the new terminal instance.
First, run the given TShark command in Terminal-1 to start sniffing traffic.
Then, run the given cURL command in Terminal-2 to create network noise.
View sniffed packets results in Terminal-1.
Being comfortable with the command line and TShark filters requires time and practice. You can use the below table to practice TShark capture filters.
Host Filtering
Capturing traffic to or from a specific host.
Traffic generation with cURL. This command sends a default HTTP query to a specified address.
curl tryhackme.com
TShark capture filter for a host
tshark -f "host tryhackme.com"
IP Filtering
Capturing traffic to or from a specific IP address. We will use the Netcat tool to create noise towards a specific address.
Traffic generation with Netcat. Here Netcat is instructed to provide details (verbosity), and timeout is set to 5 seconds.
nc 10.10.10.10 4444 -vw 5
TShark capture filter for specific IP address
tshark -f "host 10.10.10.10"
Port Filtering
Capturing traffic to or from a specific port. We will use the Netcat tool to create noise on specific ports.
Traffic generation with Netcat. Here Netcat is instructed to provide details (verbosity), and timeout is set to 5 seconds.
nc 10.10.10.10 4444 -vw 5
TShark capture filter for port 4444
tshark -f "port 4444"
Protocol Filtering
Capturing traffic of a specific protocol. We will use the Netcat tool to create noise on specific ports.
Traffic generation with Netcat. Here Netcat is instructed to use UDP, provide details (verbosity), and timeout is set to 5 seconds.
nc -u 10.10.10.10 4444 -vw 5
TShark capture filter for UDP
tshark -f "udp"
Q & A
1) What is the number of packets with SYN bytes?
Answer: 2
2) What is the number of packets sent to the IP address "10.10.10.10"?
Answer: 7
3) What is the number of packets with ACK bytes?
Answer: 8
Display Filters
Wireshark's display filter syntax is used here. You can use the official Display Filter Reference to find the protocol breakdown for filtering. Additionally, you can use Wireshark's built-in "Display Filter Expression" menu to break down protocols for filters. Note that Boolean operators can also be used in both types of filters. Common filtering options are shown in the table below.
Note: Using single quotes for capture filters is recommended to avoid space and bash expansion problems. Once again, you can check the Wireshark: Packet Operations room (Task 4 & 5) if you want to review the principles of packet filtering.
Protocol: IP
Filtering an IP without specifying a direction.
tshark -Y 'ip.addr == 10.10.10.10'
Filtering a network range
tshark -Y 'ip.addr == 10.10.10.0/24'
Filtering a source IP
tshark -Y 'ip.src == 10.10.10.10'
Filtering a destination IP
tshark -Y 'ip.dst == 10.10.10.10'
Protocol: TCP
Filtering TCP port
tshark -Y 'tcp.port == 80'
Filtering source TCP port
tshark -Y 'tcp.srcport == 80'
Protocol: HTTP
Filtering HTTP packets
tshark -Y 'http'
Filtering HTTP packets with response code "200"
tshark -Y "http.response.code == 200"
Protocol: DNS
Filtering DNS packets
tshark -Y 'dns'
Filtering all DNS "A" packets
tshark -Y 'dns.qry.type == 1'
We will use the "demo.pcapng" to test display filters. Let's see the filters in action!
The above terminal demonstrates using the "IP filtering" option. TShark filters the packets and provides the output in our terminal. It is worth noting that TShark doesn't count the "total number of filtered packets"; it assigns numbers to packets according to the capture time, but only displays the packets that match our filter.
Look at the above example. There are two matched packets, but the associated numbers don't start from zero or one; "13" and "17" are assigned to these filtered packets. Keeping track of these numbers and calculating the "total number of filtered packets" can be confusing if your filter retrieves more than a handful of packets. Another example is shown below.
You can use the nl command to get a numbered list of your output. Therefore you can easily calculate the "total number of filtered packets" without being confused by the "assigned packet numbers". The usage of the nl command is shown below.
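The scripting and carving opportunities mentioned in the Verbosity task, and the nl trick above for counting filtered packets, as an added shell example that is not part of the original room: it post-processes TShark one-line output with nl, awk, sort and uniq from the tool list in the first task. The sample lines are constructed to look like the output of tshark -r demo.pcapng -Y 'ip.addr == 10.10.10.10' and are not real demo.pcapng content; in a real run, replace sample_output with that tshark command.

```shell
#!/bin/sh
# Constructed TShark-style output (not taken from demo.pcapng). Column 1 is the frame
# number TShark assigns at capture time, which is why it jumps 13, 17, 21, ... for a
# filtered view. Older TShark prints "->" between addresses and newer builds print a
# Unicode arrow; the pipelines below pick fields by position, so either form works.
SAMPLE='   13   2.123456  10.10.10.10 -> 10.10.10.20 TCP 74 44321 -> 80 [SYN] Seq=0 Win=64240 Len=0
   17   2.130991  10.10.10.20 -> 10.10.10.10 TCP 74 80 -> 44321 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
   21   2.131204  10.10.10.10 -> 10.10.10.20 TCP 66 44321 -> 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0
   34   2.402118  10.10.10.10 -> 10.10.10.20 HTTP 180 GET / HTTP/1.1
   38   2.455370  10.10.10.20 -> 10.10.10.10 HTTP 512 HTTP/1.1 200 OK  (text/html)'

# In real use: sample_output() { tshark -r demo.pcapng -Y 'ip.addr == 10.10.10.10'; }
sample_output() { printf '%s\n' "$SAMPLE"; }

# nl numbers the matched lines 1..N independently of the frame numbers, so the last
# nl number is the total number of packets that matched the display filter.
numbered() { sample_output | nl; }
count_matched() { numbered | tail -n 1 | awk '{print $1}'; }

# Frame numbers on one line, handy for cross-referencing packets in Wireshark.
frame_numbers() { sample_output | awk '{printf "%s%s", (NR > 1 ? " " : ""), $1} END {print ""}'; }

# Count packets whose bracketed TCP flag list contains the given flag, matching whole
# flag names: "ACK" counts "[SYN, ACK]" and "[ACK]", "SYN" counts "[SYN]" and "[SYN, ACK]".
count_flag() {
  sample_output | awk -v f="$1" '
    /\[/ { s = $0; sub(/^[^[]*\[/, "", s); sub(/\].*$/, "", s)
           n = split(s, a, ", "); for (i = 1; i <= n; i++) if (a[i] == f) { c++; break } }
    END { print c + 0 }'
}

# Most frequent source address (column 3): the classic sort | uniq -c carving pipeline.
top_source() { sample_output | awk '{print $3}' | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'; }

# Stand-alone run
numbered
echo "matched packets: $(count_matched)  frames: $(frame_numbers)"
echo "SYN: $(count_flag SYN)  ACK: $(count_flag ACK)  top source: $(top_source)"
```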
Q & A
1) What is the number of packets with a "65.208.228.223" IP address?
Answer: 34
2) What is the number of packets with a "TCP port 3371"?
3) What is the number of packets with a "145.254.160.237" IP address as a source address?
Answer: 20
4) What is the packet number of the "Duplicate" packet?
Answer: 37