In this short course, we covered the command line version of Wireshark, that is, Tshark. We discussed difference between Wireshark and Tshark, operations mode of Tshark such as live capture and PCAP analysis, Tshark filters, advanced filtering, conditional data extraction and extracting analytical insights by following streams, conversations and exporting objects. In the practical scenario, we solved the following rooms from TryHackMe:
- TShark: The Basics
- TShark: CLI Wireshark Features
- TShark Challenge I: Teamwork
- TShark Challenge II: Directory
The course contains the below contents:
– Intro to Tshark & Wireshark vs Tshark
– Sniffing packets
– PCAP Analysis
– Display filters vs capture filters
– Extracting statistics, protocol breakdown, conversations and endpoints
– Following streams, exporting objects and credentials
-Advanced filtering, field extraction and conditional extraction
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Network Packets Analysis Study Notes
What is Tshark?
TShark is an open-source command-line network traffic analyser. It is created by the Wireshark developers and has most of the features of Wireshark. It is commonly used as a command-line version of Wireshark. However, it can also be used like tcpdump. Therefore it is preferred for comprehensive packet assessments.
Sniffing Packets with Tshark
Sniffing can be done with and without selecting a specific interface. When a particular interface is selected, TShark uses that interface to sniff the traffic. TShark will use the first available interface when no interface is selected, usually listed as 1 in the terminal. Having no interface argument is an alias for -i 1
. You can also set different sniffing interfaces by using the parameter -i
. TShark always echoes the used interface name at the beginning of the sniffing.
tshark
Tshark Capture Filters
The purpose of capture filters is to save only a specific part of the traffic. It is set before capturing traffic and is not changeable during live capture. Usually to use capture filters, we specify the options -f
in the command line followed by the type of operator (ip,net,host,etc).
Tshark Display Filters
The purpose of display filters is to investigate packets after finishing live traffic. We usually do it with the options -Y
followed by the operator.
Protocol hierarchy & Stats
Protocol hierarchy helps analysts to see the protocols used, frame numbers, and size of packets in a tree view based on packet numbers. As it provides a summary of the capture, it can help analysts decide the focus point for an event of interest. Use the -z io,phs -q
parameters to view the protocol hierarchy
Room Answers | TShark: The Basics
- View the details of the demo.pcapng file with “capinfos”.
- What is the “RIPEMD160” value?
6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7
What is the installed TShark version in the given VM?
3.2.3
- List the available interfaces with TShark.
- What is the number of available interfaces in the given VM?
12
- Read the “demo.pcapng” file with TShark.
- What are the assigned TCP flags in the 29th packet?
PSH, ACK
What is the “Ack” value of the 25th packet?
12421
What is the “Window size value” of the 9th packet?
9660
Which parameter can help analysts to create a continuous capture dump?
-b
Can we combine autostop and ring buffer parameters with TShark? y/n
y
Which parameter is used to set “Capture Filters”?
-f
Which parameter is used to set “Display Filters”?
-Y
What is the number of packets with SYN bytes?
2
What is the number of packets sent to the IP address “10.10.10.10”?
7
What is the number of packets with ACK bytes?
8
What is the number of packets with a “65.208.228.223” IP address?
34
What is the number of packets with a “TCP port 3371”?
7
What is the number of packets with a “145.254.160.237” IP address as a source address?
20
- Rerun the previous query and look at the output.
- What is the packet number of the “Duplicate” packet?
37
TShark: CLI Wireshark Features
- Use the “write-demo.pcap” to answer the questions.
- What is the byte value of the TCP protocol?
62
In which packet lengths row is our packet listed?
40-79
What is the summary of the expert info?
Connection establish request (SYN): server port 80
- Use the “demo.pcapng” to answer the question.
- List the communications. What is the IP address that exists in all IPv4 conversations?
- Enter your answer in defanged format.
145[.]254[.]160[.]237
- Use the “demo.pcapng” to answer the questions.
- Which IP address has 7 appearances?
- Enter your answer in defanged format.
216[.]239[.]59[.]99
What is the “destination address percentage” of the previous IP address?
6.98%
- Which IP address constitutes “2.33% of the destination addresses”?
- Enter your answer in defanged format.
145[.]253[.]2[.]203
What is the average “Qname Len” value?
29.00
- Use the “demo.pcapng” to answer the questions.
- Follow the “UDP stream 0”.
- What is the “Node 0” value?
- Enter your answer in defanged format.
145[.]254[.]160[.]237:3009
- Follow the “HTTP stream 1”.
- What is the “Referer” value?
- Enter your answer in defanged format.
hxxp[://]www[.]ethereal[.]com/download[.]html
- Use the “credentials.pcap” to answer the question.
- What is the total number of detected credentials?
75
- Use the “demo.pcapng” to answer questions.
- What is the HTTP packet number that contains the keyword “CAFE”?
27
- Filter the packets with “GET” and “POST” requests and extract the packet frame time.
- What is the first time value found?
May 13, 2004 10:17:08.222534000 UTC
- Use the “hostnames.pcapng” to answer the questions.
- What is the total number of unique hostnames?
30
What is the total appearance count of the “prus-pc” hostname?
12
- Use the “dns-queries.pcap” to answer the question.
- What is the total number of queries of the most common DNS query?
472
- Use the “user-agents.pcap” to answer questions.
- What is the total number of the detected “Wfuzz user agents”?
12
- What is the “HTTP hostname” of the nmap scans?
- Enter your answer in defanged format.
172[.]16[.]172[.]129
Room answers | TShark Challenge I: Teamwork
Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the full URL of the malicious/suspicious domain address?
Enter your answer in defanged format.
hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/
When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?
2017-04-17 22:52:53 UTC
Which known service was the domain trying to impersonate?
PayPal
What is the IP address of the malicious domain?
Enter your answer in defanged format.
184[.]154[.]127[.]226
What is the email address that was used?
Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)
johnny5alive[at]gmail[.]com
Room Answers | TShark Challenge II: Directory
Investigate the DNS queries.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format.
jx2-bavuong[.]com
What is the total number of HTTP requests sent to the malicious domain?
14
What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.
141[.]164[.]41[.]174
What is the server info of the suspicious domain?
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Follow the “first TCP stream” in “ASCII”.
Investigate the output carefully.
What is the number of listed files?
3
What is the filename of the first file?
Enter your answer in a defanged format.
123[.]php
Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.
vlauto[.]exe
What is the SHA256 value of the malicious file?
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
Search the SHA256 value of the file on VirtusTotal.
What is the “PEiD packer” value?
.NET executable
Search the SHA256 value of the file on VirtusTotal.
What does the “Lastline Sandbox” flag this as?
MALWARE TROJAN
Full Video Course