In this post, we walk through the TryHackMe room TShark: CLI Wireshark Features.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.


What is Tshark?

TShark is an open-source command-line network traffic analyser created by the Wireshark developers, and it offers most of Wireshark's features. It is commonly used as the command-line version of Wireshark, but it can also be used much like tcpdump, which makes it well suited to comprehensive packet assessments.

TShark is a text-based tool, which makes it suitable for data carving, in-depth packet analysis and automation with scripts. This strength and flexibility come from the nature of CLI tools: the data TShark produces or processes can be piped into additional tools.

Extracting Statistics with Tshark

The protocol hierarchy shows the protocols present in the capture, with frame and byte counts for each, in a tree view. Because it summarises the whole capture, it helps analysts decide where to focus for an event of interest. Use the -z io,phs -q parameters to view the protocol hierarchy (the -q flag suppresses the per-packet output so only the statistics are printed).

tshark -r demo.pcapng -z io,phs -q

After viewing the entire packet tree, you can focus on a specific protocol, as shown below. Adding a filter after phs, here the udp keyword, restricts the tree to UDP traffic.

tshark -r demo.pcapng -z io,phs,udp -q

The packet lengths tree view summarises the distribution of packets by size, so anomalously large or small packets stand out at a glance. Use the -z plen,tree -q parameters to view the packet lengths tree.

tshark -r demo.pcapng -z plen,tree -q
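Because the statistics are printed as text, they can be parsed by a script instead of read by eye, which is the automation strength mentioned above. The following Python is an added example (not code from the room or from the Wireshark project): it parses the tree that "tshark -z io,phs -q" prints, computes each protocol's share of the captured bytes, and renders a subtree the way the udp-focused command does. The protocol hierarchy text embedded in it is a constructed stand-in for a real run, not output from demo.pcapng, and the frame and byte numbers in it are made up.

```python
"""Parse the text printed by `tshark -r capture.pcapng -z io,phs -q` into a
protocol tree and compute per-protocol byte shares.

Added example, not code from the room or from the Wireshark project. It
operates on tshark's captured stdout; the sample below is a constructed
stand-in for a real run (all counts are made up)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of tshark's protocol hierarchy output (not from demo.pcapng).
# tshark indents each nested protocol by two spaces under its parent.
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:43 bytes:25091
  ip                                     frames:43 bytes:25091
    tcp                                  frames:41 bytes:24960
      http                               frames:4 bytes:2340
        data-text-lines                  frames:2 bytes:1500
    udp                                  frames:2 bytes:131
      dns                                frames:2 bytes:131
===================================================================
"""

# One protocol line: leading indent, protocol name, then frames:N bytes:M.
LINE_RE = re.compile(
    r"^(?P<indent> *)(?P<proto>\S+)\s+frames:(?P<frames>\d+) bytes:(?P<bytes>\d+)\s*$"
)


@dataclass
class Node:
    proto: str
    frames: int
    bytes: int
    children: List["Node"] = field(default_factory=list)


def parse_phs(text: str) -> List[Node]:
    """Return the top-level protocol nodes; the indentation depth (2 spaces per
    level) encodes the parent/child relationship in tshark's output."""
    roots: List[Node] = []
    stack: List[Tuple[int, Node]] = []  # (depth, node) of the current ancestry
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, separator and blank lines carry no data
        depth = len(m.group("indent")) // 2
        node = Node(m.group("proto"), int(m.group("frames")), int(m.group("bytes")))
        while stack and stack[-1][0] >= depth:  # climb back up to the parent
            stack.pop()
        if stack:
            stack[-1][1].children.append(node)
        else:
            roots.append(node)
        stack.append((depth, node))
    return roots


def find(nodes: List[Node], proto: str) -> Optional[Node]:
    """Depth-first search for a protocol anywhere in the tree."""
    for n in nodes:
        if n.proto == proto:
            return n
        hit = find(n.children, proto)
        if hit is not None:
            return hit
    return None


def byte_share(roots: List[Node], proto: str) -> float:
    """Percentage of all captured bytes carried by `proto`; the top-level
    (link-layer) nodes together account for every byte in the capture."""
    total = sum(r.bytes for r in roots)
    node = find(roots, proto)
    if node is None or total == 0:
        return 0.0
    return round(100.0 * node.bytes / total, 2)


def flatten(nodes: List[Node], depth: int = 0) -> List[str]:
    """Render a (sub)tree as indented lines, like the udp-focused view."""
    out: List[str] = []
    for n in nodes:
        out.append(f"{'  ' * depth}{n.proto} frames:{n.frames} bytes:{n.bytes}")
        out.extend(flatten(n.children, depth + 1))
    return out


if __name__ == "__main__":
    tree = parse_phs(SAMPLE_PHS)
    print("\n".join(flatten(tree)))
    udp = find(tree, "udp")
    print("\n".join(flatten([udp])) if udp else "no udp")
    print("udp share of bytes:", byte_share(tree, "udp"), "%")
```

In practice the text would come from a subprocess call to tshark (or a saved file) rather than the embedded sample; the parser itself does not change.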

Exporting Objects & Extracting Credentials with Tshark

The --export-objects option extracts files carried over DICOM, HTTP, IMF, SMB and TFTP. The query structure is shown in the command below: the protocol name, a comma, and the directory the extracted objects are written to.

tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q

You can also filter the packets and list the cleartext credentials TShark detects with the -z credentials parameter, as shown below.

tshark -r credentials.pcap -z credentials -q

Display Filters vs Capture Filters

TShark filters packets in two dimensions: live (capture) filtering and post-capture (display) filtering. Each uses a different syntax: capture filters use Berkeley Packet Filter (BPF) syntax, while display filters use Wireshark's display filter syntax. TShark supports both, so you can use Wireshark filters and BPF to filter traffic. As mentioned earlier, TShark is a command-line version of Wireshark, so we need to use different filters for capturing packets and for filtering captured packets.

TryHackMe TShark: CLI Wireshark Features | Room Answers

  • Use the “write-demo.pcap” to answer the questions.
  • What is the byte value of the TCP protocol?

62

In which packet lengths row is our packet listed?

40-79

What is the summary of the expert info?

Connection establish request (SYN):  server port 80

  • Use the “demo.pcapng” to answer the question.
  • List the communications. What is the IP address that exists in all IPv4 conversations?
  • Enter your answer in defanged format.

145[.]254[.]160[.]237

  • Use the “demo.pcapng” to answer the questions.
  • Which IP address has 7 appearances?
  • Enter your answer in defanged format.

216[.]239[.]59[.]99

What is the “destination address percentage” of the previous IP address?

6.98%

  • Which IP address constitutes “2.33% of the destination addresses”?
  • Enter your answer in defanged format.

145[.]253[.]2[.]203

What is the average “Qname Len” value?

29.00

  • Use the “demo.pcapng” to answer the questions.
  • Follow the “UDP stream 0”.
  • What is the “Node 0” value?
  • Enter your answer in defanged format.

145[.]254[.]160[.]237:3009

  • Follow the “HTTP stream 1”.
  • What is the “Referer” value?
  • Enter your answer in defanged format.

hxxp[://]www[.]ethereal[.]com/download[.]html

  • Use the “credentials.pcap” to answer the question.
  • What is the total number of detected credentials?

75

  • Use the “demo.pcapng” to answer questions.
  • What is the HTTP packet number that contains the keyword “CAFE”?

27

  • Filter the packets with “GET” and “POST” requests and extract the packet frame time.
  • What is the first time value found?

May 13, 2004 10:17:08.222534000 UTC

  • Use the “hostnames.pcapng” to answer the questions.
  • What is the total number of unique hostnames?

30

What is the total appearance count of the “prus-pc” hostname?

12

  • Use the “dns-queries.pcap” to answer the question.
  • What is the total number of queries of the most common DNS query?

472

  • Use the “user-agents.pcap” to answer questions.
  • What is the total number of the detected “Wfuzz user agents”?

12

  • What is the “HTTP hostname” of the nmap scans?
  • Enter your answer in defanged format.

172[.]16[.]172[.]129
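The hostname, DNS query and user-agent questions above are all answered the same way: print one field per packet with TShark's -T fields -e option and count the values. The following Python is an added example (not code from the room or from the Wireshark project) of that post-processing, covering all three questions: it takes the one-value-per-line text that -T fields prints and returns the number of unique values, the most common value with its count, and how many values contain a marker such as a scanner's user-agent string. The embedded field values are constructed stand-ins and are not taken from hostnames.pcapng, dns-queries.pcap or user-agents.pcap; the case-folding option is an assumption about how you may want to count, since the room's own sort/uniq counting is case-sensitive.

```python
"""Count the one-value-per-line output of `tshark -T fields -e <field>`
(for example -e dhcp.option.hostname, -e dns.qry.name or -e http.user_agent).

Added example, not code from the room or from the Wireshark project. The
sample values below are constructed and are not from the room's pcaps."""
from collections import Counter
from typing import List, Tuple

# Constructed stand-ins for tshark field output. A blank line appears when a
# packet matched the filter but did not carry the field; a packet that carries
# the field more than once has the values joined by commas (tshark's default).
SAMPLE_HOSTNAMES = """\
host-a
host-b

host-a
HOST-A
host-c
"""

SAMPLE_DNS_QUERIES = """\
www.example.test
time.example.test
www.example.test
www.example.test,mail.example.test
"""

SAMPLE_USER_AGENTS = """\
Mozilla/5.0 (X11; Linux x86_64)
Wfuzz/2.2
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Wfuzz/2.2
"""


def values(text: str, fold_case: bool = False) -> List[str]:
    """Split field output into non-empty values, expanding comma-joined
    multiple occurrences. fold_case (an assumption, not tshark behaviour)
    merges values that differ only in case."""
    out: List[str] = []
    for line in text.splitlines():
        for v in line.split(","):
            v = v.strip()
            if v:
                out.append(v.lower() if fold_case else v)
    return out


def unique_count(text: str, fold_case: bool = False) -> int:
    """Equivalent of `sort | uniq | wc -l` on the field output."""
    return len(set(values(text, fold_case)))


def occurrences(text: str, fold_case: bool = False) -> Counter:
    """Equivalent of `sort | uniq -c`: value -> number of appearances."""
    return Counter(values(text, fold_case))


def most_common(text: str, fold_case: bool = False) -> Tuple[str, int]:
    """The single most frequent value and its count (`sort | uniq -c | sort -nr | head -1`)."""
    return occurrences(text, fold_case).most_common(1)[0]


def count_containing(text: str, needle: str) -> int:
    """How many values carry a marker string, e.g. a scanner's user agent,
    regardless of case."""
    needle = needle.lower()
    return sum(1 for v in values(text) if needle in v.lower())


if __name__ == "__main__":
    print("unique hostnames:", unique_count(SAMPLE_HOSTNAMES))
    print("unique hostnames (case-folded):", unique_count(SAMPLE_HOSTNAMES, fold_case=True))
    print("host-a appearances:", occurrences(SAMPLE_HOSTNAMES)["host-a"])
    print("most common DNS query:", most_common(SAMPLE_DNS_QUERIES))
    print("Wfuzz user agents:", count_containing(SAMPLE_USER_AGENTS, "wfuzz"))
    print("Nmap user agents:", count_containing(SAMPLE_USER_AGENTS, "nmap"))
```

Feeding real TShark output into these functions is a matter of reading the text from a file or a subprocess call; the counting logic is unchanged.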

Full Video Course

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
