In this post, we solve the room named TryHackMe TShark: The Basics
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Network Packets Analysis Study Notes
What is Tshark?
TShark is an open-source command-line network traffic analyser. It was created by the Wireshark developers and has most of the features of Wireshark, so it is commonly used as a command-line version of Wireshark. However, it can also be used like tcpdump. Therefore, it is preferred for comprehensive packet assessments.
TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools, as the produced/processed data can be piped into additional tools.
Sniffing Packets with Tshark
Sniffing can be done with and without selecting a specific interface. When a particular interface is selected, TShark uses that interface to sniff the traffic. When no interface is selected, TShark uses the first available interface, usually listed as 1 in the terminal; having no interface argument is an alias for -i 1. You can select a different sniffing interface with the -i parameter. TShark always echoes the name of the interface it is using at the beginning of the sniffing.
Reading & Analyzing Packet Capture Files with Tshark
TShark can also process PCAP files. You can use the -r parameter to read the file and investigate the packets. You can limit the number of shown packets using the -c parameter.
user@ubuntu$ tshark -r demo.pcapng
TShark can also write the sniffed or filtered packets to a file. You can save the sniffed traffic to a file using the -w parameter. This option helps analysts to separate specific packets from the file/traffic and save them for further analysis. It also allows analysts to share only the suspicious packets/scope with higher-level investigators.
tshark -r demo.pcapng -c 1 -w write-demo.pcap
Display Filters vs Capture Filters
There are two dimensions of packet filtering in TShark: live (capture) filtering and post-capture (display) filtering. Each dimension uses a different filter syntax: display filters use the predefined Wireshark filter syntax, while capture filters use Berkeley Packet Filter (BPF) syntax. TShark supports both, so you can use Wireshark filters and BPF to filter traffic. As mentioned earlier, TShark is a command-line version of Wireshark, so keep in mind that the filter syntax differs between capturing packets and filtering already-captured packets.
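The notes above mention that TShark's text output suits scripting. As an added example (not part of the room or of the TShark project), the Python script below runs tshark -T fields over a capture and tallies SYN/ACK flags and per-address packet counts in one pass, instead of running one -Y display filter per question; when tshark is not on PATH it falls back to a constructed sample of that output, which is not taken from demo.pcapng.

```python
"""Tally TCP flags and addresses from `tshark -T fields` output."""
import shutil
import subprocess
from collections import Counter

FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.flags"]
SYN, ACK = 0x02, 0x10  # bit positions inside the tcp.flags byte

# Constructed sample of the command's output (frame,src,dst,tcp.flags);
# rows 5 and 6 stand in for non-TCP packets, where tcp.flags is empty.
SAMPLE_OUTPUT = """\
1,145.254.160.237,65.208.228.223,0x0002
2,65.208.228.223,145.254.160.237,0x0012
3,145.254.160.237,65.208.228.223,0x0010
4,145.254.160.237,65.208.228.223,0x0018
5,145.254.160.237,145.253.2.203,
6,145.253.2.203,145.254.160.237,
7,145.254.160.237,10.10.10.10,0x0002
"""

def run_tshark(pcap):
    """Return raw field output for pcap; occurrence=f keeps one value per field."""
    cmd = ["tshark", "-r", pcap, "-T", "fields",
           "-E", "separator=,", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_fields(output):
    """Parse each row into a dict; tcp.flags is hex (0x0018 or 0x018) or empty."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        frame, src, dst, flags = line.split(",", 3)
        rows.append({"frame": int(frame), "src": src, "dst": dst,
                     "flags": int(flags, 16) if flags else None})
    return rows

def summarize(rows):
    """Counts matching the room's questions (equivalent -Y filter in comments)."""
    tcp = [r for r in rows if r["flags"] is not None]
    return {
        "syn": sum(1 for r in tcp if r["flags"] & SYN),  # tcp.flags.syn==1
        "ack": sum(1 for r in tcp if r["flags"] & ACK),  # tcp.flags.ack==1
        "by_src": Counter(r["src"] for r in rows),       # ip.src==<addr>
        "by_dst": Counter(r["dst"] for r in rows),       # ip.dst==<addr>
    }

if __name__ == "__main__":
    raw = run_tshark("demo.pcapng") if shutil.which("tshark") else SAMPLE_OUTPUT
    print(summarize(parse_fields(raw)))
```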
Room Answers | TShark: The Basics
- View the details of the demo.pcapng file with “capinfos”.
- What is the “RIPEMD160” value?
6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7
- What is the installed TShark version in the given VM?
3.2.3
- List the available interfaces with TShark.
- What is the number of available interfaces in the given VM?
12
- Read the “demo.pcapng” file with TShark.
- What are the assigned TCP flags in the 29th packet?
PSH, ACK
- What is the “Ack” value of the 25th packet?
12421
- What is the “Window size value” of the 9th packet?
9660
- Which parameter can help analysts to create a continuous capture dump?
-b
- Can we combine autostop and ring buffer parameters with TShark? y/n
y
- Which parameter is used to set “Capture Filters”?
-f
- Which parameter is used to set “Display Filters”?
-Y
- What is the number of packets with SYN bytes?
2
- What is the number of packets sent to the IP address “10.10.10.10”?
7
- What is the number of packets with ACK bytes?
8
- What is the number of packets with a “65.208.228.223” IP address?
34
- What is the number of packets with a “TCP port 3371”?
7
- What is the number of packets with a “145.254.160.237” IP address as a source address?
20
- Rerun the previous query and look at the output.
- What is the packet number of the “Duplicate” packet?
37
Full Video Course