
2022s

  • tshark

    What is tshark?

    tshark is the command-line version of Wireshark. It uses the same dissectors and display filters as Wireshark, so it processes packets faster than the GUI, but it is still slower than tcpdump, which only applies a BPF filter and does not fully dissect each packet.

    Notes and Quirks about tshark

    • tshark, like Wireshark, fully dissects each packet, including headers nested inside other protocols. For example, an ICMP error message quotes the IP header plus at least the first 8 bytes (64 bits) of the datagram that triggered it (RFC 792), and tshark dissects that quoted header, so a display filter on ip.addr also matches the inner addresses. tcpdump's BPF filter only looks at the outer IP header, so the equivalent tcpdump search finds nothing:
      • tcpdump -n -r icmp-error.pcap 'net 10' | wc -l
      • tshark -n -r icmp-error.pcap -Y 'ip.addr == 10.0.0.0/8' | wc -l
    • tshark -c <N> stops after reading N packets from the file, whether or not they pass the -Y filter; it does NOT give you the first N matches. tcpdump -c <N> counts matching packets instead. To get the first N tshark matches, leave -c off and pipe the output through head -n <N>.
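
    To see the ICMP quirk without a capture of your own, here is an added example (not from the original notes): a POSIX shell script that writes a one-packet pcap by hand and then runs the two counts above against it if tcpdump and tshark are installed. The packet is constructed, not captured, and the addresses are assumptions: a router at 192.168.1.1 sends an ICMP port-unreachable to 192.168.1.50 quoting a UDP datagram that 192.168.1.50 had sent to 10.0.0.5, so only the quoted inner header carries a 10/8 address.

```shell
#!/bin/sh
# Added example: build a one-packet pcap containing an ICMP error that quotes
# an inner datagram addressed to 10.0.0.5, then show that tcpdump's outer-header
# filter misses it while tshark's dissected ip.addr finds it.
set -eu

# Convert a hex dump (whitespace ignored) on stdin to raw bytes on stdout,
# using only POSIX tools (no xxd).
hex2bin() {
  tr -d ' \t\n' | sed 's/../& /g' | tr ' ' '\n' | while IFS= read -r byte; do
    [ -n "$byte" ] || continue
    printf "\\$(printf '%03o' "0x$byte")"
  done
}

# Constructed packet, not a real capture. IP and ICMP checksums are valid.
# pcap global header: magic d4c3b2a1 (little-endian), v2.4, snaplen 65535, linktype 1 (Ethernet)
# record header: ts 0x60000000.0, incl_len = orig_len = 70
# Ethernet: dst 00:11:22:33:44:55, src 00:aa:bb:cc:dd:ee, type 0x0800
# outer IPv4: 192.168.1.1 -> 192.168.1.50, proto 1 (ICMP), total length 56
# ICMP: type 3 code 3 (port unreachable)
# quoted inner IPv4: 192.168.1.50 -> 10.0.0.5, proto 17 (UDP)
# quoted first 8 bytes of inner UDP: sport 40000, dport 53
PCAP_HEX='
d4 c3 b2 a1  02 00 04 00  00 00 00 00  00 00 00 00  ff ff 00 00  01 00 00 00
00 00 00 60  00 00 00 00  46 00 00 00  46 00 00 00
00 11 22 33 44 55  00 aa bb cc dd ee  08 00
45 00 00 38 00 01 00 00 40 01 f7 40 c0 a8 01 01 c0 a8 01 32
03 03 60 61 00 00 00 00
45 00 00 3a 00 02 00 00 40 11 ae d2 c0 a8 01 32 0a 00 00 05
9c 40 00 35 00 26 00 00
'

write_icmp_error_pcap() {           # $1 = output path (110 bytes on disk)
  printf '%s' "$PCAP_HEX" | hex2bin > "$1"
}

# Outer-header filter: BPF never looks inside the ICMP payload -> expect 0.
count_tcpdump() { tcpdump -n -r "$1" 'net 10' 2>/dev/null | wc -l | tr -d ' '; }
# Display filter: ip.addr covers every IPv4 header tshark dissected,
# the quoted inner one included -> expect 1.
count_tshark()  { tshark -n -r "$1" -Y 'ip.addr == 10.0.0.0/8' 2>/dev/null | wc -l | tr -d ' '; }

main() {
  f="${TMPDIR:-/tmp}/icmp-error.pcap"
  write_icmp_error_pcap "$f"
  echo "wrote $f ($(wc -c < "$f" | tr -d ' ') bytes)"
  if command -v tcpdump >/dev/null 2>&1; then
    echo "tcpdump -n -r $f 'net 10' | wc -l               -> $(count_tcpdump "$f")"
  fi
  if command -v tshark >/dev/null 2>&1; then
    echo "tshark -n -r $f -Y 'ip.addr == 10.0.0.0/8' | wc -l -> $(count_tshark "$f")"
  fi
}
main
```

    Open the generated file in Wireshark and the quoted datagram is visible as a second IPv4 header inside the ICMP layer; that nested header is what ip.addr matches and what a BPF filter cannot reach.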

    tshark Options

    • -q (quiet: suppress the per-packet output; useful together with -z)
    • -r <pcap-file> (read packets from a pcap file)
    • -n (no name resolution)
    • -Y '<display-filter>' (apply a Wireshark display filter)
    • -w <pcap-file> (write packets to a pcap file)
    • -T fields -e <field> (-T selects the output format; with fields, each -e names a field to print, giving one tab-separated row per packet)
      • tcp.stream
      • eth.src
      • eth.dst
      • tcp.dstport
      • tcp.srcport
      • ip.src
      • ip.dst
      • dns.id
      • dns.qry.name
      • dns.a
    • -z <statistics> (run a statistics module over the capture; usually combined with -q)
      • http,tree
      • http_req,tree
      • follow,tcp,ascii,<stream#>

    Sample Commands

    Using tshark with ICMP (see the ICMP error example under Notes and Quirks above)

    Using tshark to get HTTP information

    tshark -r <pcap-file> -n -q -z http,tree
    tshark -r <pcap-file> -n -q -z http_req,tree

    The first summarizes HTTP request methods and response status codes; the second lists requests by server name and URI path.

    Using tshark to find and follow a stream

    tshark -n -r <pcap-file> -Y 'tcp.srcport == 5678 and tcp.dstport == 80' -T fields -e tcp.stream | sort -n | uniq
    tshark -n -r <pcap-file> -q -z follow,tcp,ascii,98 | more

    The first command prints the tcp.stream index of every packet that matches the filter; uniq only collapses adjacent duplicates, so sort first (or use sort -n -u). The second reconstructs the stream whose index the first command found (98 here), the same thing as Follow TCP Stream in Wireshark.

    Using tshark with DNS

    tshark -n -r <pcap-file> -Y 'ip.addr == 192.168.11.175 and ip.addr == 192.168.11.26 and udp.port == 53' -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e dns.id -e dns.qry.name -e dns.a

    dns.id ties a query to its response; dns.a is only present in responses, so query rows have an empty last column. Add -E header=y to print the field names as a first row.
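
    Because dns.a is empty on queries (and also on an NXDOMAIN response), pairing rows by dns.id is the useful next step. The following is an added example, not part of the original notes: a POSIX shell script that runs the DNS extraction above with a header row and one extra field, dns.flags.response (an assumption added here to tell queries from responses reliably), then pairs each query with its response by transaction id and queried name and flags queries that never got an answer. The sample rows it ships with are constructed in the shape tshark -T fields emits, not from a real capture; pass a pcap path as the first argument to run it against tshark instead.

```shell
#!/bin/sh
# Added example: run the page's DNS field extraction, then pair queries with
# responses by dns.id + dns.qry.name and report unanswered queries.
set -eu

# The page's tshark command, plus a header row and dns.flags.response (assumed
# addition: 0/False = query, 1/True = response). Fields are tab-separated by default.
dns_fields() {                      # $1 = pcap file
  tshark -n -r "$1" \
    -Y 'ip.addr == 192.168.11.175 and ip.addr == 192.168.11.26 and udp.port == 53' \
    -T fields -E header=y \
    -e eth.src -e eth.dst -e ip.src -e ip.dst -e dns.id -e dns.qry.name -e dns.a \
    -e dns.flags.response
}

# Constructed rows in the shape the command above emits (not a real capture):
# one answered query, one NXDOMAIN (response with no A records), one never answered.
sample_dns_rows() {
  printf 'eth.src\teth.dst\tip.src\tip.dst\tdns.id\tdns.qry.name\tdns.a\tdns.flags.response\n'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    00:aa:bb:cc:dd:ee 00:11:22:33:44:55 192.168.11.175 192.168.11.26 0x1a2b example.com '' 0 \
    00:11:22:33:44:55 00:aa:bb:cc:dd:ee 192.168.11.26 192.168.11.175 0x1a2b example.com 203.0.113.10,203.0.113.11 1 \
    00:aa:bb:cc:dd:ee 00:11:22:33:44:55 192.168.11.175 192.168.11.26 0x1a2c nxdomain-test.invalid '' 0 \
    00:11:22:33:44:55 00:aa:bb:cc:dd:ee 192.168.11.26 192.168.11.175 0x1a2c nxdomain-test.invalid '' 1 \
    00:aa:bb:cc:dd:ee 00:11:22:33:44:55 192.168.11.175 192.168.11.26 0x1a2d exfil.example.net '' 0
}

# stdin: rows from dns_fields (header optional). stdout: id, name, client, answer,
# where answer is the A records, NO-A-RECORDS for a response without any, or
# NO-RESPONSE when no response was seen for that id/name pair.
pair_dns_by_id() {
  awk -F '\t' '
    $5 == "dns.id" { next }                      # header row
    {
      key = $5 "\t" $6
      is_resp = ($8 == "1" || $8 == "True")      # booleans print as 1/0 or True/False by version
      if (!is_resp) {
        if (!(key in client)) order[++n] = key
        client[key] = $3
      } else {
        answer[key] = ($7 == "" ? "NO-A-RECORDS" : $7)
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]; split(k, p, "\t")
        a = (k in answer) ? answer[k] : "NO-RESPONSE"
        printf "%s\t%s\t%s\t%s\n", p[1], p[2], client[k], a
      }
    }'
}

dns_report() {                      # $1 = pcap (optional); falls back to the sample rows
  if [ -n "${1:-}" ]; then dns_fields "$1"; else sample_dns_rows; fi | pair_dns_by_id
}

dns_answer_for() {                  # $1 = dns.id, e.g. 0x1a2c (runs on the sample rows)
  dns_report | awk -F '\t' -v id="$1" '$1 == id { print $4 }'
}

dns_report "${1:-}"
```

    Queries that show up as NO-RESPONSE are worth a second look during triage: a burst of them from one client is what resolver probing or DNS-based exfiltration looks like in the field output, while a steady stream of NO-A-RECORDS is usually just NXDOMAIN noise.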

    Bonus

    When you get a base64-encoded payload, save it to a file and decode it with: base64 --decode -i attachment.txt > /tmp/attachment.bin. Note that -i means the input file only on the macOS/BSD base64; GNU coreutils base64 takes the file as a positional argument (base64 --decode attachment.txt) and uses -i for --ignore-garbage.

  • Wireshark

    Start analysis with the Statistics menu. Capture File Properties gives a summary of the capture (duration, packet count, bytes). Protocol Hierarchy breaks the traffic down by layer with per-protocol counts. Conversations shows which IPs and ports talked to each other and how much; large file transfers and small-scale mapping (scanning) activity both stand out here.

    Analyze > Follow > TCP Stream shows an entire conversation.

    Find a packet (Edit > Find Packet) by String or Hex value in the packet list, details or bytes, then Follow the stream for the whole conversation.

    Use Profiles to customize your view of Wireshark. If you do common tasks and focus on certain items, create a profile for each (columns, coloring rules, filter buttons) and switch between them to speed up analysis.

  • Use tcpdump to find and isolate packets/sessions/events of interest. Use Wireshark to inspect details.

  • This is the start of something new…