What is tshark?

tshark is the command-line version of Wireshark: it uses the same dissectors and the same display-filter language. It processes packets faster than the Wireshark GUI, but it is slower than tcpdump, which only applies BPF capture filters and does not fully dissect every packet.

Notes and Quirks about tshark

  • tshark, like Wireshark, dissects the packet data rather than just matching on the outer headers. For example, an ICMP error message (destination unreachable, time exceeded, ...) quotes the IP header and at least the first 8 bytes of the datagram that triggered it (RFC 792; modern stacks often quote more), and tshark dissects that quoted header too. A display filter such as ip.addr therefore also matches addresses inside the ICMP payload, where a tcpdump capture filter only inspects the outer IP header:
    • tcpdump -n -r icmp-error.pcap 'net 10' | wc -l
    • tshark -n -r icmp-error.pcap -Y 'ip.addr == 10.0.0.0/8' | wc -l
    • The second count can be higher than the first. If you only want the outer header in tshark, restrict the filter to the first IP layer with the layer operator available in Wireshark 4.0 and later: ip.addr#1 == 10.0.0.0/8
  • tshark -c N limits how many packets tshark reads, not how many matches it prints. In a live capture the limit is applied by the capture engine before the -Y display filter runs, so you may get fewer than N lines of output rather than the first N matches. tcpdump -c N, by contrast, stops after N packets that matched its capture filter. (When reading a file with -r, recent tshark versions stop after N packets that pass the -Y filter; check the behaviour of your version.)
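An added example (not from the original notes) that generates a small icmp-error.pcap to try the two ICMP commands above against. It writes one Ethernet frame in which a router at 203.0.113.1 sends ICMP Time Exceeded to 192.0.2.10, quoting the expired probe 192.0.2.10 -> 10.9.8.7. Only the quoted header mentions 10/8, so tcpdump 'net 10' should report 0 matching packets and tshark -Y 'ip.addr == 10.0.0.0/8' should report 1. The addresses, MAC addresses and ports are assumptions chosen for the example, and ip_addresses() models the two filter behaviours in pure Python so the difference can be seen without either tool installed.

```python
"""Generate icmp-error.pcap for the tshark-vs-tcpdump ICMP comparison.

Added example, not part of the original notes. One frame: router
203.0.113.1 -> 192.0.2.10, ICMP Time Exceeded, quoting 192.0.2.10 -> 10.9.8.7.
All addresses are documentation ranges chosen for the example.
"""
import ipaddress
import struct


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_error(original, icmp_type=11, code=0):
    """ICMP error (default: Time Exceeded) quoting the original IP header + 8 bytes."""
    quoted = original[:28]  # 20-byte header + 64 bits of the original data (RFC 792)
    cs = checksum(struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted)
    return struct.pack("!BBHI", icmp_type, code, cs, 0) + quoted


def build_frame():
    """Ethernet frame carrying the ICMP error described in the module docstring."""
    probe_udp = struct.pack("!HHHH", 40000, 33434, 8, 0)  # traceroute-style UDP probe
    original = ipv4_header("192.0.2.10", "10.9.8.7", 17, len(probe_udp), ttl=1) + probe_udp
    icmp = icmp_error(original)
    outer = ipv4_header("203.0.113.1", "192.0.2.10", 1, len(icmp))
    ethernet = b"\x00\x00\x00\x00\x00\x02" + b"\x00\x00\x00\x00\x00\x01" + b"\x08\x00"
    return ethernet + outer + icmp


def write_pcap(path, frames):
    """Classic little-endian pcap file, link type 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP types that quote the offending datagram


def ip_addresses(frame, dissect_icmp_payload):
    """Addresses a filter can see in one Ethernet/IPv4 frame.

    dissect_icmp_payload=False mimics a BPF capture filter (outer header only);
    True mimics tshark's ip.addr, which also covers the header quoted in an ICMP error.
    """
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    addrs = {str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))}
    if dissect_icmp_payload and ip[9] == 1 and ip[ihl] in ICMP_ERROR_TYPES:
        inner = ip[ihl + 8:]  # quoted IP header starts after the 8-byte ICMP header
        addrs |= {str(ipaddress.IPv4Address(inner[12:16])), str(ipaddress.IPv4Address(inner[16:20]))}
    return addrs


def matches_net(frame, net, dissect_icmp_payload):
    """True if any visible address falls inside net (e.g. '10.0.0.0/8')."""
    network = ipaddress.ip_network(net)
    return any(ipaddress.ip_address(a) in network for a in ip_addresses(frame, dissect_icmp_payload))


if __name__ == "__main__":
    frame = build_frame()
    write_pcap("icmp-error.pcap", [frame])
    print("outer header only (tcpdump 'net 10'):", matches_net(frame, "10.0.0.0/8", False))
    print("with quoted header (tshark ip.addr): ", matches_net(frame, "10.0.0.0/8", True))
```

Run the script, then run the two commands from the note against the resulting icmp-error.pcap; the checksums are valid, so tshark will not flag the packet as malformed.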

tshark Options

  • -q (quiet: suppress the per-packet output; useful together with -z)
  • -r <file> (read a pcap file)
  • -n (no name resolution for hosts, ports or MAC addresses)
  • -Y 'wireshark-filter' (apply a Wireshark display filter)
  • -w <file> (write a pcap file)
  • -T fields -e <field> (-T selects the output format; each -e adds one field column, tab separated)
    • tcp.stream
    • eth.src
    • eth.dst
    • tcp.dstport
    • tcp.srcport
    • ip.src
    • ip.dst
    • dns.id
    • dns.qry.name
    • dns.a
  • -z <statistics> (print a statistic; combine with -q)
    • http,tree
    • http_req,tree
    • follow,tcp,ascii,<stream#>

Sample Commands

Using tshark with ICMP

See the two ICMP commands under "Notes and Quirks" above.

Using tshark to get HTTP information

tshark -n -r <pcap-file> -q -z http,tree
tshark -n -r <pcap-file> -q -z http_req,tree

Using tshark to find and follow a stream

First list the TCP stream number(s) for the connection of interest, then follow one stream by number:

tshark -n -r <pcap-file> -Y 'tcp.srcport == 5678 and tcp.dstport == 80' -T fields -e tcp.stream | sort -un
tshark -n -r <pcap-file> -q -z follow,tcp,ascii,98 | more

(uniq on its own only collapses adjacent duplicates, so sort -u is safer; 98 is one of the stream numbers printed by the first command.)

Using tshark with DNS

tshark -n -r <pcap-file> -Y 'ip.addr == 192.168.11.175 and ip.addr == 192.168.11.26 and udp.port == 53' -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e dns.id -e dns.qry.name -e dns.a
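An added example (not from the original notes) that post-processes the tab-separated output of the DNS fields command above. It assumes one extra column, -e dns.flags.response, so that a response carrying no A records (for example NXDOMAIN) is not mistaken for a query; with that column the command becomes: tshark -n -r <pcap-file> -Y 'udp.port == 53' -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e dns.id -e dns.flags.response -e dns.qry.name -e dns.a. Queries and responses are paired on (dns.id, query name), multiple A records in one response (which tshark joins with commas) are split into a list, and the script flags queries that never got a response and responses that no query asked for. The sample input is constructed to look like tshark's output; the hosts and names are assumptions.

```python
"""Pair DNS queries with responses from 'tshark -T fields' output.

Added example, not part of the original notes. Expects the columns below,
i.e. the notes' DNS command plus -e dns.flags.response.
"""
from collections import OrderedDict

FIELDS = ["eth.src", "eth.dst", "ip.src", "ip.dst", "dns.id",
          "dns.flags.response", "dns.qry.name", "dns.a"]

# Constructed sample of what tshark prints for that command: tab separated,
# several dns.a values joined by commas, an empty column when a field is absent.
SAMPLE = (
    "aa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t192.168.11.175\t192.168.11.26\t0x1a2b\tFalse\twww.example.com\t\n"
    "aa:bb:cc:00:00:02\taa:bb:cc:00:00:01\t192.168.11.26\t192.168.11.175\t0x1a2b\tTrue\twww.example.com\t198.51.100.20,198.51.100.21\n"
    "aa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t192.168.11.175\t192.168.11.26\t0x1a2c\tFalse\tnx.example.com\t\n"
    "aa:bb:cc:00:00:02\taa:bb:cc:00:00:01\t192.168.11.26\t192.168.11.175\t0x1a2c\tTrue\tnx.example.com\t\n"
    "aa:bb:cc:00:00:01\taa:bb:cc:00:00:02\t192.168.11.175\t192.168.11.26\t0x1a2d\tFalse\tbeacon.example.net\t\n"
    "aa:bb:cc:00:00:02\taa:bb:cc:00:00:01\t192.168.11.26\t192.168.11.175\t0x7777\tTrue\twww.example.com\t203.0.113.9\n"
)


def parse_line(line):
    """One tshark output line -> dict keyed by field name."""
    cols = line.rstrip("\n").split("\t")  # rstrip("\n") only: a trailing tab is an empty column
    if len(cols) != len(FIELDS):
        raise ValueError("expected %d columns, got %d: %r" % (len(FIELDS), len(cols), line))
    rec = dict(zip(FIELDS, cols))
    # tshark versions differ in printing booleans as 1/0 or True/False
    rec["dns.flags.response"] = rec["dns.flags.response"] in ("1", "True", "true")
    rec["dns.a"] = [a for a in rec["dns.a"].split(",") if a]
    return rec


def pair_transactions(text):
    """Group records by (dns.id, query name) -> {'query': rec|None, 'response': rec|None}."""
    txns = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["dns.id"], rec["dns.qry.name"].lower())
        slot = txns.setdefault(key, {"query": None, "response": None})
        slot["response" if rec["dns.flags.response"] else "query"] = rec
    return txns


def resolved_names(txns):
    """name -> A records, for transactions where both query and response were seen."""
    out = {}
    for (_, name), t in txns.items():
        if t["query"] and t["response"]:
            out.setdefault(name, []).extend(t["response"]["dns.a"])
    return out


def anomalies(txns):
    """(names queried but never answered, (id, name) of responses no query asked for)."""
    unanswered = [name for (_, name), t in txns.items() if t["query"] and not t["response"]]
    unsolicited = [(i, name) for (i, name), t in txns.items() if t["response"] and not t["query"]]
    return unanswered, unsolicited


if __name__ == "__main__":
    txns = pair_transactions(SAMPLE)
    for name, addrs in resolved_names(txns).items():
        print("%-22s -> %s" % (name, ", ".join(addrs) or "(no A records)"))
    unanswered, unsolicited = anomalies(txns)
    print("unanswered queries:   ", unanswered)
    print("unsolicited responses:", unsolicited)
```

To use it on a real capture, pipe the tshark command into the script's standard input and call pair_transactions(sys.stdin.read()) in place of SAMPLE. An unsolicited response is worth a second look: it is either a query that fell outside the capture or filter, or a response somebody sent without being asked.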

Bonus

When you get a base64-encoded payload (for example an attachment exported from a follow-stream output), save it to a file and decode it with: base64 --decode attachment.txt > /tmp/attachment.bin (on macOS the input file is given as -i attachment.txt). Run file /tmp/attachment.bin afterwards to see what you actually got.