Traffic Analysis with tshark

Wed 25 March 2020 by Christoph Bleß Tags tshark / traffic analysis / pcap analysis / live capture

Basic usage

The first option we can use is to read packets from a pcap file. The filename must be specified by parameter -r.

tshark -r file.pcap

Another option is to read packets directly from a live capture. To do so you need to specify the interface with the parameter -i.

tshark -i eth0

Additionally you can use tshark to write a capture file. The name of the output file must be specified by parameter -w.

tshark -i eth0 -w file.pcap

Display statistics about PCAP files

To get a brief overview of what kind of traffic has been captured, the protocol hierarchy statistics can be used. The -Q option suppresses the per-packet output, so only the statistics are printed.

tshark -Q -r file.pcap -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:170574 bytes:165271675
  ip                                     frames:167829 bytes:165118368
    tcp                                  frames:166836 bytes:164972597
      http                               frames:1169 bytes:1113141
        data-text-lines                  frames:141 bytes:68030
          tcp.segments                   frames:121 bytes:55944
        media                            frames:13 bytes:8526
          tcp.segments                   frames:13 bytes:8526
[...]

Another useful feature is the endpoint statistics. The following example displays all IPv4 endpoints within the given capture file, with the number of packets and bytes each address sent (Tx) and received (Rx).

tshark -Q -r file.pcap -z endpoints,ip

Result:

================================================================================
IPv4 Endpoints
Filter:<No Filter>
                        |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.16.31.1              142285     145306928     107742       142895090       34543         2411838   
10.16.31.4              142285     145306928      34543         2411838      107742       142895090   
[...]
================================================================================

The next example can be used to display all IPv4 and IPv6 endpoints within the given capture file.

tshark -Q -r file.pcap -z endpoints,ipv6 -z endpoints,ip

Result:

================================================================================
IPv4 Endpoints
Filter:<No Filter>
                        |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.16.31.1              142285     145306928     107742       142895090       34543         2411838   
10.16.31.4              142285     145306928      34543         2411838      107742       142895090   
[...]
================================================================================
================================================================================
IPv6 Endpoints
Filter:<No Filter>
                        |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
ff02::1:2                     19          2857          0               0          19            2857   
fe80::cd42:fe8a:AAAA:1234          14          2072         14            2072           0               0   
[...]
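The endpoint table is fixed-width text meant for humans. The following Python script is an added example (not part of the original post) that parses the table shown above and ranks the endpoints by bytes sent; the embedded SAMPLE is the IPv4 table from above, and the tx/rx ratio threshold in uploaders() is an assumed heuristic for spotting hosts that send far more than they receive, not something tshark computes. Pipe the tshark output into the script, or run it without input to use the sample.

```python
"""Parse and rank the endpoint table printed by tshark -z endpoints,ip.

Added example, not code from the original post.  SAMPLE is the IPv4 table
shown above; the tx/rx ratio threshold in uploaders() is an assumed
heuristic, not something tshark computes.
"""
import sys
from typing import Dict, List

SAMPLE = """\
================================================================================
IPv4 Endpoints
Filter:<No Filter>
                        |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
10.16.31.1              142285     145306928     107742       142895090       34543         2411838
10.16.31.4              142285     145306928      34543         2411838      107742       142895090
================================================================================
"""

# Column order of the numeric fields, left to right, as tshark prints them.
COLUMNS = ("packets", "bytes", "tx_packets", "tx_bytes", "rx_packets", "rx_bytes")


def parse_endpoints(text: str) -> List[Dict[str, object]]:
    """Return one dict per endpoint row.

    A data row is a line with exactly seven whitespace-separated tokens whose
    last six are integers; banner, header and '====' lines fail that test and
    are skipped, so the parser works for the IPv4 and the IPv6 table alike.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not all(p.isdigit() for p in parts[1:]):
            continue
        row: Dict[str, object] = {"address": parts[0]}
        row.update(zip(COLUMNS, (int(p) for p in parts[1:])))
        rows.append(row)
    return rows


def top_talkers(rows, n=5, key="bytes"):
    """The n endpoints with the largest value in the given column."""
    return sorted(rows, key=lambda r: r[key], reverse=True)[:n]


def tx_rx_ratio(row) -> float:
    """Bytes sent divided by bytes received; inf if the host only sent."""
    return row["tx_bytes"] / row["rx_bytes"] if row["rx_bytes"] else float("inf")


def uploaders(rows, min_ratio=10.0):
    """Addresses that sent at least min_ratio times more bytes than they received.

    In the sample 10.16.31.1 sent roughly 59x what it received; whether that
    is a server answering downloads or a client pushing data out depends on
    which side of the conversation the address is on.
    """
    return sorted(r["address"] for r in rows if tx_rx_ratio(r) >= min_ratio)


if __name__ == "__main__":
    # Read `tshark -Q -r file.pcap -z endpoints,ip` from stdin, else use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    rows = parse_endpoints(text)
    for r in top_talkers(rows, key="tx_bytes"):
        print(f"{r['address']:<24} bytes={r['bytes']:>12} tx/rx={tx_rx_ratio(r):.2f}")
    print("uploaders:", uploaders(rows))
```

Because the parser keys on the shape of a data row rather than on column positions, the same function handles the IPv6 table, whose addresses are longer and push the columns to the right.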

Extract files from pcap files

The following example shows how to extract objects from a pcap containing SMB traffic.

tshark -Q -r file.pcap  --export-objects smb,outdir

The following example shows how to extract objects from a pcap which were transmitted via HTTP. In both cases tshark can only reassemble objects from complete, unencrypted streams; HTTPS bodies are not exported unless the TLS session keys have been made available to tshark.

tshark -Q -r file.pcap  --export-objects http,outdir

Analyze traffic within pcap files

Analyze HTTP traffic

The following example can be used to display information from HTTP responses. In this case the server IP as well as the Server header are displayed. To remove duplicate entries the tools sort and uniq are used.

tshark -r file.pcap -Y "http.response" -T fields -e ip.src -e http.server | sort |uniq

To analyze HTTP requests you can use the filter "http.request". In this case we display the source IP, destination IP, destination port, request method, hostname, requested URI as well as the user agent. The fields are printed tab-separated, one line per packet, and a field that is absent from a request (for example a missing User-Agent header) is printed as an empty column.

tshark -r file.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.request.method -e http.host -e http.request.uri -e http.user_agent | sort |uniq
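Once the requests are in tab-separated form it is often more useful to count them per client, host and user agent than to pipe them through sort and uniq. The following Python script is an added example (not code from the original post) that does that with the request query from above plus a header line (-E header=y) and only the first value per field (-E occurrence=f); SAMPLE is constructed output with addresses from documentation ranges.

```python
"""Summarise HTTP requests from tshark -T fields output.

Added example, not code from the original post.  It consumes the output of

  tshark -r file.pcap -Y http.request -T fields -E header=y -E separator=/t \
      -E occurrence=f -e ip.src -e ip.dst -e tcp.dstport \
      -e http.request.method -e http.host -e http.request.uri -e http.user_agent

-E header=y adds a first line naming the fields, -E occurrence=f keeps only
the first value when a frame carries several (e.g. pipelined requests
reassembled into one frame) so no cell is comma-joined.
SAMPLE is constructed; the addresses are from documentation ranges.
"""
import shutil
import subprocess
import sys
from collections import Counter, defaultdict
from typing import Dict, List

FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "http.request.method",
          "http.host", "http.request.uri", "http.user_agent"]

# Constructed sample output. The last request has no User-Agent header,
# which tshark prints as an empty cell (note the trailing tab).
SAMPLE = (
    "\t".join(FIELDS) + "\n"
    "192.168.1.24\t198.51.100.10\t80\tGET\twww.example.com\t/\tMozilla/5.0\n"
    "192.168.1.24\t198.51.100.10\t80\tGET\twww.example.com\t/index.html\tMozilla/5.0\n"
    "192.168.1.24\t198.51.100.10\t80\tGET\twww.example.com\t/\tMozilla/5.0\n"
    "192.168.1.30\t203.0.113.7\t8080\tPOST\t203.0.113.7:8080\t/upload\tcurl/7.68.0\n"
    "192.168.1.30\t203.0.113.7\t8080\tPOST\t203.0.113.7:8080\t/upload\t\n"
)


def run_tshark(pcap: str, display_filter: str = "http.request") -> str:
    """Run tshark (must be on PATH) and return the tab-separated field output."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_fields(text: str) -> List[Dict[str, str]]:
    """Turn header + tab-separated rows into dicts, keeping empty cells.

    Splitting on the tab only (not on arbitrary whitespace) keeps the column
    count stable when a field such as the user agent is absent or contains
    spaces.
    """
    lines = text.splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:] if line]


def summarize(rows):
    """Group requests by (client, host, user agent).

    Unlike `sort | uniq` this counts duplicates instead of dropping them and
    collects the distinct URIs and methods per group, which is what you want
    when one client hammers one path.
    """
    groups = defaultdict(lambda: {"count": 0, "methods": Counter(), "uris": set()})
    for r in rows:
        key = (r["ip.src"], r["http.host"], r["http.user_agent"] or "<no User-Agent>")
        g = groups[key]
        g["count"] += 1
        g["methods"][r["http.request.method"]] += 1
        g["uris"].add(r["http.request.uri"])
    return dict(groups)


if __name__ == "__main__":
    # Usage: python3 http_summary.py file.pcap   (falls back to SAMPLE)
    if len(sys.argv) > 1 and shutil.which("tshark"):
        text = run_tshark(sys.argv[1])
    else:
        text = SAMPLE
    for (client, host, ua), g in sorted(summarize(parse_fields(text)).items()):
        print(f"{client} -> {host} [{ua}] {g['count']} requests, "
              f"methods={dict(g['methods'])}, uris={sorted(g['uris'])}")
```

Requests without a User-Agent header and requests from tools such as curl stand out immediately in the grouped output, whereas in the raw sort | uniq listing they are just more lines.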

Modbus Traffic

The next example displays the IP addresses of the Modbus master (source) and Modbus slave (destination) together with the requested Modbus function code. Function code 15 (0x0F) in the output below is Write Multiple Coils. Note that the dissector only recognises Modbus/TCP on port 502 by default; for traffic on another port you have to tell tshark to decode it as Modbus/TCP with -d tcp.port==<port>,mbtcp.

tshark -r file.pcap -Y "modbus && tcp.dstport == 502" -T fields -e ip.src -e ip.dst -e modbus.func_code

10.21.10.10 10.21.10.24 15
10.21.10.10 10.21.10.24 15

Telnet

The following example can be used to display all data transmitted via Telnet. Since Telnet is cleartext this includes any usernames and passwords typed in the session. Each output line is one packet, and interactive Telnet clients usually send one character per packet, so a typed command is spread over many lines; -z follow,tcp,ascii,<stream number> prints the reassembled conversation instead.

tshark -r file.pcap -Y "telnet" -T fields -e telnet.data

DNS traffic

Display the client and server IP addresses of all DNS queries within a pcap file. Since we filter for DNS traffic with destination port 53, all DNS clients can be identified by the source address and the resolvers they use by the destination address. We pass the results to sort and uniq to remove duplicate entries.

tshark -r file.pcap -Y "dns.qry.name && udp.dstport==53 " -T fields -e ip.src -e ip.dst  | sort | uniq

192.168.1.24    192.168.1.1
[...]

The following example displays the hostnames requested in DNS queries. If you are reading from a pcap you can again use sort and uniq to remove duplicate entries; on a live capture sort would wait for the end of the input, so leave it out there.

tshark -r file.pcap -Y "dns.qry.name && udp.dstport==53" -T fields -e dns.qry.name  | sort | uniq

www.heise.de
www.google.com
[...]
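The two DNS queries above answer "which clients" and "which names" separately. The following Python script is an added example (not code from the original post) that combines them: it consumes the output of the DNS field query with ip.src, ip.dst and dns.qry.name, builds the set of names per client and the set of clients per resolver, and lists clients that send queries to a resolver other than the expected one. Because tshark joins multiple occurrences of a field with ',' (its default -E aggregator), a frame carrying several questions yields a comma-separated cell, which the parser splits. SAMPLE is constructed; 192.168.1.1 plays the site's resolver and 203.0.113.53 an external one.

```python
"""Per-client and per-resolver view of DNS queries from tshark -T fields.

Added example, not code from the original post.  It consumes the output of

  tshark -r file.pcap -Y "dns.qry.name && udp.dstport==53" -T fields \
      -e ip.src -e ip.dst -e dns.qry.name

i.e. the two DNS queries from above combined into one.  Multiple
occurrences of a field are joined by ',' (tshark's default -E aggregator),
so a frame with several questions yields a comma-separated cell.
SAMPLE is constructed.
"""
import sys
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: 192.168.1.1 is the site's resolver, 203.0.113.53 an
# external one; the last line imitates a frame carrying two questions.
SAMPLE = (
    "192.168.1.24\t192.168.1.1\twww.heise.de\n"
    "192.168.1.24\t192.168.1.1\twww.google.com\n"
    "192.168.1.24\t192.168.1.1\twww.heise.de\n"
    "192.168.1.30\t203.0.113.53\twww.google.com\n"
    "192.168.1.30\t192.168.1.1\tupdate.example.net,www.example.net\n"
)


def parse_dns_rows(text: str, aggregator: str = ",") -> List[Tuple[str, str, str]]:
    """Return (client, resolver, name) triples, one per query name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, names = line.split("\t")
        for name in names.split(aggregator):
            if name:
                # Normalise so "WWW.Example.NET." and "www.example.net" match.
                rows.append((src, dst, name.rstrip(".").lower()))
    return rows


def names_by_client(rows) -> Dict[str, Set[str]]:
    """Distinct names each client asked for."""
    out = defaultdict(set)
    for src, _dst, name in rows:
        out[src].add(name)
    return dict(out)


def clients_by_resolver(rows) -> Dict[str, Set[str]]:
    """Which clients sent queries to which resolver."""
    out = defaultdict(set)
    for src, dst, _name in rows:
        out[dst].add(src)
    return dict(out)


def bypassing_resolver(rows, allowed: Set[str]) -> List[Tuple[str, str]]:
    """(client, resolver) pairs that talk to a resolver not in `allowed`.

    Hosts querying an external resolver directly are the ones your DNS
    logging and filtering on the internal resolver never see.
    """
    return sorted({(src, dst) for src, dst, _ in rows if dst not in allowed})


if __name__ == "__main__":
    # Pipe the tshark output into this script; without input SAMPLE is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    rows = parse_dns_rows(text)
    for client, names in sorted(names_by_client(rows).items()):
        print(client, sorted(names))
    print("resolvers:", {k: sorted(v) for k, v in clients_by_resolver(rows).items()})
    print("not using 192.168.1.1:", bypassing_resolver(rows, {"192.168.1.1"}))
```

The script expects exactly the three fields in the order given; if you add fields to the tshark command, adjust the unpacking in parse_dns_rows accordingly.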