Tshark examples: howto capture and dissect network traffic


Live Exploits Seminar

Advanced Windows Exploitation Lab


Environment - Reserve Your Seat
Offensive-Security.com/AWE

Upgrade Network Server

Upgrade to Efficient Dell Servers! Ensure


better Server performance
www.Dell.com/Servers

Carbon Capture

Get all the info on CO2 capture Pre &


Post Combustion, Oxyfuel
www.ico2n.com

This page contains a collection of useful examples for using tshark, the network traffic capture and analysis tool.

Network Traffic Capture


tshark can be used to dump network traffic into capture files for later processing. For this, we need to tell tshark which interface to listen on and which
traffic to capture. Here is an example:
tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap

The -f flag specifies a network capture filter (more on filters later). Packets that do not match the condition following the -f flag are not
captured. In this example, only IP packets coming from or going to UDP port 1812 (RADIUS) are captured.
The -i flag specifies the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.
The -w flag specifies a file where the captured traffic will be saved for later processing.

Network capture rules


Network capture rules or filters, specified with the -f option, allow you to tell tshark which packets should be captured. The syntax for network capture
filters is the same as for tcpdump filters. For details on capture filters see man tcpdump. Byte matching is an advanced capture filter in tshark that I
previously introduced in Tshark byte matching for selective packet capture.

Packet display rules


Packet display rules or filters, as their name implies, allow you to control which packets are displayed by tshark when performing a live network capture or when
tshark is reading a capture file. The selection criteria are specified using the -R flag and a display filter expression. This is a simple example:
tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

This example displays only IP packets that are sent by or destined to the IP address 192.168.0.1.
The filter expression can be a logical combination of other filter expressions. Here is a list of various display filters for your reference (see man
wireshark-filters for more details on display filters); each entry gives the description followed by the filter expression:
Ethernet address 00:08:15:00:08:15
    eth.addr == 00:08:15:00:08:15

Ethernet type 0x0806 (ARP)
    eth.type == 0x0806

Ethernet broadcast
    eth.addr == ff:ff:ff:ff:ff:ff

No ARP
    not arp

IP only
    ip

IP address 192.168.0.1
    ip.addr == 192.168.0.1

IP address isn't 192.168.0.1 (don't use != for this: a packet has two addresses, so "ip.addr != x" still matches when only one of them is x)
    !(ip.addr == 192.168.0.1)

IPX only
    ipx

TCP only
    tcp

UDP only
    udp

UDP port isn't 53 (not DNS), don't use != for this, for the same reason as above
    !(udp.port == 53)

TCP or UDP port is 80 (HTTP)
    tcp.port == 80 || udp.port == 80

HTTP
    http

No ARP and no DNS
    not arp and not (udp.port == 53)

Non-HTTP and non-SMTP to/from 192.168.0.1
    not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1

Network Traffic Dissection


Tshark can process network capture files and produce output that can be used for analyzing and troubleshooting network protocols. The dissection
capability allows, for example, displaying specific fields of each packet in a network traffic capture file.
One of the dissection methods in tshark is the '-z' option, explained below (from man tshark):
-z proto,colinfo,filter,field
Append all field values for the packet to the Info column
of the one-line summary output. This feature can be
used to append arbitrary fields to the Info column in
addition to the normal content of that column. field is
the display-filter name of a field which value should
be placed in the Info column. filter is a filter string
that controls for which packets the field value will be
presented in the info column. field will only be presented
in the Info column for the packets which match filter.
NOTE: In order for TShark to be able to extract the
field value from the packet, field MUST be part of the
filter string. If not, TShark will not be able to extract
its value.
For a simple example to add the "nfs.fh.hash" field to the
Info column for all packets containing the "nfs.fh.hash"
field, use

This is a simple example of -z proto,colinfo usage. The command asks tshark to display the source port of all TCP packets in the file /tmp/capture.cap.
tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap

Here is a more advanced example:


tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp

The example above asks tshark to display the content_type and content_length fields of all HTTP response packets carrying an image. The result
looks something like this:
12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 477
13.046184 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 105
13.075361 203.190.124.6 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
13.177414 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 4039
13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 11997
13.231228 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 1033
13.273888 72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (PNG) http.content_type == "image/png" http.content_length == 1974
19.096984 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 592
19.471444 60.254.185.58 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 259

The output shown above can be used, for example, to extract statistics on image types and their sizes in a given HTTP capture.
The command below counts the number of GIF images downloaded over HTTP.
tshark -R "http.response and http.content_type contains image" \
-z "proto,colinfo,http.content_length,http.content_length" \
-z "proto,colinfo,http.content_type,http.content_type" \
-r /tmp/capture.tmp | grep "image/gif" | wc -l
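Going one step further than grep | wc -l, the added script below (not from the original post) parses the proto,colinfo lines shown above and reports, per image type, how many responses were seen and how many bytes they carried; the input lines are constructed here to mirror tshark's output so the script runs without a capture file.

```shell
#!/bin/sh
# Added example: aggregate tshark's proto,colinfo output into per-type
# counts and byte totals. The sample lines are constructed, not captured.

# summarize_images: reads tshark one-line summaries on stdin and prints
# "<content_type> <count> <total_bytes>" for each image type, sorted.
summarize_images() {
    awk '
    {
        type = ""; len = ""
        # Scan tokens for the two appended fields, whatever their position.
        for (i = 1; i <= NF; i++) {
            if ($i == "http.content_type" && $(i+1) == "==") {
                type = $(i+2); gsub(/"/, "", type)
            }
            if ($i == "http.content_length" && $(i+1) == "==") {
                len = $(i+2)
            }
        }
        # Skip lines where either field is missing or the length is not numeric.
        if (type != "" && len ~ /^[0-9]+$/) {
            count[type]++
            bytes[type] += len
        }
    }
    END {
        for (t in count) printf "%s %d %d\n", t, count[t], bytes[t]
    }' | sort
}

# Constructed sample in the same format tshark produced above.
SAMPLE='12.717117 66.249.89.127 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 35
13.190000 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (JPEG JFIF image) http.content_type == "image/jpeg" http.content_length == 11997
13.273888 72.233.69.4 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (PNG) http.content_type == "image/png" http.content_length == 1974
12.828186 66.114.48.56 -> 192.168.1.108 HTTP HTTP/1.1 200 OK (GIF89a) http.content_type == "image/gif" http.content_length == 477'

# To use it on a real capture, pipe the tshark command from the post into
# summarize_images instead of the sample:
#   tshark -R "http.response and http.content_type contains image" \
#     -z "proto,colinfo,http.content_length,http.content_length" \
#     -z "proto,colinfo,http.content_type,http.content_type" \
#     -r /tmp/capture.tmp | summarize_images
printf '%s\n' "$SAMPLE" | summarize_images
```

Newer tshark releases apply a read-time display filter with -Y (or with -2 -R for two-pass analysis); the pipeline is otherwise unchanged.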

Links
Tshark byte matching for selective packet capture
Capture and Analysis of RADIUS traffic using tshark
Wireshark Display Filters [http://wiki.wireshark.org/DisplayFilters]
Wireshark Capture Filters [http://wiki.wireshark.org/CaptureFilters]

Labels: howto, unix
