Packet Analysis with tshark

Locked Dorr Security
4 min readJul 28, 2022


Why tshark?

A good question to ask is what tshark can do that Wireshark can't. It is much easier to dive deeper into a packet with tshark than with Wireshark. I like to use Wireshark initially because of the profiles you can use to make your searches a bit more standardized, but when it comes to trying to get a more specific answer, the ability on the command line to sort and manipulate the data gives you a bit more flexibility.

tshark Fields to analyze PCAPs

You are going to want to get to know these types of options to help you narrow down the data you are looking for. There are lots of fields you can look at; however, you will want to develop some sort of methodology so you are not just taking wild stabs at a pcap in the dark.

Fields (few examples)

  • ip.src
  • ip.dst
  • ip.proto
  • udp.dstport
  • dns.query
  • http.user_agent
  • http.request.method
  • http.request.uri
  • http.request.full_uri

Example Queries with T-Shark

I will provide some queries that you may find useful when looking through data. Gear them towards finding anomalies in the traffic, things that are not expected in your normal baseline, such as non-standard user agents. This is increasingly difficult on a network that allows personal devices and a wide variety of Internet of Things (IoT) devices.

Carving out User Agents example

tshark -r 3a86135ddc91dd726f831d9020a9a3d7fe7c0747ebda91f02fc477f2ae1331e6.pcap -T fields -e ip.src -e http.user_agent | awk '{print $1,$2;}' | sort | uniq -c | sort -nr

With this query, I extracted the source IP and user agent, then used awk to print the fields I wanted and sorted them from highest to lowest (awk splits on whitespace, so only the first word of the user agent is kept, which is why the output shows just Mozilla/5.0). If you look at the picture, you will see that Mozilla/5.0 appeared 33 times in this capture from the IP address 172.16.2.96. As you can see, there is a lot of potential with this. You can use grep to pull out certain user agents if you'd like. That is up to you, but these types of things can later be automated.

We can clean that up a little as well. This time we will have it output only the IP addresses that have a user agent associated with them.

tshark -r 3a86135ddc91dd726f831d9020a9a3d7fe7c0747ebda91f02fc477f2ae1331e6.pcap -T fields -e ip.src -e http.user_agent | awk '{if ($2) print $0;}' | sort | uniq -c | sort -nr

To accomplish this, the awk if condition requires that the user-agent field contain data before the line is printed. See the example output below.
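The two user-agent queries above, reworked as an added example that is not from the original post: the fields are split on the tab that tshark -T fields emits, so user agents containing spaces stay whole, and a second function lists agents seen from only one source host, a cheap way to surface tooling that falls outside the baseline. The field lines are constructed sample output standing in for the tshark command, so the script runs without a capture file.

```shell
#!/bin/sh
# Added example (not from the original post). The lines produced by
# sample_fields are CONSTRUCTED stand-ins for the output of:
#   tshark -r capture.pcap -Y http.request -T fields -e ip.src -e http.user_agent
# which prints one "ip.src<TAB>http.user_agent" line per request.

sample_fields() {
    printf '%s\t%s\n' \
        '172.16.2.96'  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/102.0' \
        '172.16.2.96'  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/102.0' \
        '172.16.2.96'  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/102.0' \
        '172.16.2.110' 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/102.0' \
        '172.16.2.96'  '' \
        '172.16.2.42'  'python-requests/2.28.1' \
        '172.16.2.42'  'Microsoft-CryptoAPI/10.0'
}

# Count (source IP, user agent) pairs, highest first. -F'\t' keeps the
# whole user agent in $2, and the $2 != "" test drops requests with no
# user agent, like the post's second query.
count_ua_by_host() {
    awk -F'\t' '$2 != "" { print $1 "\t" $2 }' | sort | uniq -c | sort -nr
}

# Baseline-style check: user agents seen from exactly one source host.
# A string only one machine sends (scripting libraries, odd tooling) is
# worth a closer look, not a verdict on its own.
rare_user_agents() {
    awk -F'\t' '$2 != "" { print $2 "\t" $1 }' | sort -u \
      | awk -F'\t' '{ n[$1]++ } END { for (ua in n) if (n[ua] == 1) print ua }' \
      | sort
}

sample_fields | count_ua_by_host
echo '--- user agents seen from only one host ---'
sample_fields | rare_user_agents
```

Swap sample_fields for the real tshark command to run the same pipeline over a capture.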

Carving out ICMP codes with a display filter

tshark -r sample.pcap -Y 'icmp' -T fields -e icmp.type -e icmp.code | sort | uniq -c | sort -n

As you can see, this query carved out data with the display filter 'icmp', extracting the ICMP type and code and sorting from low to high. You can reverse the order if you wish. This can be very useful and much more efficient than trying to accomplish the same thing in Wireshark.

You can also do the same thing with arp, smb, etc. Example commands below for each:

arp
tshark -r sample.pcap -Y 'arp'

smb
tshark -r sample.pcap -Y 'smb'

Expect More Updates To This Page

I will consider this a living document or page, so expect more content to come along as I work with tshark more to really get some more content on here.
