For The Love of Network Protocols and The Command Line

--

If there’s one thing that a cybersecurity student should learn, it’s network protocols: IP, TCP, HTTP, SMTP, Telnet, DNS, and so on. The ability to understand the key elements of a network connection must be at the core of their education. In practice, we want to be able to detect something entering or leaving our network, and possibly log or block it. We also need to search captured traffic for specific things, which usually means finding the needle in the haystack and then reconstructing a timeline of activity.

Many people turn to Wireshark for the detail of a connection, but captured files can be gigabytes in size, so there is often a better solution: tshark, the command-line version of Wireshark. With tshark we can load a PCAP file at any time and apply the same display filters that we would use within the GUI.

So, let’s say we would like to search HTTP traffic for the byte sequence 89:50:4E:47. This is not a MAC address (a MAC address is six bytes) but the first four bytes of the PNG file signature: 0x89 followed by the ASCII letters “PNG”. In a Wireshark display filter, a byte sequence is written without quotes; putting it in quotes would search for the literal text “89:50:4E:47” instead:

C:\>"c:\Program Files\Wireshark\tshark" -Y "http contains 89:50:4e:47" -r with_png.pcap

The same filter finds all the PNG files in a trace, since every PNG file begins with that signature:

C:\>"c:\Program Files\Wireshark\tshark.exe" -Y "http contains 89:50:4e:47" -r with_png.pcap

109 19.292671…
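To make the byte-versus-string distinction concrete, here is an added Python example; it is not code from the original post, and it is not Wireshark or tshark code. It builds a small PCAP image in memory (Ethernet/IPv4/TCP framing, one HTTP request and two HTTP responses, with constructed addresses and timestamps) and then applies the equivalent of a `contains` display filter over each frame’s TCP payload, reporting the frame number and relative time as tshark’s default output does. The file name `with_png.pcap` from the post is only referenced in a comment.

```python
#!/usr/bin/env python3
"""Constructed example: emulate `tshark -Y "tcp contains <bytes>"` over an
in-memory PCAP so the difference between a byte filter (89:50:4e:47) and a
quoted string filter ("89:50:4E:47") is visible. Not Wireshark/tshark code."""
import struct

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # full 8-byte PNG file signature


def build_packet(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Wrap payload in minimal Ethernet + IPv4 + TCP headers (constructed values,
    checksums left at zero; fine for a parser, not for a real wire)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)          # data offset 5 words, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # proto 6 = TCP
    return eth + ip + tcp + payload


def build_pcap(packets) -> bytes:
    """packets: iterable of (timestamp_seconds, packet_bytes). Returns a pcap
    file image (little-endian, microsecond resolution, linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [hdr]
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def iter_pcap(data: bytes):
    """Yield (frame_number, timestamp, packet_bytes) for each record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, frame = 24, 1
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield frame, sec + usec / 1_000_000, data[off:off + caplen]
        off += caplen
        frame += 1


def tcp_payload(pkt: bytes) -> bytes:
    """Strip Ethernet/IPv4/TCP headers; return b'' for anything that is not
    TCP over IPv4 or is too short to carry the headers it claims."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return b""
    ihl = (pkt[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(pkt) < tcp_off + 20:
        return b""
    data_off = (pkt[tcp_off + 12] >> 4) * 4
    return pkt[tcp_off + data_off:]


def frames_containing(pcap: bytes, needle: bytes):
    """Frames whose TCP payload contains `needle`, as (frame_number, timestamp):
    the same selection `tshark -r with_png.pcap -Y "tcp contains ..."` makes."""
    return [(n, ts) for n, ts, pkt in iter_pcap(pcap) if needle in tcp_payload(pkt)]


# Constructed traffic: a GET, a PNG response, and a text response that merely
# mentions the signature as ASCII text.
HTTP_GET = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            b"Content-Length: 8\r\n\r\n" + PNG_SIG)
HTTP_TXT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"signature is 89:50:4E:47\r\n")

SAMPLE_PCAP = build_pcap([
    (19.000000, build_packet(HTTP_GET, 50000, 80)),
    (19.292671, build_packet(HTTP_PNG, 80, 50000)),
    (19.500000, build_packet(HTTP_TXT, 80, 50000)),
])

if __name__ == "__main__":
    # Byte filter: matches the real PNG (frame 2) only.
    print("contains 89:50:4e:47   ->", frames_containing(SAMPLE_PCAP, bytes.fromhex("89504e47")))
    # Quoted string filter: matches the text that talks about it (frame 3) only.
    print('contains "89:50:4E:47" ->', frames_containing(SAMPLE_PCAP, b"89:50:4E:47"))
```

Against a real capture the equivalent tshark run is `tshark -r with_png.pcap -Y "http contains 89:50:4e:47"`; adding `-T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst` prints just the columns needed for a timeline, and `--export-objects http,<dir>` carves the matched files out of the HTTP bodies so they can be hashed and examined.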

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
