TShark: NOTES

TShark is an open-source command-line network traffic analyser created by the Wireshark developers, and it has most of the features of Wireshark. It is commonly used as a command-line version of Wireshark, but it can also be used like tcpdump, which makes it well suited to comprehensive packet assessments.

Command-Line Packet Analysis Hints

TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools: the produced/processed data can be piped to additional tools. The most common tools used in packet analysis are listed below.

capinfos: A program that provides details of a specified capture file. It is suggested to view the summary of the capture file before starting an investigation.
grep: Helps search plain-text data.
cut: Helps cut parts of lines from a specified data source.
uniq: Filters repeated lines/values.
nl: Numbers the lines it outputs.
sed: A stream editor.
awk: Scripting language that helps pattern search and processing.

Command-Line Interface and Parameters

TShark is a text-based (command-line) tool. Therefore, conducting an in-depth and consecutive analysis of the obtained results is easy. Multiple built-in options are ready to use to help analysts conduct such investigations. However, learning the parameters is essential; you will need the built-in options and associated parameters to keep control of the output and not be flooded with the detailed output of TShark. The most common parameters are explained in the given table below. Note that TShark requires superuser privileges to sniff live traffic and list all available interfaces.

-h: Display the help page with the most common features.
  • tshark -h
-v: Show version info.
  • tshark -v
-D: List available sniffing interfaces.
  • tshark -D
-i: Choose an interface to capture live traffic.
  • tshark -i 1
  • tshark -i ens55
No parameter: Sniff the traffic like tcpdump.
  • tshark

Command-Line Interface and Parameters II

Let's continue discovering the main parameters of TShark.

-r: Read/input function. Read a capture file.
  • tshark -r demo.pcapng
-c: Packet count. Stop after capturing a specified number of packets, e.g. stop after capturing/filtering/reading 10 packets.
  • tshark -c 10
-w: Write/output function. Write the sniffed traffic to a file.
  • tshark -w sample-capture.pcap
-V: Verbose. Provide detailed information for each packet. This option provides details similar to Wireshark's "Packet Details Pane".
  • tshark -V
-q: Silent mode. Suppress the packet output on the terminal.
  • tshark -q
-x: Display packet bytes. Show packet details as a hex and ASCII dump for each packet.
  • tshark -x

Capture Condition Parameters

As a network sniffer and packet analyser, TShark can be configured to count packets and stop at a specific point or run in a loop structure. The most common parameters are explained below.

-a (Autostop): Define capture conditions for a single run/loop. STOP after completing the condition.
  • Duration: Sniff the traffic and stop after X seconds. Create a new file and write output to it.
    ◦ tshark -w test.pcap -a duration:1
  • Filesize: Define the maximum capture file size. Stop after reaching X file size (KB).
    ◦ tshark -w test.pcap -a filesize:10
  • Files: Define the maximum number of output files. Stop after X files.
    ◦ tshark -w test.pcap -a filesize:10 -a files:3
-b (Ring buffer control): Define capture conditions for multiple runs/loops (INFINITE LOOP).
  • Duration: Sniff the traffic for X seconds, then create a new file and write output to it.
    ◦ tshark -w test.pcap -b duration:1
  • Filesize: Define the maximum capture file size. Create a new file and write output to it after reaching file size X (KB).
    ◦ tshark -w test.pcap -b filesize:10
  • Files: Define the maximum number of output files. Rewrite the first/oldest file after creating X files.
    ◦ tshark -w test.pcap -b filesize:10 -b files:3

Capture condition parameters only work in "capturing/sniffing" mode. You will receive an error message if you try to read a pcap file and apply the capture condition parameters. The idea is to save the capture files in specific sizes for different purposes during live capturing. If you need to extract specific sorts of packets from an existing capture file, you will need to use the read/write options discussed in the previous task.

Hint: TShark supports combining autostop (-a) parameters with ring buffer control parameters (-b). You can combine the parameters according to your needs. Use the infinite loop options carefully; remember, you must use at least one autostop parameter to stop the infinite loop.

Packet Filtering Parameters | Capture & Display Filters

Capture Filters: Live filtering options. The purpose is to save only a specific part of the traffic. They are set before capturing traffic and cannot be changed during live capture.

Display Filters: Post-capture filtering options. The purpose is to investigate packets by reducing the number of visible packets, and they can be changed during the investigation.

-f: Capture filters. Same as BPF syntax and Wireshark's capture filters.
-Y: Display filters. Same as Wireshark's display filters.

Capture Filters

Wireshark's capture filter syntax is used here. The basic syntax for the capture/BPF filter is shown below. You can read more on capture filter syntax in Wireshark's documentation. Boolean operators can also be used in both types of filters.

Type: Target match type. You can filter IP addresses, hostnames, IP ranges, and port numbers. Note that if you don't set a qualifier, the "host" qualifier is used by default.
  • host | net | port | portrange
  • Filtering a host
    ◦ tshark -f "host 10.10.10.10"
  • Filtering a network range
    ◦ tshark -f "net 10.10.10.0/24"
  • Filtering a port
    ◦ tshark -f "port 80"
  • Filtering a port range
    ◦ tshark -f "portrange 80-100"
Direction: Target direction/flow. Note that if you don't use the direction operator, it is equal to "either" and covers both directions.
  • src | dst
  • Filtering the source address
    ◦ tshark -f "src host 10.10.10.10"
  • Filtering the destination address
    ◦ tshark -f "dst host 10.10.10.10"
Protocol: Target protocol.
  • arp | ether | icmp | ip | ip6 | tcp | udp
  • Filtering TCP
    ◦ tshark -f "tcp"
  • Filtering a MAC address
    ◦ tshark -f "ether host F8:DB:C5:A2:5D:81"
  • You can also filter protocols with the IP protocol numbers assigned by IANA (see the Assigned Internet Protocol Numbers list).
  • Filtering IP protocol 1 (ICMP)
    ◦ tshark -f "ip proto 1"

Host Filtering: Capturing traffic to or from a specific host.
  • Traffic generation with cURL. This command sends a default HTTP query to the specified address.
    ◦ curl tryhackme.com
  • TShark capture filter for a host
    ◦ tshark -f "host tryhackme.com"
IP Filtering: Capturing traffic to or from a specific IP address. We will use the Netcat tool to create noise on specific ports.
  • Traffic generation with Netcat. Here Netcat is instructed to be verbose, and the timeout is set to 5 seconds.
    ◦ nc 10.10.10.10 4444 -vw 5
  • TShark capture filter for a specific IP address
    ◦ tshark -f "host 10.10.10.10"
Port Filtering: Capturing traffic to or from a specific port. We will use the Netcat tool to create noise on specific ports.
  • Traffic generation with Netcat. Here Netcat is instructed to be verbose, and the timeout is set to 5 seconds.
    ◦ nc 10.10.10.10 4444 -vw 5
  • TShark capture filter for port 4444
    ◦ tshark -f "port 4444"
Protocol Filtering: Capturing traffic of a specific protocol. We will use the Netcat tool to create noise on specific ports.
  • Traffic generation with Netcat. Here Netcat is instructed to use UDP and be verbose, and the timeout is set to 5 seconds.
    ◦ nc -u 10.10.10.10 4444 -vw 5
  • TShark capture filter for UDP
    ◦ tshark -f "udp"

Display Filters

Wireshark's display filter syntax is used here. You can use the official Display Filter Reference to find the protocol breakdown for filtering. Additionally, you can use Wireshark's built-in "Display Filter Expression" menu to break down protocols for filters. Note that Boolean operators can also be used in both types of filters. Common filtering options are shown in the table below.

Note: Using single quotes for capture filters is recommended to avoid space and bash expansion problems. Once again, you can check the Wireshark: Packet Operations room (Task 4 & 5) if you want to review the principles of packet filtering.

Protocol: IP
  • Filtering an IP without specifying a direction
    ◦ tshark -Y 'ip.addr == 10.10.10.10'
  • Filtering a network range
    ◦ tshark -Y 'ip.addr == 10.10.10.0/24'
  • Filtering a source IP
    ◦ tshark -Y 'ip.src == 10.10.10.10'
  • Filtering a destination IP
    ◦ tshark -Y 'ip.dst == 10.10.10.10'
Protocol: TCP
  • Filtering a TCP port
    ◦ tshark -Y 'tcp.port == 80'
  • Filtering a source TCP port
    ◦ tshark -Y 'tcp.srcport == 80'
Protocol: HTTP
  • Filtering HTTP packets
    ◦ tshark -Y 'http'
  • Filtering HTTP packets with response code "200"
    ◦ tshark -Y 'http.response.code == 200'
Protocol: DNS
  • Filtering DNS packets
    ◦ tshark -Y 'dns'
  • Filtering all DNS "A" packets
    ◦ tshark -Y 'dns.qry.type == 1'

Command-Line Wireshark Features I | Statistics

At the beginning of this module, we mentioned that TShark is considered a command line version of Wireshark. In addition to sharing the same display filters, TShark can accomplish several features of Wireshark explained below.

Three important points when using Wireshark-like features:

  • These options are applied to all packets in scope unless a display filter is provided.
  • Most of the commands shown below are CLI versions of the Wireshark features discussed in Wireshark: Packet Operations (Task 2).
  • TShark explains the parameters used at the beginning of the output line.
    • For example, you will use the -z io,phs option to view the protocol hierarchy. Once you use this command, the result will start with the "Protocol Hierarchy Statistics" header.
--color: Wireshark-like colourised output.
  • tshark --color
-z: Statistics. There are multiple options available under this parameter.
  • You can view the available filters under this parameter with: tshark -z help
  • Sample usage: tshark -z <filter>
  • Each time you filter the statistics, the packets are shown first, then the statistics are provided. You can suppress the packets and focus on the statistics by adding the -q parameter.

Statistics | Endpoints

The endpoint statistics view gives analysts an overview of the unique endpoints. It also shows the number of packets associated with each endpoint. If you are familiar with Wireshark, you should know that endpoints can be viewed in multiple formats. Similar to Wireshark, TShark supports multiple source filtering options for endpoint identification. Use the -z endpoints,ip -q parameters to view IP endpoints. Note that you can choose other available protocols as well.

Filters for the most common viewing options are explained below.

eth: Ethernet addresses
ip: IPv4 addresses
ipv6: IPv6 addresses
tcp: TCP addresses. Valid for both IPv4 and IPv6.
udp: UDP addresses. Valid for both IPv4 and IPv6.
wlan: IEEE 802.11 addresses

You can filter the packets and follow the streams by using the parameters given below.

  • TCP Streams: -z follow,tcp,ascii,0 -q
  • UDP Streams: -z follow,udp,ascii,0 -q
  • HTTP Streams: -z follow,http,ascii,0 -q

You can extract the files (objects) transferred over a protocol by using the parameters given below.

  • --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q

Credentials

This option helps analysts to detect and collect cleartext credentials from FTP, HTTP, IMAP, POP and SMTP. You can filter the packets and find the cleartext credentials using the parameters below.

  • -z credentials -q

Advanced Filtering Options | Contains, Matches and Extract Fields

Accomplishing in-depth packet analysis sometimes ends up with a special filtering requirement that cannot be covered with default filters. TShark supports Wireshark's "contains" and "matches" operators, which are the key to the advanced filtering options. You can visit the Wireshark: Packet Operations room (Task 6) if you are unfamiliar with these filters.

A quick recap from the Wireshark: Packet Operations room:

Contains: Search a value inside packets. Case sensitive. Similar to Wireshark's "find" option.
Matches: Search a pattern inside packets. Supports regex. Case insensitive. Complex queries have a margin of error.

Note: The "contains" and "matches" operators cannot be used with fields consisting of "integer" values.

Tip: Using HEX and regex values instead of ASCII always has a better chance of a match.

Extract Fields

This option helps analysts to extract specific parts of data from the packets. In this way, analysts have the opportunity to collect and correlate various fields from the packets. It also helps analysts manage the query output on the terminal. The query structure is explained in the table given below.

Main filter: -T fields
Target field: -e <field name>
Show field name: -E header=y

Note: You need to use the -e parameter for each field you want to display.

You can filter any field by using the field names as shown below.

  • -T fields -e ip.src -e ip.dst -E header=y
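
As an added example (not from the original notes), the POSIX shell script below shows the field-extraction options together with two -E options the notes do not cover, -E separator=, (CSV output) and -E occurrence=f (first value only when a field repeats inside a frame), and post-processes the output with awk to count how many distinct TCP destination ports each source address attempted to reach. A high fan-out from one source is a cheap indicator of port scanning worth checking against the endpoint statistics. The pcap path passed as the first argument and the function names are assumptions, and the CSV lines embedded in the script are constructed to stand in for real TShark output so it runs without a capture file.

```shell
#!/bin/sh
# Added example: extract fields from TCP SYN packets with TShark and count
# the distinct destination ports contacted by each source address.

# Run TShark over a pcap (path is an assumption) and print CSV rows.
# -Y restricts the run to SYN-only packets (connection attempts).
# -T fields -e ... selects the columns; -E header=y adds a header line;
# -E separator=, emits CSV instead of the default tab-separated output;
# -E occurrence=f keeps only the first value when a field occurs more than
# once in a frame (e.g. an ICMP error that quotes an inner IP header),
# so the column count stays stable for awk.
extract_syn_fields() {
  tshark -r "$1" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
    -T fields -e ip.src -e ip.dst -e tcp.dstport \
    -E header=y -E separator=, -E occurrence=f
}

# Constructed sample of what extract_syn_fields prints (header + rows).
# The last row has an empty tcp.dstport to mimic a non-TCP frame slipping through.
SAMPLE_CSV='ip.src,ip.dst,tcp.dstport
10.10.10.5,10.10.10.20,22
10.10.10.5,10.10.10.20,80
10.10.10.5,10.10.10.20,80
10.10.10.5,10.10.10.20,443
10.10.10.5,10.10.10.20,445
10.10.10.5,10.10.10.20,3389
10.10.10.7,10.10.10.20,80
10.10.10.7,10.10.10.20,80
10.10.10.7,10.10.10.20,443
10.10.10.9,10.10.10.20,'

# Read CSV on stdin, skip the header line, and print "<distinct ports> <src>"
# from the highest fan-out to the lowest. LC_ALL=C makes the sort order deterministic.
port_fanout() {
  awk -F, 'NR > 1 && $3 != "" {
      key = $1 SUBSEP $3
      if (!(key in seen)) { seen[key] = 1; ports[$1]++ }
    }
    END { for (src in ports) print ports[src], src }' \
  | LC_ALL=C sort -rn
}

# Stand-alone use: a real pcap when tshark is installed and a path is given,
# otherwise the constructed sample.
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
  extract_syn_fields "$1" | port_fanout
else
  printf '%s\n' "$SAMPLE_CSV" | port_fanout
fi
```

On the sample data the script prints "5 10.10.10.5" followed by "2 10.10.10.7"; the source with the empty port column is dropped rather than miscounted, which is the reason for the `$3 != ""` guard and for fixing the occurrence policy before trusting column positions.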

Filter: "contains"

Filter: contains
Type: Comparison operator
Description: Search a value inside packets. It is case-sensitive and provides similar functionality to the "Find" option by focusing on a specific field.
Example: Find all "Apache" servers.
Workflow: List all HTTP packets where the "server" field contains the "Apache" keyword.
Usage: http.server contains "Apache"

Filter: "matches"

Filter: matches
Type: Comparison operator
Description: Search for a pattern given as a regular expression. It is case-insensitive, and complex queries have a margin of error.
Example: Find all .php and .html pages.
Workflow: List all HTTP packets where the "request method" field matches the keywords "GET" or "POST".
Usage: http.request.method matches "(GET|POST)"

Use Cases

When investigating a case, a security analyst should know how to extract hostnames, DNS queries, and user agents to hunt low-hanging fruit after viewing the statistics and creating an investigation plan. The four most common use cases for every security analyst are demonstrated below. If you want to learn more about the mentioned protocols and the benefits of the extracted info, please refer to the Wireshark Traffic Analysis room.

Extract Hostnames

Extract hostnames

user@ubuntu$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname
92-rkd
92-rkd
T3400

T3400

60-alfb-sec2
60-alfb-sec2

aminott
...

The above example shows how to extract hostnames from DHCP packets with TShark. However, the output is hard to manage when multiple duplicate values exist. A skilled analyst should know how to use native Linux tools/utilities to manage and organise the command line output, as shown below.

Extract hostnames

user@ubuntu$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname | awk NF | sort -r | uniq -c | sort -r
     26 202-ac
     18 92-rkd
     14 93-sts-sec
...

Now the output is organised and ready to process/use. The logic of the query is explained below.

tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname: Main query. Extract the DHCP hostname value.
awk NF: Remove empty lines.
sort -r: Sort the values in reverse order before handling them.
uniq -c: Show unique values, and calculate and show the number of occurrences of each.
sort -r: The final sort. Show the output/results from the highest number of occurrences to the lowest.

Extract DNS Queries

Extract DNS queries

user@ubuntu$ tshark -r dns-queries.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
     96 connectivity-check.ubuntu.com.rhodes.edu
     94 connectivity-check.ubuntu.com
      8 3.57.20.10.in-addr.arpa
      4 e.9.d.b.c.9.d.7.1.b.0.f.a.2.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
      4 0.f.2.5.6.b.e.f.f.f.b.7.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
      2 _ipps._tcp.local,_ipp._tcp.local
      2 84.170.224.35.in-addr.arpa
      2 22.2.10.10.in-addr.arpa

Extract User Agents

Extract user agents

user@ubuntu$ tshark -r user-agents.pcap -T fields -e http.user_agent | awk NF | sort -r | uniq -c | sort -r
      6 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
      5 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
      5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
      4 sqlmap/1.4#stable (http://sqlmap.org)
      3 Wfuzz/2.7
      3 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
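
As an added example (not part of the original notes), the script below turns the hostname, DNS query and user-agent pipelines above into one reusable function and adds the defender-side step the notes stop short of: grepping the ranked user agents for the tooling signatures that appear in the output above (sqlmap, Wfuzz, Nmap Scripting Engine), so that scanner activity surfaces immediately from a capture. The function names and the embedded user-agent lines are constructed so the script runs without TShark or a pcap; the field name http.user_agent is the one used above. It uses sort -rn in place of the notes' plain sort -r so that counts are ordered numerically rather than lexically.

```shell
#!/bin/sh
# Added example: rank the values of one TShark field and flag user agents
# that belong to well-known offensive tooling.

# Print one value per packet for a single field (pcap path and field name
# are arguments). Packets without the field yield empty lines, which is why
# awk NF is needed downstream.
extract_field() {
  tshark -r "$1" -T fields -e "$2"
}

# Rank the values on stdin: drop empty lines, count duplicates, most frequent
# first. sort -rn orders numerically; LC_ALL=C fixes the tie ordering.
top_values() {
  awk NF | LC_ALL=C sort | uniq -c | LC_ALL=C sort -rn
}

# Case-insensitive match against the tool signatures seen in the notes' output.
# Extend the alternation with whatever your environment treats as noisy.
TOOL_UA_PATTERN='sqlmap|wfuzz|nmap scripting engine'
flag_tool_agents() {
  grep -Ei "$TOOL_UA_PATTERN"
}

# Constructed sample standing in for: extract_field user-agents.pcap http.user_agent
SAMPLE_USER_AGENTS='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0

sqlmap/1.4#stable (http://sqlmap.org)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Wfuzz/2.7

Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
sqlmap/1.4#stable (http://sqlmap.org)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0'

# Stand-alone use: a real pcap when tshark is installed and a path is given,
# otherwise the constructed sample.
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
  ua_lines=$(extract_field "$1" http.user_agent)
else
  ua_lines=$SAMPLE_USER_AGENTS
fi
echo "== user agents by frequency =="
printf '%s\n' "$ua_lines" | top_values
echo "== tooling user agents =="
printf '%s\n' "$ua_lines" | top_values | flag_tool_agents
```

The same top_values function serves the DHCP hostname and DNS query cases: swap the field name passed to extract_field (dhcp.option.hostname or dns.qry.name) and the rest of the pipeline is unchanged. Matching on the user-agent string is a starting point only, since scanners can present any string they like; treat a hit as something to confirm with the endpoint and conversation statistics rather than as proof on its own.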

 

 
