Tshark

Tshark is a tool available on Windows and Linux. It has no GUI, only a command line interface. Wireshark is a packet capturing tool with a GUI; tshark is the command line version of Wireshark. It captures the bytes on a computer network and displays the capture on screen or saves it to a file. By default tshark is available on Linux operating systems. On Windows it is installed along with Wireshark.

The installation location on Windows is C:\Program Files\Wireshark and on Linux it is /usr/sbin/tshark. The directory where tshark is installed on Linux is in the PATH, so its location can be checked with the following command.

# which tshark
/usr/sbin/tshark

Following are some tshark examples.

Capturing is done on specific interfaces or on all interfaces. To list the interfaces available for capturing:

#tshark -D
1. virbr0
2. nflog (Linux netfilter log (NFLOG) interface)
3. nfqueue (Linux netfilter queue (NFQUEUE) interface)
4. usbmon1 (USB bus number 1)
5. eth12
6. eth13
7. any (Pseudo-device that captures on all interfaces)
8. lo

Now we have the list of network interfaces on which to capture the network bytes. A capture is taken to analyse a network message flow, mostly when protocol behaviour needs to be verified. The next step is to analyse the captured file. The more accurate the capture, the easier and faster the analysis will be, so the first step is to select the interfaces where the relevant packets are available.

For capturing on an interface, you can give either the numeric value or the name. Here we are using the name.

#tshark -i eth12

For capturing on multiple interfaces.

#tshark -i eth12 -i eth13

For capturing on all interfaces.

#tshark -i any

Reading a pcap capture:

A .pcap file is the output file when capturing with the tshark command. Wireshark is the GUI based tool: it reads the .pcap file and shows the full packet in text and value form, and it can apply multiple filters. The command line tool provides the same functionality for analysing a captured file from the command line. Suppose there is a captured file example.pcap.

To read a file, use the -r option of tshark. This displays all packets.

#tshark -r example.pcap

 1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
5 1.001294556 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
9 2.002598633 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e

Reading packets with a specific host IP address:

# tshark -r example.pcap ip.host=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0

List of packets with a specific source IP address:

# tshark -r example.pcap ip.src=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
7 1.464842127 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=129 Win=16325 Len=0
11 2.297914597 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=193 Win=16309 Len=0
14 2.819578550 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=257 Win=16293 Len=0
17 3.460140798 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=321 Win=16277 Len=0
29 3.995859046 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=385 Win=16261 Len=0
41 4.602727936 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=449 Win=16245 Len=0

List of packets with a specific destination IP address:

# tshark -r example.pcap ip.dst=="192.168.1.4"
Running as user "root" and group "root". This could be dangerous.
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
6 1.253629845 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
8 1.966601407 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
13 2.522839755 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
16 3.255651199 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
19 3.777443706 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
39 4.349803703 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
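As an added example (not code from the original post), the following Python script parses the one-line summaries that tshark prints above and applies the same host, source and destination selections as the ip.host, ip.src and ip.dst display filters, then tallies which peers and protocols a host talked to. The run_tshark helper and its use of the -Y display filter option are assumptions about invoking tshark; SAMPLE is constructed from the example.pcap output shown above.

```python
import re
import subprocess
from collections import Counter

# tshark's default one-line summary, as printed above:
# "<frame> <time> <src> -> <dst> <proto> <length> <info>"
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)\s*(?P<info>.*)$")

def parse_summary(text):
    """Parse summary lines; skips non-matching lines such as the root warning."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            p = m.groupdict()
            p["frame"], p["length"] = int(p["frame"]), int(p["length"])
            p["time"] = float(p["time"])
            packets.append(p)
    return packets

def filter_packets(packets, host=None, src=None, dst=None):
    """ip.host matches either endpoint; ip.src / ip.dst match exactly one."""
    return [p for p in packets
            if (host is None or host in (p["src"], p["dst"]))
            and (src is None or p["src"] == src)
            and (dst is None or p["dst"] == dst)]

def peer_summary(packets, host):
    """Packets per (peer, protocol) for one host: which conversations exist."""
    counts = Counter()
    for p in filter_packets(packets, host=host):
        peer = p["dst"] if p["src"] == host else p["src"]
        counts[(peer, p["proto"])] += 1
    return counts

def run_tshark(pcap, display_filter):
    """Assumed invocation: read a saved capture with a -Y display filter and parse it."""
    res = subprocess.run(["tshark", "-r", pcap, "-Y", display_filter],
                         capture_output=True, text=True, check=True)
    return parse_summary(res.stdout)

# Constructed sample: lines copied from the example.pcap output above.
SAMPLE = """Running as user "root" and group "root". This could be dangerous.
 1 0.000000000 18:d6:c7:eb:5a:57 -> Broadcast ARP 60 Who has 192.168.1.8? Tell 192.168.1.1
2 0.157957107 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=1 Win=16357 Len=0
3 0.660430483 192.168.1.160 -> 192.168.1.4 SSH 118 Encrypted response packet len=64
4 0.872624803 192.168.1.4 -> 192.168.1.160 TCP 60 60914 > ssh [ACK] Seq=1 Ack=65 Win=16341 Len=0
10 2.277095183 fe80::19b0:571:6e26:445c -> ff02::1:2 DHCPv6 150 Solicit XID: 0xdb1fa2 CID: 000100011f73ed8f88ae1dac510e
"""
```

Pipe the output of any of the tshark -r commands above into parse_summary, or call run_tshark on the pcap, and peer_summary gives a per-peer count before narrowing the display filter further.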

 
