TSHARK: CLI WIRESHARK FEATURES

CLI WIRESHARK FEATURES I | STATISTICS I

Use the "Desktop/exercise-files/write-demo.pcap" file. What is the byte value of the TCP protocol?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ tshark -r write-demo.pcap -z io,phs -q

 ===================================================================
 Protocol Hierarchy Statistics
 Filter: 

 eth                                      frames:1 bytes:62
   ip                                     frames:1 bytes:62
     tcp                                  frames:1 bytes:62
===================================================================
Use the "Desktop/exercise-files/write-demo.pcap" file. In which packet lengths row is our packet listed?
root@thm:~$ tshark -r write-demo.pcap -z plen,tree -q

 ==================================================================================================================================
 Packet Lengths:
 Topic / Item       Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ----------------------------------------------------------------------------------------------------------------------------------
 Packet Lengths     1             62.00         62            62                          100%          0.0100        0.000        
  0-19              0             -             -             -                           0.00%         -             -            
  20-39             0             -             -             -                           0.00%         -             -            
  40-79             1             62.00         62            62                          100.00%       0.0100        0.000        
  80-159            0             -             -             -                           0.00%         -             -            
  160-319           0             -             -             -                           0.00%         -             -            
  320-639           0             -             -             -                           0.00%         -             -            
  640-1279          0             -             -             -                           0.00%         -             -            
  1280-2559         0             -             -             -                           0.00%         -             -            
  2560-5119         0             -             -             -                           0.00%         -             -            
  5120 and greater  0             -             -             -                           0.00%         -             -            

 ----------------------------------------------------------------------------------------------------------------------------------
Use the "Desktop/exercise-files/write-demo.pcap" file. What is the summary of the expert info?
root@thm:~$ tshark -r write-demo.pcap -z expert -q

 Chats (1)
 =============
    Frequency      Group           Protocol  Summary
            1   Sequence                TCP  Connection establish request (SYN): server port 80
Use the "Desktop/exercise-files/demo.pcapng" file. List the communications. What is the IP address that exists in all IPv4 conversations? Enter your answer in defanged format.
root@thm:~$ tshark -r demo.pcapng -z conv,ip -q
 ================================================================================
 IPv4 Conversations
 Filter:<No Filter>
                                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
 65.208.228.223       <-> 145.254.160.237           16      1351      18     19344      34     20695     0.000000000        30.3937
 145.254.160.237      <-> 216.239.59.99              4      3236       3       883       7      4119     2.984291000         1.7926
 145.253.2.203        <-> 145.254.160.237            1        89       1       188       2       277     2.553672000         0.3605
 ================================================================================
 
 root@thm:~$ cyberchef.io
  input: 145.254.160.237
  recipe: Defang IP Addresses
  output: 145[.]254[.]160[.]237

CLI WIRESHARK FEATURES II | STATISTICS II

Use the "Desktop/exercise-files/demo.pcapng" file. Which IP address has 7 appearances? Enter your answer in defanged format.
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_hosts,tree -q

 =================================================================================================================================
 IPv4 Statistics/All Addresses:
 Topic / Item      Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ---------------------------------------------------------------------------------------------------------------------------------
 All Addresses     43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237  43                                                      0.0014        100.00%       0.0400        2.554        
  65.208.228.223   34                                                      0.0011        79.07%        0.0300        0.911        
  216.239.59.99    7                                                       0.0002        16.28%        0.0300        3.916        
  145.253.2.203    2                                                       0.0001        4.65%         0.0100        2.554        

 ---------------------------------------------------------------------------------------------------------------------------------
 
root@dco:~$ cyberchef.io
 input: 216.239.59.99
 recipe: Defang IP Addresses
 output: 216[.]239[.]59[.]99
Use the "Desktop/exercise-files/demo.pcapng" file. What is the "destination address percentage" of the previous IP address?
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_srcdst,tree -q

 ================================================================================================================================================
 IPv4 Statistics/Source and Destination Addresses:
 Topic / Item                     Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ------------------------------------------------------------------------------------------------------------------------------------------------
 Source IPv4 Addresses            43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 20                                                      0.0007        46.51%        0.0200        0.911        
  65.208.228.223                  18                                                      0.0006        41.86%        0.0200        2.554        
  216.239.59.99                   4                                                       0.0001        9.30%         0.0200        3.916        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.914        
 Destination IPv4 Addresses       43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 23                                                      0.0008        53.49%        0.0200        2.554        
  65.208.228.223                  16                                                      0.0005        37.21%        0.0200        0.911        
  216.239.59.99                   3                                                       0.0001        6.98%         0.0100        2.984        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.554        

 ------------------------------------------------------------------------------------------------------------------------------------------------
Use the "Desktop/exercise-files/demo.pcapng" file. Which IP address constitutes "2.33% of the destination addresses"? Enter your answer in defanged format.
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_srcdst,tree -q

 ================================================================================================================================================
 IPv4 Statistics/Source and Destination Addresses:
 Topic / Item                     Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ------------------------------------------------------------------------------------------------------------------------------------------------
 Source IPv4 Addresses            43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 20                                                      0.0007        46.51%        0.0200        0.911        
  65.208.228.223                  18                                                      0.0006        41.86%        0.0200        2.554        
  216.239.59.99                   4                                                       0.0001        9.30%         0.0200        3.916        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.914        
 Destination IPv4 Addresses       43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 23                                                      0.0008        53.49%        0.0200        2.554        
  65.208.228.223                  16                                                      0.0005        37.21%        0.0200        0.911        
  216.239.59.99                   3                                                       0.0001        6.98%         0.0100        2.984        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.554        

 ------------------------------------------------------------------------------------------------------------------------------------------------
 
root@dco:~$ cyberchef.io
 input: 145.253.2.203
 recipe: Defang IP Addresses
 output: 145[.]253[.]2[.]203
Use the "Desktop/exercise-files/demo.pcapng" file. What is the average "Qname Len" value?
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z dns,tree -q
 ==============================================================================================================================================
 DNS:
 Topic / Item                   Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ----------------------------------------------------------------------------------------------------------------------------------------------
 Total Packets                  2                                                       0.0055        100%          0.0100        2.554        
  rcode                         2                                                       0.0055        100.00%       0.0100        2.554        
   No error                     2                                                       0.0055        100.00%       0.0100        2.554        
  opcodes                       2                                                       0.0055        100.00%       0.0100        2.554        
   Standard query               2                                                       0.0055        100.00%       0.0100        2.554        
  Query/Response                2                                                       0.0055        100.00%       0.0100        2.554        
   Response                     1                                                       0.0028        50.00%        0.0100        2.914        
   Query                        1                                                       0.0028        50.00%        0.0100        2.554        
  Query Type                    2                                                       0.0055        100.00%       0.0100        2.554        
   A (Host Address)             2                                                       0.0055        100.00%       0.0100        2.554        
  Class                         2                                                       0.0055        100.00%       0.0100        2.554        
   IN                           2                                                       0.0055        100.00%       0.0100        2.554        
 Payload size                   2             96.50         47            146           0.0055        100%          0.0100        2.554        
 Query Stats                    0                                                       0.0000        100%          -             -            
  Qname Len                     1             29.00         29            29            0.0028                      0.0100        2.554        
  Label Stats                   0                                                       0.0000                      -             -            
   3rd Level                    1                                                       0.0028                      0.0100        2.554        
   4th Level or more            0                                                       0.0000                      -             -            
   2nd Level                    0                                                       0.0000                      -             -            
   1st Level                    0                                                       0.0000                      -             -            
 Response Stats                 0                                                       0.0000        100%          -             -            
  no. of questions              2             1.00          1             1             0.0055                      0.0200        2.914        
  no. of authorities            2             0.00          0             0             0.0055                      0.0200        2.914        
  no. of answers                2             4.00          4             4             0.0055                      0.0200        2.914        
  no. of additionals            2             0.00          0             0             0.0055                      0.0200        2.914        
 Service Stats                  0                                                       0.0000        100%          -             -            
  request-response time (secs)  1             0.36          0.360518      0.360518      0.0028                      0.0100        2.914        
  no. of unsolicited responses  0                                                       0.0000                      -             -            
  no. of retransmissions        0                                                       0.0000                      -             -            

----------------------------------------------------------------------------------------------------------------------------------------------

CLI WIRESHARK FEATURES III | STREAMS, OBJECTS & CREDENTIALS

Use the "Desktop/exercises-files/demo.pcapng" file. Follow the "UDP stream 0". What is the "Node 0" value? Enter your answer in defanged format.
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z follow,udp,ascii,0 -q
 ===================================================================
 Follow: udp,ascii
 Filter: udp.stream eq 0
 Node 0: 145.254.160.237:3009
 Node 1: 145.253.2.203:53
 47
 .#...........pagead2.googlesyndication.com.....
 	146
 .#...........pagead2.googlesyndication.com..................pagead2.google.&.;.......z...pagead.google.akadns.net..X.......{....;h.X.......{....;c
===================================================================

root@dco:~$ cyberchef.io
 input: 145.254.160.237:3009
 recipe: Defang IP Addresses
 output: 145[.]254[.]160[.]237:3009
Use the "Desktop/exercises-files/demo.pcapng" file. Follow the "HTTP stream 1". What is the "Referer" value? Enter your answer in defanged format.
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z follow,http,ascii,1 -q
 ===================================================================
 Follow: http,ascii
 Filter: tcp.stream eq 1
 Node 0: 145.254.160.237:3371
 Node 1: 216.239.59.99:80
 721
 GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1
 Host: pagead2.googlesyndication.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Connection: keep-alive
 Referer: http://www.ethereal.com/download.html
 ...
 
root@dco:~$ cyberchef.io
 input: http://www.ethereal.com/download.html
 recipe: Defang URL
 output: hxxp[://]www[.]ethereal[.]com/download[.]html
Use the "Desktop/exercises-files/credentials.pcapng" file. What is the total number of detected credentials?
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r credentials.pcap -z credentials -q
 ===================================================================
 Packet     Protocol         Username         Info            
 ------     --------         --------         --------
 72         FTP              admin            Username in packet: 37
 80         FTP              admin            Username in packet: 47
 83         FTP              admin            Username in packet: 54
 118        FTP              admin            Username in packet: 93
 123        FTP              admin            Username in packet: 97
 129        FTP              admin            Username in packet: 101
 136        FTP              admin            Username in packet: 106
 150        FTP              admin            Username in packet: 115
 156        FTP              admin            Username in packet: 120
 167        FTP              administrator    Username in packet: 13
 ...
 
root@dco:~$ tshark -r credentials.pcap -z credentials -q | wc -l
 79 lines - 4 non-pertinent lines (banner, column header, separator, trailing blank) = 75 credentials

ADVANCED FILTERING OPTIONS | CONTAINS, MATCHES AND FIELDS

Use the "Desktop/exercises-files/demo.pcapng" file. What is the HTTP packet number that contains the keyword "CAFE"?
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -Y 'http contains "CAFE"'
 27   3.955688 216.239.59.99 → 145.254.160.237 HTTP 214 HTTP/1.1 200 OK  (text/html)
Use the "Desktop/exercises-files/demo.pcapng" file. Filter the packets with "GET" and "POST" requests and extract the packet frame time. What is the first time value found?
root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -Y 'http.request.method matches "(GET|POST)"' -T fields -e frame.time -E header=y
 frame.time
 May 13, 2004 10:17:08.222534000 UTC
 May 13, 2004 10:17:10.295515000 UTC

USE CASES | EXTRACT INFORMATION

Use the "Desktop/exercises-files/hostnames.pcapng" file. What is the total number of unique hostnames?
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dhcp
  https://www.wireshark.org/docs/dfref/d/dhcp.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dhcp.html > CTRL+F
 search: hostname
  dhcp.option.hostname	Host Name	Character string	3.0.0 to 4.4.5
  
root@dco:~$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname | awk NF | sort -r | uniq -c | wc -l
 30
 
 * "awk NF" prints only lines with at least one field, so it drops the empty lines tshark emits for packets that carry no dhcp.option.hostname.
Use the "Desktop/exercises-files/hostnames.pcapng" file. What is the total appearance count of the "prus-pc" hostname?
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dhcp
  https://www.wireshark.org/docs/dfref/d/dhcp.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dhcp.html > CTRL+F
 search: hostname
  dhcp.option.hostname	Host Name	Character string	3.0.0 to 4.4.5
  
root@dco:~$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname | awk NF | sort -r | uniq -c
 6 temp_open
 12 prus-pc
 ...
 
 * the "awk NF" in the pipeline will remove empty lines.
Use the "Desktop/exercises-files/dns-queries.pcap" file. What is the total number of queries of the most common DNS query?
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.name	Name	Character string	1.0.0 to 4.4.5

root@dco:~$ tshark -r dns-queries.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
 472 db.rhodes.edu
   6 connectivity-check.ubuntu.com.rhodes.edu
  94 connectivity-check.ubuntu.com
   8 3.57.20.10.in-addr.arpa
   4 e.9.d.b.c.9.d.7.1.b.0.f.a.2.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 6.7.f.8.5.4.e.f.f.f.0.d.4.d.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 3.4.b.1.3.c.e.f.f.f.4.0.e.e.8.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 1.1.a.2.6.2.e.f.f.f.1.9.9.f.8.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 1.0.18.172.in-addr.arpa
   4 1.0.17.172.in-addr.arpa
   4 0.f.2.5.6.b.e.f.f.f.b.7.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   2 _ipps._tcp.local,_ipp._tcp.local
   2 84.170.224.35.in-addr.arpa
   2 22.2.10.10.in-addr.arpa
   2 21.2.10.10.in-addr.arpa

 * the "awk NF" in the pipeline will remove empty lines. Note that a plain "sort -r" orders the counts as text (472, 6, 94, ...); use "sort -rn" to order them numerically.
Use the "Desktop/exercises-files/user-agents.pcap" file. What is the total number of the detected "Wfuzz user agents"?
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: agent
  http.user_agent	User-Agent	Character string	1.0.0 to 4.4.5

root@dco:~$ tshark -r user-agents.pcap -T fields -e http.user_agent | awk NF | sort -r | uniq -c | sort -r
 1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
 2 Microsoft-WNS/10.0
 3 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
 3 Wfuzz/2.7
 4 sqlmap/1.4#stable (http://sqlmap.org)
 5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
 5 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
 6 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
 9 Wfuzz/2.4
   
 * the "awk NF" in the pipeline will remove empty lines.
Use the "Desktop/exercises-files/user-agents.pcap" file. What is the "HTTP hostname" of the nmap scans? Enter your answer in defanged format.
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: agent
  http.user_agent	User-Agent	Character string	1.0.0 to 4.4.5
 search: host
  http.host	Host	Character string	1.0.0 to 4.4.5
 
root@dco:~$ tshark -r user-agents.pcap -T fields -e http.user_agent -e 'http.host' | awk NF | sort -r | uniq -c | sort
 1 Microsoft-WNS/10.0	cdn.content.prod.cms.msn.com
 1 Microsoft-WNS/10.0	tile-service.weather.microsoft.com
 1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36	connectivitycheck.gstatic.com
 1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	172.16.172.129
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	i7.photobucket.com
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	images.craigslist.org
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	vancouver.en.craigslist.ca
 2 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0	testphp.vulnweb.com
 2 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	172.16.172.129:8180
 3 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0	10.10.47.123:9696
 3 Wfuzz/2.7	172.16.172.129
 4 sqlmap/1.4#stable (http://sqlmap.org)	172.16.172.129
 5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36	connectivitycheck.gstatic.com
 9 Wfuzz/2.4	172.16.172.129

 * the "awk NF" in the pipeline will remove empty lines.
 
root@dco:~$ cyberchef.io
 input: 172.16.172.129
 recipe: Defang IP Addresses
 output: 172[.]16[.]172[.]129
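The field-extraction pipelines above (awk NF | sort | uniq -c) and the CyberChef defang steps, reproduced in Python as an added example that is not part of the original write-up: it parses a constructed sample of "tshark -T fields -e http.user_agent -e http.host" output, counts the rows numerically, summarises the scanner user agents per host, and defangs the results. The sample lines and the SCANNER_MARKERS list are constructed here, not taken from the capture.

```python
"""Added example (not from the write-up): post-process `tshark -T fields`
output the way the awk NF | sort | uniq -c pipelines above do, flag the
scanner user agents, and defang the hosts as the CyberChef steps do."""
from collections import Counter
import re

# Constructed sample of what `tshark -r user-agents.pcap -T fields
# -e http.user_agent -e http.host` prints: one tab-separated line per packet,
# empty when the packet carries neither field. Not real capture output.
SAMPLE_FIELDS_OUTPUT = """\
Wfuzz/2.4\t172.16.172.129

Wfuzz/2.4\t172.16.172.129
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\t172.16.172.129:8180
sqlmap/1.4#stable (http://sqlmap.org)\t172.16.172.129

Wfuzz/2.7\t172.16.172.129
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36\tconnectivitycheck.gstatic.com
\t
"""

# Substrings identifying the scanning tools that show up in user-agents.pcap
# (constructed list for this example).
SCANNER_MARKERS = ("Wfuzz", "sqlmap", "Nmap Scripting Engine")


def parse_fields(text, ncols=2):
    """Same filtering as `awk NF`: skip lines with no fields, then split on tabs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (ncols - len(cols))  # keep a fixed width if a field is missing
        rows.append(tuple(cols[:ncols]))
    return rows


def count_rows(rows):
    """Equivalent of `uniq -c | sort -rn`: (row, count) pairs, most frequent first."""
    return sorted(Counter(rows).items(), key=lambda kv: (-kv[1], kv[0]))


def scanner_hits(rows):
    """Defender view: requests per scanning tool and the hosts it targeted."""
    per_tool = {}
    for user_agent, host in rows:
        for marker in SCANNER_MARKERS:
            if marker in user_agent:
                entry = per_tool.setdefault(marker, {"requests": 0, "hosts": set()})
                entry["requests"] += 1
                entry["hosts"].add(host)
    return per_tool


def defang_ip(value):
    """CyberChef 'Defang IP Addresses': 1.2.3.4:80 -> 1[.]2[.]3[.]4:80."""
    return value.replace(".", "[.]")


def defang_url(url):
    """CyberChef 'Defang URL': http://a.b/c.html -> hxxp[://]a[.]b/c[.]html."""
    url = re.sub(r"^(https?)://", lambda m: m.group(1).replace("http", "hxxp") + "[://]", url)
    return url.replace(".", "[.]")


def report(text):
    """Counted rows followed by a defanged per-tool summary, as printable lines."""
    rows = parse_fields(text)
    lines = [f"{count:>4} {ua}\t{host}" for (ua, host), count in count_rows(rows)]
    for tool, info in sorted(scanner_hits(rows).items()):
        hosts = ", ".join(defang_ip(h) for h in sorted(info["hosts"]))
        lines.append(f"{tool}: {info['requests']} request(s) to {hosts}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FIELDS_OUTPUT)))
```

To run it on a real capture, feed the output of the tshark command from the comment into report() instead of the constructed sample.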
