TSHARK: CLI WIRESHARK FEATURES

CLI WIRESHARK FEATURES I | STATISTICS I

Use the "Desktop/exercise-files/write-demo.pcap" file. What is the byte value of the TCP protocol?

root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ tshark -r write-demo.pcap -z io,phs -q

 ===================================================================
 Protocol Hierarchy Statistics
 Filter: 

 eth                                      frames:1 bytes:62
   ip                                     frames:1 bytes:62
     tcp                                  frames:1 bytes:62
===================================================================

Use the "Desktop/exercise-files/write-demo.pcap" file. In which packet lengths row is our packet listed?

root@thm:~$ tshark -r write-demo.pcap -z plen,tree -q

 ==================================================================================================================================
 Packet Lengths:
 Topic / Item       Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ----------------------------------------------------------------------------------------------------------------------------------
 Packet Lengths     1             62.00         62            62                          100%          0.0100        0.000        
  0-19              0             -             -             -                           0.00%         -             -            
  20-39             0             -             -             -                           0.00%         -             -            
  40-79             1             62.00         62            62                          100.00%       0.0100        0.000        
  80-159            0             -             -             -                           0.00%         -             -            
  160-319           0             -             -             -                           0.00%         -             -            
  320-639           0             -             -             -                           0.00%         -             -            
  640-1279          0             -             -             -                           0.00%         -             -            
  1280-2559         0             -             -             -                           0.00%         -             -            
  2560-5119         0             -             -             -                           0.00%         -             -            
  5120 and greater  0             -             -             -                           0.00%         -             -            

 ----------------------------------------------------------------------------------------------------------------------------------

Use the "Desktop/exercise-files/write-demo.pcap" file. What is the summary of the expert info?

root@thm:~$ tshark -r write-demo.pcap -z expert -q

 Chats (1)
 =============
    Frequency      Group           Protocol  Summary
            1   Sequence                TCP  Connection establish request (SYN): server port 80

Use the "Desktop/exercise-files/demo.pcapng" file. List the communications. What is the IP address that exists in all IPv4 conversations? Enter your answer in defanged format.

root@thm:~$ tshark -r demo.pcapng -z conv,ip -q
 ================================================================================
 IPv4 Conversations
 Filter:<No Filter>
                                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
 65.208.228.223       <-> 145.254.160.237           16      1351      18     19344      34     20695     0.000000000        30.3937
 145.254.160.237      <-> 216.239.59.99              4      3236       3       883       7      4119     2.984291000         1.7926
 145.253.2.203        <-> 145.254.160.237            1        89       1       188       2       277     2.553672000         0.3605
 ================================================================================
 
 root@thm:~$ cyberchef.io
  input: 145.254.160.237
  recipe: Defang IP Addresses
  output: 145[.]254[.]160[.]237

CLI WIRESHARK FEATURES II | STATISTICS II

Use the "Desktop/exercise-files/demo.pcapng" file. Which IP address has 7 appearances? Enter your answer in defanged format.

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_hosts,tree -q

 =================================================================================================================================
 IPv4 Statistics/All Addresses:
 Topic / Item      Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ---------------------------------------------------------------------------------------------------------------------------------
 All Addresses     43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237  43                                                      0.0014        100.00%       0.0400        2.554        
  65.208.228.223   34                                                      0.0011        79.07%        0.0300        0.911        
  216.239.59.99    7                                                       0.0002        16.28%        0.0300        3.916        
  145.253.2.203    2                                                       0.0001        4.65%         0.0100        2.554        

 ---------------------------------------------------------------------------------------------------------------------------------
 
root@dco:~$ cyberchef.io
 input: 216.239.59.99
 recipe: Defang IP Addresses
 output: 216[.]239[.]59[.]99

Use the "Desktop/exercise-files/demo.pcapng" file. What is the "destination address percentage" of the previous IP address?

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_srcdst,tree -q

 ================================================================================================================================================
 IPv4 Statistics/Source and Destination Addresses:
 Topic / Item                     Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ------------------------------------------------------------------------------------------------------------------------------------------------
 Source IPv4 Addresses            43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 20                                                      0.0007        46.51%        0.0200        0.911        
  65.208.228.223                  18                                                      0.0006        41.86%        0.0200        2.554        
  216.239.59.99                   4                                                       0.0001        9.30%         0.0200        3.916        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.914        
 Destination IPv4 Addresses       43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 23                                                      0.0008        53.49%        0.0200        2.554        
  65.208.228.223                  16                                                      0.0005        37.21%        0.0200        0.911        
  216.239.59.99                   3                                                       0.0001        6.98%         0.0100        2.984        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.554        

 ------------------------------------------------------------------------------------------------------------------------------------------------

Use the "Desktop/exercise-files/demo.pcapng" file. Which IP address constitutes "2.33% of the destination addresses"? Enter your answer in defanged format.

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z ip_srcdst,tree -q

 ================================================================================================================================================
 IPv4 Statistics/Source and Destination Addresses:
 Topic / Item                     Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ------------------------------------------------------------------------------------------------------------------------------------------------
 Source IPv4 Addresses            43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 20                                                      0.0007        46.51%        0.0200        0.911        
  65.208.228.223                  18                                                      0.0006        41.86%        0.0200        2.554        
  216.239.59.99                   4                                                       0.0001        9.30%         0.0200        3.916        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.914        
 Destination IPv4 Addresses       43                                                      0.0014        100%          0.0400        2.554        
  145.254.160.237                 23                                                      0.0008        53.49%        0.0200        2.554        
  65.208.228.223                  16                                                      0.0005        37.21%        0.0200        0.911        
  216.239.59.99                   3                                                       0.0001        6.98%         0.0100        2.984        
  145.253.2.203                   1                                                       0.0000        2.33%         0.0100        2.554        

 ------------------------------------------------------------------------------------------------------------------------------------------------
 
root@dco:~$ cyberchef.io
 input: 145.253.2.203
 recipe: Defang IP Addresses
 output: 145[.]253[.]2[.]203

Use the "Desktop/exercise-files/demo.pcapng" file. What is the average "Qname Len" value?

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z dns,tree -q
 ==============================================================================================================================================
 DNS:
 Topic / Item                   Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
 ----------------------------------------------------------------------------------------------------------------------------------------------
 Total Packets                  2                                                       0.0055        100%          0.0100        2.554        
  rcode                         2                                                       0.0055        100.00%       0.0100        2.554        
   No error                     2                                                       0.0055        100.00%       0.0100        2.554        
  opcodes                       2                                                       0.0055        100.00%       0.0100        2.554        
   Standard query               2                                                       0.0055        100.00%       0.0100        2.554        
  Query/Response                2                                                       0.0055        100.00%       0.0100        2.554        
   Response                     1                                                       0.0028        50.00%        0.0100        2.914        
   Query                        1                                                       0.0028        50.00%        0.0100        2.554        
  Query Type                    2                                                       0.0055        100.00%       0.0100        2.554        
   A (Host Address)             2                                                       0.0055        100.00%       0.0100        2.554        
  Class                         2                                                       0.0055        100.00%       0.0100        2.554        
   IN                           2                                                       0.0055        100.00%       0.0100        2.554        
 Payload size                   2             96.50         47            146           0.0055        100%          0.0100        2.554        
 Query Stats                    0                                                       0.0000        100%          -             -            
  Qname Len                     1             29.00         29            29            0.0028                      0.0100        2.554        
  Label Stats                   0                                                       0.0000                      -             -            
   3rd Level                    1                                                       0.0028                      0.0100        2.554        
   4th Level or more            0                                                       0.0000                      -             -            
   2nd Level                    0                                                       0.0000                      -             -            
   1st Level                    0                                                       0.0000                      -             -            
 Response Stats                 0                                                       0.0000        100%          -             -            
  no. of questions              2             1.00          1             1             0.0055                      0.0200        2.914        
  no. of authorities            2             0.00          0             0             0.0055                      0.0200        2.914        
  no. of answers                2             4.00          4             4             0.0055                      0.0200        2.914        
  no. of additionals            2             0.00          0             0             0.0055                      0.0200        2.914        
 Service Stats                  0                                                       0.0000        100%          -             -            
  request-response time (secs)  1             0.36          0.360518      0.360518      0.0028                      0.0100        2.914        
  no. of unsolicited responses  0                                                       0.0000                      -             -            
  no. of retransmissions        0                                                       0.0000                      -             -            

----------------------------------------------------------------------------------------------------------------------------------------------

CLI WIRESHARK FEATURES III | STREAMS, OBJECTS & CREDENTIALS

Use the "Desktop/exercises-files/demo.pcapng" file. Follow the "UDP stream 0". What is the "Node 0" value? Enter your answer in defanged format.

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z follow,udp,ascii,0 -q
 ===================================================================
 Follow: udp,ascii
 Filter: udp.stream eq 0
 Node 0: 145.254.160.237:3009
 Node 1: 145.253.2.203:53
 47
 .#...........pagead2.googlesyndication.com.....
 	146
 .#...........pagead2.googlesyndication.com..................pagead2.google.&.;.......z...pagead.google.akadns.net..X.......{....;h.X.......{....;c
===================================================================

root@dco:~$ cyberchef.io
 input: 145.254.160.237:3009
 recipe: Defang IP Addresses
 output: 145[.]254[.]160[.]237:3009

Use the "Desktop/exercises-files/demo.pcapng" file. Follow the "HTTP stream 1". What is the "Referer" value? Enter your answer in defanged format.

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -z follow,http,ascii,1 -q
 ===================================================================
 Follow: http,ascii
 Filter: tcp.stream eq 1
 Node 0: 145.254.160.237:3371
 Node 1: 216.239.59.99:80
 721
 GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1
 Host: pagead2.googlesyndication.com
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Connection: keep-alive
 Referer: http://www.ethereal.com/download.html
 ...
 
root@dco:~$ cyberchef.io
 input: http://www.ethereal.com/download.html
 recipe: Defang URL
 output: hxxp[://]www[.]ethereal[.]com/download[.]html

Use the "Desktop/exercises-files/credentials.pcapng" file. What is the total number of detected credentials?

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r credentials.pcap -z credentials -q
 ===================================================================
 Packet     Protocol         Username         Info            
 ------     --------         --------         --------
 72         FTP              admin            Username in packet: 37
 80         FTP              admin            Username in packet: 47
 83         FTP              admin            Username in packet: 54
 118        FTP              admin            Username in packet: 93
 123        FTP              admin            Username in packet: 97
 129        FTP              admin            Username in packet: 101
 136        FTP              admin            Username in packet: 106
 150        FTP              admin            Username in packet: 115
 156        FTP              admin            Username in packet: 120
 167        FTP              administrator    Username in packet: 13
 ...
 
root@dco:~$ tshark -r credentials.pcap -z credentials -q | wc -l
 79 - 4 non-pertinent lines = 75

ADVANCED FILTERING OPTIONS | CONTAINS, MATCHES AND FIELDS

Use the "Desktop/exercises-files/demo.pcapng" file. What is the HTTP packet number that contains the keyword "CAFE"?

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -Y 'http contains "CAFE"'
 27   3.955688 216.239.59.99 ? 145.254.160.237 HTTP 214 HTTP/1.1 200 OK  (text/html)

Use the "Desktop/exercises-files/demo.pcapng" file. Filter the packets with "GET" and "POST" requests and extract the packet frame time. What is the first time value found?

root@dco:~$ cd Desktop/exercise-files
root@dco:~$ tshark -r demo.pcapng -Y 'http.request.method matches "(GET|POST)"' -T fields -e frame.time -E header=y
 frame.time
 May 13, 2004 10:17:08.222534000 UTC
 May 13, 2004 10:17:10.295515000 UTC

USE CASES | EXTRACT INFORMATION

Use the "Desktop/exercises-files/hostnames.pcapng" file. What is the total number of unique hostnames?

root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dhcp
  https://www.wireshark.org/docs/dfref/d/dhcp.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dhcp.html > CTRL+F
 search: hostname
  dhcp.option.hostname	Host Name	Character string	3.0.0 to 4.4.5
  
root@dco:~$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname | awk NF | sort -r | uniq -c | wc -l
 30
 
 * the "awk NF" in the pipeline will remove empty lines.

Use the "Desktop/exercises-files/hostnames.pcapng" file. What is the total appearance count of the "prus-pc" hostname?

root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dhcp
  https://www.wireshark.org/docs/dfref/d/dhcp.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dhcp.html > CTRL+F
 search: hostname
  dhcp.option.hostname	Host Name	Character string	3.0.0 to 4.4.5
  
root@dco:~$ tshark -r hostnames.pcapng -T fields -e dhcp.option.hostname | awk NF | sort -r | uniq -c
 6 temp_open
 12 prus-pc
 ...
 
 * the "awk NF" in the pipeline will remove empty lines.

Use the "Desktop/exercises-files/dns-queries.pcap" file. What is the total number of queries of the most common DNS query?

root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.name	Name	Character string	1.0.0 to 4.4.5

root@dco:~$ tshark -r dns-queries.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
 472 db.rhodes.edu
   6 connectivity-check.ubuntu.com.rhodes.edu
  94 connectivity-check.ubuntu.com
   8 3.57.20.10.in-addr.arpa
   4 e.9.d.b.c.9.d.7.1.b.0.f.a.2.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 6.7.f.8.5.4.e.f.f.f.0.d.4.d.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 3.4.b.1.3.c.e.f.f.f.4.0.e.e.8.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 1.1.a.2.6.2.e.f.f.f.1.9.9.f.8.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   4 1.0.18.172.in-addr.arpa
   4 1.0.17.172.in-addr.arpa
   4 0.f.2.5.6.b.e.f.f.f.b.7.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
   2 _ipps._tcp.local,_ipp._tcp.local
   2 84.170.224.35.in-addr.arpa
   2 22.2.10.10.in-addr.arpa
   2 21.2.10.10.in-addr.arpa

 * the "awk NF" in the pipeline will remove empty lines.

Use the "Desktop/exercises-files/user-agents.pcap" file. What is the total number of the detected "Wfuzz user agents"?

root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: agent
  http.user_agent	User-Agent	Character string	1.0.0 to 4.4.5

root@dco:~$ tshark -r user-agents.pcap -T fields -e http.user_agent | awk NF | sort -r | uniq -c | sort -r
 1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
 2 Microsoft-WNS/10.0
 3 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
 3 Wfuzz/2.7
 4 sqlmap/1.4#stable (http://sqlmap.org)
 5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
 5 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
 6 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
 9 Wfuzz/2.4
   
 * the "awk NF" in the pipeline will remove empty lines.

Use the "Desktop/exercises-files/user-agents.pcap" file. What is the "HTTP hostname" of the nmap scans? Enter your answer in defanged format.

root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html
root@dco:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: agent
  http.user_agent	User-Agent	Character string	1.0.0 to 4.4.5
 search: host
  http.host	Host	Character string	1.0.0 to 4.4.5
 
root@dco:~$ tshark -r user-agents.pcap -T fields -e http.user_agent -e 'http.host' | awk NF | sort -r | uniq -c | sort
 1 Microsoft-WNS/10.0	cdn.content.prod.cms.msn.com
 1 Microsoft-WNS/10.0	tile-service.weather.microsoft.com
 1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36	connectivitycheck.gstatic.com
 1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	172.16.172.129
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	i7.photobucket.com
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	images.craigslist.org
 2 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10	vancouver.en.craigslist.ca
 2 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0	testphp.vulnweb.com
 2 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	172.16.172.129:8180
 3 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0	10.10.47.123:9696
 3 Wfuzz/2.7	172.16.172.129
 4 sqlmap/1.4#stable (http://sqlmap.org)	172.16.172.129
 5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36	connectivitycheck.gstatic.com
 9 Wfuzz/2.4	172.16.172.129

 * the "awk NF" in the pipeline will remove empty lines.
 
root@dco:~$ cyberchef.io
 input: 172.16.172.129
 recipe: Defang IP Addresses
 output: 172[.]16[.]172[.]129

PreviousTSHARK: THE BASICS NextENDPOINT SECURITY MONITORING

Last updated 8 months ago