TSHARK: THE BASICS
CMD-LINE PACKET ANALYSIS | TSHARK & SUPPLEMENTAL CLI TOOLS
Use the "Desktop/exercise-files/demo.pcapng" file. View the details of the demo.pcapng file with "capinfos". What is the "RIPEMD160" value?
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
demo.pcapng
root@thm:~$ capinfos demo.pcapng
File name: demo.pcapng
File type: Wireshark/tcpdump/... - pcap
Number of packets: 43
File size: 25 kB
Data size: 25 kB
Capture duration: 30.393704 seconds
First packet time: 2004-05-13 10:17:07.311224
Last packet time: 2004-05-13 10:17:37.704928
SHA256: 25a72bdf10339f2c29916920c8b9501d294923108de8f29b19aba7cc001ab60d
RIPEMD160: 6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7
SHA1: 3aac91181c3b7eb34fb7d2b6dd6783f4827fcf07
TSHARK FUNDAMENTALS I | MAIN PARAMETERS I
What is the installed TShark version in the given VM?
root@thm:~$ tshark -v
TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)
List the available interfaces with TShark. What is the number of available interfaces in the given VM?
root@thm:~$ sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. ens5
2. lo (Loopback)
3. any
4. bluetooth-monitor
5. nflog
6. nfqueue
7. ciscodump (Cisco remote capture)
8. dpauxmon (DisplayPort AUX channel monitor capture)
9. randpkt (Random packet generator)
10. sdjournal (systemd Journal Export)
11. sshdump (SSH remote capture)
12. udpdump (UDP Listener remote capture)
TSHARK FUNDAMENTALS I | MAIN PARAMETERS II
Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What are the assigned TCP flags in the 29th packet?
root@dco:~$ tshark -r Desktop/exercise-files/demo.pcapng -Y "frame.number == 29"
29 4.105904 65.208.228.223 → 145.254.160.237 TCP 1434 80 → 3372 [PSH, ACK] Seq=12421 Ack=480 Win=6432 Len=1380 [TCP segment of a reassembled PDU]
* The -Y flag in TShark applies a display filter to the packets being processed,
so that only packets matching the given filter expression are displayed.
Here "frame.number == 29" restricts the output to the 29th packet.
Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What is the "Ack" value of the 25th packet?
root@dco:~$ tshark -r demo.pcapng -Y "frame.number == 25" -V
Transmission Control Protocol, Src Port: 3372, Dst Port: 80, Seq: 480, Ack: 12421, Len: 0
Source Port: 3372
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 480 (relative sequence number)
Sequence number (raw): 951058419
[Next sequence number: 480 (relative sequence number)]
Acknowledgment number: 12421 (relative ack number)
Acknowledgment number (raw): 290230800
0101 .... = Header Length: 20 bytes (5)
Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What is the "Window size value" of the 9th packet?
root@dco:~$ tshark -r demo.pcapng -Y "frame.number == 9" -V
Transmission Control Protocol, Src Port: 3372, Dst Port: 80, Seq: 480, Ack: 2761, Len: 0
Source Port: 3372
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 480 (relative sequence number)
Sequence number (raw): 951058419
[Next sequence number: 480 (relative sequence number)]
Acknowledgment number: 2761 (relative ack number)
Acknowledgment number (raw): 290221140
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 9660
TSHARK FUNDAMENTALS II | CAPTURE CONDITIONS
TSHARK FUNDAMENTALS III | PACKET FILTERING OPTIONS: CAPTURE VS DISPLAY FILTERS
TSHARK FUNDAMENTALS IV | PACKET FILTERING OPTIONS: CAPTURE FILTERS
Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets with SYN bytes?
root@dco:~$ tshark -f "host 10.10.10.10" -Y "tcp.flags.syn == 1"
1 0.000000000 10.10.206.155 → 10.10.10.10 TCP 74 38988 → 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=4084908581 TSecr=0 WS=128
2 0.000352497 10.10.10.10 → 10.10.206.155 TCP 74 80 → 38988 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM=1 TSval=2817215441 TSecr=4084908581 WS=64
root@dco:~$ curl -v 10.10.10.10
Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets sent to the IP address "10.10.10.10"?
root@dco:~$ tshark -f "host 10.10.10.10" -Y "ip.dst == 10.10.10.10"
Capturing on 'ens5'
1 0.000000000 10.10.206.155 → 10.10.10.10 TCP 74 38994 → 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=4085186229 TSecr=0 WS=128
3 0.000400186 10.10.206.155 → 10.10.10.10 TCP 66 38994 → 80 [ACK] Seq=1 Ack=1 Win=62848 Len=0 TSval=4085186229 TSecr=2817493051
4 0.000598133 10.10.206.155 → 10.10.10.10 HTTP 141 GET / HTTP/1.1
7 0.001022934 10.10.206.155 → 10.10.10.10 TCP 66 38994 → 80 [ACK] Seq=76 Ack=187 Win=62720 Len=0 TSval=4085186230 TSecr=2817493052
9 0.001063822 10.10.206.155 → 10.10.10.10 TCP 66 38994 → 80 [ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052
10 0.001321450 10.10.206.155 → 10.10.10.10 TCP 66 38994 → 80 [FIN, ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052
12 0.001516967 10.10.206.155 → 10.10.10.10 TCP 66 38994 → 80 [ACK] Seq=77 Ack=1408 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052
Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets with ACK bytes?
root@thm:~$ tshark -f "host 10.10.10.10" -Y "tcp.flags.ack == 1"
Capturing on 'ens5'
2 0.000421520 10.10.10.10 → 10.10.206.155 TCP 74 80 → 38996 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM=1 TSval=2817557592 TSecr=4085250778 WS=64
3 0.000458347 10.10.206.155 → 10.10.10.10 TCP 66 38996 → 80 [ACK] Seq=1 Ack=1 Win=62848 Len=0 TSval=4085250778 TSecr=2817557592
4 0.000527530 10.10.206.155 → 10.10.10.10 HTTP 141 GET / HTTP/1.1
5 0.000819345 10.10.10.10 → 10.10.206.155 TCP 66 80 → 38996 [ACK] Seq=1 Ack=76 Win=62592 Len=0 TSval=2817557592 TSecr=4085250779
6 0.001184454 10.10.10.10 → 10.10.206.155 TCP 252 HTTP/1.1 200 OK [TCP segment of a reassembled PDU]
7 0.001184564 10.10.10.10 → 10.10.206.155 HTTP 1286 HTTP/1.1 200 OK (text/html)
8 0.001193656 10.10.206.155 → 10.10.10.10 TCP 66 38996 → 80 [ACK] Seq=76 Ack=187 Win=62720 Len=0 TSval=4085250779 TSecr=2817557593
9 0.001225622 10.10.206.155 → 10.10.10.10 TCP 66 38996 → 80 [ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085250779 TSecr=2817557593
10 0.001526379 10.10.206.155 → 10.10.10.10 TCP 66 38996 → 80 [FIN, ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085250780 TSecr=2817557593
11 0.001968903 10.10.10.10 → 10.10.206.155 TCP 66 80 → 38996 [FIN, ACK] Seq=1407 Ack=77 Win=62592 Len=0 TSval=2817557593 TSecr=4085250780
12 0.002118941 10.10.206.155 → 10.10.10.10 TCP 66 38996 → 80 [ACK] Seq=77 Ack=1408 Win=61568 Len=0 TSval=4085250780 TSecr=2817557593
TSHARK FUNDAMENTALS V | PACKET FILTERING OPTIONS: DISPLAY FILTERS
Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "65.208.228.223" IP address?
root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.addr == 65.208.228.223" | wc -l
34
Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "TCP port 3371"?
root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "tcp.port == 3371" | wc -l
7
Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "145.254.160.237" IP address as a source address?
root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.src == 145.254.160.237" | wc -l
20
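As an added example (not part of the original write-up), the script below decodes the raw TCP flags value that "tshark -V" prints (e.g. "Flags: 0x010 (ACK)" and the "[TCP Flags: ·······A····]" line above) and then counts packets the way the "-Y ... | wc -l" pipelines do, but per packet. The tab-separated sample is constructed in the shape of "tshark -T fields -e frame.number -e ip.src -e ip.dst -e tcp.flags" output; the frame numbers and addresses in it are made up.

```python
# Wireshark's TCP flag bits, low to high, with the letter used in the
# "[TCP Flags: ·······A····]" line of 'tshark -V' output.
TCP_FLAG_BITS = [
    ("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"), ("ACK", "A"),
    ("URG", "U"), ("ECE", "E"), ("CWR", "C"), ("NS", "N"),
]

def flag_names(value):
    """Decode a raw flags value (e.g. 0x010) into names, low bit first."""
    return [name for bit, (name, _) in enumerate(TCP_FLAG_BITS) if value & (1 << bit)]

def flag_string(value):
    """Render the 12-character string: three reserved bits (R), then
    NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN; unset bits print as a dot."""
    out = []
    for bit in range(11, -1, -1):
        if not value & (1 << bit):
            out.append("\u00b7")
        else:
            out.append("R" if bit >= 9 else TCP_FLAG_BITS[bit][1])
    return "".join(out)

# Constructed sample in the shape of
#   tshark -r demo.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e tcp.flags
# (tab-separated, flags in hex); the frames and addresses are made up.
SAMPLE = """\
1\t10.10.206.155\t10.10.10.10\t0x00000002
2\t10.10.10.10\t10.10.206.155\t0x00000012
3\t10.10.206.155\t10.10.10.10\t0x00000010
4\t10.10.206.155\t10.10.10.10\t0x00000018
5\t10.10.10.10\t10.10.206.155\t0x00000010
"""

def parse_fields(text):
    """Turn -T fields output into records with an integer flags value."""
    records = []
    for line in text.splitlines():
        frame, src, dst, flags = line.split("\t")
        records.append({"frame": int(frame), "src": src, "dst": dst,
                        "flags": int(flags, 16)})
    return records

def count_matching(records, predicate):
    """Per-packet count; 'tshark -Y ... | wc -l' only agrees with this when
    every packet occupies exactly one output line (not with -V)."""
    return sum(1 for r in records if predicate(r))

def syn_set(r): return bool(r["flags"] & 0x002)   # tcp.flags.syn == 1
def ack_set(r): return bool(r["flags"] & 0x010)   # tcp.flags.ack == 1
def sent_to(ip): return lambda r: r["dst"] == ip  # ip.dst == ip
```

Because tshark prints the dissected tcp.flags field, HTTP frames (whose Info column shows no bracketed flags) are still counted correctly, which a parser of the one-line summary text would miss.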
Use the "Desktop/exercise-files/demo.pcapng" file. Filter on packets with a "145.254.160.237" IP address as a source address. What is the packet number of the "Duplicate" packet?
root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.src == 145.254.160.237"
37 4.776868 145.254.160.237 → 216.239.59.99 TCP 54 [TCP Dup ACK 28#1] 3371 → 80 [ACK] Seq=722 Ack=1591 Win=8760 Len=0
* TShark's TCP analysis marks duplicate packets in the Info column as "[TCP Dup ...]", here "[TCP Dup ACK 28#1]" (a duplicate of the ACK in packet 28).