TSHARK: THE BASICS

CMD-LINE PACKET ANALYSIS | TSHARK & SUPPLEMENTAL CLI TOOLS

Use the "Desktop/exercise-files/demo.pcapng" file. View the details of the demo.pcapng file with "capinfors". What is the "RIPEMD160" value?

root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 demo.pcapng
root@thm:~$ capinfos demo.pcapng
 File name:           demo.pcapng
 File type:           Wireshark/tcpdump/... - pcap
 Number of packets:   43
 File size:           25 kB
 Data size:           25 kB
 Capture duration:    30.393704 seconds
 First packet time:   2004-05-13 10:17:07.311224
 Last packet time:    2004-05-13 10:17:37.704928
 SHA256:              25a72bdf10339f2c29916920c8b9501d294923108de8f29b19aba7cc001ab60d
 RIPEMD160:           6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7
 SHA1:                3aac91181c3b7eb34fb7d2b6dd6783f4827fcf07

TSHARK FUNDAMENTALS I | MAIN PARAMETERS I

What is the installed TShark version in the given VM?

root@thm:~$ tshark -v
 TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

List the available interfaces with TShark. What is the number of available interfaces in the given VM?

root@thm:~$ sudo tshark -D
 Running as user "root" and group "root". This could be dangerous.
 1. ens5
 2. lo (Loopback)
 3. any
 4. bluetooth-monitor
 5. nflog
 6. nfqueue
 7. ciscodump (Cisco remote capture)
 8. dpauxmon (DisplayPort AUX channel monitor capture)
 9. randpkt (Random packet generator)
 10. sdjournal (systemd Journal Export)
 11. sshdump (SSH remote capture)
 12. udpdump (UDP Listener remote capture)

TSHARK FUNDAMENTALS I | MAIN PARAMETERS II

Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What are the assigned TCP flags in the 29th packet?

root@dco:~$ tshark -r Desktop/exercise-files/demo.pcapng -Y "frame.number == 29"
 29   4.105904 65.208.228.223 ? 145.254.160.237 TCP 1434 80 ? 3372 [PSH, ACK] Seq=12421 Ack=480 Win=6432 Len=1380 [TCP segment of a reassembled PDU]

 * the -Y flag in tshark is used to apply a display filter to the packets 
   being processed. it ensures that only packets matching the given filter 
   expression are displayed

Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What is the "Ack" value of the 25th packet?

root@dco:~$ tshark -r demo.pcapng -Y "frame.number == 25" -V
 Transmission Control Protocol, Src Port: 3372, Dst Port: 80, Seq: 480, Ack: 12421, Len: 0
    Source Port: 3372
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 480    (relative sequence number)
    Sequence number (raw): 951058419
    [Next sequence number: 480    (relative sequence number)]
    Acknowledgment number: 12421    (relative ack number)
    Acknowledgment number (raw): 290230800
    0101 .... = Header Length: 20 bytes (5)

Read the "Desktop/exercise-files/demo.pcapng" file with TShark. What is the "Window size value" of the 9th packet?

root@dco:~$ tshark -r demo.pcapng -Y "frame.number == 9" -V
 Transmission Control Protocol, Src Port: 3372, Dst Port: 80, Seq: 480, Ack: 2761, Len: 0
    Source Port: 3372
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 480    (relative sequence number)
    Sequence number (raw): 951058419
    [Next sequence number: 480    (relative sequence number)]
    Acknowledgment number: 2761    (relative ack number)
    Acknowledgment number (raw): 290221140
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ???????A????]
    Window size value: 9660

TSHARK FUNDAMENTALS II | CAPTURE CONDITIONS

Which parameter can help analysts to create a continuous capture dump?

-b

Can we combine autostop and ring buffer parameters with TShark? y/n

TSHARK FUNDAMENTALS III | PACKET FILTERING OPTIONS: CAPTURE VS DISPLAY FILTERS

Which parameter is used to set "Capture Filters"?

-f

Which parameter is used to set "Display Filters"?

-Y

TSHARK FUNDAMENTALS IV | PACKET FILTERING OPTIONS: CAPTURE FILTERS

Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets with SYN bytes?

root@dco:~$ tshark -f "host 10.10.10.10" -Y "tcp.flags.syn == 1"
 1 0.000000000 10.10.206.155 ? 10.10.10.10  TCP 74 38988 ? 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=4084908581 TSecr=0 WS=128
 2 0.000352497  10.10.10.10 ? 10.10.206.155 TCP 74 80 ? 38988 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM=1 TSval=2817215441 TSecr=4084908581 WS=64

root@dco:~$ curl -v 10.10.10.10

Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets sent to the IP address "10.10.10.10"?

root@dco:~$ tshark -f "host 10.10.10.10" -Y "ip.dst == 10.10.10.10"
Capturing on 'ens5'
 1 0.000000000 10.10.206.155 ? 10.10.10.10  TCP 74 38994 ? 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=4085186229 TSecr=0 WS=128
 3 0.000400186 10.10.206.155 ? 10.10.10.10  TCP 66 38994 ? 80 [ACK] Seq=1 Ack=1 Win=62848 Len=0 TSval=4085186229 TSecr=2817493051
 4 0.000598133 10.10.206.155 ? 10.10.10.10  HTTP 141 GET / HTTP/1.1 
 7 0.001022934 10.10.206.155 ? 10.10.10.10  TCP 66 38994 ? 80 [ACK] Seq=76 Ack=187 Win=62720 Len=0 TSval=4085186230 TSecr=2817493052
 9 0.001063822 10.10.206.155 ? 10.10.10.10  TCP 66 38994 ? 80 [ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052
 10 0.001321450 10.10.206.155 ? 10.10.10.10  TCP 66 38994 ? 80 [FIN, ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052
 12 0.001516967 10.10.206.155 ? 10.10.10.10  TCP 66 38994 ? 80 [ACK] Seq=77 Ack=1408 Win=61568 Len=0 TSval=4085186230 TSecr=2817493052

Create a capture filter against the host 10.10.10.10 then send a curl request. What is the number of packets with ACK bytes?

root@thm:~$ tshark -f "host 10.10.10.10" -Y "tcp.flags.ack == 1"
Capturing on 'ens5'
 2 0.000421520  10.10.10.10 ? 10.10.206.155 TCP 74 80 ? 38996 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM=1 TSval=2817557592 TSecr=4085250778 WS=64
 3 0.000458347 10.10.206.155 ? 10.10.10.10  TCP 66 38996 ? 80 [ACK] Seq=1 Ack=1 Win=62848 Len=0 TSval=4085250778 TSecr=2817557592
 4 0.000527530 10.10.206.155 ? 10.10.10.10  HTTP 141 GET / HTTP/1.1 
 5 0.000819345  10.10.10.10 ? 10.10.206.155 TCP 66 80 ? 38996 [ACK] Seq=1 Ack=76 Win=62592 Len=0 TSval=2817557592 TSecr=4085250779
 6 0.001184454  10.10.10.10 ? 10.10.206.155 TCP 252 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
 7 0.001184564  10.10.10.10 ? 10.10.206.155 HTTP 1286 HTTP/1.1 200 OK  (text/html)
 8 0.001193656 10.10.206.155 ? 10.10.10.10  TCP 66 38996 ? 80 [ACK] Seq=76 Ack=187 Win=62720 Len=0 TSval=4085250779 TSecr=2817557593
 9 0.001225622 10.10.206.155 ? 10.10.10.10  TCP 66 38996 ? 80 [ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085250779 TSecr=2817557593
 10 0.001526379 10.10.206.155 ? 10.10.10.10  TCP 66 38996 ? 80 [FIN, ACK] Seq=76 Ack=1407 Win=61568 Len=0 TSval=4085250780 TSecr=2817557593
 11 0.001968903  10.10.10.10 ? 10.10.206.155 TCP 66 80 ? 38996 [FIN, ACK] Seq=1407 Ack=77 Win=62592 Len=0 TSval=2817557593 TSecr=4085250780
 12 0.002118941 10.10.206.155 ? 10.10.10.10  TCP 66 38996 ? 80 [ACK] Seq=77 Ack=1408 Win=61568 Len=0 TSval=4085250780 TSecr=2817557593

TSHARK FUNDAMENTALS V | PACKET FILTERING OPTIONS: DISPLAY FILTERS

Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "65.208.228.223" IP address?

root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.addr == 65.208.228.223" | wc -l
 34

Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "TCP port 3371"?

root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "tcp.port == 3371" | wc -l
 7

Use the "Desktop/exercise-files/demo.pcapng" file. What is the number of packets with a "145.254.160.237" IP address as a source address?

root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.src == 145.254.160.237" | wc -l
 20

Use the "Desktop/exercise-files/demo.pcapng" file. Filter on packets with a "145.254.160.237" IP address as a source address. What is the packet number of the "Duplicate" packet?

root@thm:~$ cd Desktop/exercise-files
root@thm:~$ tshark -r demo.pcapng -Y "ip.src == 145.254.160.237"
 37   4.776868 145.254.160.237 ? 216.239.59.99 TCP 54 [TCP Dup ACK 28#1] 3371 ? 80 [ACK] Seq=722 Ack=1591 Win=8760 Len=0
 
 * Duplicate packets are shown as "TCP/UDP Dup.."

PreviousWIRESHARK: TRAFFIC ANALYSIS NextTSHARK: CLI WIRESHARK FEATURES

Last updated 9 months ago