...
- $ tshark -r "filename"
- To read packets from a capture file
- $ tshark -i "eth0" -w "filename"
- To write raw packet data to file
NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.
DNS Protocol
How to filter DNS packets
a. $ tshark -i "eth0" -Y "dns"
How to filter DNS query packets
a. $ tshark -i "eth0" -Y "dns.flags.response==0"
How to filter DNS response packets
a. $ tshark -i "eth0" -Y "dns.flags.response==1"
How to filter inverse (reverse/PTR lookup) packets
a. $ tshark -i "eth0" -Y "dns.qry.type==0x000c"
How to find DNS query packets for a specific domain name
a. $ tshark -i "eth0" -Y 'dns.qry.name=="www.example.com"'
How to find DNS packets that contain a specific string
a. $ tshark -i "eth0" -Y 'dns contains "example"'
How to find DNS packets that contain a canonical name
a. $ tshark -i "eth0" -Y "dns.resp.type==0x0005"
How to filter DNS traffic that has error conditions
a. $ tshark -i "eth0" -Y "dns.flags.rcode!=0"
How to Identify possible ip-flux (Fast-flux) response traffic
a. $ tshark -i "eth0" -Y "(dns.flags.response==1) && (dns.count.answers>=5) && (dns.resp.ttl<3600 || dns.resp.ttl<86400 || dns.resp.ttl<259200)"
How to identify possible domain-flux (DGA) query traffic
a. $ tshark -i "eth0" -Y "dns.flags.rcode==3"
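The two display filters above only select candidate packets; deciding whether a host is actually seeing fast-flux answers or generating DGA-style lookups needs counting across packets. The following shell snippet is an added example, not part of the original cheatsheet, and serves both the ip-flux and the domain-flux entries. It assumes the DNS responses were first exported with `tshark -r "$FILE" -Y "dns.flags.response==1" -T fields -e ip.dst -e dns.qry.name -e dns.flags.rcode -e dns.a -e dns.resp.ttl` (real field names; `$FILE` is a placeholder), and it works on a constructed sample of that output so it runs offline. The thresholds (5 answers, TTL under 3600 s, 3 distinct NXDOMAIN names) are assumptions to tune per network.

```shell
# Added example (not part of the original cheatsheet): score exported DNS
# responses for fast-flux and DGA-like behaviour.
# Assumed export command (real tshark fields; $FILE is a placeholder):
#   tshark -r "$FILE" -Y "dns.flags.response==1" -T fields \
#          -e ip.dst -e dns.qry.name -e dns.flags.rcode -e dns.a -e dns.resp.ttl
# ip.dst is the client that asked. dns.a and dns.resp.ttl are comma-joined when
# a response carries several answers (tshark's default aggregator).

# Constructed sample output in that tab-separated format (not captured traffic).
DNS_SAMPLE=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  10.0.0.5 www.example.com       0 93.184.216.34 86400 \
  10.0.0.5 cdn.flux-test.invalid 0 198.51.100.10,198.51.100.22,203.0.113.7,203.0.113.9,192.0.2.77 120,120,120,120,120 \
  10.0.0.9 mail.example.org      0 198.51.100.3 3600 \
  10.0.0.5 qz8hd3k.example       3 '' '' \
  10.0.0.5 xk2lpq9.example       3 '' '' \
  10.0.0.5 m3v7bnw.example       3 '' '' \
  10.0.0.9 typo.example          3 '' '')

# Fast-flux candidates: successful responses with at least MIN_ANSWERS A records
# whose largest TTL is below MAX_TTL seconds.
# Prints "client<TAB>name<TAB>answer_count<TAB>max_ttl".
fastflux_candidates() {   # usage: fastflux_candidates MIN_ANSWERS MAX_TTL < fields.tsv
  awk -v min="$1" -v maxttl="$2" 'BEGIN { FS = "\t" }
    $3 == 0 && $4 != "" {
      n = split($4, a, ",")
      m = split($5, t, ",")
      top = 0
      for (i = 1; i <= m; i++) if (t[i] + 0 > top) top = t[i] + 0
      if (n >= min && top < maxttl) printf "%s\t%s\t%d\t%d\n", $1, $2, n, top
    }'
}

# DGA suspects: clients that received NXDOMAIN (rcode 3) for at least THRESHOLD
# distinct names. Prints "client<TAB>distinct_nxdomain_names".
nxdomain_clients() {   # usage: nxdomain_clients THRESHOLD < fields.tsv
  awk -v thr="$1" 'BEGIN { FS = "\t"; OFS = "\t" }
    $3 == 3 {
      key = $1 SUBSEP $2
      if (!(key in seen)) { seen[key] = 1; cnt[$1]++ }
    }
    END { for (c in cnt) if (cnt[c] >= thr) print c, cnt[c] }' | sort
}

printf '%s\n' "$DNS_SAMPLE" | fastflux_candidates 5 3600
printf '%s\n' "$DNS_SAMPLE" | nxdomain_clients 3
```

Counting distinct names rather than raw NXDOMAIN packets matters: a single misconfigured application retrying one bad name produces many NXDOMAINs but only one name, while a DGA client walks through many. Likewise, a CDN legitimately returns several low-TTL A records, so the fast-flux score is a lead to check against the set of answer networks, not a verdict on its own.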
DHCP Protocol
How to filter DHCP packets
a. $ tshark -i "eth0" -Y "dhcp || dhcpv6"
NOTE: On Wireshark/tshark releases before 3.0 the DHCPv4 dissector is named "bootp", so use "bootp || dhcpv6" there.
TCP Protocol
How to filter TCP packets
a. $ tshark -i "eth0" -Y "tcp"
IP Protocol
How to filter IP packets
a. $ tshark -i "eth0" -Y "ip"
b. $ tshark -i "eth0" -Y "ipv6"
How to find fragmented ip packets?
a. $ tshark -i "eth0" -Y "ip.flags.mf == 1 || ip.frag_offset > 0"
How to filter on a specific ip address?
a. $ tshark -i "eth0" -Y "ip.src==8.8.8.8"
b. $ tshark -i "eth0" -Y "ip.dst==8.8.8.8"
c. $ tshark -i "eth0" -Y "ip.addr==8.8.8.8"
ARP Protocol
How to detect ARP poisoning
a. $ tshark -i "eth0" -Y "arp.duplicate-address-detected"
How to filter ARP packets
a. $ tshark -i "eth0" -Y "arp"
How to find ARP reply packets
a. $ tshark -i "eth0" -Y "arp.opcode==0x0002"
How to find ARP request packets
a. $ tshark -i "eth0" -Y "arp.opcode==0x0001"
HTTP Protocol
How to filter http packets
a. $ tshark -i "eth0" -Y "http"
b. $ tshark -i "eth0" -f "tcp port 80"
How to filter http get or post requests
a. $ tshark -i "eth0" -Y 'http.request.method=="GET" || http.request.method=="POST"'
How to find http client or server errors
a. $ tshark -i "eth0" -Y "http.response.code > 399"
How to find http requests to a specific target
a. $ tshark -i "eth0" -Y 'http.host=="www.example.com"'
How to find http requests which contain a specific string in user-agent
a. $ tshark -i "eth0" -Y 'http.user_agent contains "Mozilla"'
Analyze HTTP Traffic
FTP Protocol
How to filter FTP packets
a. $ tshark -i "eth0" -Y "ftp || ftp-data"
How to find successful ftp logins
a. $ tshark -i "eth0" -Y "ftp.response.code==230"
How to look for all hosts attempting to login to a ftp server
a. $ tshark -i "eth0" -Y 'ftp.request.command=="USER" || ftp.request.command=="PASS"'
ICMP Protocol
How to filter ICMP packets
a. $ tshark -i "eth0" -Y "icmp"
How to detect OS fingerprinting
a. $ tshark -i "eth0" -Y "icmp.type==13 || icmp.type==15 || icmp.type==17"
How to find icmp fragmentation needed packets from a router
a. $ tshark -i "eth0" -Y "icmp.type==3 && icmp.code==4"
How to find icmp ping request (ping sweep detection) or response
a. $ tshark -i "eth0" -Y "icmp.type==8 || icmp.type==0"
How to discover icmp destination unreachable response due to a possible firewall reject
a. $ tshark -i "eth0" -Y "icmp.type==3 && (icmp.code==0 || icmp.code==1 || icmp.code==2 || icmp.code==3 || icmp.code==9 || icmp.code==10 || icmp.code==13)"
SSL Protocol
How to filter SSL packets
a. $ tshark -i "eth0" -Y "ssl"
b. $ tshark -i "eth0" -f "tcp port 443"
NOTE: Wireshark/tshark 3.0 and later renamed the dissector to "tls"; on those versions use "tls" here and "tls." in place of "ssl." in the field names below.
How to find TLS/SSL change cipher spec message
a. $ tshark -i "eth0" -Y "ssl.record.content_type==20"
How to find tls/ssl handshake traffic
a. $ tshark -i "eth0" -Y "ssl.record.content_type==22"
How to find tls/ssl client hello message
a. $ tshark -i "eth0" -Y "ssl.handshake.type==1"
How to find tls/ssl Server hello message
a. $ tshark -i "eth0" -Y "ssl.handshake.type==2"
How to find tls/ssl client key exchange message
a. $ tshark -i "eth0" -Y "ssl.handshake.type==16"
TSHARK Statistical Data
Show Hosts
a. $ tshark -r $FILE -q -z hosts,ipv4
Show Hierarchy
a. $ tshark -r $FILE -q -z io,phs
Show all sessions and destination ports
a. $ tshark -o column.format:'"Source", "%s", "Destination", "%d", "dstport", "%uD"' -r $FILE |sort|uniq
Show all conversations
a. $ tshark -o column.format:'"Source", "%s", "Destination", "%d", "dstport", "%uD"' -r $FILE |sort|uniq
Show all TCP Streams
a. $ tshark -r $FILE -q -z conv,tcp
35. Show top talkers for all packets using tcpdump
a. $ tcpdump -tnr $FILE |awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
Note: This is useful to see who are the noisiest hosts on the network. A noisy
host is a busy host and therefore requires further investigation.
How to filter http GET requests using tcpdump
a. $ tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
Filters for Extracting useful information from pcaps
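The tcpdump one-liner above counts packets per source address, so a host that mostly receives (a download client, or an internal server being pulled from) can be missed. The snippet below is an added example, not part of the original cheatsheet, that ranks hosts by bytes in both directions. It assumes the packets were exported with `tshark -r "$FILE" -Y "ip" -T fields -e ip.src -e ip.dst -e frame.len` (real field names; `$FILE` is a placeholder) and runs on a constructed sample of that output.

```shell
# Added example (not part of the original cheatsheet): rank hosts by bytes sent
# plus received instead of by packets sent.
# Assumed export command (real tshark fields; $FILE is a placeholder):
#   tshark -r "$FILE" -Y "ip" -T fields -e ip.src -e ip.dst -e frame.len

# Constructed sample output (tab-separated; not captured traffic).
TALKER_SAMPLE=$(printf '%s\t%s\t%s\n' \
  10.0.0.5      93.184.216.34 1500 \
  93.184.216.34 10.0.0.5      60 \
  10.0.0.9      198.51.100.3  400 \
  10.0.0.5      198.51.100.3  700)

# Prints the top N hosts as "bytes<TAB>host", largest first. Every frame is
# credited to both endpoints, so a quiet sender that receives a lot still ranks.
top_talkers() {   # usage: top_talkers N < fields.tsv
  awk 'BEGIN { FS = "\t"; OFS = "\t" }
    NF == 3 { bytes[$1] += $3; bytes[$2] += $3 }
    END { for (h in bytes) print bytes[h], h }' | sort -k1,1nr | head -n "$1"
}

printf '%s\n' "$TALKER_SAMPLE" | top_talkers 3
```

Because frame.len is the on-the-wire size, the ranking reflects bandwidth rather than chattiness; a host with many tiny packets (scanning, beaconing) rises to the top of the packet count from the tcpdump version but not of this one, so both views are worth keeping.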
45. Show uris
...
46. Unique urls
...
47. Top ten urls from (http://goo.gl/qd5aI)
...
a. $ tshark -r sample.pcap -tad -Y "tcp" -o column.format:'"Time","%t", "Source", "%s","Destination", "%d"'
...
49. HTTP statistics
...
50. Counting the total number of packets in trace files
$ tshark -r traffic_sample.pcap | wc -l
449802