Advanced TShark Commands

Print a summary of DNS information within a PCAP file:

tshark -r <pcap file name> -q -z dns,tree

Print a list of all endpoints that appear within a PCAP file, along with a communication summary:

tshark -r <pcap file name> -q -z endpoints,ip

Print a list of endpoints communicating with each other, along with a communication summary:

tshark -r <pcap file name> -q -z conv,ip

Display only specific frame fields:

tshark -r <pcap file name> -T fields -e <field 1> -e <field 2> …

Example, print the source and destination IP address, but only when the SYN flag is set:

tshark -n -r decode1.pcap -T fields -e ip.src -e ip.dst tcp.flags==2

Extract the TCP payloads being exchanged between two IP addresses:

tshark -r <pcap file> -T fields -e tcp.payload ip.addr==<1st IP> and ip.addr==<2nd IP>

Example, extract the HTTP traffic between two specified IP addresses, convert the Hex output to ASCII, and pause output:

tshark -r perimeter_class.pcap -T fields -e tcp.payload ip.addr==192.168.1.10 and ip.addr==1.2.3.4 and tcp.port==80 | xxd -r -p | less -S

Example, similar to above, but extract ICMP payloads and convert to ASCII:

tshark -r weird-icmp.pcap -T fields -e data.data ip.addr==192.168.1.10 and ip.addr==1.2.3.4 and icmp | xxd -r -p | less -S

Advanced TShark Output Manipulation

sort - Sort the output lines from left to right alphanumerically. Use the “-n” switch to sort numerically, “-r” to sort in reverse order, and “-k” to choose which field (column) to sort on.

uniq - Collapse multiple repeating lines into a single line. Use “-c” to count the number of lines that have been collapsed.

datamash - Perform basic statistical operations on a range of numbers. This can include counting or adding up a series of numbers, identifying the min or max value, or calculating the range or standard deviation of a series of numbers.

Example, count the number of TCP connections between two IP addresses:

tshark -r decode1.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 and ip.src==192.168.1.10 and ip.dst==1.2.3.4 | datamash count 1

Example, for a specified pair of IP addresses, print the delta time between each session:

tshark -r decode1.pcap -T fields -e ip.src -e ip.dst -e frame.time_delta_displayed tcp.flags==2 and ip.src==192.168.1.10 and ip.dst==1.2.3.4 | less

Example, for a specified pair of IP addresses that have connected multiple times, identify the minimum and maximum delta time between connections. Further, calculate the mean and the standard deviation (good for hunting beacons):

tshark -r decode1.pcap -T fields -e ip.src -e ip.dst -e frame.time_delta_displayed tcp.flags==2 and ip.src==192.168.1.10 and ip.dst==1.2.3.4 | datamash -g 1,2 min 3 max 3 mean 3 sstdev 3
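Added example, not from the original cheat sheet: the same per-pair min/max/mean/sstdev summary done in awk (for hosts without datamash), fed from constructed tshark-style `-T fields` output. It uses frame.time_epoch instead of frame.time_delta_displayed, because the latter is measured against the previous displayed frame of any pair and its first value is always 0.000000, which drags the min down to 0 unless the filter pins a single src/dst pair.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet).  Per-pair beacon
# statistics from the tab-separated output you would get with, e.g.:
#   tshark -n -r decode1.pcap -T fields -e ip.src -e ip.dst -e frame.time_epoch tcp.flags==2
# Deltas are computed per src/dst pair, so several pairs can be analysed
# in one pass, unlike frame.time_delta_displayed which spans all pairs.

# Constructed sample: SYNs from 192.168.1.10 to 1.2.3.4 about every 60 s
# (a regular beacon) interleaved with two SYNs to 5.6.7.8.
sample_input() {
  printf '192.168.1.10\t1.2.3.4\t1700000000.000000\n'
  printf '192.168.1.10\t5.6.7.8\t1700000010.000000\n'
  printf '192.168.1.10\t1.2.3.4\t1700000060.500000\n'
  printf '192.168.1.10\t1.2.3.4\t1700000119.500000\n'
  printf '192.168.1.10\t5.6.7.8\t1700000135.000000\n'
  printf '192.168.1.10\t1.2.3.4\t1700000180.000000\n'
}

# Reads "src<TAB>dst<TAB>epoch" lines on stdin and prints one line per pair:
#   src dst deltas min max mean sstdev      (all times in seconds)
# The first frame of a pair has no predecessor and contributes no delta.
beacon_stats() {
  awk -F'\t' '
    { key = $1 " " $2 }
    key in last {
      d = $3 - last[key]; n[key]++; sum[key] += d; sq[key] += d * d
      if (!(key in min) || d < min[key]) min[key] = d
      if (!(key in max) || d > max[key]) max[key] = d
    }
    { last[key] = $3 }
    END {
      for (k in n) {
        m = sum[k] / n[k]
        # sample standard deviation (datamash sstdev); undefined for one delta
        if (n[k] > 1) {
          v = (sq[k] - n[k] * m * m) / (n[k] - 1)
          sd = sprintf("%.3f", sqrt(v < 0 ? 0 : v))   # guard float rounding
        } else sd = "NA"
        printf "%s %d %.3f %.3f %.3f %s\n", k, n[k], min[k], max[k], m, sd
      }
    }' | sort
}

sample_input | beacon_stats
```

A small standard deviation relative to the mean (here 0.866 s on a 60 s mean) is the regularity that makes a beacon stand out; replace `sample_input` with the tshark pipeline in the comment to run it on a real capture.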

Identify which 10 internal systems are sending the most TCP data, and to which destination IP address. The private source ranges must be grouped in parentheses, because a display filter's “and” binds tighter than “or”; quote the whole filter so the shell passes the parentheses through:

tshark -r <pcap file name> -T fields -e ip.src -e ip.dst -e ip.len 'ip.proto==6 and (ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12)' | sort | datamash -g 1,2 sum 3 | sort -k 3 -rn | head

Cool Tshark Tricks

By Chris Brenton

Simple TShark Output Manipulation

Pipe the data through “less” so that the data can be navigated using the spacebar, page up, page down, and arrow keys (press “q” to quit display):

tshark -r <pcap file name> | less

Make output easier to read by removing line wrap:

tshark -r <pcap file name> | less -S

Print the first <number> lines of output (default is 10):

tshark -r <pcap file name> | head -<number>

Print the last <number> lines of output (default is 10):

tshark -r <pcap file name> | tail -<number>

Basic TShark Commands

Print a summary of each frame in a PCAP file:

tshark -r <pcap file name>

Disable name resolution:

tshark -n -r <pcap file name>

Print all frame fields (verbose output):

tshark -V -r <pcap file name>

Print absolute (instead of relative) timestamps:

tshark -t a -r <pcap file name>

Display frames that meet specified criteria:

tshark -r <pcap file name> <display filter>

Example, display frames sent to or received from a specified IP address:

tshark -r decode1.pcap ip.addr==10.0.0.204

Example, print frames where the time to live value is equal to 64:

tshark -n -r decode1.pcap ip.ttl==64

Example, print TCP frames where the Reset flag is turned on:

tshark -r decode1.pcap tcp.flags.reset!=0

Print frames where a display field contains a case sensitive value:

tshark -r <pcap file name> <display field> contains <value>

Example, print URIs that contain the string "windowsupdate":

tshark -r decode1.pcap http.request.uri contains "windowsupdate"

List of all possible display filters:

wireshark.org/docs/dfref/

Combine multiple display filters using logical “and” and “or” to further refine filtering.

Example:

tshark -r decode1.pcap ip.src==10.0.0.204 and tcp.dstport==443

Send frames that match a specified display filter to a new PCAP file:

tshark -r <pcap file name> -w <new pcap file> <display filter>
