
tshark tutorial and filter examples

tshark is a packet capture tool from Wireshark that also has powerful reading and parsing features for pcap analysis.

This tutorial provides practical examples to get you started using tshark and begin carving valuable information from the wire.

Tshark examples

Use these as the basis for starting to build extraction commands. The syntax for capturing and reading a pcap is very similar to tcpdump.

Capture Packets with Tshark

tshark -i wlan0 -w capture-output.pcap

Read a Pcap with Tshark

tshark -r capture-output.pcap

HTTP Analysis with Tshark

The following example shows how to extract data from any HTTP requests that are seen.

  • -T fields specifies that we want to extract fields
  • -e identifies which fields we want to extract

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
ads.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

The default separator for the fields in the output above is TAB. We could also use the parameter -E separator=, to change the delimiter to a comma.

Parse User Agents and Frequency with Standard Shell Commands

Using the previous command to extract the http.user_agent, we now extract from a pcap file instead of the live interface. In this example, we demonstrate how combining it with standard shell commands enables the sorting and counting of http.user_agent occurrences.

tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n

Utilizing this method, we can efficiently parse even very large pcap files and obtain a summary of all the user agents observed. This technique is valuable for detecting malware, identifying outdated browsers on your network, and spotting scripts.

Using additional HTTP filters in Analysis

It is possible to perform a similar analysis on the request URL by using -e http.request.full_uri in place of the user agent. Other fields that could be included in the output are -e ip.dst and -e http.request.method. By combining various filters and output fields, we can build complex data extraction commands for tshark that uncover interesting details within a capture.

tshark -r example.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri

DNS Analysis with Tshark

Here is an example that extracts both the DNS query and the response address.

tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr

campus-map.stanford.edu	171.64.144.142
www.google.com	
itunes.apple.com	104.74.40.29
itunes.apple.com	
campus-map.stanford.edu	
admission.stanford.edu	171.67.215.200
financialaid.stanford.edu	171.67.215.200
admission.stanford.edu	

Add the time and the source / destination IP addresses to your output with -e frame.time -e ip.src -e ip.dst.

tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr

Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com	198.74.56.127
Apr 22, 2015 23:20:17.314244000 8.8.8.8 192.168.1.7 wprecon.com	
Apr 22, 2015 23:20:18.090110000 8.8.8.8 192.168.1.7 code.jquery.com

One of the great advantages tshark has over the Wireshark GUI is that it writes to stdout, giving you many options to manipulate and clean the output.

Passwords

Let's get passwords... in an HTTP POST. By not specifying the fields option, we will receive the full TCP stream of the HTTP POST. If we add the filter tcp contains "password" and grep for password, we will get just the actual POST data line.

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password

csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123

Extract Files from PCAP using Tshark

An excellent feature of tshark is the ability to export objects (files) from pcaps using the command line.

The export objects feature has been available in Wireshark for a long time now. Having this ability available on the command line is an excellent addition to tshark.

You will need version 2.3.0 or higher for the export objects parameter to be available to tshark.

This command will extract files from an SMB stream and save them to the location tmpfolder.

tshark -nr test.pcap --export-objects smb,tmpfolder

This command will do the same except from HTTP, extracting all the files seen in the pcap.

tshark -nr test.pcap --export-objects http,tmpfolder

It is a quick and easy way to get all the images, html, js and other HTTP objects from a pcap containing HTTP traffic.

Conclusion

Hopefully this tutorial has given you a quick taste of the useful features that are available to you when using tshark for extracting data from the wire or from pcaps.