TShark Network Protocol Analyzer
Overview
TShark is the command-line network protocol analyzer from the Wireshark project. It provides powerful packet capture and analysis capabilities for security investigations, forensic analysis, and network troubleshooting. This skill covers authorized security operations including traffic analysis, credential extraction, malware detection, and forensic examination.
IMPORTANT: Network packet capture may expose sensitive information and must only be conducted with proper authorization. Ensure legal compliance and privacy considerations before capturing network traffic.
Quick Start
Basic packet capture and analysis:
# Capture packets on interface
sudo tshark -i eth0
# Capture 100 packets and save to file
sudo tshark -i eth0 -c 100 -w capture.pcap
# Read and analyze capture file
tshark -r capture.pcap
# Apply display filter
tshark -r capture.pcap -Y "http.request.method == GET"
# Extract HTTP objects
tshark -r capture.pcap --export-objects http,extracted_files/
Core Workflow
Network Analysis Workflow
Progress: [ ] 1. Verify authorization for packet capture [ ] 2. Identify target interface and capture requirements [ ] 3. Capture network traffic with appropriate filters [ ] 4. Analyze captured packets for security indicators [ ] 5. Extract artifacts (files, credentials, sessions) [ ] 6. Document findings and security implications [ ] 7. Securely handle and store capture files [ ] 8. Clean up sensitive data per retention policy
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any packet capture:
- Confirm written authorization for network monitoring
- Verify legal compliance (wiretapping laws, privacy regulations)
- Understand data handling and retention requirements
- Document scope of capture (interfaces, duration, filters)
- Ensure secure storage for captured data
2. Interface Discovery
Identify available network interfaces:
# List all interfaces
tshark -D
# List with interface details
sudo tshark -D
# Capture on specific interface
sudo tshark -i eth0
sudo tshark -i wlan0
# Capture on any interface
sudo tshark -i any
# Capture on multiple interfaces
sudo tshark -i eth0 -i wlan0
Interface types:
- eth0/ens33: Ethernet interface
- wlan0: Wireless interface
- lo: Loopback interface
- any: All interfaces (Linux only)
- mon0: Monitor mode interface (wireless)
3. Basic Packet Capture
Capture network traffic:
# Capture indefinitely (Ctrl+C to stop)
sudo tshark -i eth0
# Capture specific number of packets
sudo tshark -i eth0 -c 1000
# Capture for specific duration (seconds)
sudo tshark -i eth0 -a duration:60
# Capture to file
sudo tshark -i eth0 -w capture.pcap
# Capture with ring buffer (rotate files)
sudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5
Capture options:
-c <count>: Capture packet count-a duration:<sec>: Auto-stop after duration-w <file>: Write to file-b filesize:<KB>: Rotate at file size-b files:<num>: Keep N ring buffer files
4. Capture Filters
Apply BPF (Berkeley Packet Filter) during capture for efficiency:
# Capture only HTTP traffic
sudo tshark -i eth0 -f "tcp port 80"
# Capture specific host
sudo tshark -i eth0 -f "host 192.168.1.100"
# Capture subnet
sudo tshark -i eth0 -f "net 192.168.1.0/24"
# Capture multiple ports
sudo tshark -i eth0 -f "tcp port 80 or tcp port 443"
# Exclude specific traffic
sudo tshark -i eth0 -f "not port 22"
# Capture SYN packets only
sudo tshark -i eth0 -f "tcp[tcpflags] & tcp-syn != 0"
Common capture filters:
host <ip>: Traffic to/from IPnet <cidr>: Traffic to/from networkport <port>: Specific porttcp|udp|icmp: Protocol typesrc|dst: Direction filterand|or|not: Logical operators
5. Display Filters
Analyze captured traffic with Wireshark display filters:
# HTTP requests only
tshark -r capture.pcap -Y "http.request"
# HTTP responses
tshark -r capture.pcap -Y "http.response"
# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0"
# TLS handshakes
tshark -r capture.pcap -Y "tls.handshake.type == 1"
# Suspicious traffic patterns
tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0"
# Failed connections
tshark -r capture.pcap -Y "tcp.flags.reset==1"
Advanced display filters:
# HTTP POST requests with credentials
tshark -r capture.pcap -Y "http.request.method == POST and (http contains \"password\" or http contains \"username\")"
# SMB file transfers
tshark -r capture.pcap -Y "smb2.cmd == 8 or smb2.cmd == 9"
# Suspicious User-Agents
tshark -r capture.pcap -Y "http.user_agent contains \"python\" or http.user_agent contains \"curl\""
# Large data transfers
tshark -r capture.pcap -Y "tcp.len > 1400"
# Beaconing detection (periodic traffic)
tshark -r capture.pcap -Y "http" -T fields -e frame.time_relative -e ip.dst
6. Protocol Analysis
Analyze specific protocols:
HTTP/HTTPS Analysis:
# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri
# Extract HTTP User-Agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e ip.src -e http.user_agent
# HTTP status codes
tshark -r capture.pcap -Y "http.response" -T fields -e ip.src -e http.response.code
# Extract HTTP cookies
tshark -r capture.pcap -Y "http.cookie" -T fields -e ip.src -e http.cookie
DNS Analysis:
# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
# DNS responses
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a
# DNS tunneling detection (long domain names)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'
# DNS query types
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.type -e dns.qry.name
TLS/SSL Analysis:
# TLS handshakes
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
# TLS certificates
tshark -r capture.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate
# SSL/TLS versions
tshark -r capture.pcap -Y "tls" -T fields -e tls.record.version
# Weak cipher suites
tshark -r capture.pcap -Y "tls.handshake.ciphersuite" -T fields -e tls.handshake.ciphersuite
SMB/CIFS Analysis:
# SMB file access
tshark -r capture.pcap -Y "smb2" -T fields -e ip.src -e smb2.filename
# SMB authentication
tshark -r capture.pcap -Y "ntlmssp" -T fields -e ip.src -e ntlmssp.auth.username
# SMB commands
tshark -r capture.pcap -Y "smb2" -T fields -e smb2.cmd
7. Credential Extraction
Extract credentials from network traffic (authorized forensics only):
HTTP Basic Authentication:
# Extract HTTP Basic Auth credentials
tshark -r capture.pcap -Y "http.authbasic" -T fields -e ip.src -e http.authbasic
# Decode Base64 credentials
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization | base64 -d
FTP Credentials:
# Extract FTP usernames
tshark -r capture.pcap -Y "ftp.request.command == USER" -T fields -e ip.src -e ftp.request.arg
# Extract FTP passwords
tshark -r capture.pcap -Y "ftp.request.command == PASS" -T fields -e ip.src -e ftp.request.arg
NTLM/Kerberos:
# Extract NTLM hashes
tshark -r capture.pcap -Y "ntlmssp.auth.ntlmv2response" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response
# Kerberos tickets
tshark -r capture.pcap -Y "kerberos.CNameString" -T fields -e kerberos.CNameString -e kerberos.realm
Email Credentials:
# SMTP authentication
tshark -r capture.pcap -Y "smtp.req.command == AUTH" -T fields -e ip.src
# POP3 credentials
tshark -r capture.pcap -Y "pop.request.command == USER or pop.request.command