
Tshark


Why Use tshark Over Wireshark?

Tshark is a powerful command-line alternative to Wireshark, especially useful in scenarios where efficiency, automation, and resource constraints are factors. Unlike Wireshark’s GUI, tshark excels in processing large data sets, automating repetitive tasks, and operating in headless environments, making it ideal for large-scale or automated network analysis tasks.


Basic Capture Commands

Capture Traffic

On a Specific Interface.

tshark -i eth0

With a Filter.

tshark -i eth0 -f "port 80"

Write Capture to a File

tshark -i eth0 -w capture.pcap

Read a Capture File

tshark -r capture.pcap

Apply Display Filters

Filter HTTP Traffic.

tshark -r <file_name>.pcap -Y "http"

Filter Specific IP.

tshark -r <file_name>.pcap -Y "ip.src == 192.168.1.1"


Malicious Traffic Detection

Detecting DNS Tunneling

DNS tunneling is a method attackers use to exfiltrate data or communicate with a compromised system through DNS queries. Tshark can help identify such traffic by filtering for specific domain patterns or unusual query behavior.

tshark -r capture.pcap -Y 'dns.qry.name contains "example.com"' -T fields -e dns.qry.name
Reads the capture file capture.pcap, applies a display filter to show DNS queries whose name contains "example.com", and prints only the queried names. Display-filter string literals take double quotes, so the filter itself is wrapped in single quotes for the shell. Piping the output through sort and uniq -c shows how often each name recurs, which is the quickest way to spot a domain that is queried repeatedly with long, ever-changing subdomains, the usual shape of DNS tunneling.
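The heuristic just described, as an added example that is not part of the original page: a small POSIX shell function that reads the dns.qry.name column tshark emits, groups names by their last two labels, and reports domains with many long, never-repeated subdomain prefixes. The thresholds (20 distinct prefixes, average prefix length 30) are assumptions chosen for the constructed sample; tune them against your own baseline.

```sh
#!/bin/sh
# Added example (not from the original page): heuristic DNS-tunnel triage
# over tshark field output. In real use the input comes from:
#   tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name \
#     | dns_tunnel_candidates 20 30
# Here a constructed sample replaces the capture so the script runs offline.

# dns_tunnel_candidates MIN_UNIQUE MIN_AVG_LEN
# stdin: one queried name per line. Names are grouped by their last two
# labels (a rough stand-in for the registered domain). A domain is reported
# when it has at least MIN_UNIQUE distinct subdomain prefixes and the average
# prefix length is at least MIN_AVG_LEN characters: many long, never-repeated
# prefixes is the shape of data encoded into query names.
# Output: "<domain> <distinct_prefixes> <avg_prefix_len>", one per line.
dns_tunnel_candidates() {
    awk -v min_unique="${1:-20}" -v min_avg="${2:-30}" '
    {
        name = tolower($1)
        sub(/\.$/, "", name)                 # drop a trailing dot if present
        n = split(name, lab, ".")
        if (n < 3) next                      # bare domain, nothing to inspect
        dom = lab[n-1] "." lab[n]
        prefix = substr(name, 1, length(name) - length(dom) - 1)
        key = dom SUBSEP prefix
        if (!(key in seen)) {                # count each distinct prefix once
            seen[key] = 1
            uniq[dom]++
            total_len[dom] += length(prefix)
        }
    }
    END {
        for (d in uniq) {
            avg = total_len[d] / uniq[d]
            if (uniq[d] >= min_unique && avg >= min_avg)
                printf "%s %d %.1f\n", d, uniq[d], avg
        }
    }' | sort
}

# Constructed sample: a few ordinary lookups, then 25 queries with long,
# unique hex-like prefixes under tunnel.example (the pattern a tunnel leaves).
sample_dns_queries() {
    printf '%s\n' www.example.com mail.example.com www.example.com api.github.com
    i=0
    while [ "$i" -lt 25 ]; do
        printf 'deadbeef%02dcafe0123456789abcdef0123456789.tunnel.example\n' "$i"
        i=$((i + 1))
    done
}

sample_dns_queries | dns_tunnel_candidates 20 30
```

Only tunnel.example is reported: example.com has two short prefixes (www, mail) and api.github.com has one. Counting distinct prefixes rather than raw queries matters, because a legitimate name queried thousands of times still has a single prefix.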


Detecting Command-and-Control (C2) Communication

Filter for consistent timing patterns in SSL/TLS traffic.

tshark -r capture.pcap -q -z conv,tcp,"frame.time_delta > 1 && frame.time_delta < 5"
Lists the TCP conversations built only from packets that arrived between 1 and 5 seconds after the previous captured frame; the -z conv syntax is conv,type[,filter], so the conversation type (tcp) is followed directly by the filter. Connections that keep turning up here may indicate beaconing behavior associated with C2 communication. Note that frame.time_delta measures the gap to the previous captured frame of any conversation, not to the previous packet of the same connection, so narrow the capture to the suspect host first or the measurement is dominated by unrelated traffic.

Identify Long-Lived Connections: C2 traffic may involve persistent connections.

tshark -r capture.pcap -z conv,tcp -q
This lists every TCP conversation with its packet and byte counts in each direction plus its start time and duration, so connections that last far longer than the rest stand out.

Filter by Uncommon Ports or Protocols: C2 traffic might use non-standard ports.

tshark -r capture.pcap -Y "tcp.dstport > 1024 && tcp.flags.syn == 1 && tcp.flags.ack == 0"
This shows connection-opening SYNs (SYN set, ACK clear) sent to destination ports above 1024, which could reveal unusual traffic. The destination port is what to test: tcp.port would also match the client's ephemeral source port, which is above 1024 on practically every ordinary connection.

Beaconing Detection

Beaconing occurs when malware repeatedly contacts an external server at regular intervals. This behavior can be flagged by filtering traffic based on consistent timing patterns.

tshark -r capture.pcap -q -z io,stat,1,"COUNT(frame)frame.time_delta>0.1&&frame.time_delta<0.5"
Generates per-second statistics over the capture, counting in each interval the frames whose delta from the previous captured frame lies between 0.1 and 0.5 seconds. A steady count across intervals could indicate beaconing, which is characteristic of malware trying to maintain communication with a C2 server; as above, restrict the capture to the host of interest so the deltas reflect its traffic alone.


Identifying Data Exfiltration

Data exfiltration can occur through large, unexpected data transfers, especially via uncommon or unauthorized protocols. Tshark can filter for these scenarios and flag suspicious activity.

tshark -r capture.pcap -Y "tcp.flags == 0x18 && frame.len > 1500"
Filters for TCP segments whose flags are exactly ACK and PSH (0x18), indicating data transmission, and whose frame length is greater than 1500 bytes. Large packets like these could signal data exfiltration if they are unexpected. On standard Ethernet the 1500-byte MTU caps a captured frame at 1514 bytes, so this matches only jumbo-frame links or captures taken on a host whose NIC performs segmentation offload; on a wire capture, sum bytes per conversation (for example with -z conv,ip) instead. Knowing what is normal on your network provides more context for identifying anomalous results.


Anomaly Detection in HTTP Traffic

Unusual HTTP requests, such as those with large payloads or requests to uncommon endpoints, might indicate exploitation attempts. Tshark can filter and analyze this traffic.

tshark -r capture.pcap -Y 'http.request.method == "POST" && http.content_length > 1000'
Filters for HTTP POST requests with a Content-Length greater than 1000 bytes (the string literal takes double quotes, so the filter is wrapped in single quotes for the shell). Large POST requests might suggest that significant data is being uploaded, potentially indicating an exploitation attempt or data exfiltration; adding -T fields -e http.host -e http.request.uri shows where each upload is going.